Trojan Horse PSW.Agent.AFCI

April 20, 2010 at 15:04:25
Specs: Microsoft Windows Vista Home Premium, 1.801 GHz / 2045 MB

Hello all,

I have suddenly started to have my AVG anti-virus continuously pop up with a message blocking the threat of "Trojan Horse PSW.Agent.AFCI". I always move the threat to the vault, but when I go to the vault it is no longer there.
I have run Spybot Search & Destroy but it finds nothing.

Please help.

Best regards.




#1
April 20, 2010 at 16:21:32

Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt (do not zip just copy/paste)

Save both reports to your desktop, then post them please. You may need to post in segments to get all the info to us, as the logs may be too large to fit in one post.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.



#2
April 21, 2010 at 01:53:33

Thanks for the response. Attached are the reports.

1. DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Frank Khan at 0:20:45,03 on 21/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.34.3082.18.2045.839 [GMT 2:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer3\TeamViewer_Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Users\FRANKK~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Frank Khan\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.es/
uSEARCH PAGE = hxxp://es.rd.yahoo.com/customize/ycomp/defaults/sp/*http://es.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://es.es.acer.yahoo.com
mDefault_Page_URL = hxxp://es.es.acer.yahoo.com
uSearchURL,(Default) = hxxp://es.rd.yahoo.com/customize/ycomp/defaults/su/*http://es.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [POL Agent] c:\program files\pol\POL.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Anexar destino de vínculo a PDF existente - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convertir a Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: sagelogiccontrol.com\logicclass
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/spanish/kavwebscan_unicode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {49DAAA81-99C9-46A2-BED7-FFC987AADA36} - hxxp://logicclass.sagelogiccontrol.com/LcPrint5_1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - c:\users\frankk~1\appdata\local\temp\ixp000.tmp\urxshost.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll eNetHook.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-24 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-24 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-24 242696]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-11-8 13560]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-8-13 50688]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-27 1153368]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 TeamViewer;TeamViewer 3;c:\program files\teamviewer3\TeamViewer_Service.exe [2008-10-7 185640]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-14 32256]
S2 gupdate;Servicio Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-23 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-14 179712]
S3 FontCache;Servicio de caché de fuentes de Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-23 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-3-6 9728]
S3 USBZTECCID;ZTE USB Smartcard Driver;c:\windows\system32\drivers\ZTEusbccid.sys [2010-3-6 13824]
S3 WSDPrintDevice;Soporte de impresión WSD a través de UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-6-23 16896]
S3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\drivers\WlanUZG.sys [2009-8-25 449536]

=============== Created Last 30 ================

2010-04-20 12:22:57 0 d-----w- c:\program files\Trend Micro
2010-04-19 23:35:37 1435272 ----a-w- c:\windows\system32\Flash8.ocx
2010-04-19 23:35:17 0 d-----w- c:\program files\Wondershare
2010-04-19 23:00:29 4163 ----a-w- c:\users\frank khan\.recently-used.xbel
2010-04-18 22:57:13 0 d-----w- c:\program files\Picture Collage Maker Free
2010-04-16 22:13:50 0 d-----w- c:\users\frank khan\.thumbnails
2010-04-16 22:11:22 0 d-----w- c:\users\frank khan\.gimp-2.6
2010-04-16 22:10:40 0 d-----w- c:\program files\GIMP-2.0
2010-04-15 21:47:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 21:47:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 21:47:04 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 21:47:04 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 21:47:04 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 21:47:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 21:47:01 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 21:47:01 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-15 21:46:49 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 21:46:49 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 21:46:49 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 12:16:20 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:16:18 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 18:16:17 274432 ----a-w- c:\windows\system32\FFTIFF16.dll
2010-04-13 18:16:17 208896 ----a-w- c:\windows\system32\FFRafShellEx.dll
2010-04-13 18:16:16 155648 ----a-w- c:\windows\system32\FFRAFLIB.DLL
2010-04-12 21:06:43 0 d-----w- c:\program files\JDownloader
2010-04-05 08:53:20 0 d-----w- c:\users\frankk~1\appdata\roaming\PeerNetworking
2010-03-31 10:37:41 0 d-----w- c:\programdata\Sun

==================== Find3M ====================

2010-04-20 21:20:30 667966 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-20 21:20:30 129720 ----a-w- c:\windows\system32\perfc00A.dat
2010-04-19 20:53:19 86016 ----a-w- c:\windows\inf\infpub.dat
2010-04-19 20:53:19 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-26 12:12:53 27810 ----a-w- c:\users\frankk~1\appdata\roaming\nvModes.dat
2010-03-16 13:16:06 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-16 13:16:04 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 13:15:21 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-09 11:00:57 224909 ----a-w- c:\windows\hpoins46.dat
2010-03-09 02:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 11:28:29 23711 ----a-w- c:\windows\hpqins15.dat
2010-03-06 17:45:05 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32:56 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-09 13:50:29 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-01-26 08:57:54 96548 ----a-w- c:\windows\fonts\Mute Fruit Black Krash.ttf
2010-01-26 08:57:54 74416 ----a-w- c:\windows\fonts\Ravie.ttf
2010-01-26 08:57:54 54996 ----a-w- c:\windows\fonts\ActionIs.ttf
2010-01-26 08:57:54 28452 ----a-w- c:\windows\fonts\Happy.ttf
2010-01-26 08:57:54 27064 ----a-w- c:\windows\fonts\Big Lou.ttf
2010-01-26 08:57:54 18252 ----a-w- c:\windows\fonts\Padaloma.ttf
2010-01-26 08:57:54 164604 ----a-w- c:\windows\fonts\A Cut Above The Rest.ttf
2010-01-26 08:57:54 11436 ----a-w- c:\windows\fonts\Excelsior.ttf
2010-01-26 08:57:54 113656 ----a-w- c:\windows\fonts\Base 02.ttf
2010-01-26 08:57:54 113088 ----a-w- c:\windows\fonts\Blazed.ttf
2010-01-26 08:57:54 101460 ----a-w- c:\windows\fonts\Caveman.ttf
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 08:53:47 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-23 14:46:33 174 --sha-w- c:\program files\desktop.ini
2006-11-02 15:43:35 40258 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2006-11-02 15:43:35 40258 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2006-11-02 15:43:35 336930 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2006-11-02 15:43:35 336930 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-21 20:55:02 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 0:24:19,27 ===============



#3
April 21, 2010 at 01:55:38

2. Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 08/11/2007 9:27:57
System Uptime: 20/04/2010 23:12:51 (1 hours ago)

Motherboard: Acer | | Poyang
Processor: Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz | uPGA-478 | 1801/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 55,639 GiB free.
D: is FIXED (NTFS) - 111 GiB total, 87,862 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink (TM) Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Manufacturer: Broadcom
Name: Broadcom NetLink (TM) Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Service: b57nd60x

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Deskjet F4500 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================


==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acer Arcade Deluxe
Acer Crystal Eye webcam
Acer Crystal Eye Webcam Video Class Camera
Acer eAudio Management
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Acer Tour
Activation Assistant for the 2007 Microsoft Office suites
Actualización del controlador del Centro de dispositivos de Windows Mobile
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.2
Adobe Shockwave Player 11
Apple Mobile Device Support
Apple Software Update
Application Suite
Ares 2.1.4
AVG Free 9.0
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
BlackBerry Connect Desktop para Windows Mobile
BlackBerry Desktop Software 4.3
BufferChm
CCleaner
Centro de dispositivos de Windows Mobile
Compatibility Pack for the 2007 Office system
Compresor WinRAR
Controlador de Pinnacle Video
Copy
Destinations
DeviceDiscovery
DJ_AIO_06_F4500_SW_MIN
doPDF 5.3 printer
Escritorio movistar
F4500
FreeRIP v3.30
Galería fotográfica de Windows Live
GIMP 2.6.8
Gogo MP3 To CD Burner
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GPBaseService2
HDAUDIO Soft Data Fax Modem with SmartCP
Herramienta de carga de Windows Live
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 13.0
HP Deskjet F4500 Printer Driver Software 13.0 Rel .6
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoGadget
hpPrintProjects
HPProductAssistant
HPSSupply
hpWLPGInstaller
Intel(R) Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 19
JDownloader
Junk Mail filter update
Launch Manager
LightScribe 1.4.142.1
LimeWire 5.4.8
Macromedia Dreamweaver 8
Macromedia Extension Manager
Magic Bullet Looks Studio
Manual del dispositivo Windows Mobile®
MarketResearch
Microsoft .NET Framework 3.5 Language Pack SP1 - esn
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Paquete de idioma de Microsoft .NET Framework 3.5 SP1 - esn
PhotoScape
Picture Collage Maker Free 2.1.2
Pinnacle Instant DVD Recorder
Pinnacle Studio 12
Pinnacle Studio 12 Ultimate Plugins
PowerProducer 3.72
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Roxio Media Manager
Scan
Security Update for CAPICOM (KB931906)
Shop for HP Supplies
Skype™ 4.2
SmartWebPrinting
SolidWorks eDrawings 2010
SolutionCenter
Spybot - Search & Destroy
Status
SureThing Express Labeler
Synaptics Pointing Device Driver
TeamViewer 3
Toolbox
TrayApp
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.0.1
WebReg
Windows Live Asistente para el inicio de sesión
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows System Scanner
Youtube Downloader HD v. 1.8.1
ZTE Drivers v1.2050.0.10

==== End Of File ===========================



#4
April 21, 2010 at 01:57:46

3. MBAM report

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Versión de la base de datos: 4014

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

21/04/2010 0:42:20
mbam-log-2010-04-21 (00-42-20).txt

Tipo de examen: Examen rápido
Objetos examinados: 108255
Tiempo transcurrido: 5 minuto(s), 54 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 1
Archivos Infectados: 3

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos de Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
C:\Program Files\POL (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.

Archivos Infectados:
C:\Program Files\POL\akv.cfg (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Program Files\POL\key.bin (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Program Files\POL\test (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
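
The DDS log in reply #2 and the MBAM report in reply #4 are best read together: DDS lists the autorun value `mRun: [POL Agent] c:\program files\pol\POL.exe`, and MBAM later quarantines `C:\Program Files\POL` as PUP.ArdamaxKeyLogger, so the Run value is the persistence point for the item that was removed. The script below is an added example (not from this thread, not from DDS or Malwarebytes) that does that correlation automatically: it parses the `uRun:`/`mRun:` lines in DDS's "Pseudo HJT Report" format, parses the detection lines in MBAM's report format, and flags every autorun that launches a quarantined path, has no command at all, or names a bare file that Windows resolves through PATH. The sample inputs are constructed from the lines posted above; the regular expressions and the `%ProgramFiles%`/`%windir%` expansion table are assumptions about how DDS prints these values, not documented formats.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: autorun entries in the "Pseudo HJT Report" format used by
# DDS.txt. The lines are copied from the DDS log posted earlier in this thread.
DDS_SAMPLE = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Tour]
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [POL Agent] c:\program files\pol\POL.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
"""

# Constructed sample input: the detection lines from the MBAM report posted above.
MBAM_SAMPLE = r"""
Carpetas Infectadas:
C:\Program Files\POL (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.

Archivos Infectados:
C:\Program Files\POL\akv.cfg (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
C:\Program Files\POL\key.bin (PUP.ArdamaxKeyLogger) -> Quarantined and deleted successfully.
"""

RUN_LINE = re.compile(r"^([um]Run): \[([^\]]*)\]\s*(.*)$")
# First drive-letter or %VAR% path that ends in a module extension. Non-greedy, so
# trailing arguments such as "/autoRun" or ",nvsvcStart" are not swallowed.
MODULE_PATH = re.compile(r"((?:%[^%]+%|[a-zA-Z]:)\\.*?\.(?:exe|dll|cmd|scr))", re.I)
MBAM_HIT = re.compile(r"^([a-zA-Z]:\\.+?) \(([^()]+)\) -> ")

# Assumed expansion of the variables DDS leaves unexpanded (32-bit Vista defaults).
ENV = {"%programfiles%": r"c:\program files", "%windir%": r"c:\windows"}


def normalise(path: str) -> str:
    """Lower-case a path and expand the environment variables DDS prints verbatim."""
    p = path.strip().lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


@dataclass
class Autorun:
    hive: str                # "uRun" = current user, "mRun" = all users (DDS convention)
    name: str                # the registry value name shown in [brackets]
    command: str             # the raw command line
    module: Optional[str]    # normalised path of the launched file, if one was found
    flags: list = field(default_factory=list)


def parse_dds_autoruns(text: str) -> list:
    """Extract uRun/mRun entries and the module each one launches."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        hit = MODULE_PATH.search(command)
        entries.append(Autorun(hive, name, command, normalise(hit.group(1)) if hit else None))
    return entries


def parse_mbam_hits(text: str) -> dict:
    """Map each quarantined path (normalised) to the detection name MBAM gave it."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if m:
            hits[normalise(m.group(1))] = m.group(2)
    return hits


def triage(dds_text: str, mbam_text: str) -> list:
    """Return the autoruns a reviewer should look at, each with the reason attached."""
    hits = parse_mbam_hits(mbam_text)
    flagged = []
    for entry in parse_dds_autoruns(dds_text):
        if entry.module is None:
            if entry.command == "":
                entry.flags.append("empty value: nothing is launched (leftover from an uninstall)")
            else:
                entry.flags.append("bare filename: resolved through PATH at logon, locate the actual file")
        else:
            for path, detection in hits.items():
                if entry.module == path or entry.module.startswith(path + "\\"):
                    entry.flags.append(f"launches a quarantined item: {detection}")
                    break
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(DDS_SAMPLE, MBAM_SAMPLE):
        print(f"{e.hive} [{e.name}] {e.command!r}")
        for f in e.flags:
            print(f"    -> {f}")
```

On the constructed input this flags `POL Agent` (its module sits under the quarantined `c:\program files\pol` folder), `Acer Tour` (empty value) and `Skytel` (bare filename), and leaves the Sidebar, Google, Defender, NVIDIA and AVG entries alone. One caveat worth knowing: 8.3 short names such as `c:\progra~1\...` are not expanded here, so a quarantined path referenced only through a short name would be missed; resolving those requires the live file system.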



#5
April 21, 2010 at 03:44:48

Please download Combofix with internet explorer instead of any other browser if possible.

Remember: your AVG antivirus, Windows Defender, and Spybot's TeaTimer must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#6
April 21, 2010 at 04:55:44

Phew - it took some time but here is the report:

ComboFix 10-04-20.01 - Frank Khan 21/04/2010 13:20:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.34.3082.18.2045.944 [GMT 2:00]
Running from: c:\users\Frank Khan\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-21 11:41 . 2010-04-21 11:44 -------- d-----w- c:\users\Frank Khan\AppData\Local\temp
2010-04-20 22:33 . 2010-04-20 22:33 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Malwarebytes
2010-04-20 22:32 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 22:32 . 2010-04-20 22:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 22:32 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:32 . 2010-04-20 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Trend Micro
2010-04-19 23:35 . 2010-04-19 23:35 -------- d-----w- c:\program files\Wondershare
2010-04-18 22:57 . 2010-04-18 22:57 -------- d-----w- c:\program files\Picture Collage Maker Free
2010-04-16 22:13 . 2010-04-19 23:00 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\gtk-2.0
2010-04-16 22:13 . 2010-04-16 22:13 -------- d-----w- c:\users\Frank Khan\.thumbnails
2010-04-16 22:11 . 2010-04-19 23:00 -------- d-----w- c:\users\Frank Khan\.gimp-2.6
2010-04-16 22:10 . 2010-04-16 22:10 -------- d-----w- c:\program files\GIMP-2.0
2010-04-16 21:28 . 2010-04-16 21:28 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\InstallShield
2010-04-15 21:47 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 21:47 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 21:47 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 21:47 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 21:47 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 21:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 21:46 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 21:46 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 21:46 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 12:16 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:16 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 18:16 . 2006-07-12 12:39 208896 ----a-w- c:\windows\system32\FFRafShellEx.dll
2010-04-13 18:16 . 2003-09-03 14:45 274432 ----a-w- c:\windows\system32\FFTIFF16.dll
2010-04-13 18:16 . 2010-04-16 21:29 -------- d-----w- c:\program files\FinePixViewer
2010-04-13 18:16 . 2004-07-24 19:28 155648 ----a-w- c:\windows\system32\FFRAFLIB.DLL
2010-04-13 15:10 . 2010-04-16 21:29 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\FUJIFILM
2010-04-12 21:06 . 2010-04-16 21:49 -------- d-----w- c:\program files\JDownloader
2010-04-12 08:06 . 2010-04-12 08:06 -------- d-----w- c:\program files\Common Files\Skype
2010-04-05 08:53 . 2010-04-05 08:53 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\PeerNetworking
2010-03-31 10:37 . 2010-03-31 10:37 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 11:42 . 2009-01-13 09:14 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-21 11:23 . 2006-11-02 15:46 667966 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-21 11:23 . 2006-11-02 15:46 129720 ----a-w- c:\windows\system32\perfc00A.dat
2010-04-21 11:00 . 2010-01-27 00:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-21 08:43 . 2010-04-21 08:43 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-21 08:43 . 2010-02-23 23:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 08:42 . 2010-04-21 08:42 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-21 08:38 . 2007-12-20 09:41 -------- d-----w- c:\programdata\Google Updater
2010-04-20 12:13 . 2010-02-01 08:30 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\HpUpdate
2010-04-20 12:13 . 2010-01-24 22:07 -------- d-----w- c:\program files\HP
2010-04-20 09:27 . 2007-12-20 14:44 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Skype
2010-04-20 08:57 . 2007-12-20 14:50 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\skypePM
2010-04-20 00:37 . 2010-01-27 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-19 23:36 . 2007-12-19 09:58 136760 ----a-w- c:\users\Frank Khan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-16 23:04 . 2008-01-31 09:22 -------- d-----w- c:\program files\CCleaner
2010-04-16 21:30 . 2007-12-19 09:56 -------- d-----w- c:\program files\Yahoo!
2010-04-16 21:30 . 2007-08-13 19:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-15 23:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-12 08:06 . 2010-02-09 13:50 -------- d-----r- c:\program files\Skype
2010-04-09 09:05 . 2008-10-20 17:53 -------- d-----w- c:\program files\TeamViewer3
2010-03-31 10:10 . 2009-05-15 12:03 -------- d-----w- c:\program files\Java
2010-03-26 12:12 . 2007-12-19 10:07 27810 ----a-w- c:\users\Frank Khan\AppData\Roaming\nvModes.dat
2010-03-16 13:16 . 2010-03-16 13:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 13:16 . 2010-02-23 23:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 13:15 . 2010-02-23 23:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 22:11 . 2009-05-15 12:07 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\LimeWire
2010-03-09 22:13 . 2010-03-09 22:13 -------- d-----w- c:\programdata\TomTom
2010-03-09 22:12 . 2010-03-09 22:12 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\TomTom
2010-03-09 22:10 . 2010-03-09 22:10 -------- d-----w- c:\program files\TomTom DesktopSuite
2010-03-09 11:00 . 2010-03-06 16:56 224909 ----a-w- c:\windows\hpoins46.dat
2010-03-09 02:28 . 2009-05-15 12:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 11:28 . 2010-02-01 08:33 23711 ----a-w- c:\windows\hpqins15.dat
2010-03-06 17:46 . 2010-03-06 17:46 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Telefónica Móviles
2010-03-06 17:42 . 2010-03-06 17:42 -------- d-----w- c:\program files\Movistar
2010-03-06 17:35 . 2007-12-20 14:28 -------- d-----w- c:\program files\Windows Live
2010-03-06 17:34 . 2010-03-06 17:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-06 17:08 . 2010-01-24 22:05 -------- d-----w- c:\programdata\HP
2010-03-06 17:08 . 2010-03-06 17:08 -------- d-----w- c:\programdata\HP Product Assistant
2010-03-06 17:06 . 2010-03-06 17:06 -------- d-----w- c:\program files\Common Files\HP
2010-03-05 10:46 . 2010-01-12 13:06 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\proDAD
2010-03-05 10:36 . 2007-08-13 21:12 -------- d-----w- c:\program files\Acer GameZone
2010-03-05 10:30 . 2010-02-26 01:10 -------- d-----w- c:\program files\Devious Codeworks
2010-03-05 10:21 . 2010-01-12 13:04 -------- d-----w- c:\program files\Boris FX, Inc
2010-03-03 20:48 . 2010-03-03 20:48 -------- d-----w- c:\program files\LimeWire
2010-03-01 16:05 . 2010-01-26 15:09 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\FileZilla
2010-02-26 03:06 . 2010-02-26 03:00 2855 ----a-w- c:\users\Frank Khan\AppData\Roaming\Microsoft\Office\Reciente\Anabel valdilecha.jpeg - frank@live.com.pif
2010-02-26 02:30 . 2010-02-26 02:30 2855 ----a-w- c:\users\Frank Khan\AppData\Roaming\Microsoft\Office\Reciente\Anabel valdilecha-frank@live.com.pif
2010-02-26 00:31 . 2010-02-26 00:08 -------- d-----w- c:\program files\Unlocker
2010-02-25 23:31 . 2010-01-27 12:09 -------- d-----w- c:\program files\Ares
2010-02-24 22:01 . 2009-08-15 23:12 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\vlc
2010-02-23 23:41 . 2010-02-23 23:38 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-02-23 23:38 . 2010-02-23 23:38 -------- d-----w- c:\programdata\avg9
2010-02-23 23:38 . 2008-05-21 16:21 -------- d-----w- c:\program files\AVG
2010-02-23 06:39 . 2010-03-31 09:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 09:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 09:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 09:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 13:00 . 2010-01-24 22:23 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\HP
2010-02-21 22:56 . 2008-02-28 11:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-21 22:48 . 2010-02-21 22:48 -------- d-----w- c:\programdata\FLEXnet
2010-02-21 22:14 . 2010-02-21 21:45 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Youtube Downloader HD
2010-02-21 21:45 . 2010-02-21 21:45 -------- d-----w- c:\program files\Youtube Downloader HD
2010-02-20 23:06 . 2010-03-10 09:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 09:26 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 09:26 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-03-13 09:47 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-09 13:50 . 2010-02-09 13:50 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-02-02 09:35 . 2010-02-02 09:35 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbFB41.tmp.exe
2010-01-25 12:00 . 2010-02-24 08:42 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 08:41 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 08:41 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 08:42 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 08:41 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 08:41 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 08:41 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 08:41 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 08:41 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 08:42 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60201684-1807-42B0-BA59-1E39789D391F}]
2008-01-19 05:49 109568 ----a-w- c:\windows\System32\naduecv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Enhanced Storage]
@="{60201684-1807-42B0-BA59-1E39789D391F}"
[HKEY_CLASSES_ROOT\CLSID\{60201684-1807-42B0-BA59-1E39789D391F}]
2008-01-19 05:49 109568 ----a-w- c:\windows\System32\naduecv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-08-01 222592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-09 845360]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8470528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-13 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8f,aa,93,50,2a,52,ca,01

R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-11-28 9728]
R3 USBZTECCID;ZTE USB Smartcard Driver;c:\windows\system32\DRIVERS\ZTEusbccid.sys [2008-11-06 13824]
R3 WSDPrintDevice;Soporte de impresión WSD a través de UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [2007-04-03 449536]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-01-12 716272]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 dseieegs;Transmeta Crusoe Processor Helper;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dseieegs
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-20 08:02]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 12:03]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 12:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.es/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://es.es.acer.yahoo.com
uSearchURL,(Default) = hxxp://es.rd.yahoo.com/customize/ycomp/defaults/su/*http://es.yahoo.com
IE: Anexar destino de vínculo a PDF existente - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convertir a Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: sagelogiccontrol.com\logicclass
DPF: {49DAAA81-99C9-46A2-BED7-FFC987AADA36} - hxxp://logicclass.sagelogiccontrol.com/LcPrint5_1.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
HKLM-Run-Persistence - c:\windows\system32\igfxpers.exe
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-POL Agent - c:\program files\POL\POL.exe
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 13:43
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5676)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TeamViewer3\TeamViewer_Service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\TeamViewer3\TeamViewer.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-04-21 13:51:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 11:51

Pre-Run: 59.570.937.856 bytes libres
Post-Run: 59.433.639.936 bytes libres

- - End Of File - - 15045D4B088D0C90680BEA8A80F02E9B



#7
April 21, 2010 at 05:07:41

A file has appeared on my desktop after running Combofix called "catchme.log". I don't know if it's important for you but the contents are:

driver loading error


Once again thanks and hope to hear from you soon.



#8
April 21, 2010 at 20:06:53

It's part of Combofix.

Please go to Virus Total and upload the following file for analysis:

c:\windows\System32\naduecv.dll

Use the browse button at the site to find the file, once you find the file double click it and it should appear in the empty space to the left of the browse button> click "send file". If the file has already been analyzed click the reanalyze button to have it checked again.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Driver::
dseieegs

Registry::
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetSvcs
"dseieegs"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.



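As an added example (not part of this thread, ComboFix or any of its scripts), here is a small Python triage helper that parses constructed lines modelled on the ComboFix "Reg Loading Points" report above and flags the two persistence points the helper acted on: the dseieegs service whose image is the shared host svchost.exe and whose name appears under the NetSvcs group, and the System32 DLL naduecv.dll registered under more than one COM load point (BHO and shell icon overlay CLSID). The allowlists KNOWN_NETSVCS and KNOWN_SYSTEM32_COM are assumed, deliberately partial sets an analyst would maintain.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" output posted
# above; only the lines relevant to the two findings are included.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60201684-1807-42B0-BA59-1E39789D391F}]
2008-01-19 05:49 109568 ----a-w- c:\windows\System32\naduecv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Enhanced Storage]
@="{60201684-1807-42B0-BA59-1E39789D391F}"
[HKEY_CLASSES_ROOT\CLSID\{60201684-1807-42B0-BA59-1E39789D391F}]
2008-01-19 05:49 109568 ----a-w- c:\windows\System32\naduecv.dll

R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 dseieegs;Transmeta Crusoe Processor Helper;c:\windows\System32\svchost.exe [2008-01-19 21504]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dseieegs
"""

# Assumed, deliberately partial allowlists (an analyst keeps their own).
KNOWN_NETSVCS = {"appmgmt", "bits", "browser", "schedule", "themes", "wuauserv"}
KNOWN_SYSTEM32_COM = {"shell32.dll", "ieframe.dll", "mshtml.dll"}

# "S2 name;description;image path [date size]" service lines
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
# "2008-01-19 05:49 109568 ----a-w- c:\path\file.dll" file lines under a key
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
NETSVCS_HDR = re.compile(r"Svchost\s*-\s*NetSvcs\s*$", re.IGNORECASE)


def parse_services(lines):
    """Return the service entries (start type, name, description, image path)."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            start, name, desc, path = m.groups()
            out.append({"start": start, "name": name, "desc": desc, "path": path})
    return out


def parse_netsvcs(lines):
    """Names ComboFix lists under the Svchost NetSvcs group (non-default ones)."""
    names, in_group = [], False
    for line in lines:
        if NETSVCS_HDR.search(line):
            in_group = True
            continue
        if in_group:
            s = line.strip()
            if not s or s == ".":
                break
            names.append(s)
    return names


def parse_com_loadpoints(lines):
    """Map each server DLL (lowercased path) to the registry keys that load it."""
    points, prev_key = defaultdict(set), None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            prev_key = km.group(1)
            continue
        fm = FILE_RE.match(line)
        if fm and prev_key:
            points[fm.group(1).lower()].add(prev_key)
        elif not line.strip():
            prev_key = None  # a blank line closes the current key block
    return points


def triage(log_text):
    lines = log_text.splitlines()
    findings = []
    netsvcs = {n.lower() for n in parse_netsvcs(lines)}
    for svc in parse_services(lines):
        image = svc["path"].lower().rsplit("\\", 1)[-1]
        if image == "svchost.exe" and svc["name"].lower() not in KNOWN_NETSVCS:
            # A raw svchost.exe image means the real code is a DLL resolved via
            # the service group; ComboFix only lists non-default group members.
            findings.append({"kind": "svchost_netsvcs", "name": svc["name"],
                             "desc": svc["desc"],
                             "in_netsvcs": svc["name"].lower() in netsvcs})
    for path, keys in parse_com_loadpoints(lines).items():
        base = path.rsplit("\\", 1)[-1]
        if path.startswith("c:\\windows\\system32\\") and base not in KNOWN_SYSTEM32_COM:
            findings.append({"kind": "system32_com_dll", "path": path,
                             "loadpoints": len(keys), "keys": sorted(keys)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```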

#9
April 22, 2010 at 01:26:08

Sorry, I have tried accessing the file using Virus Total in both normal and safe mode and it won't allow me to open the file as it says that I do not have Administrator rights. I have tried to copy and paste the file but with the same problem. I have also tried to access the file and change the property security settings but in Explorer the file does not appear.

What should I do?

Thanks



#10
April 22, 2010 at 02:33:32

I have tried to change the properties of the file i.e. owner within security settings but without any luck. I thought about using File Assassin to remove the file but I prefer and feel more comfortable following your help instructions.

Best regards,

Frank



#11
April 22, 2010 at 03:40:15

I was unable to access the file naduecv.dll but every so often I can see a file below it with the extension .bak. In "properties" it is the same size so I ran Virus Total on it, below are the results if it is of any help. However, I don't know what to do next.

Análisis del archivo naduecv.dll.bak recibido el 2010.04.22 10:26:15 (UTC)


Resultado: 29/41 (70.74%)

Motor antivirus Versión Última actualización Resultado
a-squared 4.5.0.50 2010.04.22 Trojan-Spy.Win32.Agent!IK
AhnLab-V3 5.0.0.2 2010.04.22 -
AntiVir 8.2.1.220 2010.04.22 -
Antiy-AVL 2.0.3.7 2010.04.21 Trojan/Win32.Agent.gen
Authentium 5.2.0.5 2010.04.22 W32/Agent.EY.gen!Eldorado
Avast 4.8.1351.0 2010.04.22 Win32:Malware-gen
Avast5 5.0.332.0 2010.04.22 Win32:Malware-gen
AVG 9.0.0.787 2010.04.22 PSW.Agent.AFFO
BitDefender 7.2 2010.04.22 Trojan.Boaxxe.X
CAT-QuickHeal 10.00 2010.04.22 Trojan.Boaxxe.gen
ClamAV 0.96.0.3-git 2010.04.22 Trojan.Spy-70296
Comodo 4663 2010.04.22 TrojWare.Win32.TrojanDownloader.Banload.a
DrWeb 5.0.2.03300 2010.04.22 -
eSafe 7.0.17.0 2010.04.21 -
eTrust-Vet 35.2.7443 2010.04.22 Win32/Kvol.CT
F-Prot 4.5.1.85 2010.04.21 W32/Agent.EY.gen!Eldorado
F-Secure 9.0.15370.0 2010.04.22 Trojan.Boaxxe.X
Fortinet 4.0.14.0 2010.04.21 -
GData 21 2010.04.22 Trojan.Boaxxe.X
Ikarus T3.1.1.80.0 2010.04.22 Trojan-Spy.Win32.Agent
Jiangmin 13.0.900 2010.04.22 TrojanSpy.Agent.pdw
Kaspersky 7.0.0.125 2010.04.22 -
McAfee 5.400.0.1158 2010.04.22 Boaxxe.gen.d
McAfee-GW-Edition 6.8.5 2010.04.22 Heuristic.LooksLike.Trojan.Spy.Agent.B
Microsoft 1.5703 2010.04.22 Trojan:Win32/Boaxxe.E
NOD32 5049 2010.04.22 Win32/TrojanClicker.Delf.NJE
Norman 6.04.11 2010.04.21 -
nProtect 2010-04-22.01 2010.04.22 Trojan-Spy/W32.Agent.109568.BK
Panda 10.0.2.7 2010.04.21 Trj/Genetic.gen
PCTools 7.0.3.5 2010.04.22 -
Prevx 3.0 2010.04.22 Medium Risk Malware
Rising 22.44.03.04 2010.04.22 -
Sophos 4.53.0 2010.04.22 Sus/UnkPack-C
Sunbelt 6207 2010.04.22 TrojanSpy.Win32.Agent.bedm (v)
Symantec 20091.2.0.41 2010.04.22 -
TheHacker 6.5.2.0.266 2010.04.21 Trojan/Spy.Agent.bdsw
TrendMicro 9.120.0.1004 2010.04.22 -
TrendMicro-HouseCall 9.120.0.1004 2010.04.22 -
VBA32 3.12.12.4 2010.04.22 Trojan-Spy.Win32.Agent.bdsv
ViRobot 2010.4.21.2288 2010.04.22 Trojan.Win32.Boaxxe.109568
VirusBuster 5.0.27.0 2010.04.21 TrojanSpy.Agent.TNVU
Información adicional
Tamano archivo: 109568 bytes
MD5...: 4b26e3b6a06ff39437e5d711222c33ff
SHA1..: 4e346e046bb52cea4951483f183b6c353f7c55a0
SHA256: a386b4864679df826677b914245e40a0826b61e9292948acb4516ea65911e431
ssdeep: 1536:LytCPi/AD7HQALa6reiT8nUc5xyxirFcVpX1RqVk8/36ECq7U+nDb5iqmZz
Up71:LJPa6wT6KnUcemcVpt8/5CW7DbzuUf

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x6f88
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x5fa0 0x6000 6.45 c51101e3266599708fe5dd07f132f5d5
DATA 0x7000 0x13210 0x13400 7.98 b238c999d632d31b3e2cf3801f2b4d92
BSS 0x1b000 0x8f5 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x1c000 0x6d0 0x800 4.34 d868f9e0584d7232651d0510e2ec5d81
.edata 0x1d000 0xdf 0x200 2.46 63ce9ac167ec2fbd16d394681f07bc73
.reloc 0x1e000 0x704 0x800 6.25 8ea53d09d24e321e085ca0d6ac36a19c
.rsrc 0x1f000 0x10 0x200 2.88 89ed230ccbb9e8bed2cf0692654d8633

( 4 imports )
> kernel32.dll: HeapCompact, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, HeapCreate, GetVersionExA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, ReleaseMutex, CreateMutexA, WaitForSingleObject, Sleep, GetVersion, GetLocaleInfoA, GetCommandLineA, ExitProcess, GlobalMemoryStatus, GetComputerNameA, GetSystemDirectoryA, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, FileTimeToDosDateTime, FileTimeToLocalFileTime, GetStdHandle, GetFileSize, WriteFile, ReadFile, CreateFileA, FindClose, SearchPathA, FindFirstFileA, GetThreadLocale, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, GetVolumeInformationA, UnhandledExceptionFilter, RtlUnwind, RaiseException, MultiByteToWideChar, GetStartupInfoA, GetModuleHandleA, GetModuleFileNameA, GetLastError, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, CloseHandle, GetProcAddress, FreeLibrary, LoadLibraryA
> advapi32.dll: SetSecurityDescriptorDacl, FreeSid, GetLengthSid, IsValidSecurityDescriptor, InitializeSecurityDescriptor, InitializeAcl, AllocateAndInitializeSid, AddAccessAllowedAce
> user32.dll: wvsprintfA, MessageBoxA
> oleaut32.dll: SysFreeString, SysAllocStringLen

( 7 exports )
DllCanUnloadNow, DllGetClassObject, Omknomk, DllMain, DllRegisterServer, DllUnregisterServer, ServiceMain

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_re...
http://info.prevx.com/aboutprogramtext.asp?PX5=5BF53AD2009DAD6FAC490173F6EDF0006EE6F98F


#12
April 22, 2010 at 03:41:56

Don't remove it just yet. Are you still getting pop ups?

#13
April 22, 2010 at 03:44:40

All the time. Non-stop - every time I start a program or when I try to write something like now.

#14
April 22, 2010 at 14:38:18

Hello Jabuck,

I am really desperate now because the AVG pop-up threats are non-stop now.

What do you think I should do?

Please let me know as soon as possible.

Thanks and best regards.


#15
April 22, 2010 at 15:21:30

Before you run the Combo script below, go offline and turn off your AVG antivirus, Windows Defender, and Spybot's TeaTimer.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\System32\naduecv.dll
c:\windows\System32\naduecv.dll.bak
c:\windows\System32\naduecv.bak

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Enhanced Storage]
@=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Restart your protection before getting back on line.


#16
April 22, 2010 at 16:13:00

I have done as instructed. The pop-ups have disappeared. Is there anything else that needs to be cleaned or done?

ComboFix 10-04-20.01 - Frank Khan 23/04/2010 0:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.34.3082.18.2045.941 [GMT 2:00]
Running from: c:\users\Frank Khan\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Frank Khan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\System32\naduecv.bak"
"c:\windows\System32\naduecv.dll"
"c:\windows\System32\naduecv.dll.bak"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\acer\AcerTour\Reminder.exe
c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\windows\system32\naduecv.dll
c:\windows\System32\naduecv.dll.bak

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dseieegs


((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-22 22:44 . 2010-04-22 22:47 -------- d-----w- c:\users\Frank Khan\AppData\Local\temp
2010-04-22 22:44 . 2010-04-22 22:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-22 22:44 . 2010-04-22 22:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-22 10:18 . 2010-04-22 10:18 -------- d-----w- c:\program files\NoVirusThanks
2010-04-21 11:05 . 2010-04-21 11:51 -------- d-----w- C:\Combo-Fix
2010-04-20 22:33 . 2010-04-20 22:33 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Malwarebytes
2010-04-20 22:32 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 22:32 . 2010-04-20 22:32 -------- d-----w- c:\programdata\Malwarebytes
2010-04-20 22:32 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:32 . 2010-04-20 22:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 12:22 . 2010-04-20 12:22 -------- d-----w- c:\program files\Trend Micro
2010-04-19 23:35 . 2010-04-19 23:35 -------- d-----w- c:\program files\Wondershare
2010-04-18 22:57 . 2010-04-18 22:57 -------- d-----w- c:\program files\Picture Collage Maker Free
2010-04-16 22:13 . 2010-04-19 23:00 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\gtk-2.0
2010-04-16 22:13 . 2010-04-16 22:13 -------- d-----w- c:\users\Frank Khan\.thumbnails
2010-04-16 22:11 . 2010-04-19 23:00 -------- d-----w- c:\users\Frank Khan\.gimp-2.6
2010-04-16 22:10 . 2010-04-16 22:10 -------- d-----w- c:\program files\GIMP-2.0
2010-04-16 21:28 . 2010-04-16 21:28 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\InstallShield
2010-04-15 21:47 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 21:47 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 21:47 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 21:47 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 21:47 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 21:47 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 21:46 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 21:46 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 21:46 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 12:16 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:16 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 18:16 . 2006-07-12 12:39 208896 ----a-w- c:\windows\system32\FFRafShellEx.dll
2010-04-13 18:16 . 2003-09-03 14:45 274432 ----a-w- c:\windows\system32\FFTIFF16.dll
2010-04-13 18:16 . 2010-04-16 21:29 -------- d-----w- c:\program files\FinePixViewer
2010-04-13 18:16 . 2004-07-24 19:28 155648 ----a-w- c:\windows\system32\FFRAFLIB.DLL
2010-04-13 15:10 . 2010-04-16 21:29 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\FUJIFILM
2010-04-12 21:06 . 2010-04-16 21:49 -------- d-----w- c:\program files\JDownloader
2010-04-12 08:06 . 2010-04-12 08:06 -------- d-----w- c:\program files\Common Files\Skype
2010-04-05 08:53 . 2010-04-05 08:53 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\PeerNetworking
2010-03-31 10:37 . 2010-03-31 10:37 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 22:45 . 2009-01-13 09:14 12 ----a-w- c:\windows\bthservsdp.dat
2010-04-22 21:34 . 2006-11-02 15:46 667966 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-22 21:34 . 2006-11-02 15:46 129720 ----a-w- c:\windows\system32\perfc00A.dat
2010-04-22 09:39 . 2007-12-20 09:41 -------- d-----w- c:\programdata\Google Updater
2010-04-21 11:00 . 2010-01-27 00:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-21 08:43 . 2010-04-21 08:43 242696 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-04-21 08:43 . 2010-02-23 23:39 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-21 08:42 . 2010-04-21 08:42 1689952 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-04-20 12:13 . 2010-02-01 08:30 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\HpUpdate
2010-04-20 12:13 . 2010-01-24 22:07 -------- d-----w- c:\program files\HP
2010-04-20 09:27 . 2007-12-20 14:44 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Skype
2010-04-20 08:57 . 2007-12-20 14:50 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\skypePM
2010-04-20 00:37 . 2010-01-27 00:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-19 23:36 . 2007-12-19 09:58 136760 ----a-w- c:\users\Frank Khan\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-16 23:04 . 2008-01-31 09:22 -------- d-----w- c:\program files\CCleaner
2010-04-16 21:30 . 2007-12-19 09:56 -------- d-----w- c:\program files\Yahoo!
2010-04-16 21:30 . 2007-08-13 19:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-15 23:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-12 08:06 . 2010-02-09 13:50 -------- d-----r- c:\program files\Skype
2010-04-09 09:05 . 2008-10-20 17:53 -------- d-----w- c:\program files\TeamViewer3
2010-03-31 10:10 . 2009-05-15 12:03 -------- d-----w- c:\program files\Java
2010-03-26 12:12 . 2007-12-19 10:07 27810 ----a-w- c:\users\Frank Khan\AppData\Roaming\nvModes.dat
2010-03-16 13:16 . 2010-03-16 13:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-16 13:16 . 2010-02-23 23:39 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-16 13:15 . 2010-02-23 23:39 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-14 22:11 . 2009-05-15 12:07 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\LimeWire
2010-03-09 22:13 . 2010-03-09 22:13 -------- d-----w- c:\programdata\TomTom
2010-03-09 22:12 . 2010-03-09 22:12 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\TomTom
2010-03-09 22:10 . 2010-03-09 22:10 -------- d-----w- c:\program files\TomTom DesktopSuite
2010-03-09 11:00 . 2010-03-06 16:56 224909 ----a-w- c:\windows\hpoins46.dat
2010-03-09 02:28 . 2009-05-15 12:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-08 11:28 . 2010-02-01 08:33 23711 ----a-w- c:\windows\hpqins15.dat
2010-03-06 17:46 . 2010-03-06 17:46 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\Telefónica Móviles
2010-03-06 17:42 . 2010-03-06 17:42 -------- d-----w- c:\program files\Movistar
2010-03-06 17:35 . 2007-12-20 14:28 -------- d-----w- c:\program files\Windows Live
2010-03-06 17:34 . 2010-03-06 17:34 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-06 17:08 . 2010-01-24 22:05 -------- d-----w- c:\programdata\HP
2010-03-06 17:08 . 2010-03-06 17:08 -------- d-----w- c:\programdata\HP Product Assistant
2010-03-06 17:06 . 2010-03-06 17:06 -------- d-----w- c:\program files\Common Files\HP
2010-03-05 10:46 . 2010-01-12 13:06 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\proDAD
2010-03-05 10:36 . 2007-08-13 21:12 -------- d-----w- c:\program files\Acer GameZone
2010-03-05 10:30 . 2010-02-26 01:10 -------- d-----w- c:\program files\Devious Codeworks
2010-03-05 10:21 . 2010-01-12 13:04 -------- d-----w- c:\program files\Boris FX, Inc
2010-03-03 20:48 . 2010-03-03 20:48 -------- d-----w- c:\program files\LimeWire
2010-03-01 16:05 . 2010-01-26 15:09 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\FileZilla
2010-02-26 03:06 . 2010-02-26 03:00 2855 ----a-w- c:\users\Frank Khan\AppData\Roaming\Microsoft\Office\Reciente\Anabel valdilecha.jpeg - frank@live.com.pif
2010-02-26 02:30 . 2010-02-26 02:30 2855 ----a-w- c:\users\Frank Khan\AppData\Roaming\Microsoft\Office\Reciente\Anabel valdilecha-frank@live.com.pif
2010-02-26 00:31 . 2010-02-26 00:08 -------- d-----w- c:\program files\Unlocker
2010-02-25 23:31 . 2010-01-27 12:09 -------- d-----w- c:\program files\Ares
2010-02-24 22:01 . 2009-08-15 23:12 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\vlc
2010-02-23 23:41 . 2010-02-23 23:38 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-02-23 23:38 . 2010-02-23 23:38 -------- d-----w- c:\programdata\avg9
2010-02-23 23:38 . 2008-05-21 16:21 -------- d-----w- c:\program files\AVG
2010-02-23 06:39 . 2010-03-31 09:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 09:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 09:50 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 09:50 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 13:00 . 2010-01-24 22:23 -------- d-----w- c:\users\Frank Khan\AppData\Roaming\HP
2010-02-21 22:56 . 2008-02-28 11:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 23:06 . 2010-03-10 09:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 09:26 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 09:26 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-03-13 09:47 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-09 13:50 . 2010-02-09 13:50 56 ---ha-w- c:\programdata\ezsidmv.dat
2010-02-02 09:35 . 2010-02-02 09:35 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbFB41.tmp.exe
2010-01-25 12:00 . 2010-02-24 08:42 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00 . 2010-02-24 08:41 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00 . 2010-02-24 08:41 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00 . 2010-02-24 08:42 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58 . 2010-02-24 08:41 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21 . 2010-02-24 08:41 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21 . 2010-02-24 08:41 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21 . 2010-02-24 08:41 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21 . 2010-02-24 08:41 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26 . 2010-02-24 08:42 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 12:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-08-01 222592]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-27 752136]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-09 845360]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"Skytel"="Skytel.exe" [2007-06-15 1826816]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-25 8470528]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-25 81920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-13 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8f,aa,93,50,2a,52,ca,01

R2 gupdate;Servicio Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-11-28 9728]
R3 USBZTECCID;ZTE USB Smartcard Driver;c:\windows\system32\DRIVERS\ZTEusbccid.sys [2008-11-06 13824]
R3 WSDPrintDevice;Soporte de impresión WSD a través de UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 ZY202_VS;ZyXEL 802.11g XG202 1211 Vista Driver;c:\windows\system32\DRIVERS\WlanUZG.sys [2007-04-03 449536]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-01-12 716272]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-16 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-21 242896]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 13560]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-16 308064]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-20 08:02]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 12:03]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-23 12:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.es/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://es.es.acer.yahoo.com
uSearchURL,(Default) = hxxp://es.rd.yahoo.com/customize/ycomp/defaults/su/*http://es.yahoo.com
IE: Anexar destino de vínculo a PDF existente - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convertir a Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Convertir destino de vínculo a Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: E&xportar a Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: sagelogiccontrol.com\logicclass
DPF: {49DAAA81-99C9-46A2-BED7-FFC987AADA36} - hxxp://logicclass.sagelogiccontrol.com/LcPrint5_1.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{60201684-1807-42B0-BA59-1E39789D391F} - c:\windows\system32\naduecv.dll
HKCU-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-23 00:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5112)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\TeamViewer3\TeamViewer_Service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\conime.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-04-23 00:54:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 22:54
ComboFix2.txt 2010-04-21 11:51

Pre-Run: 59.266.265.088 bytes libres
Post-Run: 59.008.929.792 bytes libres

- - End Of File - - 6F96F4D46BF03D101490FA74C364EE61


#17
April 22, 2010 at 16:59:03

Did that stop the popups?

#18
April 24, 2010 at 14:11:53

Sorry for the delay in responding. Yes Jabuck, it has stopped the pop-ups. Does that mean my computer is clean now or do I need to do other things as well? Please let me know as soon as you can.
Once again thanks and I hope to hear from you soon.

Frank


#19
April 24, 2010 at 17:19:00

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.


#20
April 25, 2010 at 02:41:12

Hi Jabuck,

First of all, thanks for your time, patience and help.

I have done as you said and hopefully the computer will stay clean for some time.

Thanks again and best regards,

Frank


#21
April 27, 2010 at 06:02:18

Hi Jabuck, I have the same as Khany (Frank) and I did the same steps, and here are my reports:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Vladi at 7:52:44.39 on Tue 04/27/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Business
6.0.6001.1.1252.1.3082.18.2036.820 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled*
(Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access
scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-
AFAE-013EFC3EDE33}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-
435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated)
{67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-
831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes
===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k
LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k
LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k
LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k
NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement
Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows
Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows
Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft
Office\Office12\GrooveMonitor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application
Launcher\Application Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common
Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Research In
Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Sony\Sony Picture
Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone
Monitor\epmworker.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Research In
Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB
Drivers\BbDevMgr.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Safari\Safari.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Vladi\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: ShoppingReport: {100eb1fd-d03e-47fd-81f3-ee91287f9465} - c:\program files\shoppingreport\bin\2.6.79\ShoppingReport.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: : {7be4182b-9946-4bc3-911a-f8ace058b97b} - c:\windows\system32\wxykvcy.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: ShopperReports: {a7cddcdc-beeb-4685-a062-978f5e07ceee} - c:\program files\shoppingreport\bin\2.6.79\ShoppingReport.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
StartupFolder: c:\users\vladi\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\vladi\appdata\roaming\micros~1\windows\startm~1\programs\startup\herram~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.6.79\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.6.79\ShoppingReport.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-us.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
TCP: {914FCB7B-8256-42FD-917A-3CCC8FFA3A92} = 196.3.81.5 200.88.127.23
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
STS: ShroyenaNvc.Shroyena: {49d379fe-6fca-4f2b-998f-c7400704c3fb} - c:\windows\system32\shroyena.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-28 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-3 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-3 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-4 135664]
S2 ucaczfgp;USB Modem Support;c:\windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-3-1 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-3-19 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-3-19 8320]

=============== Created Last 30 ================

2010-04-25 14:17:05 0 d-----w- c:\program files\ffdshow
2010-04-22 23:32:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-22 23:32:41 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-17 00:47:26 0 d-----w- c:\program files\Conduit
2010-04-17 00:47:25 0 d-----w- c:\program files\Vuze_Remote

==================== Find3M ====================

2010-04-15 02:49:30 667082 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-15 02:49:30 129692 ----a-w- c:\windows\system32\perfc00A.dat
2010-03-17 03:32:36 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-17 03:32:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-17 03:32:35 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2008-09-03 03:27:58 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 08:09:33 40258 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2008-01-21 08:09:33 40258 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2008-01-21 08:09:33 336930 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2008-01-21 08:09:33 336930 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 7:55:01.02 ===============


#22
April 27, 2010 at 06:03:02

Attach.exe

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 9/2/2008 11:45:49 PM
System Uptime: 4/27/2010 12:30:06 AM (7 hours ago)

Motherboard: Dell Inc. | | 0CU409
Processor: Intel(R) Core(TM)2 Duo CPU E8300 @ 2.83GHz | Socket 775 | 2831/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 134.626 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02381028&REV_02\3&2411E6FE&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_02381028&REV_02\3&2411E6FE&0&FB
Service:

==== System Restore Points ===================

RP749: 3/8/2010 - Scheduled checkpoint
RP750: 3/8/2010 5:49:02 PM - Scheduled checkpoint
RP751: 3/9/2010 7:49:58 AM - Windows Update
RP752: 3/10/2010 2:02:02 PM - Scheduled checkpoint
RP753: 3/11/2010 3:51:02 PM - Windows Update
RP754: 3/11/2010 4:22:35 PM - Windows Update
RP756: 3/12/2010 11:26:20 AM - Windows Defender Checkpoint
RP757: 3/14/2010 1:07:00 AM - Scheduled checkpoint

==== Installed Programs ======================

AC3Filter (remove only)
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.1
Adobe Shockwave Player 11
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AVG 8.5
AVI ReComp 1.4.5
AviSynth 2.5
Windows Live ID Sign-in Assistant
BlackBerry Desktop Software 5.0.1
BlackBerry Device Software v5.0.0 for the BlackBerry 9000 smartphone
BlackBerry® Media Sync
Bonjour
Canon iP1800 series
Dell Resource CD
Drawing for Children
EA SPORTS online 2008
Easy Avi/Divx/Xvid to DVD Burner 2.5.1
EAX Unified
Microsoft Encarta Encyclopedia 2003
ffdshow (remove only)
FLV Player 2.0, build 24
Google Toolbar for Internet Explorer
Google Update Helper
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java(TM) 6 Update 17
Java(TM) SE Runtime Environment 6
Junk Mail filter update
Magic ISO Maker v5.5 (build 0265)
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 Language Pack SP1 - esn
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (Spanish)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIRC
MobileMe Control Panel
Monica 8.5. Your business assistant
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetOp School
Nokia Connectivity Cable Driver
Compatibility Pack for the 2007 Office system
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Microsoft .NET Framework 3.5 SP1 Language Pack - esn
PC Connectivity Solution
Picture Package Music Transfer
Power Sound Editor Free
PowerDVD
QuickTime
Ray's Letters and Numbers
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shockwave
ShopperReports
ShroyenaNvc
Smart Menus (Windows Live Toolbar)
Sonic CinePlayer Decoder Pack
Sony Ericsson Device Data
Sony Ericsson Drivers
Sony Ericsson PC Suite
Sony Picture Utility
Sony USB Driver
Tux Paint 0.9.20b
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB977724)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Vuze_Remote Toolbar
Windows Driver Package - Logitech HIDClass (10/16/2006 1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Xvid 1.2.1

==== End Of File ===========================


#23
April 27, 2010 at 06:03:43

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4041

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

4/27/2010 8:16:23 AM
mbam-log-2010-04-27 (08-16-23).txt

Scan type: Quick scan
Objects scanned: 130845
Time elapsed: 8 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 45
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TOY5KNQ8OC (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.6.79 (Adware.ShopperReports) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\ShoppingReport\Bin\2.6.79\ShoppingReport.dll (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


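The unnamed BHO at c:\windows\system32\wxykvcy.dll, the STS (ShellServiceObjectDelayLoad) entry for shroyena.dll and the svchost-hosted service ucaczfgp all appear in the DDS report above but in none of the Malwarebytes detections in #23. Finding that gap by eye across two long logs is error-prone, so the script below does it mechanically. It is an added example written for this thread, not code from DDS, Malwarebytes or the poster. It parses DDS load-point lines (`KIND: name: {CLSID} - path`) and service lines (`S2 short;display;image [...]`), parses the Malwarebytes detection lines by their shape rather than by the section headers (which are localized, Spanish in this log), marks the DDS entries whose CLSID Malwarebytes already quarantined, and flags what is left using three assumptions of mine: an unnamed object loaded from system32 is suspect, a consonant-run heuristic (`looks_random`) catches machine-generated names, and any STS entry deserves a look. The sample input is a constructed subset of lines copied from the two logs.

```python
"""Cross-check a DDS "Pseudo HJT Report" against a Malwarebytes log.
Added example for this thread; not code from DDS, Malwarebytes or the poster."""
import re
from collections import Counter

# Constructed sample: load-point and service lines copied from the DDS report above.
DDS_SAMPLE = r"""
BHO: ShoppingReport: {100eb1fd-d03e-47fd-81f3-ee91287f9465} - c:\program files\shoppingreport\bin\2.6.79\ShoppingReport.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: : {7be4182b-9946-4bc3-911a-f8ace058b97b} - c:\windows\system32\wxykvcy.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
STS: ShroyenaNvc.Shroyena: {49d379fe-6fca-4f2b-998f-c7400704c3fb} - c:\windows\system32\shroyena.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-3 335240]
S2 ucaczfgp;USB Modem Support;c:\windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]
"""

# Constructed sample: detection lines copied from the Malwarebytes log in #23.
# That log's section headers are Spanish, so only the line shape is relied on.
MBAM_SAMPLE = r"""
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# "KIND: display name: {CLSID} - path"; the display name may be empty ("BHO: : {...}").
HJT_RE = re.compile(r"^(?P<kind>\w+): (?P<name>[^{]*?):? ?(?P<clsid>\{[0-9a-f-]{36}\}) - (?P<path>.+)$", re.I)
# "R1 short;Display Name;image path [date size]"
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<short>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[")
# "item (Family.Name) -> action"
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<action>.+)$")


def looks_random(token):
    """Assumed heuristic: no vowels at all, or a run of five or more consonants,
    is treated as a machine-generated name (wxykvcy, ucaczfgp)."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if not letters:
        return False
    if not re.search(r"[aeiou]", letters):
        return True
    return re.search(r"[^aeiou]{5,}", letters) is not None


def parse_mbam(text):
    """Return ({lower-case CLSID: family}, Counter of families) from MBAM detection lines."""
    clsids, families = {}, Counter()
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if not m:
            continue
        families[m["family"]] += 1
        for clsid in CLSID_RE.findall(m["item"]):
            clsids[clsid.lower()] = m["family"]
    return clsids, families


def triage(dds_text, mbam_text):
    """Return (identifier, verdict, reason) triples: 'removed' when MBAM already
    quarantined that CLSID, 'review' for suspicious entries MBAM did not touch."""
    removed, _ = parse_mbam(mbam_text)
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if m:
            clsid, path, name = m["clsid"].lower(), m["path"], m["name"].strip()
            if clsid in removed:
                findings.append((clsid, "removed", "MBAM quarantined as " + removed[clsid]))
                continue
            base = path.rsplit("\\", 1)[-1]
            ident = clsid if path.lower() == "no file" else base
            reasons = []
            if path.lower() == "no file":
                reasons.append("orphaned entry (No File)")
            if "\\system32\\" in path.lower() and not name:
                reasons.append("unnamed object loaded from system32")
            if looks_random(base.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
            if m["kind"].upper() == "STS":
                reasons.append("ShellServiceObjectDelayLoad entry, rarely used legitimately")
            if reasons:
                findings.append((ident, "review", "; ".join(reasons)))
            continue
        m = SVC_RE.match(line)
        # Only svchost-hosted services get the name heuristic: driver names like
        # avgldx86 are consonant-heavy but are not what this check is for.
        if m and "svchost.exe" in m["image"].lower() and looks_random(m["short"]):
            findings.append((m["short"], "review", "svchost-hosted service with random-looking name"))
    return findings


if __name__ == "__main__":
    _, families = parse_mbam(MBAM_SAMPLE)
    print("MBAM detections by family:", dict(families))
    for ident, verdict, reason in triage(DDS_SAMPLE, MBAM_SAMPLE):
        print(f"{verdict:8} {ident:45} {reason}")
```

On the sample this reports the two ShoppingReport/Zango CLSIDs as removed and leaves exactly wxykvcy.dll, shroyena.dll and ucaczfgp for review. `looks_random` is deliberately crude and will flag some legitimate names, so treat a `review` line as a prompt to check the file (signature, vendor, creation date) rather than as a verdict.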
#24
April 27, 2010 at 06:05:14

ComboFix 10-04-26.04 - Vladi 04/27/2010 8:42.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.3082.18.2036.774 [GMT -4:00]
Running from: c:\users\Vladi\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1059877426-1840680496-2087889005-500
c:\users\Vladi\AppData\Roaming\Desktopicon
c:\users\Vladi\AppData\Roaming\Desktopicon\config.ini
c:\users\Vladi\AppData\Roaming\Desktopicon\eBayShortcuts.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-27 to 2010-04-27 )))))))))))))))))))))))))))))))
.
.

2010-04-27 12:51 . 2010-04-27 12:51 -------- d-----w- c:\users\Vladi\AppData\Local\temp
2010-04-27 12:51 . 2010-04-27 12:51 -------- d-----w- c:\users\Steven\AppData\Local\temp
2010-04-27 12:00 . 2010-04-27 12:00 -------- d-----w- c:\users\Vladi\AppData\Roaming\Malwarebytes
2010-04-27 11:59 . 2010-03-29 19:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-27 11:59 . 2010-04-27 12:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-27 11:59 . 2010-04-27 11:59 -------- d-----w- c:\programdata\Malwarebytes
2010-04-27 11:59 . 2010-03-29 19:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-25 14:17 . 2010-04-25 14:17 -------- d-----w- c:\program files\ffdshow
2010-04-22 23:32 . 2009-12-23 12:43 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-22 23:32 . 2010-01-15 00:04 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-17 00:47 . 2010-04-17 00:47 -------- d-----w- c:\program files\Conduit
2010-04-17 00:47 . 2010-04-17 00:47 -------- d-----w- c:\program files\Vuze_Remote

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-27 12:48 . 2008-01-21 08:10 667082 ----a-w- c:\windows\system32\perfh00A.dat
2010-04-27 12:48 . 2008-01-21 08:10 129692 ----a-w- c:\windows\system32\perfc00A.dat
2010-04-27 12:35 . 2008-09-03 16:47 -------- d-----w- c:\users\Vladi\AppData\Roaming\Azureus
2010-04-25 14:09 . 2009-01-16 02:51 -------- d-----w- c:\users\Vladi\AppData\Roaming\AVI ReComp
2010-04-18 15:10 . 2008-09-03 15:02 -------- d-----w- c:\programdata\Microsoft Help
2010-04-18 15:10 . 2008-09-03 02:41 -------- d-----w- c:\program files\Google
2010-04-18 14:21 . 2008-09-03 13:20 680 ----a-w- c:\users\Steven\AppData\Local\d3d9caps.dat
2010-04-17 00:55 . 2008-11-03 01:54 175 ----a-w- c:\users\Vladi\AppData\Roaming\Azureus\restart.bat
2010-04-17 00:48 . 2008-09-03 16:46 -------- d-----w- c:\program files\Vuze
2010-04-08 15:03 . 2008-09-03 05:43 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-04 15:03 . 2008-09-03 00:51 5676 ----a-w- c:\users\Vladi\AppData\Local\d3d9caps.dat
2010-03-27 12:09 . 2010-03-15 12:17 -------- d-----w- c:\program files\EA SPORTS
2010-03-26 16:50 . 2009-06-11 13:01 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-03-20 19:37 . 2008-09-03 01:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-20 18:27 . 2008-09-03 13:20 116952 ----a-w- c:\users\Steven\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-17 16:32 . 2010-03-17 16:32 -------- d-----w- c:\users\Vladi\AppData\Roaming\Blackberry Desktop
2010-03-17 16:22 . 2008-09-03 01:08 -------- d-----w- c:\program files\Roxio
2010-03-17 01:38 . 2010-03-15 11:41 -------- d-----w- c:\program files\MagicISO
2010-03-17 01:32 . 2009-01-16 02:49 -------- d-----w- c:\program files\Gabest
2010-03-17 01:01 . 2010-03-17 01:01 -------- d--h--r- c:\users\Vladi\AppData\Roaming\SecuROM
2010-03-15 04:01 . 2008-09-03 08:09 -------- d-----w- c:\programdata\avg8
2010-03-14 20:38 . 2010-03-14 20:38 -------- d-----w- c:\users\Vladi\AppData\Roaming\Media Player Classic
2010-03-11 20:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-03-05 02:31 . 2008-09-03 13:06 116952 ----a-w- c:\users\Heidy\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 13:25 . 2010-03-02 05:28 -------- d-----w- c:\users\Vladi\AppData\Roaming\Research In Motion
2010-03-02 12:40 . 2010-03-02 05:28 256 ----a-w- c:\windows\system32\pool.bin
2010-03-02 12:38 . 2010-03-02 12:38 26694 ----a-r- c:\users\Vladi\AppData\Roaming\Microsoft\Installer\{42AEF63C-31EF-4FAD-9F4F-7079E0D0B831}\BlackBerry.exe
2010-03-02 12:38 . 2010-03-02 05:22 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-03-02 12:25 . 2008-09-03 00:51 116952 ----a-w- c:\users\Vladi\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-02 05:41 . 2010-03-02 05:34 -------- d-----w- c:\programdata\Research In Motion
2010-03-02 05:41 . 2010-03-02 05:22 -------- d-----w- c:\program files\Research In Motion
2010-03-01 14:49 . 2010-03-01 14:49 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-03-01 14:48 . 2008-09-03 01:52 -------- d-----w- c:\program files\Windows Live
2010-03-01 13:57 . 2008-09-03 02:58 -------- d-----w- c:\programdata\Roxio
2010-03-01 13:57 . 2008-09-03 01:09 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-03-01 13:57 . 2008-09-03 01:08 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-02-28 17:57 . 2008-09-03 01:09 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-02-28 16:21 . 2008-09-03 13:02 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-28 08:01 . 2008-09-03 01:01 -------- d-----w- c:\program files\Java
2010-02-24 14:16 . 2009-10-02 19:11 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39 . 2010-04-18 11:09 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-04-18 11:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-04-18 11:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-04-18 11:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39 . 2010-03-11 19:53 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37 . 2010-03-11 19:53 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 21:18 . 2010-03-11 19:53 411136 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 17:02 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2010-03-17 19:45 2355224 ----a-w- c:\program files\Vuze_Remote\tbVuze.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuze.dll" [2010-03-17 2355224]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-22 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-21 2046816]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-04-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-04-14 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-04-14 138008]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-29 1086856]

c:\users\Vladi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Herramienta de búsqueda de soportes de Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-9-2 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2009-11-19 1807704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 135664]
R2 ucaczfgp;USB Modem Support;c:\windows\System32\svchost.exe [2008-01-21 21504]
R3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-03-19 136704]
R3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-03-19 8320]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-05-27 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-01 335240]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-03-15 297752]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-21 1028432]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-21 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2008-01-21 251904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ucaczfgp
.
Contents of the 'Scheduled Tasks' folder

2010-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 12:15]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 11:45]

2010-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-04 11:45]

2010-04-27 c:\windows\Tasks\User_Feed_Synchronization-{DD78104A-9308-48BA-A609-7C2E89641BBB}.job
- c:\windows\system32\msfeedssync.exe [2010-04-18 04:54]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd....
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-*{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
BHO-{7BE4182B-9946-4BC3-911A-F8ACE058B97B} - c:\windows\system32\wxykvcy.dll
ShellIconOverlayIdentifiers-{7BE4182B-9946-4BC3-911A-F8ACE058B97B} - c:\windows\system32\wxykvcy.dll
SharedTaskScheduler-{49D379FE-6FCA-4F2B-998F-C7400704C3FB} - c:\windows\system32\shroyena.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-27 08:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-27 08:53:26
ComboFix-quarantined-files.txt 2010-04-27 12:53

Pre-Run: 148,178,063,360 bytes libres
Post-Run: 154,352,930,816 bytes libres

- - End Of File - - 88DCA3549FEE5AFA43F4BA44BE192772



#25
April 27, 2010 at 06:05:40

I still have the problem
