Wrong link opens on Google searches/tab opens by itself

Post by wrighty » December 28th, 2009, 2:39 pm

Similar to the following problem http://www.malwareremoval.com/forum/vie ... 11&t=47979, whenever I search Google, the link I click on often goes to a completely unrelated website. Also, tabs open by themselves with the following link hxxp://media2.tmlatn.com/images/default ... d/404.html in Firefox.

Hijack This info:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:35:25, on 28/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\WINDOWS.0\system32\winlogon.exe
D:\WINDOWS.0\system32\services.exe
D:\WINDOWS.0\system32\lsass.exe
D:\WINDOWS.0\system32\nvsvc32.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\System32\svchost.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\WINDOWS.0\Explorer.EXE
D:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
D:\WINDOWS.0\system32\RUNDLL32.EXE
D:\WINDOWS.0\RTHDCPL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Program Files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS.0\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\system32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS.0\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {04E28BBF-FA52-40FD-90A8-1BD3B2F0AD64} - D:\WINDOWS.0\System32\dpnwsock32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - D:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [nwiz] D:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS.0\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = D:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Philips GoGear OPUS Device Manager.lnk = D:\Program Files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8942.cab
O20 - AppInit_DLLs: D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: d8bdf464720 - D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: __c003BA21 - D:\WINDOWS.0\system32\__c003BA21.dat
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS.0\system32\CTSvcCDA.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - D:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - D:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 8130 bytes

Uninstall list

Adobe Acrobat 5.0
Adobe Flash Player Plugin
aiofw
aioprnt
aioscnnr
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
C4USelfUpdater
center
Creative Jukebox Driver
Creative MediaSource
Creative NOMAD Jukebox Zen Xtra
Debut Video Capture Software
EZ Vinyl Converter 2.0.0 by MixMeister
Football Manager 2009
FoxyTunes for Firefox
Free M4a to MP3 Converter 6.1
Google Gears
Google Talk (remove only)
Google Update Helper
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 16
KODAK All-in-One Printer Software
ksDIP
LimeWire 5.3.6
Malwarebytes' Anti-Malware
Media Converter for Philips
MediaMonkey 3.1
Messenger Plus! Live
Microsoft .NET Framework 2.0
Microsoft Choice Guard
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.5)
MSVCRT
NavNet
NVIDIA Drivers
NVIDIA nView Desktop Manager
OPUS Device Manager
Pixillion Image Converter
PreReq
Prism Video Converter
QuickTime
Realtek High Definition Audio Driver
Segoe UI
Sky Broadband
SopCast 3.2.4
Spotify
Steam
Veetle TV 0.9.15
VideoPad Video Editor
VoiceOver Kit
Winamp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
WinRAR archiver
Last edited by NonSuch on December 28th, 2009, 7:40 pm, edited 1 time in total.
Reason: Edited to disable live link.
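The HijackThis log above contains the entries a helper reads first: a second lsass.exe running from Application Data, the Policies\Explorer\Run autorun that starts it, an AppInit_DLLs entry, and two Winlogon Notify packages (one with a machine-looking name, one pointing at a .dat file). The following triage script is an added example, not part of the thread or of HijackThis itself; it runs the same checks a helper does by eye over a handful of lines copied from that log. The heuristics, the regular expressions and the function names are the editor's own assumptions, not a HijackThis feature.

```python
"""HijackThis v2 log triage (added example; not part of the thread or of
HijackThis itself). Flags the entry types a malware-removal helper checks
first. Heuristics and names are the editor's own."""
import re
from typing import List, Tuple

# Core Windows binaries that legitimately live only under the Windows directory.
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# "D:\WINDOWS.0\" is accepted too: nLite/repair installs number the directory.
WIN_DIR_RE = re.compile(r"^[a-z]:\\windows(\.\d+)?\\", re.IGNORECASE)
PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")
# First executable in an autorun command, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)


def masquerading_core_binary(path: str) -> bool:
    """True when the file name is a core Windows binary but the path is not
    under the Windows directory (e.g. lsass.exe in Application Data)."""
    path = path.strip()
    name = path.rsplit("\\", 1)[-1].lower()
    return name in CORE_BINARIES and not WIN_DIR_RE.match(path)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries worth a helper's attention."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC_RE.match(line):                      # "Running processes:" block
            if masquerading_core_binary(line):
                findings.append((line, "core Windows binary name running outside the Windows directory"))
            continue
        m = O4_RE.match(line)
        if m:                                        # registry autoruns
            if "policies\\explorer\\run" in m.group("key").lower():
                findings.append((line, "autorun under Policies\\Explorer\\Run, rarely used by ordinary installers"))
            exe = EXE_RE.match(m.group("cmd"))
            if exe and masquerading_core_binary(exe.group("exe")):
                findings.append((line, "autorun starts a core Windows binary name outside the Windows directory"))
            continue
        m = O20_RE.match(line)
        if m:                                        # DLL injection points
            if m.group("kind") == "AppInit_DLLs":
                findings.append((line, "AppInit_DLLs loads this DLL into every process that loads user32.dll; verify the file"))
            else:
                name, _, target = m.group("rest").partition(" - ")
                if not target.lower().endswith(".dll"):
                    findings.append((line, "Winlogon Notify package is not a .dll"))
                elif not name.isalpha():
                    findings.append((line, "Winlogon Notify package name looks machine-generated"))
    return findings


# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\WINDOWS.0\system32\lsass.exe
D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
D:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
O20 - AppInit_DLLs: D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: d8bdf464720 - D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: __c003BA21 - D:\WINDOWS.0\system32\__c003BA21.dat
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS.0\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample the script reports six findings and stays quiet on the legitimate entries (the real lsass.exe under WINDOWS.0, the NVIDIA rundll32 autorun, the Unlocker autorun). It is deliberately a first-pass filter: a helper still verifies each flagged file, and an entry that is not flagged is not thereby cleared.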

Re: Wrong link opens on Google searches/tab opens by itself

Post by MWR 3 day Mod » December 31st, 2009, 8:51 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Wrong link opens on Google searches/tab opens by itself

Post by deltalima » January 3rd, 2010, 12:38 pm

Hi wrighty,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Re: Wrong link opens on Google searches/tab opens by itself

Post by deltalima » January 3rd, 2010, 3:28 pm

Hi wrighty,

P2P Advisory!
IMPORTANT: There are signs of one or more P2P (Peer to Peer) File Sharing Programs installed on your computer.
LimeWire 5.3.6

As long as you have the P2P program(s) installed, per Forum Policy, I can offer you no further assistance.
If you choose NOT to remove the program(s)...indicate that in your next reply and this topic will be closed.
Otherwise, please perform the following steps:
Remove P2P Program(s)
  1. Click on Start > Control Panel and double click on Add/Remove Programs.
  2. Locate the following program:
    LimeWire 5.3.6
  3. Click on the Change/Remove button to uninstall it.
    Repeat steps 2 and 3 for each program listed.
  4. When the program(s) have been uninstalled... Close Add/Remove Programs. Close Control Panel.
Start HijackThis.
  1. If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  2. From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
    When completed...Notepad will open with the new "hijackthis.log" file contents.
Copy/paste the entire (hijackthis.log) file contents in your next reply.

By using any form of P2P networking to download files you can anticipate infestations of malware to occur. The P2P program itself may be safe, but the files may not... use P2P at your own risk! Keep in mind that this practice may be the source of your current malware infestation.
References citing risk factors of using P2P programs: Malware: Help prevent the Infection and How to Prevent the Online Invasion of Spyware and Adware

No Anti-virus Software Installed!
Looking over your log ... there is NO evidence of anti-virus software installed. This puts you at serious risk.
Anti-virus software will help detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.

To protect your computer from infection... download a (free for personal use) anti-virus program from one of these reliable vendors.

  1. Antivir PersonalEdition Classic- Superior detection, the "free" version has no email scan.
  2. avast! 4 Home Edition - Excellent detection, the freeware version includes email scanning.
  3. Microsoft Security Essentials ** - New, from Microsoft, with email scanning, easy to install, easy to use.
    ** Your PC must run genuine Windows to install Microsoft Security Essentials.


Installing a new AV product.
Do NOT uninstall any existing anti-virus product yet!
  1. Download the new Anti-virus product to your computer.
  2. Save any work. Close all applications, especially your Internet connection.
  3. Uninstall any existing anti-virus product... Use the AV uninstall option if available.
  4. Reboot your computer, if not done during the uninstall.
  5. Install the new AV product... following installation instructions.
  6. Check for updates to the new AV product, if not done during install setup.
  7. Run a full scan of your computer.

Please post the log from the full Antivirus scan and a new HijackThis log in your next reply.

Re: Wrong link opens on Google searches/tab opens by itself

Post by wrighty » January 4th, 2010, 10:49 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:48:08, on 04/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\WINDOWS.0\system32\winlogon.exe
D:\WINDOWS.0\system32\services.exe
D:\WINDOWS.0\system32\lsass.exe
D:\WINDOWS.0\system32\nvsvc32.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\System32\svchost.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\WINDOWS.0\Explorer.EXE
D:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\WINDOWS.0\system32\RUNDLL32.EXE
D:\WINDOWS.0\RTHDCPL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Program Files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS.0\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\system32\MsPMSPSv.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Avira\AntiVir Desktop\avcenter.exe
D:\Program Files\Avira\AntiVir Desktop\avscan.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {04E28BBF-FA52-40FD-90A8-1BD3B2F0AD64} - D:\WINDOWS.0\System32\dataclen32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - D:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [nwiz] D:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS.0\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Philips GoGear OPUS Device Manager.lnk = D:\Program Files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8942.cab
O20 - AppInit_DLLs: D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: d8bdf464720 - D:\WINDOWS.0\System32\btpanui32.dll
O20 - Winlogon Notify: __c0029F10 - D:\WINDOWS.0\system32\__c0029F10.dat
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS.0\system32\CTSvcCDA.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - D:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - D:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 8547 bytes

-----------------------------------



Avira AntiVir Personal
Report file date: Monday, January 04, 2010 13:25

Scanning for 1499119 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : EVEREST

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 13:24:18
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 13:24:18
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 13:24:18
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 13:24:18
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 13:24:18
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 13:24:18
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 13:24:18
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 13:24:18
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 13:24:18
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 13:24:18
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 13:24:18
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 13:24:18
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 13:24:19
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 13:24:19
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 13:24:19
VBASE016.VDF : 7.10.1.224 183296 Bytes 12/14/2009 13:24:19
VBASE017.VDF : 7.10.1.247 182272 Bytes 12/15/2009 13:24:20
VBASE018.VDF : 7.10.2.30 198144 Bytes 12/21/2009 13:24:20
VBASE019.VDF : 7.10.2.63 187392 Bytes 12/24/2009 13:24:20
VBASE020.VDF : 7.10.2.93 195072 Bytes 12/29/2009 13:24:21
VBASE021.VDF : 7.10.2.94 2048 Bytes 12/29/2009 13:24:21
VBASE022.VDF : 7.10.2.95 2048 Bytes 12/29/2009 13:24:21
VBASE023.VDF : 7.10.2.96 2048 Bytes 12/29/2009 13:24:21
VBASE024.VDF : 7.10.2.97 2048 Bytes 12/29/2009 13:24:21
VBASE025.VDF : 7.10.2.98 2048 Bytes 12/29/2009 13:24:21
VBASE026.VDF : 7.10.2.99 2048 Bytes 12/29/2009 13:24:21
VBASE027.VDF : 7.10.2.100 2048 Bytes 12/29/2009 13:24:21
VBASE028.VDF : 7.10.2.101 2048 Bytes 12/29/2009 13:24:21
VBASE029.VDF : 7.10.2.102 2048 Bytes 12/29/2009 13:24:21
VBASE030.VDF : 7.10.2.103 2048 Bytes 12/29/2009 13:24:21
VBASE031.VDF : 7.10.2.115 162304 Bytes 1/4/2010 13:24:21
Engineversion : 8.2.1.122
AEVDF.DLL : 8.1.1.2 106867 Bytes 11/8/2009 07:38:52
AESCRIPT.DLL : 8.1.3.4 586105 Bytes 1/4/2010 13:24:24
AESCN.DLL : 8.1.3.0 127348 Bytes 1/4/2010 13:24:24
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 07:38:44
AERDL.DLL : 8.1.3.4 479605 Bytes 1/4/2010 13:24:23
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 07:38:40
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 07:38:38
AEHEUR.DLL : 8.1.0.189 2195833 Bytes 1/4/2010 13:24:23
AEHELP.DLL : 8.1.9.0 237943 Bytes 1/4/2010 13:24:22
AEGEN.DLL : 8.1.1.82 369014 Bytes 1/4/2010 13:24:22
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.9.1 180598 Bytes 1/4/2010 13:24:22
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 14:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, January 04, 2010 13:25

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\imagepath
[INFO] The registry entry is invisible.
'64677' objects were checked, '5' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'ACService.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'GoGear_OPUS_DeviceManager.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'EKIJ5000MUI.exe' - '1' Module(s) have been scanned
Scan process 'googletalk.exe' - '1' Module(s) have been scanned
Scan process 'winampa.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Module is infected -> 'D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe'
Scan process 'UnlockerAssistant.exe' - '1' Module(s) have been scanned
Scan process 'GoogleCrashHandler.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'lsass.exe' has been terminated
D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4ba2ed2c.qua'!

46 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\' <FACTORY_IMAGE>
C:\autoexec.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\'
D:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\1ff80313-27683780
[0] Archive type: ZIP
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.S Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\738d5864-618a7f9a
[0] Archive type: ZIP
--> myf/y/AppletX.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.S Java virus
--> myf/y/PayloadX.class
[DETECTION] Contains recognition pattern of the JAVA/OpenStream.AD Java virus
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\Cache\2FBFE1E1d01
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
D:\Documents and Settings\Administrator\Local Settings\Temp\108.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\10B.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\11.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\15.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\16.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\18.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\1A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\1C.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\1E.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\1F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\20.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\22.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\234.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\23A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\24.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\26.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\27.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
--> ProgramFilesDir/pc.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> ProgramFilesDir/agent.exe
[DETECTION] Is the TR/Agent.556032.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\28.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\29.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\2C.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\2D.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\2E.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\2F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\31.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\33.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\34.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\35.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\36.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\3A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\3B.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\3C.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\3E.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\41.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\42.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\44.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\5.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\D.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\D7.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\E1.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\E5.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
--> ProgramFilesDir/pc.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
--> ProgramFilesDir/agent.exe
[DETECTION] Is the TR/Agent.556032.1 Trojan
D:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4HI5F4J5\update4303[1].exe
[DETECTION] Is the TR/Dropper.Gen Trojan
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH41EVK9\update4303[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
D:\Documents and Settings\NetworkService\Local Settings\Temp\gasfkyqrabvtntic.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
D:\WINDOWS.0\system32\camocx32.dll
[DETECTION] Is the TR/Dldr.Agent.jzx Trojan
D:\WINDOWS.0\system32\cfgmgr3232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\clbcatex32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\cmcfg3232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\cnvfat32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\ctl3dv232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\D3DCompiler_3432.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\D3DCompiler_3732.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dataclen32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dbnmpntw32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dgsetup32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dimsroam32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\diskcopy32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dmdskmgr32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dmocx32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dot3clnt32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dot3svc32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dpcdll32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dpnwsock32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\dpwsock32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\ds16gt32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\EKIJCOINST0432.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\fdco132.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\gasfkyciqjlbbg.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
D:\WINDOWS.0\system32\hidserv32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\HMTCD32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\ieencode32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
D:\WINDOWS.0\system32\SysWoW32\wu48737854v0
[0] Archive type: ZIP
--> patch.exe
[DETECTION] Is the TR/Drop.Agent.hnr Trojan
D:\WINDOWS.0\system32\SysWoW32\wu48737854v2
[0] Archive type: ZIP
--> patch.exe
[DETECTION] Is the TR/Drop.Agent.HE Trojan
D:\WINDOWS.0\system32\SysWoW32\_u48737854v0
[0] Archive type: ZIP
--> patch.[lucid].exe
[DETECTION] Contains recognition pattern of the WORM/Nugg.CL worm
D:\WINDOWS.0\system32\SysWoW32\_u48737854v1
[0] Archive type: ZIP
--> patch.FOFF.exe
[DETECTION] Contains recognition pattern of the WORM/Nugg.CM worm
D:\WINDOWS.0\system32\SysWoW32\_u48737854v2
[0] Archive type: ZIP
--> patch.by.CORE.exe
[DETECTION] Contains recognition pattern of the WORM/Nugg.CN worm
D:\WINDOWS.0\system32\SysWoW32\_u48737854v3
[0] Archive type: ZIP
--> patch.tmg.exe
[DETECTION] Contains recognition pattern of the WORM/Nugg.CO worm

Beginning disinfection:
C:\autoexec.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4bb5ffaa.qua'!
D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\19\1ff80313-27683780
[NOTE] The file was moved to '4ba7ff9c.qua'!
D:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\36\738d5864-618a7f9a
[NOTE] The file was moved to '4b79ff69.qua'!
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\Cache\2FBFE1E1d01
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4b83ff7c.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\108.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b79ff66.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\10B.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b83ff66.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\11.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff67.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff68.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff69.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff6a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\15.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff6b.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\16.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff6c.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\18.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff6e.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\19.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff6f.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\1A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff78.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\1C.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff7a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\1E.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff7c.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\1F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff7d.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\20.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4668e810.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\22.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4667e02a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\234.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b75ff6a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\23A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b82ff6a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\24.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4664c9f4.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\26.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff6d.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\27.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4662b947.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\28.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff70.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\29.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff71.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\2C.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff7b.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\2D.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '467e9a35.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\2E.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '467d926e.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\2F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4b6fff7e.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\31.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '467b83ca.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\33.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '467a7b04.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\34.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4679735d.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\35.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '46786c96.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\36.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '467764b0.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\3A.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '46765cf3.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\3B.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4675542c.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\3C.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '46744c65.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\3E.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4673459f.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\41.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '46723dc4.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\42.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4671351d.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\44.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '46702d57.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\5.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4bb5ff68.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '46941ea1.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '469716f9.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '46960e31.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4bb5ff69.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\D.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4693ff82.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\D7.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '4b6fff72.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
[DETECTION] Is the TR/Drop.BHO.BL.1 Trojan
[NOTE] The file was moved to '469def12.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\E1.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4648f7dd.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\E5.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4645df79.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4bb5ff6a.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4HI5F4J5\update4303[1].exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4ba5ffac.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SH41EVK9\update4303[1].exe
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to '4612105d.qua'!
D:\Documents and Settings\NetworkService\Local Settings\Temp\gasfkyqrabvtntic.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4bb4ff9d.qua'!
D:\WINDOWS.0\system32\camocx32.dll
[DETECTION] Is the TR/Dldr.Agent.jzx Trojan
[NOTE] The file was moved to '4baeff9d.qua'!
D:\WINDOWS.0\system32\cfgmgr3232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba8ffa2.qua'!
D:\WINDOWS.0\system32\clbcatex32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba3ffa8.qua'!
D:\WINDOWS.0\system32\cmcfg3232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba4ffa9.qua'!
D:\WINDOWS.0\system32\cnvfat32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb7ffaa.qua'!
D:\WINDOWS.0\system32\ctl3dv232.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4badffb0.qua'!
D:\WINDOWS.0\system32\D3DCompiler_3432.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4b85ff6f.qua'!
D:\WINDOWS.0\system32\D3DCompiler_3732.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '58a74650.qua'!
D:\WINDOWS.0\system32\dataclen32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb5ff9d.qua'!
D:\WINDOWS.0\system32\dbnmpntw32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bafff9e.qua'!
D:\WINDOWS.0\system32\dgsetup32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb4ffa3.qua'!
D:\WINDOWS.0\system32\dimsroam32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4baeffa5.qua'!
D:\WINDOWS.0\system32\diskcopy32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb4ffa5.qua'!
D:\WINDOWS.0\system32\dmdskmgr32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba5ffa9.qua'!
D:\WINDOWS.0\system32\dmocx32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb0ffa9.qua'!
D:\WINDOWS.0\system32\dot3clnt32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb5ffab.qua'!
D:\WINDOWS.0\system32\dot3svc32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '468e3724.qua'!
D:\WINDOWS.0\system32\dpcdll32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba4ffac.qua'!
D:\WINDOWS.0\system32\dpnwsock32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bafffac.qua'!
D:\WINDOWS.0\system32\dpwsock32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4bb8ffac.qua'!
D:\WINDOWS.0\system32\ds16gt32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4b72ffaf.qua'!
D:\WINDOWS.0\system32\EKIJCOINST0432.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4b8aff87.qua'!
D:\WINDOWS.0\system32\fdco132.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba4ffa0.qua'!
D:\WINDOWS.0\system32\gasfkyciqjlbbg.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '46f6009e.qua'!
D:\WINDOWS.0\system32\hidserv32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba5ffa5.qua'!
D:\WINDOWS.0\system32\HMTCD32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4b95ff89.qua'!
D:\WINDOWS.0\system32\ieencode32.dll
[DETECTION] Is the TR/BHO.Agent.BJ Trojan
[NOTE] The file was moved to '4ba6ffa1.qua'!
D:\WINDOWS.0\system32\SysWoW32\wu48737854v0
[NOTE] The file was moved to '4b75ffb1.qua'!
D:\WINDOWS.0\system32\SysWoW32\wu48737854v2
[NOTE] The file was moved to '463cd202.qua'!
D:\WINDOWS.0\system32\SysWoW32\_u48737854v0
[NOTE] The file was moved to '4b75ffb2.qua'!
D:\WINDOWS.0\system32\SysWoW32\_u48737854v1
[NOTE] The file was moved to '584b340b.qua'!
D:\WINDOWS.0\system32\SysWoW32\_u48737854v2
[NOTE] The file was moved to '584a2c33.qua'!
D:\WINDOWS.0\system32\SysWoW32\_u48737854v3
[NOTE] The file was moved to '583524fb.qua'!


End of the scan: Monday, January 04, 2010 14:46
Used time: 43:41 Minute(s)

The scan has been done completely.

14537 Scanned directories
338062 Files were scanned
98 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
91 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
337963 Files not concerned
3475 Archives were scanned
1 Warnings
92 Notes
64677 Objects were scanned with rootkit scan
5 Hidden objects were found
wrighty
Active Member
 
Posts: 4
Joined: December 28th, 2009, 2:25 pm
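
The Avira report above is the poster's own output. What follows is an added example, not code from the thread, from Avira or from any of the tools named here: a small parser for that report layout that pulls out the figures a helper triages on (hits per signature, container files that were detected but never received a "moved to" quarantine note, and invisible registry keys from the rootkit scan matched by name prefix against the detected files). The embedded sample log is constructed from shortened lines of the same shape.

```python
import re
from collections import Counter

# Constructed sample in the Avira AntiVir report layout used in the thread
# (paths shortened; not the poster's log). gasfkyciqjlbbg.dll deliberately
# gets no quarantine note so the "detected but not moved" check fires.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyewmttapq\imagepath
[INFO] The registry entry is invisible.
D:\Documents and Settings\Administrator\Application Data\SystemProc\lsass.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4ba2ed2c.qua'!
Begin scan in 'C:\' <FACTORY_IMAGE>
C:\autoexec.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\'
D:\Documents and Settings\Administrator\Local Settings\Temp\27.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
--> ProgramFilesDir/pc.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
D:\WINDOWS.0\system32\gasfkyciqjlbbg.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
D:\WINDOWS.0\system32\SysWoW32\wu48737854v0
[0] Archive type: ZIP
--> patch.exe
[DETECTION] Is the TR/Drop.Agent.hnr Trojan
Beginning disinfection:
C:\autoexec.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4bb5ffaa.qua'!
D:\Documents and Settings\Administrator\Local Settings\Temp\27.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4662b947.qua'!
D:\WINDOWS.0\system32\SysWoW32\wu48737854v0
[NOTE] The file was moved to '4b75ffb1.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEMBER_RE = re.compile(r"^--> (.+)$")
DETECTION_RE = re.compile(
    r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
MOVED_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")
HIDDEN_MSG = "[INFO] The registry entry is invisible."


def parse_avira_log(text):
    """Return detections (container, archive member or None, signature),
    quarantined {container: .qua name} and hidden registry keys.
    Hits are recorded only outside 'Beginning disinfection:', where Avira
    repeats every detection line, so nothing is counted twice."""
    detections, quarantined, hidden_keys = [], {}, []
    path = member = last_key = None
    disinfecting = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Beginning disinfection:":
            disinfecting = True
        elif line.startswith("HKEY_"):
            last_key = line
        elif line == HIDDEN_MSG and last_key:
            hidden_keys.append(last_key)
        elif PATH_RE.match(line):
            path, member = line, None      # new container file
        elif (m := MEMBER_RE.match(line)):
            member = m.group(1)            # entry inside an archive
        elif (m := DETECTION_RE.match(line)) and path and not disinfecting:
            detections.append((path, member, m.group(1)))
        elif (m := MOVED_RE.match(line)) and path:
            quarantined[path] = m.group(1)
    return {"detections": detections, "quarantined": quarantined,
            "hidden_keys": hidden_keys}


def hidden_service_matches(report, prefix_len=6):
    """Map each invisible service to detected files sharing its name prefix;
    in this log the gasfky* service, DLL and .tmp all carry one prefix."""
    names = {p.rpartition("\\")[2].lower() for p, _, _ in report["detections"]}
    matches = {}
    for key in report["hidden_keys"]:
        _, sep, tail = key.partition("\\Services\\")
        if sep:
            service = tail.split("\\")[0]
            prefix = service[:prefix_len].lower()
            matches[service] = sorted(n for n in names if n.startswith(prefix))
    return matches


def summarize(report):
    """Reduce a parsed report to the figures a helper triages on."""
    dets = report["detections"]
    return {
        "by_signature": Counter(sig for _, _, sig in dets),
        "by_directory": Counter(p.rpartition("\\")[0] for p, _, _ in dets),
        # archive members are covered when the container is moved, so the
        # check is per container path, not per member
        "not_quarantined": sorted({p for p, _, _ in dets} - set(report["quarantined"])),
        "hidden_services": hidden_service_matches(report),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_avira_log(SAMPLE_LOG)).items():
        print(k, dict(v) if isinstance(v, Counter) else v)
```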

Re: Wrong link opens on Google searches/tab opens by itself

Unread postby deltalima » January 4th, 2010, 2:41 pm

Hi wrighty,

In view of the number of viruses and Trojans detected I must warn you that we may never be able to guarantee that the machine is fully clean.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes Anti-Malware:

  • Please run Malwarebytes Antimalware
  • Select the Update tab and click Update Now
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures, if not, then follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Once installed, you should see the following message:

The recovery console was successfuly installed.
Click ‘YES’ to continue scanning for malware
Click ‘NO’ for exit

Click the YES button.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your “drive access” light. If it is flashing, Combofix is still at work.

When finished ComboFix will produce a log file.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log , a new HijackThis log, the Combofix log and the log from the Malwarebytes scan in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Wrong link opens on Google searches/tab opens by itself

Unread postby wrighty » January 4th, 2010, 5:49 pm

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-04 21:43:48
Windows 5.1.2600 Service Pack 3
Running: foezn5s4.exe; Driver: D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldapob.sys


---- System - GMER 1.0.15 ----

SSDT ADFA9FC6 ZwCreateKey
SSDT ADFA9FBC ZwCreateThread
SSDT ADFA9FCB ZwDeleteKey
SSDT ADFA9FD5 ZwDeleteValueKey
SSDT ADFA9FDA ZwLoadKey
SSDT ADFA9FA8 ZwOpenProcess
SSDT ADFA9FAD ZwOpenThread
SSDT ADFA9FE4 ZwReplaceKey
SSDT ADFA9FDF ZwRestoreKey
SSDT ADFA9FD0 ZwSetValueKey
SSDT ADFA9FB7 ZwTerminateProcess

Code \??\D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? ijuukafp.sys The system cannot find the file specified. !
.text D:\WINDOWS.0\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70EE380, 0x3DF545, 0xE8000020]
? D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? D:\WINDOWS.0\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\explorer.exe [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT D:\WINDOWS.0\explorer.exe[2476] @ D:\WINDOWS.0\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB777BD] D:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

-----------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45:28, on 04/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\WINDOWS.0\system32\winlogon.exe
D:\WINDOWS.0\system32\services.exe
D:\WINDOWS.0\system32\lsass.exe
D:\WINDOWS.0\system32\nvsvc32.exe
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\System32\svchost.exe
D:\WINDOWS.0\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\WINDOWS.0\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Kodak\AiO\center\KodakSvc.exe
D:\WINDOWS.0\RTHDCPL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Google\Google Talk\googletalk.exe
D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\WINDOWS.0\system32\ctfmon.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
D:\WINDOWS.0\system32\svchost.exe
D:\WINDOWS.0\system32\MsPMSPSv.exe
D:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS.0\System32\svchost.exe
D:\WINDOWS.0\system32\notepad.exe
D:\WINDOWS.0\explorer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Mozilla Firefox\uninstall\helper.exe
D:\WINDOWS.0\system32\NOTEPAD.EXE
D:\WINDOWS.0\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - D:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UnlockerAssistant] D:\Program Files\Unlocker\UnlockerAssistant.exe -H
O4 - HKLM\..\Run: [nwiz] D:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] D:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Philips GoGear OPUS Device Manager.lnk = D:\Program Files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS.0\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8942.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS.0\system32\CTSvcCDA.EXE
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - D:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - D:\Program Files\Kodak\AiO\center\KodakSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - D:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 7842 bytes

-----------------------

ComboFix 10-01-04.01 - Administrator 04/01/2010 21:29:19.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2455 [GMT 0:00]
Running from: d:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\xcrashdump.dat
d:\documents and settings\Administrator\Application Data\02000000aaafdd86720C.manifest
d:\documents and settings\Administrator\Application Data\02000000aaafdd86720O.manifest
d:\documents and settings\Administrator\Application Data\02000000aaafdd86720P.manifest
d:\documents and settings\Administrator\Application Data\02000000aaafdd86720S.manifest
d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{54c9efd9-cac6-40bb-9ca4-37ffa67ce996}
d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{54c9efd9-cac6-40bb-9ca4-37ffa67ce996}\chrome.manifest
d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{54c9efd9-cac6-40bb-9ca4-37ffa67ce996}\chrome\xulcache.jar
d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{54c9efd9-cac6-40bb-9ca4-37ffa67ce996}\defaults\preferences\xulcache.js
d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{54c9efd9-cac6-40bb-9ca4-37ffa67ce996}\install.rdf
d:\documents and settings\Administrator\Application Data\SystemProc
d:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
d:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
d:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
d:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
d:\windows.0\system32\0RFE8TvaJc5qwWZ.vbs
d:\windows.0\system32\1787794179
d:\windows.0\system32\4OTx9.vbs
d:\windows.0\system32\86C2Y.vbs
d:\windows.0\system32\9mX52Ha.vbs
d:\windows.0\system32\ETmRs5FjmTYLl.vbs
d:\windows.0\system32\ftlmtiVrbUvZI.vbs
d:\windows.0\system32\fZ9DKtlSA1IbXqG.vbs
d:\windows.0\system32\h825EOL68PP6e.vbs
d:\windows.0\system32\hhhzZmF.vbs
d:\windows.0\system32\JTYHE3y.vbs
d:\windows.0\system32\NkxAK.vbs
d:\windows.0\system32\o9qFM.vbs
d:\windows.0\system32\oc4wOkV.vbs
d:\windows.0\system32\OJ8rS.vbs
d:\windows.0\system32\RfTMlH7xkCxo3EE.vbs
d:\windows.0\system32\RGcB8wOOcklG2Mq.vbs
d:\windows.0\system32\Rn3N09M.vbs
d:\windows.0\system32\sysinfo.exe
d:\windows.0\system32\tb2fbMT.vbs
d:\windows.0\system32\tzlWrnMArJgGVOc.vbs
d:\windows.0\system32\unrar.exe
d:\windows.0\system32\Ve4i26cbAAZrsfJ.vbs
d:\windows.0\system32\Wg6pM84.vbs
d:\windows.0\system32\z3HCcz7.vbs
d:\windows.0\system32\zd4wbeYqMd9OMKs.vbs

.
((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-04 21:17 . 2010-01-04 21:17 5061520 ----a-w- d:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-04 13:22 . 2009-07-28 15:33 55656 ----a-w- d:\windows.0\system32\drivers\avgntflt.sys
2010-01-04 13:22 . 2009-03-30 09:33 96104 ----a-w- d:\windows.0\system32\drivers\avipbb.sys
2010-01-04 13:22 . 2009-02-13 11:29 22360 ----a-w- d:\windows.0\system32\drivers\avgntmgr.sys
2010-01-04 13:22 . 2009-02-13 11:17 45416 ----a-w- d:\windows.0\system32\drivers\avgntdd.sys
2010-01-04 13:22 . 2010-01-04 13:22 -------- d-----w- d:\program files\Avira
2010-01-04 13:22 . 2010-01-04 13:22 -------- d-----w- d:\documents and settings\All Users\Application Data\Avira
2009-12-28 18:21 . 2009-12-28 18:21 -------- d-----w- d:\program files\Trend Micro
2009-12-27 12:27 . 2009-12-27 12:27 -------- d-----w- d:\documents and settings\Administrator\Application Data\Philips
2009-12-27 12:26 . 2009-12-27 12:26 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\ArcSoft
2009-12-27 12:26 . 2009-12-27 14:33 -------- d-----w- d:\documents and settings\Administrator\Application Data\ArcSoft
2009-12-27 12:25 . 2009-12-27 12:26 -------- d-----w- d:\documents and settings\All Users\Application Data\ArcSoft
2009-12-27 12:25 . 2003-02-21 04:42 348160 ----a-w- d:\windows.0\system32\msvcr71.dll
2009-12-27 12:25 . 2009-12-27 12:25 -------- d-----w- d:\program files\Common Files\ArcSoft
2009-12-27 12:25 . 2009-12-27 12:25 -------- d-----w- d:\program files\ArcSoft
2009-12-27 12:25 . 2004-05-04 11:53 1645320 ----a-w- d:\windows.0\system32\gdiplus.dll
2009-12-27 12:25 . 2003-03-18 22:14 499712 ----a-r- d:\windows.0\system32\msvcp71.dll
2009-12-27 12:24 . 2009-12-27 12:24 -------- d-----w- d:\program files\Philips
2009-12-27 12:23 . 2009-12-27 12:23 -------- d-----w- d:\documents and settings\Administrator\Application Data\InstallShield
2009-12-26 21:52 . 2009-12-26 23:19 -------- d-----w- d:\program files\Windows Live Safety Center
2009-12-23 19:36 . 2009-12-23 19:36 -------- d-----w- d:\documents and settings\Administrator\Application Data\NCH Software
2009-12-23 19:36 . 2009-12-27 12:28 -------- d-----w- d:\documents and settings\All Users\Application Data\NCH Software
2009-12-23 19:36 . 2009-12-27 12:28 -------- d-----w- d:\program files\NCH Software
2009-12-21 18:59 . 2009-12-21 19:10 -------- d-----w- d:\program files\Movavi Video Converter 9
2009-12-21 18:59 . 2009-12-21 18:59 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-12-13 13:18 . 2009-08-25 01:30 13312 ----a-w- d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 21:17 . 2009-09-11 16:25 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-01-04 21:00 . 2009-09-12 15:00 -------- d-----w- d:\documents and settings\Administrator\Application Data\Spotify
2010-01-04 13:30 . 2009-10-21 22:21 -------- d-----w- d:\program files\LimeWire
2010-01-04 13:13 . 2009-10-21 22:27 -------- d-----w- d:\documents and settings\Administrator\Application Data\LimeWire
2009-12-30 14:55 . 2009-09-11 16:25 38224 ----a-w- d:\windows.0\system32\drivers\mbamswissarmy.sys
2009-12-30 14:54 . 2009-09-11 16:25 19160 ----a-w- d:\windows.0\system32\drivers\mbam.sys
2009-12-28 14:57 . 2009-09-20 19:52 -------- d-----w- d:\program files\Paint Shop Pro 7
2009-12-27 12:26 . 2009-09-11 17:20 -------- d--h--w- d:\program files\InstallShield Installation Information
2009-12-21 01:46 . 2009-10-27 15:30 -------- d-----w- d:\program files\Steam
2009-12-05 15:06 . 2009-12-05 15:06 -------- d-----w- d:\program files\Veetle
2009-11-18 14:46 . 2009-11-18 14:29 -------- d-----w- d:\program files\MixMeister EZ Vinyl Converter
2009-11-17 15:26 . 2009-11-17 15:23 -------- d-----w- d:\program files\Hot Keyboard Pro
2009-11-17 15:26 . 2009-11-17 15:26 -------- d-----w- d:\documents and settings\Administrator\Application Data\Hot Keyboard
2009-11-11 00:23 . 2009-11-11 00:23 -------- d-----w- d:\program files\Sky Broadband
2009-11-08 12:49 . 2009-11-08 12:49 14728 ---ha-w- d:\windows.0\system32\mlfcache.dat
2009-11-02 01:56 . 2009-11-02 01:56 1925024 ----a-w- d:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-21 22:22 . 2009-10-21 22:22 411368 ----a-w- d:\windows.0\system32\deploytk.dll
2009-10-21 22:21 . 2009-10-21 22:21 152576 ----a-w- d:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
.

------- Sigcheck -------

[-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . d:\windows.0\system32\drivers\tcpip.sys


d:\windows.0\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"nwiz"="d:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="d:\windows.0\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="d:\windows.0\system32\NvCpl.dll" [2009-08-17 13877248]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"googletalk"="d:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Conime"="d:\windows.0\system32\conime.exe" [2008-04-14 27648]
"EKIJ5000StatusMonitor"="d:\windows.0\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-10-21 149280]
"ArcSoft Connection Service"="d:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"avgnt"="d:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-04-14 99840]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
Philips GoGear OPUS Device Manager.lnk - d:\program files\Philips\GoGear OPUS Device Manager\GoGear_OPUS_DeviceManager.exe [2009-12-27 1402232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\Spotify\\spotify.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Program Files\\Steam\\SteamApps\\common\\football manager 2009\\fm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
"9323:TCP"= 9323:TCP:EKDiscovery

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;d:\program files\Avira\AntiVir Desktop\sched.exe [04/01/2010 13:22 108289]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;d:\program files\Kodak\AiO\Center\EKDiscovery.exe [04/05/2009 11:15 279960]
R2 KodakSvc;Kodak AiO Device Service;d:\program files\Kodak\AiO\Center\KodakSvc.exe [17/04/2009 11:08 32768]
S1 drqiimfd;drqiimfd;\??\d:\windows.0\system32\drivers\drqiimfd.sys --> d:\windows.0\system32\drivers\drqiimfd.sys [?]
S1 uhpwlxpj;uhpwlxpj;\??\d:\windows.0\system32\drivers\uhpwlxpj.sys --> d:\windows.0\system32\drivers\uhpwlxpj.sys [?]
S2 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [14/09/2009 00:33 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
Contents of the 'Scheduled Tasks' folder

2009-12-21 d:\windows.0\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-01-04 d:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 00:32]

2010-01-04 d:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-09-14 00:32]

2009-12-23 d:\windows.0\Tasks\videopadSevenDaysInit.job
- d:\program files\NCH Software\VideoPad\videopad.exe [2009-12-23 19:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sky.com
uInternet Settings,ProxyOverride = *.local
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
FF - ProfilePath - d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.oleole.com/blogs/arseblog
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&o ... &gfns=1&q=
FF - component: d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: d:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t0evfd4i.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - component: d:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: d:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\program files\Veetle\Player\npvlc.dll
FF - plugin: d:\program files\Veetle\plugins\npVeetle.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{04E28BBF-FA52-40FD-90A8-1BD3B2F0AD64} - d:\windows.0\System32\dataclen32.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-04 21:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-04 21:33:47
ComboFix-quarantined-files.txt 2010-01-04 21:33

Pre-Run: 368,662,368,256 bytes free
Post-Run: 368,641,916,928 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

- - End Of File - - 884329024B6B049978D722F91C8EBC5C

-------------------------

Malwarebytes' Anti-Malware 1.43
Database version: 3493
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

04/01/2010 21:21:20
mbam-log-2010-01-04 (21-21-20).txt

Scan type: Quick Scan
Objects scanned: 100444
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS.0\system32\btpanui32.dll (Trojan.Tracur) -> Delete on reboot.
D:\WINDOWS.0\system32\__c0029F10.dat (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\d8bdf464720 (Trojan.Tracur) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0029f10 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyewmttapq (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: d:\windows.0\system32\btpanui32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\btpanui32.dll -> Delete on reboot.

Folders Infected:
D:\WINDOWS.0\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS.0\system32\btpanui32.dll (Trojan.Tracur) -> Delete on reboot.
D:\WINDOWS.0\system32\__c0029F10.dat (Trojan.Vundo) -> Delete on reboot.
D:\Documents and Settings\Administrator\My Documents\downloads\QuickTime_Update_KB673901.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c002D096.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c0066B6E.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c006F366.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00ABDE6.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00AF216.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00E93D8.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00F3383.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\mi48737854v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\mi48737854v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\mi48737854v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\mu48737854v5 (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\mu48737854v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v1 (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v3 (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\SysWoW32\wu48737854v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00137A4.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c003BA21.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c0048749.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c0055D10.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c005B93C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c0070C67.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c0074304.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00A6A50.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00B1C1C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00B5524.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00DDB0C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00DF151.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00E9DDF.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00EBD85.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\system32\__c00FB58A.dat (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS.0\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

The Google problem no longer persists and the tab opening by itself also appears to have stopped after following the steps so far.
wrighty
Active Member
Posts: 4
Joined: December 28th, 2009, 2:25 pm

Re: Wrong link opens on Google searches/tab opens by itself

Post by deltalima » January 5th, 2010, 4:26 pm

Hi wrighty,

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Wrong link opens on Google searches/tab opens by itself

Post by NonSuch » January 9th, 2010, 2:08 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California