WiredWX Hobby Weather Tools

Malwarebytes removal of System Guard

2 posters
Anyone have any luck getting Malwarebytes to run once System Guard starts locking up the PC? I did as much manual removal as I can, but the PC is now at the point where it pretty much slows to a stop on boot. Don't get the bogus System Center or System Guard scan windows anymore, but I can't seem to get the PC to run the removal tool.

Any help would be greatly appreciated!

Matt

Re: Malwarebytes removal of System Guard
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Malwarebytes removal of System Guard
Umm, I did mention I can't get anything to run/install, right?

Re: Malwarebytes removal of System Guard

Yes, but at least we tried. Let's do a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Malwarebytes removal of System Guard

Flashes briefly, then the system hangs again. I notice that Symantec Corp. Edition 10 keeps finding more Trojans whenever I try to run anything else, mostly "m.exe". It quarantines them, but I'm guessing this crap virus is trying to reinstall them?

I also can't download directly, as the manual methods for removal detailed in this forum apparently hosed my IE, so I've had to transfer from a thumb drive to the infected machine. So far, it won't let me finish the copy from the thumb drive to the infected machine to run it there. I have scanned the thumb drive each time I do a "transfer" and so far it comes up clean, but if I can't run it from the thumb drive and can't copy it to the infected machine, what options do I have left?

Re: Malwarebytes removal of System Guard

Let's try this. These aren't .exe files, so hopefully the malware won't notice, but I suspect it will; see if you can run them anyway.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Malwarebytes removal of System Guard
It (DDS) will let me save the attach.txt but will not allow me to cut and paste the DDS notepad display.

Re: Malwarebytes removal of System Guard

In fact, once it runs, the DDS notepad almost immediately goes into "Not Responding" mode.

Re: Malwarebytes removal of System Guard

Can you try booting to Safe Mode and trying DDS there? If DDS will run, then great. Remember to save the log file.

Also, see if The Avenger will run in Safe Mode.

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Re: Malwarebytes removal of System Guard
No to both, nor will it run Malwarebytes. Been there, tried that, same results

Re: Malwarebytes removal of System Guard

Let's give Dr.Web a try.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the Check icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable (the Move icon).
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Dr Web scan finished
administrator.exe;c:\documents and settings\administrator;Trojan.DownLoad.28430;Deleted.;
mousehook.dll;c:\documents and settings\administrator\local settings\temp;Trojan.Click.24603;Deleted.;
lwucese.dll;c:\windows;Probably Trojan.Packed.453;Incurable.Moved.;
userinit.exe;c:\windows\system32;Trojan.DownLoad.28002;Cured.;
00203187.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1596;Deleted.;
00599937.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1634;Deleted.;
00605265.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.1596;Deleted.;
12670921.FIL;C:\$VAULT$.AVG;Trojan.DownLoad.29330;Deleted.;
mousehook.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Click.24603;Deleted.;
rsyncini.exe;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.DownLoad.138;Deleted.;
pifccddur[1].txt;C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9VQKR0EO;Trojan.DownLoad.28017;Deleted.;
lsp[1].exe;C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DL4F1TVW;Trojan.DownLoad.28002;Incurable.Moved.;
04680004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
04680006.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0468000B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0468000D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0B600000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
0B640001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Spambot.4117;Incurable.Moved.;
0B640002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.HLLW.Siggen.56;Deleted.;
0B640004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Spambot.4117;Incurable.Moved.;
0C440000.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Virtumod.854;Deleted.;
0C440001.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Juan.78;Deleted.;
0C440002.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Trojan.Juan.78;Deleted.;
4DFE9D1B.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000;Win32.Virut.56;Incurable.Moved.;
4DFE9D1D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680001;Trojan.Fakealert.3952;Deleted.;
4DFEA2C6.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680009;Trojan.Fakealert.3952;Deleted.;
4BFE9128.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE9144.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE9146.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600001;Win32.Virut.56;Incurable.Moved.;
4BFE913F.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600002;Win32.Virut.56;Incurable.Moved.;
4BFE9146.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600003;Win32.Virut.56;Incurable.Moved.;
4BFE914C.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600004;Win32.Virut.56;Incurable.Moved.;
4BFE9152.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600005;Win32.Virut.56;Incurable.Moved.;
4BFE9158.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600006;Win32.Virut.56;Incurable.Moved.;
4BFE915D.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600007;Trojan.DownLoad.29917;Deleted.;
4BFE9163.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600008;Win32.Virut.56;Incurable.Moved.;
4BFE9169.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B600009;Win32.Virut.56;Incurable.Moved.;
A0013012.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP139;Trojan.DownLoad.29330;Deleted.;
A0013370.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP146;Trojan.Virtumod.1596;Deleted.;
A0014020.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP148;Trojan.Virtumod.1634;Deleted.;
A0014021.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP148;Trojan.Virtumod.1596;Deleted.;
A0015226.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP150;Trojan.Virtumod.854;Deleted.;
A0015417.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Virtumod.854;Deleted.;
A0015419.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0015429.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016262.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Adware.Bho.433;Incurable.Moved.;
A0016273.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016275.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Juan.78;Deleted.;
A0016333.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Packed.365;Deleted.;
A0016375.dll;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Virtumod.855;Deleted.;
A0017369.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017370.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017371.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017372.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017376.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017378.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017378.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28002;Incurable.Moved.;
A0017379.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017380.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017387.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0017388.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019420.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019421.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019422.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0019423.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Fakealert.3952;Deleted.;
A0019424.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
A0022438.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.Fakealert.3952;Deleted.;
A0035429.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28430;Deleted.;
A0035430.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Trojan.DownLoad.28002;Incurable.Moved.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Moved.;
belzv.dll;C:\WINDOWS\system32;Trojan.Proxy.3351;Deleted.;
ssqOEWpo.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod.855;Deleted.;
vumer.dll;C:\WINDOWS\system32;Adware.Bho.421;Incurable.Moved.;
userinit.exe;C:\WINDOWS\system32\dllcache;Trojan.DownLoad.28002;Incurable.Moved.;
uninstall.exe;F:\Program Files\nickarcade;Adware.Xbarre;Incurable.Moved.;
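The report above is Dr.Web CureIt's semicolon-separated format: file name; directory; detection name; action taken, with a trailing semicolon. As an added example that is not part of this thread and not Dr.Web's own tooling, the Python below parses such a report and pulls out what a helper reads it for: how many files were cured, deleted or moved to quarantine, which detection families were involved, and, most importantly, which hits sat in another product's quarantine or in System Restore snapshots (already contained) versus live in the Windows directory tree. The location classes, the family-name rule and the "virut_live" test are our own assumptions; the sample lines are copied from the report posted above.

```python
"""Summarise a Dr.Web CureIt report (the DrWeb.csv the helper asked for).

Each report line carries four semicolon-separated fields and a trailing
semicolon:  file name; directory; detection name; action taken.
"""
import re
from collections import Counter

# Sample input: a handful of lines copied from the report posted in this
# thread (not the complete report).
SAMPLE_REPORT = r"""
lwucese.dll;c:\windows;Probably Trojan.Packed.453;Incurable.Moved.;
userinit.exe;c:\windows\system32;Trojan.DownLoad.28002;Cured.;
04680004.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine;Win32.Virut.56;Incurable.Moved.;
A0017369.exe;C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP151;Win32.Virut.56;Cured.;
belzv.dll;C:\WINDOWS\system32;Trojan.Proxy.3351;Deleted.;
userinit.exe;C:\WINDOWS\system32\dllcache;Trojan.DownLoad.28002;Incurable.Moved.;
mousehook.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Click.24603;Deleted.;
"""

# Where a detection lives decides how much it matters (classification is ours):
#   contained     - inside another AV product's quarantine (Symantec, AVG $VAULT$)
#   restore_point - System Restore snapshot; comes back if a restore is run
#   temp          - user temp / browser cache; dropped payloads
#   system        - the Windows directory tree; live infection of the OS itself
_CONTAINED = re.compile(r"\\quarantine(\\|$)|\\\$vault\$", re.I)
_RESTORE = re.compile(r"\\system volume information\\_restore", re.I)
_TEMP = re.compile(r"\\local settings\\temp(orary internet files)?(\\|$)", re.I)
_SYSTEM = re.compile(r"^[a-z]:\\windows(\\|$)", re.I)


def parse_report(text):
    """Turn report lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected report line: {line!r}")
        name, directory, detection, action = fields
        records.append({
            "name": name,
            "directory": directory,
            "path": directory.rstrip("\\") + "\\" + name,
            "detection": detection,
            "action": action,
        })
    return records


def family(detection):
    """'Probably Trojan.Packed.453' -> 'Trojan.Packed' (variant number dropped)."""
    detection = detection.removeprefix("Probably ")
    parts = detection.split(".")
    if len(parts) > 1 and parts[-1].isdigit():
        parts = parts[:-1]
    return ".".join(parts)


def location_class(directory):
    if _CONTAINED.search(directory):
        return "contained"
    if _RESTORE.search(directory):
        return "restore_point"
    if _TEMP.search(directory):
        return "temp"
    if _SYSTEM.search(directory):
        return "system"
    return "other"


def summarize(records):
    dirs_per_name = {}
    for r in records:
        dirs_per_name.setdefault(r["name"].lower(), set()).add(r["directory"].lower())
    return {
        "by_action": Counter(r["action"] for r in records),
        "by_family": Counter(family(r["detection"]) for r in records),
        "by_location": Counter(location_class(r["directory"]) for r in records),
        # Files still in the OS tree when the scan ran: the real state of the machine.
        "live_system_files": [r["path"] for r in records
                              if location_class(r["directory"]) == "system"],
        # Same file name hit in several places (e.g. system32 and its dllcache copy).
        "repeated_names": sorted(n for n, d in dirs_per_name.items() if len(d) > 1),
        # A file infector seen only in another AV's quarantine or in restore points
        # is contained; a hit anywhere else means the machine has live Virut.
        "virut_live": any(family(r["detection"]) == "Win32.Virut"
                          and location_class(r["directory"]) not in ("contained", "restore_point")
                          for r in records),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample lines (and on the full report above) every Win32.Virut hit is inside Symantec's quarantine or a restore point, so virut_live comes out False; the cured executables in the RP151 snapshot still show that a file infector touched live system files at some point before they were backed up, which is why a summary like this narrows the question but cannot settle it on its own. The repeated_names entry for userinit.exe is worth a helper's attention because the dllcache copy is what Windows File Protection would use to "repair" the cured system32 file.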

Re: Malwarebytes removal of System Guard
Hello.
I hate to say this, but your machine is in a bad state, you may or may not have Virut.
See here, info about Virut:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

See if you can get DDS to run now, but if you read the link above, Virut cannot be fixed, so as of this point right now, your machine has a 50/50 chance of getting through this.

If DDS will run, post the log.

Re: Malwarebytes removal of System Guard
BTW,

Still can't get Avenger to run, flashes a message I can't see/read, then goes away. Still can't get SP3 to reload either, though it gets further now (I get all the way to the "I Agree" button before the window closes)

Re: Malwarebytes removal of System Guard

Got DDS to finish this time. Here's the log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 12:59:31.62 on Tue 02/24/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: c:\windows\system32\vcar3sdu3yaj3.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\vcar3sdu3yaj3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AIM] f:\program files\aim95\aim.exe -cnetwait.odl
uRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [systemguard] c:\program files\system guard 2009\systemguard.exe
mRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://coupons.smartsource.com/download/cscmv5X.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208847179875
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.34.13/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Filter: text/html - {7f7ed156-d6e6-419d-b6ff-089e5de7a891} -
Notify: AtiExtEvent - Ati2evxx.dll
Notify: feadeabecabe - c:\windows\system32\feadeabecabe.dll
Notify: jkkLDVpP - jkkLDVpP.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: tuilop.dll
SSODL: InternetConnection - {F25B3DC9-206F-494C-A7B4-CD2456517FEB} - c:\documents and settings\all users\application data\microsoft\network\dlls\mblltjwuvp.dll
SSODL: ieModule - {06AE1439-C4BF-4556-8F42-ECFB2F8A186E} - c:\documents and settings\all users\application data\microsoft\network\dlls\ieModule.dll
STS: c:\windows\system32\vcar3sdu3yaj3.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\vcar3sdu3yaj3.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkLDVpP.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqOEWpo

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-23 14:05 --d----- c:\documents and settings\administrator\DoctorWeb
2009-02-23 12:28 --d----- C:\9ade2a2f59a28c98afb767
2009-02-23 12:06 --d----- C:\c6b2265a2f8bc7c547d1c866f10bab
2009-02-20 11:01 --d----- C:\ff5b1b855e7cb4d65a398f319b7a6405
2009-02-20 10:07 --d-h--- c:\windows\system32\GroupPolicy
2009-02-20 08:08 --d----- C:\56b876dd32dfc4c8a341d9706a182e
2009-02-20 06:32 179 a------- C:\handle.dat
2009-02-19 15:33 30,208 a------- c:\windows\system32\UACneqhswuy.dll
2009-02-19 15:33 15,000 a------- c:\windows\system32\vcar3sdu3yaj3.dll
2009-02-19 15:33 56,320 a------- c:\windows\system32\drivers\UACavsbmasb.sys
2009-02-19 15:33 1 a------- c:\windows\system32\uniq.tll
2009-02-19 15:33 10 a------- c:\windows\system32\kr_done1
2009-02-19 15:33 72,704 a------- c:\windows\system32\wgjnoxny.dll
2009-02-19 13:23 0 a------- c:\windows\vpc32.INI
2009-02-19 13:18 123,488 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-19 13:18 91,856 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-19 13:17 --d----- c:\program files\Symantec
2009-02-19 13:17 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-19 13:17 --d----- c:\program files\Symantec AntiVirus
2009-02-16 10:22 1,589,401 ---sh--- c:\windows\system32\qbcuikfj.ini
2009-02-15 16:05 1,583,467 ---sh--- c:\windows\system32\qnmmxird.ini
2009-02-14 20:03 --d----- c:\program files\directx
2009-02-14 15:03 3,684 a--sh--- c:\windows\system32\opWEOqss.ini2
2009-02-14 15:03 3,684 a--sh--- c:\windows\system32\opWEOqss.ini
2009-02-13 17:01 --d----- c:\program files\LEGO Media
2009-02-04 09:49 --d-hr-- C:\$VAULT$.AVG
2009-01-31 18:42 --d----- c:\program files\Common

==================== Find3M ====================

2009-02-20 07:07 5,632 a------- c:\windows\system32\cisvc.exe
2009-02-20 07:07 224,768 a------- c:\windows\system32\dmadmin.exe
2009-02-20 07:07 6,144 a------- c:\windows\system32\msdtc.exe
2009-02-20 06:17 14,336 a------- c:\windows\system32\svchost.exe
2009-02-20 06:16 65,536 a------- c:\windows\system32\HPZinw12.exe
2009-02-20 06:16 24,576 -------- c:\windows\system32\userinit.exe
2009-02-20 06:14 13,312 a------- c:\windows\system32\lsass.exe
2009-02-20 06:14 108,032 a------- c:\windows\system32\services.exe
2009-02-20 06:14 502,272 a------- c:\windows\system32\winlogon.exe
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 12:59:48.39 ===============
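The Pseudo HJT section of a DDS log is what a helper reads first, and the log above contains most of the classic tells in one place. As an added example that is not part of this thread and not the DDS tool's own code, the Python below applies a few defender heuristics to such lines: an autorun launched from a temp directory, the same autorun registered in both the user and the machine Run key, Task Manager disabled by policy, a non-empty AppInit_DLLs value, an extra LSA authentication package beyond msv1_0, and BHOs that are orphaned or registered without a display name. The rules and severities are our own assumptions; the sample lines are copied from the log above and include one legitimate Notify entry that the rules leave alone.

```python
"""Triage the Pseudo HJT section of a DDS log for persistence and tampering.

The rules are our own heuristics for the entry kinds DDS prints; nothing
here comes from the DDS tool itself.
"""
import re
from collections import Counter

# Sample input: lines copied from the DDS log posted above (a subset; the
# NavLogon line is a Symantec component and must not be flagged).
SAMPLE_DDS = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [systemguard] c:\program files\system guard 2009\systemguard.exe
mRun: [jsg8jfgfdfhfhf] c:\docume~1\admini~1\locals~1\temp\winlognn.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
BHO: NoExplorer - No File
BHO: c:\windows\system32\vcar3sdu3yaj3.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\vcar3sdu3yaj3.dll
AppInit_DLLs: tuilop.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqOEWpo
Notify: NavLogon - c:\windows\system32\NavLogon.dll
"""

_RUN_ENTRY = re.compile(r"\[(.+?)\]\s*(.*)")
_TEMP_DIR = re.compile(r"\\temp\\|\\temporary internet files\\", re.I)


def triage(text):
    """Return (severity, rule, evidence) tuples for suspicious DDS lines."""
    findings = []
    run_entries = {}  # autorun name -> {hive letter: command}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        if key in ("uRun", "mRun"):
            m = _RUN_ENTRY.match(value)
            if not m:
                continue
            name, command = m.groups()
            run_entries.setdefault(name, {})[key[0]] = command
            # Legitimate software rarely starts from the user's temp folder.
            if _TEMP_DIR.search(command):
                findings.append(("high", "autorun-from-temp", line))
        elif key.endswith("Policies-system") and value.startswith("DisableTaskMgr = 1"):
            # Task Manager disabled by policy: rogue AV keeps the user from killing it.
            findings.append(("high", "taskmgr-disabled", line))
        elif key == "AppInit_DLLs" and value.strip():
            # Any AppInit DLL is loaded into every process that links user32.dll.
            findings.append(("high", "appinit-dll", line))
        elif key == "LSA" and value.startswith("Authentication Packages"):
            packages = value.split("=", 1)[1].split()
            extras = [p for p in packages if p.lower() != "msv1_0"]
            if extras:
                # Only msv1_0 is expected; an extra package runs inside lsass.exe.
                findings.append(("high", "lsa-auth-package", line))
        elif key == "BHO":
            if value.endswith("- No File"):
                findings.append(("low", "bho-orphan", line))
            else:
                display_name = value.split(": {", 1)[0]
                if display_name.lower().endswith(".dll"):
                    # No friendly name registered; DDS fell back to the DLL path.
                    findings.append(("medium", "bho-unnamed", line))
    # The same autorun name under both the user hive (uRun) and the machine
    # hive (mRun) is redundancy that legitimate installers rarely bother with.
    for name, hives in run_entries.items():
        if len(hives) > 1:
            findings.append(("medium", "autorun-duplicated", f"[{name}] in {sorted(hives)}"))
    return findings


def count_by_rule(findings):
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for severity, rule, evidence in triage(SAMPLE_DDS):
        print(f"{severity:6} {rule:20} {evidence}")
```

Run against the full log above the same rules would also pick up the Notify entries with random names and the SSODL DLLs under the "microsoft\network\dlls" path, but those need a reviewer's judgement rather than a string rule, which is exactly why the helpers on this forum ask for the whole log rather than a summary.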
