Hello,
I have (had I hope) a trojan virus on my computer, it stole my ftp passwords and uploaded iframe malware to my website. I am now trying to clean the trojan off my computer.
I read and performed your 8 step virus/malware removal guide. Can some one tell me if I got rid of the bug. Hear are the logs (copy & pasted like it says):
mbam log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4438
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/16/2010 11:40:40 PM
mbam-log-2010-08-16 (23-40-40).txt
Scan type: Quick scan
Objects scanned: 125574
Time elapsed: 6 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f1fabe79-25fc-46de-8c5a-2c6db9d64333} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f1fabe79-25fc-46de-8c5a-2c6db9d64333} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Error Repair Professional (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
C:\Program Files\Error Repair Professional\Backups (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
C:\Program Files\Error Repair Professional\startbug (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 23:59:06
Windows 5.1.2600 Service Pack 3
Running: nmd9tk45.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kfgoraob.sys
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xF798DD00]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9BA0360, 0x1DF4AD, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\gticard.sys entry point in "init" section [0xB9B43B20]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xBA0214C0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 16:41:15.13 on Tue 08/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1521 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VueSoft\VueMinder\VueMinder.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.vending-la.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Trellian BHO Impl: {24180b00-2eb6-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trellian &Toolbar: {71aaabe5-1f0f-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
TB: Alexa: {ea582743-9076-4178-9aa6-7393fdf4d5ce} - c:\program files\alexa toolbar\AlxTB2.9.39.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\browseui.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe /q /c"
uRun: [VueMinder] "c:\program files\vuesoft\vueminder\VueMinder.exe" 1
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with srx utility\lcu.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Alexa Web Search... - http://tbar.alexa.com/9.0.0.31/contextmenu/search.htm
IE: Get Alexa Data... - http://tbar.alexa.com/9.0.0.31/contextmenu/sitedata.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: See Related Links... - http://tbar.alexa.com/9.0.0.31/contextmenu/related.htm
IE: Write a Review... - http://tbar.alexa.com/9.0.0.31/contextmenu/review.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
============= SERVICES / DRIVERS ===============
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-15 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-15 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-15 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-17 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
S2 gupdate1c9fc22e6a7840;Google Update Service (gupdate1c9fc22e6a7840);c:\program files\google\update\GoogleUpdate.exe [2009-7-3 133104]
=============== Created Last 30 ================
2010-08-17 06:31:48 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-08-17 06:31:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 06:31:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 06:31:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 06:31:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 04:15:21 6236 ----a-w- c:\documents and settings\user\.recently-used.xbel
2010-08-08 23:22:10 0 d-----w- c:\docume~1\user\applic~1\FastStone
2010-08-08 23:21:21 0 d-----w- c:\program files\FastStone Capture
2010-08-08 00:47:26 0 d-----w- c:\program files\common files\Macrovision Shared
2010-08-08 00:46:59 0 d-----w- c:\program files\Rosetta Stone
2010-08-08 00:46:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
==================== Find3M ====================
2010-07-19 02:14:32 17130 ----a-w- c:\windows\system32\nvModes.dat
2010-07-17 15:41:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 15:41:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 15:40:33 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-05-17 04:20:16 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-17 04:20:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050420090511\index.dat
2009-05-17 04:20:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051620090517\index.dat
============= FINISH: 16:41:50.24 ===============
THANK YOU IN ADVANCE FOR ANY HELP!
FRANK
I have (had I hope) a trojan virus on my computer, it stole my ftp passwords and uploaded iframe malware to my website. I am now trying to clean the trojan off my computer.
I read and performed your 8 step virus/malware removal guide. Can some one tell me if I got rid of the bug. Hear are the logs (copy & pasted like it says):
mbam log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4438
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/16/2010 11:40:40 PM
mbam-log-2010-08-16 (23-40-40).txt
Scan type: Quick scan
Objects scanned: 125574
Time elapsed: 6 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f1fabe79-25fc-46de-8c5a-2c6db9d64333} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f1fabe79-25fc-46de-8c5a-2c6db9d64333} (Adware.Alexa) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Error Repair Professional (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
C:\Program Files\Error Repair Professional\Backups (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
C:\Program Files\Error Repair Professional\startbug (Rogue.ErrorRepairProfessional) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
gmer log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-16 23:59:06
Windows 5.1.2600 Service Pack 3
Running: nmd9tk45.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kfgoraob.sys
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\tiumflt.sys entry point in "init" section [0xF798DD00]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9BA0360, 0x1DF4AD, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\gticard.sys entry point in "init" section [0xB9B43B20]
init C:\WINDOWS\system32\drivers\tiumfwl.sys entry point in "init" section [0xBA0214C0]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 16:41:15.13 on Tue 08/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1521 [GMT -7:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VueSoft\VueMinder\VueMinder.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.vending-la.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Trellian BHO Impl: {24180b00-2eb6-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Trellian &Toolbar: {71aaabe5-1f0f-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
TB: Alexa: {ea582743-9076-4178-9aa6-7393fdf4d5ce} - c:\program files\alexa toolbar\AlxTB2.9.39.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: Microsoft CommBand: {4d5c8c2a-d075-11d0-b416-00c04fb90376} - %SystemRoot%\system32\browseui.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe /q /c"
uRun: [VueMinder] "c:\program files\vuesoft\vueminder\VueMinder.exe" 1
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter with srx utility\lcu.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Alexa Web Search... - http://tbar.alexa.com/9.0.0.31/contextmenu/search.htm
IE: Get Alexa Data... - http://tbar.alexa.com/9.0.0.31/contextmenu/sitedata.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: See Related Links... - http://tbar.alexa.com/9.0.0.31/contextmenu/related.htm
IE: Write a Review... - http://tbar.alexa.com/9.0.0.31/contextmenu/review.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
============= SERVICES / DRIVERS ===============
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2010-3-17 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-15 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-15 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-15 243024]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-17 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-17 308136]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-3-17 220128]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-10-23 76160]
S2 gupdate1c9fc22e6a7840;Google Update Service (gupdate1c9fc22e6a7840);c:\program files\google\update\GoogleUpdate.exe [2009-7-3 133104]
=============== Created Last 30 ================
2010-08-17 06:31:48 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
2010-08-17 06:31:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 06:31:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-17 06:31:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 06:31:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 04:15:21 6236 ----a-w- c:\documents and settings\user\.recently-used.xbel
2010-08-08 23:22:10 0 d-----w- c:\docume~1\user\applic~1\FastStone
2010-08-08 23:21:21 0 d-----w- c:\program files\FastStone Capture
2010-08-08 00:47:26 0 d-----w- c:\program files\common files\Macrovision Shared
2010-08-08 00:46:59 0 d-----w- c:\program files\Rosetta Stone
2010-08-08 00:46:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Rosetta Stone
==================== Find3M ====================
2010-07-19 02:14:32 17130 ----a-w- c:\windows\system32\nvModes.dat
2010-07-17 15:41:22 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-17 15:41:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-17 15:40:33 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-05-17 04:20:16 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-05-17 04:20:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050420090511\index.dat
2009-05-17 04:20:16 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009051620090517\index.dat
============= FINISH: 16:41:50.24 ===============
THANK YOU IN ADVANCE FOR ANY HELP!
FRANK