Trojan that I cannot remove


Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 8:01 am

Hi,

I have been infected by a Trojan. It seems to be residing in c:\Windows\Systems32\drivers\mxjiry.sys - this is a file I cannot remove and is identified by Avast.

I have tried to run Trojan removal 6.8.1 and it detects it and says it will remove it on reboot, but it never succeeds.

I have also run Malwarebytes Anti Malware which doesn't seem to detect it.

Avast often triggers when I type in a search string into the Chrome Browser address bar, and often mentions redirect trojans.

I have run all the updates you suggested, and here is the hijack file. Please help! Thanks:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:53:24, on 21/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Working\winlogon.scr
C:\Program Files\TextPad 5\TextPad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: VMN Toolbar - {A057A204-BACC-4D26-8287-79A187E26987} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: VMN Toolbar - {A057A204-BACC-4D26-8287-79A187E26987} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [EPSON SX510W Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFIE.EXE /FU "C:\Windows\TEMP\E_S9D35.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Calendar.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O8 - Extra context menu item: Note this (Google Notebook) - [You must be registered and logged in to see this link.] Files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - [You must be registered and logged in to see this link.] Files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu2.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate1c8a555915eee20) (gupdate1c8a555915eee20) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9237 bytes


This is the hosts file that it couldn't open:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost

jonathancunliffe (Novice) - Posts: 10 - Joined: 2010-01-20 - OS: Windows Vista - Points: 25268 - Likes: 0
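The HijackThis log above lists Internet Explorer settings (R0/R1), browser helper objects and toolbars (O2/O3), Run keys (O4), AppInit_DLLs (O20) and services (O23). The script below is an added example, not part of this thread and not HijackThis code: it parses lines in that format and applies a few heuristics of its own (a CLSID whose DLL is gone, a Run value that is a bare filename or launches from a user-writable directory, any AppInit_DLLs entry, a service with no vendor string). The sample lines are copied from the log above; Windows PowerShell 3 or later is assumed.

```powershell
# Added example, not part of the thread or of HijackThis itself: a first-pass
# triage of a pasted HijackThis log. Entries are split into (Code, Body) records
# by section code (O2 = BHO, O3 = toolbar, O4 = Run key, O20 = AppInit_DLLs,
# O23 = service) and flagged with this example's own heuristics.
# Assumes Windows PowerShell 3+. The sample lines are copied from the log above.

$log = @'
O2 - BHO: VMN Toolbar - {A057A204-BACC-4D26-8287-79A187E26987} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: dlcf_device - - C:\Windows\system32\dlcfcoms.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
'@

function Get-HjtEntry {
    # Split the log into (Code, Body, Raw) records; lines that are not HJT entries are dropped
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<code>[RO]\d+) - (?<body>.+)$') {
            [pscustomobject]@{ Code = $Matches.code; Body = $Matches.body; Raw = $line }
        }
    }
}

function Get-HjtReason {
    # Return a short reason when an entry matches a heuristic, otherwise $null
    param($Entry)
    $b = $Entry.Body
    switch ($Entry.Code) {
        { $_ -eq 'O2' -or $_ -eq 'O3' } {
            # CLSID still registered but the DLL is gone: leftover of a removed or half-removed add-on
            if ($b -match '\(no file\)') { return 'BHO/toolbar CLSID points at a missing file' }
        }
        'O4' {
            # A bare filename is resolved through the search path, so it can be shadowed
            if ($b -match '\]\s+(?<cmd>[^"\s]+)$' -and $Matches.cmd -notmatch '[\\:]') {
                return 'Run value is a bare filename resolved via the search path'
            }
            # Anything under the profile is writable without admin rights
            if ($b -match '\\AppData\\|\\Temp\\') { return 'Run value launches from a user-writable directory' }
        }
        'O20' { return 'AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll' }
        'O23' {
            # HijackThis prints "Unknown owner" or nothing at all when the binary carries no company name
            if ($b -match ' - (Unknown owner|) - ') { return 'service binary has no vendor string; verify its signature' }
        }
    }
    return $null
}

$findings = Get-HjtEntry -Text $log | ForEach-Object {
    $why = Get-HjtReason -Entry $_
    if ($why) { [pscustomobject]@{ Code = $_.Code; Reason = $why; Entry = $_.Raw } }
}
$findings | Format-List
```

The flagged entries are leads, not verdicts: an orphaned toolbar CLSID, a bare `sttray.exe` in a Run value, the Google AppInit_DLLs entry and the two services without a vendor string are exactly the items a helper looks up before deciding what to fix, and none of them is the driver the thread is actually about, which HijackThis does not list at all.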

Re: Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 8:05 am

Also, Avast comes up with this as an infection, apparently residing in the Windows Temp directory (which I have emptied in an attempt to remove the infection).

JS:Illredir-D [Trj]

Not sure if that helps....


Re: Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 8:10 am

Avast also finds this:

PHP:Redirector-H [Expl]

All related I think...


Re: Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 8:12 am

And this:

HTML:IFrame-GZ [Trj]

All of these are triggered by typing in for example the beginning of an IP address in the browser address bar of Chrome. I type in "88" and that is as far as I need to go before Avast detects the files such as those above...


Re: Trojan that I cannot remove

Post by Belahzur on 21st January 2010, 5:22 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34916 - Joined: 2008-08-03 - Gender: Male - OS: XP SP3 Media Centre - Points: 245079 - Likes: 1

Re: Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 6:50 pm

Hi Belahzur,

I have run this as you suggested, and it found one file. I have pasted the output below. The file was removed successfully.

However, I still am infected as Avast has again shown me that I have HTML:IFrame-GZ[Trj] in C:\Users\myname\AppData\Local\Temp\etilqs_MBQGLDtVc1ZkPWrZnQr

And I still cannot remove that file c:\windows\system32\drivers\Mxjiri.sys (and MBAM didn't detect that).

What is my next step?

Thanks,

Jonathan


Re: Trojan that I cannot remove

Post by jonathancunliffe on 21st January 2010, 8:56 pm

After doing all of this, Avast now confirms:

A Rootkit Was Found!

File name: C:\Windows\System32\Drivers\mxjiry.sys

Type: hidden services

Malware name: Win32:Rootkit-gen [Rtk]


Delete Now / Ignore

I always say Delete, but it simply cannot delete it (and neither can I nor can MBAM or Trojan Remover 6.8.1).


Please help - how do I zap this thing!!

Thanks in advance,

Jonathan

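The "hidden services" type in the Avast prompt is the important detail: the service key for mxjiry.sys exists and the driver is loaded, yet the file cannot be deleted, and with many kernel rootkits cannot even be seen, from user mode. The script below is an added example, not from the thread and not avast! code, that makes that comparison by hand: it walks every kernel-mode driver service in the registry, resolves its ImagePath, checks whether the file is visible, whether it is signed, and whether the OS admits it is loaded, then prints only the drivers with a flag. It assumes Windows PowerShell 3 or later in an elevated prompt; the flags are this example's heuristics, not a detection signature, and the signature check is only meaningful on Windows 8 or later, where catalog-signed inbox drivers report as Valid.

```powershell
# Added example, not part of the thread or of avast!: cross-check every
# kernel-mode driver service in the registry against the file it points at,
# the manual version of the "hidden service" check above. A driver whose
# service key exists but whose image cannot be seen from user mode, or whose
# image is unsigned, is what a rootkit like the reported mxjiry.sys looks
# like from the inside. Assumes Windows PowerShell 3+, an elevated prompt,
# and Windows 8+ for catalog-signature results; the flags are heuristics.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Drivers the OS admits to having loaded, keyed by service name
$loaded = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $loaded[$_.Name.ToLower()] = $_ }

function Resolve-DriverImagePath {
    # ImagePath for drivers comes in several shapes: \??\C:\..., \SystemRoot\..., system32\drivers\x.sys
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverReport {
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        # Type 1 = kernel driver, 2 = file system driver; everything else is a user-mode service
        if ($props.Type -ne 1 -and $props.Type -ne 2) { return }

        $path    = Resolve-DriverImagePath $props.ImagePath
        $exists  = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $wmi     = $loaded[$name.ToLower()]
        $running = ($null -ne $wmi -and $wmi.State -eq 'Running')

        $flags = @()
        if (-not $path)       { $flags += 'no ImagePath' }
        elseif (-not $exists) { $flags += 'image not visible from user mode' }   # hidden file, or a stale key
        if ($running -and -not $exists) { $flags += 'running with no visible image' }
        if ($exists -and $sig -ne 'Valid') { $flags += "signature $sig" }         # NotSigned alone is not a verdict on older Windows
        if (-not $props.DisplayName -and -not $props.Description) { $flags += 'no DisplayName/Description' }
        # Start 0 (boot) or 1 (system) means the driver is up before any AV service
        if ($null -ne $props.Start -and $props.Start -le 1 -and $flags.Count -gt 0) { $flags += 'boot/system start' }

        [pscustomobject]@{
            Service = $name
            Start   = $props.Start
            Running = $running
            Path    = $path
            Flags   = ($flags -join '; ')
        }
    }
}

# Print only drivers with at least one flag
Get-DriverReport | Where-Object { $_.Flags } | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Read the output together with a boot-time or offline scan rather than on its own: a kernel rootkit that hides its file can just as easily hide its service key from this enumeration, so a driver that is present in a boot-time scan but absent here is as telling as one that shows up flagged. That is also why the thread moves from in-Windows removal tools to ComboFix with the Recovery Console available: deleting a loaded, self-protecting driver from inside the running system is the step that keeps failing.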

Re: Trojan that I cannot remove

Post by Belahzur on 21st January 2010, 11:17 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Here is combofix.log - sorry it is long!

Post by jonathancunliffe on 22nd January 2010, 9:36 am

ComboFix 10-01-21.06 - Jonathan 22/01/2010 8:55.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1262 [GMT 0:00]
Running from: c:\working\Combo-Fix.exe
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-120015169-2902866275-3612616595-500
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
C:\install.exe
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\install.exe
c:\windows\system32\libmysql41.dll
c:\windows\system32\SIntf16.dll
c:\windows\system32\drivers\mxjiry.sys . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_mxjiry
-------\Service_mxjiry


((((((((((((((((((((((((( Files Created from 2009-12-22 to 2010-01-22 )))))))))))))))))))))))))))))))
.

2010-01-22 09:12 . 2010-01-22 09:12 -------- d-----w- c:\users\Jonathan2008\AppData\Local\temp
2010-01-22 09:12 . 2010-01-22 09:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-21 20:18 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-21 20:18 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-20 22:27 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 22:09 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-20 22:09 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-20 22:09 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-20 21:58 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-01-20 21:58 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-01-20 21:58 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-01-20 21:58 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-01-20 21:58 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2010-01-20 21:58 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-01-20 21:58 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-01-20 21:50 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-01-20 21:50 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-01-20 21:50 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-01-20 21:50 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-01-20 21:50 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2010-01-20 21:47 . 2010-01-20 21:47 -------- d-----w- c:\program files\MSXML 4.0
2010-01-20 21:46 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2010-01-20 21:46 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-01-20 21:46 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-01-20 21:46 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-01-20 21:45 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-20 21:45 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2010-01-20 21:45 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-01-20 21:45 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-01-20 21:45 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-01-20 21:45 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-01-20 21:45 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-01-20 21:45 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-01-20 21:45 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2010-01-20 21:45 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2010-01-20 21:44 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2010-01-20 21:44 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-20 21:44 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-20 21:44 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-20 21:44 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-20 21:44 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-20 21:44 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-01-20 21:44 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2010-01-20 21:44 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-01-20 21:44 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2010-01-20 21:44 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2010-01-20 21:42 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-20 21:41 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-01-20 21:40 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2010-01-20 21:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-20 21:32 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-20 10:53 . 2010-01-20 10:53 -------- d-----w- c:\program files\Trojan Remover
2010-01-20 10:50 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-20 10:50 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-20 10:50 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-20 10:50 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-01-20 10:50 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-20 10:49 . 2010-01-20 10:53 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Simply Super Software
2010-01-20 10:49 . 2010-01-20 10:49 -------- d-----w- c:\programdata\Simply Super Software
2010-01-19 11:40 . 2010-01-19 11:40 -------- d-----w- c:\users\Jonathan\AppData\Roaming\AI Internet Solutions
2010-01-19 11:39 . 2009-07-08 11:08 2827984 ----a-w- c:\windows\system32\csevalidator.dll
2010-01-19 11:39 . 2010-01-19 11:39 -------- d-----w- c:\program files\HTMLValidator90
2010-01-18 11:05 . 2010-01-14 11:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-15 15:21 . 2010-01-21 21:41 -------- d-----w- C:\settings
2010-01-15 15:05 . 2010-01-15 15:28 -------- d-----w- c:\program files\reinstalled
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Malwarebytes
2010-01-15 13:46 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\programdata\Malwarebytes
2010-01-15 13:46 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 11:30 . 2010-01-15 11:30 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Dynamic
2010-01-15 11:30 . 2010-01-15 11:49 -------- d-----w- c:\users\Jonathan\AppData\Roaming\SiteClasses
2010-01-15 11:30 . 2010-01-15 11:35 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Sites
2010-01-15 11:27 . 2010-01-15 11:28 -------- d-----w- c:\program files\CA VMN Anti-Spyware
2010-01-15 11:27 . 2010-01-15 11:28 -------- d-----w- c:\programdata\EmailNotifier
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\users\Jonathan\AppData\Roaming\EmailNotifier
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\program files\vmntoolbar
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\users\Jonathan\AppData\Roaming\vmntoolbar
2010-01-15 11:26 . 2010-01-15 12:01 -------- d-----w- c:\program files\Visicom Media
2010-01-15 10:19 . 2010-01-15 10:19 -------- d-----w- c:\program files\CoreFTP
2010-01-14 18:51 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-14 18:51 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-14 18:51 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-14 18:50 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-14 18:50 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-14 18:50 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-14 18:50 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-14 18:50 . 2010-01-14 18:50 -------- d-----w- c:\program files\Alwil Software
2010-01-11 18:36 . 2010-01-15 09:05 0 ----a-w- c:\users\Jonathan\AppData\Local\Hruvoqeziwa.bin
2010-01-11 18:36 . 2010-01-15 13:30 120 ----a-w- c:\users\Jonathan\AppData\Local\Byeja.dat
2010-01-11 18:36 . 2010-01-11 18:36 -------- d-----w- c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 09:30 . 2007-08-28 08:53 -------- d-----w- c:\programdata\Google Updater
2010-01-20 21:22 . 2008-12-14 20:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 21:22 . 2007-03-24 14:58 -------- d-----w- c:\program files\Java
2010-01-20 09:06 . 2007-04-18 15:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 21:25 . 2009-05-27 13:37 -------- d-----w- c:\users\Jonathan\AppData\Roaming\MySQL
2010-01-18 06:28 . 2007-03-28 10:57 86480 ----a-w- c:\users\Jonathan\AppData\Roaming\nvModes.dat
2010-01-15 15:28 . 2008-02-27 19:39 -------- d-----w- c:\users\Jonathan\AppData\Roaming\FileZilla
2010-01-15 15:00 . 2007-08-29 19:55 -------- d-----w- c:\program files\Norton Security Scan
2010-01-15 14:56 . 2008-09-03 08:24 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-15 13:44 . 2007-09-27 08:35 -------- d-----w- c:\program files\Vista Buttons
2010-01-14 18:34 . 2009-12-16 08:07 -------- d-----w- c:\programdata\avg9
2010-01-13 10:30 . 2008-05-03 06:32 -------- d-----w- c:\program files\Nokia
2010-01-13 10:16 . 2007-03-24 14:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 10:03 . 2007-03-24 15:17 -------- d-----w- c:\program files\Google
2010-01-13 09:57 . 2007-05-10 16:20 -------- d-----w- c:\program files\Citrix
2010-01-07 11:53 . 2009-06-02 12:52 -------- d-----w- c:\program files\SEO PowerSuite
2010-01-01 15:03 . 2009-04-10 14:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-24 10:58 . 2007-03-28 10:47 90176 ----a-w- c:\users\Jonathan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-16 08:08 . 2009-12-16 08:08 -------- d-----w- c:\program files\AVG
2009-12-16 07:59 . 2009-12-11 16:05 -------- d-sh--w- c:\users\Jonathan\AppData\Roaming\lowsec
2009-12-16 07:58 . 2007-03-24 15:15 -------- d-----w- c:\programdata\McAfee
2009-12-16 07:24 . 2007-03-28 13:03 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-15 19:22 . 2009-12-07 19:55 163128 ----a-w- c:\windows\hpoins39.dat
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-07 20:04 . 2009-12-07 20:04 -------- d-----w- c:\program files\Common Files\HP
2009-12-07 19:55 . 2008-05-16 17:19 -------- d-----w- c:\program files\HP
2009-11-30 08:42 . 2009-11-30 08:42 -------- d-----w- c:\users\Jonathan\AppData\Roaming\WebbIE
2009-11-30 08:33 . 2009-11-30 08:33 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Sensory
2009-11-30 08:33 . 2009-11-30 08:32 -------- d-----w- c:\program files\WebbIE
2009-11-30 08:32 . 2009-11-30 08:32 -------- d-----w- c:\programdata\WebbIE
2009-11-27 17:42 . 2009-11-27 17:42 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Texthelp Systems
2009-11-21 06:40 . 2010-01-20 21:43 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2010-01-20 21:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2010-01-20 21:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2010-01-20 21:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-02 09:51 . 2009-01-02 17:46 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2000-01-01 00:00 . 2009-11-27 17:44 163840 ----a-w- c:\program files\mozilla firefox\components\XPBrowsealoudPlugin.dll
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\System32\CdI5T.drv
2007-03-24 22:41 . 2007-03-24 22:40 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"VMCL"="c:\program files\vodafone\vmclite\DongleEnumerator.exe" [2007-11-07 131072]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-28 68856]
"Google Update"="c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-04 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-02 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-17 1070984]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Calendar.lnk - c:\windows\Installer\{EF460231-0460-44CD-BB09-76D274F272FE}\Calendar.exe [2009-11-30 5390]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoStart IR.lnk]
backup=c:\windows\pss\AutoStart IR.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jonathan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jonathan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PersonalBrain.lnk]
path=c:\users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PersonalBrain.lnk
backup=c:\windows\pss\PersonalBrain.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPGServiceTool
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToAssist Express Expert
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-09-03 19:12 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto LogOff]
2008-10-17 16:40 36864 ----a-w- c:\program files\Turn Off Monitor\AutoLogOff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 17:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-21 00:48 73728 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\dlcftime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-12-02 09:51 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-04-19 05:37 3289088 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IECheck]
2005-11-17 19:40 108544 ----a-w- c:\windows\IEcheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
2007-09-07 13:44 3100672 ----a-w- c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-10-04 21:24 86016 ----a-w- c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-28 08:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-06-10 22:07 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [14/01/2010 18:50 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [14/01/2010 18:50 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [14/01/2010 18:50 53328]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [05/12/2008 07:16 16896]
S3 radpms;Driver for RADPMS Device;c:\windows\System32\drivers\radpms.sys [24/07/2008 17:45 12192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MXJIRY
*Deregistered* - mxjiry

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-22 17:02]

2010-01-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-28 11:28]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 05:03]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 05:03]

2010-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120015169-2902866275-3612616595-1000Core.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 03:08]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120015169-2902866275-3612616595-1000UA.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 03:08]

2010-01-15 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-19 21:42]

2010-01-22 c:\windows\Tasks\User_Feed_Synchronization-{0DA16482-3D15-4CAE-BEA7-D1D8C9C4E503}.job
- c:\windows\system32\msfeedssync.exe [2010-01-20 04:59]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Note this (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu2.html
FF - ProfilePath - c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jonathan\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-emMON - HCWemMON.exe
MSConfigStartUp-hcwemMON - hcwemMON.exe
MSConfigStartUp-MskAgentexe - c:\program files\McAfee\MSK\MskAgent.exe
MSConfigStartUp-RGSC - c:\program files\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-SurfOffline Professional 2 - c:\program files\SurfOffline Professional 2\uninstall.exe
AddRemove-Vista Buttons - c:\program files\Vista Buttons\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-22 09:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mxjiry]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42101CB8-7A43-0C74-BF09-4F5B6D4398CF}*]
"maahogijhfcmgggdldbhgnmmnp"=hex:6a,61,6f,6a,6d,61,6a,66,61,68,6c,67,6c,61,62,
70,64,6a,70,6e,00,90
"nakiiognemfbdckanolaiikegohl"=hex:6a,61,6c,6c,6f,6f,66,6e,67,69,70,70,61,65,
70,6f,64,70,6c,69,00,90
"fbllfpdlhlhinoggghieimkcmokjhbofnnflmjidfdho"=hex:66,61,6c,6c,69,70,66,6f,6e,
6f,61,64,00,03

[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY*]
"??"=hex:e2,85,49,7d,ff,86,fb,f1,a5,68,37,1b,d0,87,45,a3,89,ae,c3,be,78,c3,9b,
6d,1b,d6,20,e5,de,e2,d6,52,0b,95,47,3a,0d,02,cd,a1,3b,ff,8a,60,7b,61,2e,3d,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:72,e4,bf,95,e9,df,4a,b6,cf,69,81,6c,b6,0a,a1,16,d8,d6,02,16,8a,
d2,c7,0b,7d,cb,ec,27,23,62,8d,a5,69,18,76,4b,60,57,9e,92,7d,f4,a5,ef,4d,ed,\
"rkeysecu"=hex:dd,26,a1,5f,05,1d,a7,c6,a6,01,e8,79,68,66,f8,cc

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\dlcfcoms.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\sttray.exe
c:\windows\System32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2010-01-22 09:32:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-22 09:32

Pre-Run: 30,668,042,240 bytes free
Post-Run: 30,304,677,888 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 9AC5F251FA85F4F4D2D05CB044ADF3E6


Re: Trojan that I cannot remove

Post by Belahzur on 22nd January 2010, 10:31 pm

Hello.
A stubborn file doesn't want to leave; guess we'll need to put ComboFix into overdrive.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KILLALL::

    Driver::
    mxjiry

    Rootkit::
    c:\windows\system32\drivers\mxjiry.sys

    File::
    c:\windows\system32\drivers\mxjiry.sys

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mxjiry]

    RegNull::
    [HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42101CB8-7A43-0C74-BF09-4F5B6D4398CF}*]

    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


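Added worked example (my own code, not ComboFix's and not Belahzur's): a small Python triage of the ComboFix log in jonathancunliffe's post, showing where each section of the CFScript above comes from. It parses the LOCKED REGISTRY KEYS block, rejoins the hex: values that ComboFix wraps onto bare continuation lines, marks the ones ComboFix cut short with a trailing backslash, decodes them, and then emits Driver::, Registry::, RegNull:: and RegLock:: lines in the same layout as the script. The sample log is a constructed excerpt of the one above. Two things are my assumptions, not anything ComboFix does: treating a value name that is one long run of lowercase letters as generated (the Shell Extensions\Approved values decode to more strings of the same kind, e.g. the maahog... value holds "jaojmajfahlglabpdjpn" followed by 00 90, while the SecuROM values decode to nothing readable and the script leaves them alone), and the rule that a key carrying @Denied ACL lines but no such values goes under RegLock:: rather than RegNull::. The driver file path is an input the analyst supplies, because the log names the mxjiry service but not the file on disk; here it is the path from the first post.

```python
"""Triage of a ComboFix log into CFScript sections. Added worked example, not
ComboFix's code and not Belahzur's; assumptions are marked in comments."""
import re

# Constructed excerpt of the log posted above. Long hex values end in a
# backslash where ComboFix cut them short, exactly as printed in the thread.
SAMPLE_LOG = r"""
*NewlyCreated* - MXJIRY
*Deregistered* - mxjiry
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mxjiry]
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{42101CB8-7A43-0C74-BF09-4F5B6D4398CF}*]
"maahogijhfcmgggdldbhgnmmnp"=hex:6a,61,6f,6a,6d,61,6a,66,61,68,6c,67,6c,61,62,
70,64,6a,70,6e,00,90
[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\SecuROM\License information*]
"datasecu"=hex:72,e4,bf,95,e9,df,4a,b6,cf,69,81,6c,b6,0a,a1,16,d8,d6,02,16,8a,
d2,c7,0b,7d,cb,ec,27,23,62,8d,a5,69,18,76,4b,60,57,9e,92,7d,f4,a5,ef,4d,ed,\
"rkeysecu"=hex:dd,26,a1,5f,05,1d,a7,c6,a6,01,e8,79,68,66,f8,cc
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
------------------------ Other Running Processes ------------------------
"""

KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
HEX_START = re.compile(r'^"(?P<name>.+?)"=hex:(?P<data>.*)$')
HEX_CONT = re.compile(r"^(?:[0-9a-fA-F]{2},?)+\\?$")  # bare wrapped hex line
DRIVER_MEM = re.compile(r"^\*(?:NewlyCreated|Deregistered)\* - (?P<name>\S+)$")
SERVICE_KEY = re.compile(r"^\[(?P<key>HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\[^\\\]]+)\]$")
# Assumption (mine): one long run of lowercase letters is a generated value name.
GENERATED_NAME = re.compile(r"^[a-z]{16,}$")


def parse_locked_keys(text):
    """Parse the LOCKED REGISTRY KEYS section into {path, acl, hex} records."""
    lines = [l.rstrip() for l in text.splitlines()]
    i = next((n + 1 for n, l in enumerate(lines) if "LOCKED REGISTRY KEYS" in l), len(lines))
    keys, cur = [], None
    while i < len(lines) and not lines[i].startswith("-----"):
        line = lines[i]
        if (m := KEY.match(line)):
            keys.append(cur := {"path": m["key"], "acl": [], "hex": {}})
        elif cur is not None and line.startswith("@"):
            cur["acl"].append(line)
        elif cur is not None and (m := HEX_START.match(line)):
            parts = [m["data"]]
            while i + 1 < len(lines) and HEX_CONT.match(lines[i + 1]):  # ComboFix wraps long values
                i += 1
                parts.append(lines[i])
            truncated = parts[-1].endswith("\\")  # trailing backslash: ComboFix cut the value short
            raw = bytes(int(h, 16) for h in ",".join(parts).rstrip("\\").split(",") if h)
            cur["hex"][m["name"]] = (raw, truncated)
        i += 1
    return keys


def decoded_text(raw):
    """ASCII string in front of the first NUL, or None when the bytes are not text."""
    head = raw.split(b"\x00", 1)[0]
    if len(head) >= 4 and all(0x20 <= b < 0x7F for b in head):
        return head.decode("ascii")
    return None


def triage(text):
    """Collect from the log the items the script above acts on."""
    lines = [l.strip() for l in text.splitlines()]
    drivers = sorted({m["name"].lower() for m in map(DRIVER_MEM.match, lines) if m})
    service_keys = [m["key"] for m in map(SERVICE_KEY.match, lines) if m]
    regnull, reglock = [], []
    for k in parse_locked_keys(text):
        # Assumption (mine): generated names holding readable text mark a key to
        # null out; a key that is merely ACL-locked gets its permissions reset.
        if any(GENERATED_NAME.match(n) and decoded_text(raw) for n, (raw, _) in k["hex"].items()):
            regnull.append(k["path"])
        elif any(a.startswith("@Denied") for a in k["acl"]):
            reglock.append(k["path"])
    return {"drivers": drivers, "service_keys": service_keys, "regnull": regnull, "reglock": reglock}


def build_cfscript(findings, driver_file=None):
    """Render the sections in the thread's order; driver_file is the analyst's input."""
    out = ["KILLALL::"]
    if findings["drivers"]:
        out += ["", "Driver::", *findings["drivers"]]
    if driver_file:  # the log names the service, not the file on disk
        out += ["", "Rootkit::", driver_file, "", "File::", driver_file]
    if findings["service_keys"]:
        out += ["", "Registry::", *(f"[-{k}]" for k in findings["service_keys"])]
    for label, hits in (("RegNull::", findings["regnull"]), ("RegLock::", findings["reglock"])):
        if hits:
            out += ["", label, *(f"[{k}]" for k in hits)]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG), r"c:\windows\system32\drivers\mxjiry.sys"))
```

Running it prints the same sections Belahzur posted for this log. Whether the result goes into CFScript.txt is still the analyst's call; the point is to see which log lines each directive is answering, and to have the decoded bytes in front of you before nulling a key.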

Re: Trojan that I cannot remove

Post by jonathancunliffe on 25th January 2010, 7:42 am

Hi, I did that and this is the output. Do you think that has finally done it?!

ComboFix 10-01-24.03 - Jonathan 25/01/2010 7:00.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1330 [GMT 0:00]
Running from: c:\working\Combo-Fix.exe
Command switches used :: c:\working\CFScript.txt
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\mxjiry.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}
c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}\chrome.manifest
c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}\chrome\content\_cfg.js
c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}\chrome\content\overlay.xul
c:\users\Jonathan\AppData\Local\{062F90A8-0B63-4D22-9180-15A5F2DBD2A2}\install.rdf
c:\windows\Fonts\MyriadPro-Regular.otf
c:\windows\system32\drivers\mxjiry.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MXJIRY
-------\Service_mxjiry


((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-25 07:18 . 2010-01-25 07:26 -------- d-----w- c:\users\Jonathan\AppData\Local\temp
2010-01-25 07:18 . 2010-01-25 07:18 -------- d-----w- c:\users\user01\AppData\Local\temp
2010-01-25 07:18 . 2010-01-25 07:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-25 07:18 . 2010-01-25 07:18 -------- d-----w- c:\users\Jonathan2008\AppData\Local\temp
2010-01-25 07:18 . 2010-01-25 07:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-22 12:27 . 2010-01-02 06:38 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-22 12:26 . 2010-01-02 06:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-22 12:26 . 2010-01-02 04:57 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-01-22 12:26 . 2010-01-02 06:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-22 12:26 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-21 20:18 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-21 20:18 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-20 22:27 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-20 22:09 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-20 22:09 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-20 22:09 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-20 21:58 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-01-20 21:58 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-01-20 21:58 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-01-20 21:58 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-01-20 21:58 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
2010-01-20 21:58 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-01-20 21:58 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-01-20 21:50 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-01-20 21:50 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-01-20 21:50 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-01-20 21:50 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-01-20 21:50 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
2010-01-20 21:47 . 2010-01-20 21:47 -------- d-----w- c:\program files\MSXML 4.0
2010-01-20 21:46 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2010-01-20 21:46 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-01-20 21:46 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-01-20 21:46 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-01-20 21:45 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-01-20 21:45 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2010-01-20 21:45 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-01-20 21:45 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-01-20 21:45 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-01-20 21:45 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-01-20 21:45 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-01-20 21:45 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-01-20 21:45 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2010-01-20 21:45 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2010-01-20 21:44 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2010-01-20 21:44 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-20 21:44 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-20 21:44 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-20 21:44 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-01-20 21:44 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2010-01-20 21:44 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-01-20 21:44 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2010-01-20 21:44 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-01-20 21:44 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2010-01-20 21:44 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2010-01-20 21:42 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-01-20 21:41 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-01-20 21:40 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2010-01-20 21:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-01-20 21:32 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-01-20 10:53 . 2010-01-20 10:53 -------- d-----w- c:\program files\Trojan Remover
2010-01-20 10:50 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-20 10:50 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-20 10:50 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-20 10:50 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-01-20 10:50 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-20 10:49 . 2010-01-20 10:53 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Simply Super Software
2010-01-20 10:49 . 2010-01-20 10:49 -------- d-----w- c:\programdata\Simply Super Software
2010-01-19 11:40 . 2010-01-19 11:40 -------- d-----w- c:\users\Jonathan\AppData\Roaming\AI Internet Solutions
2010-01-19 11:39 . 2009-07-08 11:08 2827984 ----a-w- c:\windows\system32\csevalidator.dll
2010-01-19 11:39 . 2010-01-19 11:39 -------- d-----w- c:\program files\HTMLValidator90
2010-01-18 11:05 . 2010-01-14 11:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-15 15:21 . 2010-01-25 06:43 -------- d-----w- C:\settings
2010-01-15 15:05 . 2010-01-15 15:28 -------- d-----w- c:\program files\reinstalled
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Malwarebytes
2010-01-15 13:46 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 13:46 . 2010-01-15 13:46 -------- d-----w- c:\programdata\Malwarebytes
2010-01-15 13:46 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 11:30 . 2010-01-15 11:30 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Dynamic
2010-01-15 11:30 . 2010-01-15 11:49 -------- d-----w- c:\users\Jonathan\AppData\Roaming\SiteClasses
2010-01-15 11:30 . 2010-01-15 11:35 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Sites
2010-01-15 11:27 . 2010-01-15 11:28 -------- d-----w- c:\program files\CA VMN Anti-Spyware
2010-01-15 11:27 . 2010-01-15 11:28 -------- d-----w- c:\programdata\EmailNotifier
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\users\Jonathan\AppData\Roaming\EmailNotifier
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\program files\vmntoolbar
2010-01-15 11:27 . 2010-01-15 11:27 -------- d-----w- c:\users\Jonathan\AppData\Roaming\vmntoolbar
2010-01-15 11:26 . 2010-01-15 12:01 -------- d-----w- c:\program files\Visicom Media
2010-01-15 10:19 . 2010-01-15 10:19 -------- d-----w- c:\program files\CoreFTP
2010-01-14 18:51 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-14 18:51 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-14 18:51 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-01-14 18:50 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-14 18:50 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-14 18:50 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-14 18:50 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-14 18:50 . 2010-01-14 18:50 -------- d-----w- c:\program files\Alwil Software
2010-01-11 18:36 . 2010-01-15 09:05 0 ----a-w- c:\users\Jonathan\AppData\Local\Hruvoqeziwa.bin
2010-01-11 18:36 . 2010-01-15 13:30 120 ----a-w- c:\users\Jonathan\AppData\Local\Byeja.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 12:33 . 2007-08-28 08:53 -------- d-----w- c:\programdata\Google Updater
2010-01-22 15:00 . 2007-08-29 19:55 -------- d-----w- c:\program files\Norton Security Scan
2010-01-20 21:22 . 2008-12-14 20:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-20 21:22 . 2007-03-24 14:58 -------- d-----w- c:\program files\Java
2010-01-20 09:06 . 2007-04-18 15:28 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 21:25 . 2009-05-27 13:37 -------- d-----w- c:\users\Jonathan\AppData\Roaming\MySQL
2010-01-18 06:28 . 2007-03-28 10:57 86480 ----a-w- c:\users\Jonathan\AppData\Roaming\nvModes.dat
2010-01-15 15:28 . 2008-02-27 19:39 -------- d-----w- c:\users\Jonathan\AppData\Roaming\FileZilla
2010-01-15 14:56 . 2008-09-03 08:24 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-15 13:44 . 2007-09-27 08:35 -------- d-----w- c:\program files\Vista Buttons
2010-01-14 18:34 . 2009-12-16 08:07 -------- d-----w- c:\programdata\avg9
2010-01-13 10:30 . 2008-05-03 06:32 -------- d-----w- c:\program files\Nokia
2010-01-13 10:16 . 2007-03-24 14:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-13 10:03 . 2007-03-24 15:17 -------- d-----w- c:\program files\Google
2010-01-13 09:57 . 2007-05-10 16:20 -------- d-----w- c:\program files\Citrix
2010-01-07 11:53 . 2009-06-02 12:52 -------- d-----w- c:\program files\SEO PowerSuite
2010-01-01 15:03 . 2009-04-10 14:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-24 10:58 . 2007-03-28 10:47 90176 ----a-w- c:\users\Jonathan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-16 08:08 . 2009-12-16 08:08 -------- d-----w- c:\program files\AVG
2009-12-16 07:59 . 2009-12-11 16:05 -------- d-sh--w- c:\users\Jonathan\AppData\Roaming\lowsec
2009-12-16 07:58 . 2007-03-24 15:15 -------- d-----w- c:\programdata\McAfee
2009-12-16 07:24 . 2007-03-28 13:03 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-12-15 19:22 . 2009-12-07 19:55 163128 ----a-w- c:\windows\hpoins39.dat
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-07 20:04 . 2009-12-07 20:04 -------- d-----w- c:\program files\Common Files\HP
2009-12-07 19:55 . 2008-05-16 17:19 -------- d-----w- c:\program files\HP
2009-11-30 08:42 . 2009-11-30 08:42 -------- d-----w- c:\users\Jonathan\AppData\Roaming\WebbIE
2009-11-30 08:33 . 2009-11-30 08:33 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Sensory
2009-11-30 08:33 . 2009-11-30 08:32 -------- d-----w- c:\program files\WebbIE
2009-11-30 08:32 . 2009-11-30 08:32 -------- d-----w- c:\programdata\WebbIE
2009-11-27 17:42 . 2009-11-27 17:42 -------- d-----w- c:\users\Jonathan\AppData\Roaming\Texthelp Systems
2009-12-02 09:51 . 2009-01-02 17:46 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2000-01-01 00:00 . 2009-11-27 17:44 163840 ----a-w- c:\program files\mozilla firefox\components\XPBrowsealoudPlugin.dll
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\System32\CdI5T.drv
2007-03-24 22:41 . 2007-03-24 22:40 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8287-79A187E26987}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"VMCL"="c:\program files\vodafone\vmclite\DongleEnumerator.exe" [2007-11-07 131072]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-28 68856]
"Google Update"="c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-04 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-02 30192]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-17 1070984]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Calendar.lnk - c:\windows\Installer\{EF460231-0460-44CD-BB09-76D274F272FE}\Calendar.exe [2009-11-30 5390]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AutoStart IR.lnk]
backup=c:\windows\pss\AutoStart IR.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jonathan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Jonathan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PersonalBrain.lnk]
path=c:\users\Jonathan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PersonalBrain.lnk
backup=c:\windows\pss\PersonalBrain.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-06 22:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 07:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-09-03 19:12 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Auto LogOff]
2008-10-17 16:40 36864 ----a-w- c:\program files\Turn Off Monitor\AutoLogOff.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
2004-12-02 17:23 102400 ------w- c:\program files\Creative\MediaSource\Detector\CTDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
2006-10-21 00:48 73728 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\dlcftime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-12-02 09:51 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-04-19 05:37 3289088 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IECheck]
2005-11-17 19:40 108544 ----a-w- c:\windows\IEcheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
2007-09-07 13:44 3100672 ----a-w- c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2007-10-04 21:24 86016 ----a-w- c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-28 08:53 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-06-10 22:07 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [14/01/2010 18:50 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [14/01/2010 18:50 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [14/01/2010 18:50 53328]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [05/12/2008 07:16 16896]
S2 gupdate1c8a555915eee20;Google Update Service (gupdate1c8a555915eee20);c:\program files\Google\Update\GoogleUpdate.exe [17/07/2008 22:55 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [02/01/2009 17:45 30192]
S3 radpms;Driver for RADPMS Device;c:\windows\System32\drivers\radpms.sys [24/07/2008 17:45 12192]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [29/08/2007 20:17 729416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-22 17:02]

2010-01-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-28 11:28]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 05:03]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 05:03]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120015169-2902866275-3612616595-1000Core.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 03:08]

2010-01-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-120015169-2902866275-3612616595-1000UA.job
- c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 03:08]

2010-01-22 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-04-19 21:42]

2010-01-24 c:\windows\Tasks\User_Feed_Synchronization-{0DA16482-3D15-4CAE-BEA7-D1D8C9C4E503}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Note this (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu1.html
IE: Note this item (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-206687524.dll/gn_menu2.html
FF - ProfilePath - c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\8y958tq7.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Jonathan\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-25 07:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,85,49,7d,ff,86,fb,f1,a5,68,37,1b,d0,87,45,a3,89,ae,c3,be,78,c3,9b,
6d,1b,d6,20,e5,de,e2,d6,52,0b,95,47,3a,0d,02,cd,a1,3b,ff,8a,60,7b,61,2e,3d,\
"??"=hex:32,6d,17,bd,ce,bc,fe,c7,b0,58,a8,8f,4a,f8,bf,a3

[HKEY_USERS\S-1-5-21-120015169-2902866275-3612616595-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:72,e4,bf,95,e9,df,4a,b6,cf,69,81,6c,b6,0a,a1,16,d8,d6,02,16,8a,
d2,c7,0b,7d,cb,ec,27,23,62,8d,a5,69,18,76,4b,60,57,9e,92,7d,f4,a5,ef,4d,ed,\
"rkeysecu"=hex:dd,26,a1,5f,05,1d,a7,c6,a6,01,e8,79,68,66,f8,cc
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\windows\system32\dlcfcoms.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\sttray.exe
c:\windows\System32\rundll32.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-25 07:38:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 07:38
ComboFix2.txt 2010-01-22 09:32

Pre-Run: 31,747,989,504 bytes free
Post-Run: 31,621,427,200 bytes free

- - End Of File - - D4419843192CCAEEE113DBBE9D80BBBF

jonathancunliffe
Novice
Posts : 10
Joined : 2010-01-20
OS : Windows Vista
Points : 25268
# Likes : 0
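
The log above is what the helper reads by hand: which Run values, services and scheduled tasks launch what, from where, and which files carry odd attributes. The script below is an added worked example for this thread, not ComboFix's own code and nothing anybody posted here. It parses the four line shapes used in the log (Run values, service lines, scheduled-task targets and the dated file listing) and returns the entries a reviewer would look at first: binaries launched by bare name or from outside Windows and Program Files, .sys files with machine-generated-looking names such as mxjiry.sys, and hidden+system objects inside a user profile. The trusted roots and the name heuristic are assumptions made for the example, and every flag is a reason to look rather than a verdict (the log's own per-user Google Update entry is flagged, and a legitimate driver like radpms.sys would be too). The sample lines are constructed in the log's format; the mxjiry service line stands in for the driver named in the first post and its date and size are made up.

```python
"""Triage helper for the autostart and file-listing sections of a ComboFix log.

Added example for this thread: not ComboFix's code, not something the helper
posted.  A flag means "look at this first", not "this is malicious".
"""
import re
from pathlib import PureWindowsPath

# "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [14/01/2010 18:50 114768]
SVC_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[')
# - c:\program files\Glary Utilities\initialize.exe [2009-01-22 17:02]
TASK_RE = re.compile(r'^-\s+(?P<path>.+?)\s+\[')
# 2009-12-16 07:59 . 2009-12-11 16:05 -------- d-sh--w- c:\users\Jonathan\AppData\Roaming\lowsec
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
                     r'\S+\s+(?P<attrs>[d-]\S{7})\s+(?P<path>.+)$')

# Assumption for the example: roots only an administrator or installer writes to.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')

# Constructed sample in the log's format.  The mxjiry service line stands in for
# the driver named in the first post; its date and size are invented.
SAMPLE_LOG = r"""2010-01-20 21:22 . 2008-12-14 20:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 07:59 . 2009-12-11 16:05 -------- d-sh--w- c:\users\Jonathan\AppData\Roaming\lowsec
2002-04-16 09:27 . 2002-04-16 09:27 5 --sha-w- c:\windows\System32\CdI5T.drv
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Google Update"="c:\users\Jonathan\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [14/01/2010 18:50 114768]
R3 mxjiry;mxjiry;c:\windows\System32\drivers\mxjiry.sys [11/12/2009 16:05 40960]
2010-01-25 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-22 17:02]
"""


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def looks_generated(path):
    """Heuristic for names like mxjiry.sys: a .sys whose stem is 5-8 lowercase
    letters with at most one vowel.  Real drivers can match (radpms.sys in the
    log would), so this only raises an entry's review priority."""
    p = PureWindowsPath(path)
    stem = p.stem
    return (p.suffix.lower() == '.sys' and stem.isalpha() and stem.islower()
            and 5 <= len(stem) <= 8 and sum(c in 'aeiou' for c in stem) <= 1)


def autostart_target(line, section):
    """Return (kind, path) for a Run value, service line or task target, else None.
    Run values only count when the current registry key is a ...\\Run key."""
    m = RUN_RE.match(line)
    if m and '\\run' in section:
        return 'run', m.group('path')
    m = SVC_RE.match(line)
    if m:
        return 'service', m.group('path')
    m = TASK_RE.match(line)
    if m:
        return 'task', m.group('path')
    return None


def triage(lines):
    """Return (kind, path, reason) tuples for entries worth a second look."""
    findings = []
    section = ''
    for raw in lines:
        line = raw.strip()
        if line.startswith('['):          # registry key header: remember it
            section = line.lower()
            continue
        target = autostart_target(line, section)
        if target:
            kind, path = target
            if '\\' not in path:
                findings.append((kind, path, 'bare file name, resolved through the search path'))
            elif not is_trusted_location(path):
                findings.append((kind, path, 'launched from a user-writable location'))
            if looks_generated(path):
                findings.append((kind, path, 'machine-generated-looking driver name'))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group('attrs'), m.group('path')
            if 's' in attrs and 'h' in attrs and path.lower().startswith('c:\\users\\'):
                findings.append(('file', path, 'hidden+system object inside a user profile'))
    return findings


if __name__ == '__main__':
    for kind, path, reason in triage(SAMPLE_LOG.splitlines()):
        print(f'{kind:8} {reason:48} {path}')
```

Run it against a saved ComboFix.txt with triage(open('ComboFix.txt', encoding='utf-8', errors='replace')) and read the flagged entries in the order the log lists them. It deliberately ignores the BHO, AppInit_DLLs and startupfolder entries, which follow different line shapes; those still need a manual look.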

Re: Trojan that I cannot remove

Post by Belahzur on 25th January 2010, 9:48 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1

Re: Trojan that I cannot remove

Post by jonathancunliffe on 26th January 2010, 7:22 am

Hi,

I think we may now be clear. That's fantastic.

Regards,

Jonathan


Malwarebytes' Anti-Malware 1.44
Database version: 3639
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

26/01/2010 07:21
mbam-log-2010-01-26 (07-21-27).txt

Scan type: Quick Scan
Objects scanned: 117332
Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Trojan that I cannot remove

Post by Belahzur on 26th January 2010, 6:19 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Trojan that I cannot remove

Post by jonathancunliffe on 26th January 2010, 8:46 pm

Hi,

I did the uninstall. The machine is running much better now thanks.

The only thing I still did seem to get was an Avast warning of a redirect trojan when using Google Chrome (when typing a search into the address bar).

This was saying the file was in Apps Data\Temp for my user.

I deleted everything out of temp. I also uninstalled Chrome, did a virus check/malware check, then reinstalled Chrome (which happened to then install a newer version of Chrome).

Since then I have had one trigger of the Avast checker with this redirect error, again from the temp folder. But it is not happening often like it did before. It has happened once only in say the last 6 hours...

Do you think I could still have a remnant of the redirect trojan (the warning is as per my original posts)?

Let me know your thoughts. I think we are either 99.9% there or 100% there - would just be good to know about this last warning - whether it is still a threat or not.

Thanks,

Jonathan


Re: Trojan that I cannot remove

Post by Belahzur on 27th January 2010, 1:47 am

Let's clean out temp files.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


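
The clean-up step above empties the folder that the remaining Avast hits were coming from, which also destroys the only copy of whatever is being dropped there. The script below is an added example for that step, not ATF-Cleaner's code and nothing posted in the thread: it records name, size, modification time, SHA-256 and whether each file starts with a Windows executable header (regardless of its extension) before deleting anything, and reports any file it could not remove. make_sample_temp() builds a constructed stand-in for %TEMP% so the example runs anywhere; on the affected machine it would be pointed at os.environ['TEMP'] for the logged-in user, with the report file kept alongside the thread's other logs.

```python
"""Record what is in a temp directory before emptying it.

Added example for the clean-up step above; not ATF-Cleaner's code.  It is
only useful if run before the cleaner, while the dropped files still exist.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

PE_MAGIC = b'MZ'   # DOS stub signature at offset 0 of every Windows PE file


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file begins with the MZ header, whatever its extension says."""
    with open(path, 'rb') as f:
        return f.read(2) == PE_MAGIC


def inventory(root):
    """One dict per regular file under root, executables listed first."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):       # never follow links out of the tree
                continue
            st = os.stat(full)
            records.append({
                'path': full,
                'size': st.st_size,
                'mtime': datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec='seconds'),
                'sha256': sha256_of(full),
                'pe': is_pe(full),
            })
    records.sort(key=lambda r: (not r['pe'], r['path']))
    return records


def write_report(records, report_path):
    with open(report_path, 'w', encoding='utf-8') as out:
        for r in records:
            flag = 'PE' if r['pe'] else '--'
            out.write(f"{r['sha256']}  {r['size']:>10}  {r['mtime']}  {flag}  {r['path']}\n")


def empty_after_recording(root, report_path=None):
    """Write the inventory (default: a file next to root), then delete the files
    and any subdirectories that become empty.  Returns (records, not_removed);
    a file that is still open, as the Avast-flagged one might be, ends up in
    not_removed instead of raising."""
    report_path = report_path or root.rstrip(os.sep) + '-inventory.txt'
    records = inventory(root)
    write_report(records, report_path)
    not_removed = []
    for r in records:
        try:
            os.remove(r['path'])
        except OSError:
            not_removed.append(r['path'])
    for dirpath, dirs, _files in os.walk(root, topdown=False):
        for d in dirs:
            try:
                os.rmdir(os.path.join(dirpath, d))
            except OSError:
                pass                        # not empty: something in it survived
    return records, not_removed


def make_sample_temp():
    """Constructed stand-in for %TEMP%: a PE-looking file hiding behind a .tmp
    extension inside a subdirectory, plus a harmless text file."""
    root = tempfile.mkdtemp(prefix='temp-triage-')
    os.mkdir(os.path.join(root, 'sub'))
    with open(os.path.join(root, 'sub', 'dropped.tmp'), 'wb') as f:
        f.write(PE_MAGIC + b'\x90' * 62 + b'PE\x00\x00')
    with open(os.path.join(root, 'notes.txt'), 'w', encoding='utf-8') as f:
        f.write('harmless\n')
    return root


if __name__ == '__main__':
    sample = make_sample_temp()
    recs, left = empty_after_recording(sample)
    for r in recs:
        print('PE ' if r['pe'] else '   ', r['size'], r['sha256'][:16], r['path'])
    print('not removed:', left)
```

The SHA-256 column is what lets a later detection be matched against an earlier one: if the hash of the next file Avast flags equals one already in the report, the same thing is being re-dropped and the source is still on the machine; if it differs, it is more likely a download being scanned on the way in.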
