Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search Protection.exe


  • This topic is locked This topic is locked
17 replies to this topic

#1 avjunkie

avjunkie

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 08 March 2009 - 12:03 AM

I can't seem to find out if this is really a problem or not. I would appreciate any help with this or anything else that looks out of place. My computer seems ok most of the time, but I have been getting a lot more freeze ups while browsing and sometimes when I search I get redirected to ad sites. I have had Stop Errors and blue screens a couple of times lately too. Here is my log file. Thanks in advance for your assistance.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Kevin at 23:49:59.68 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2657 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\TurboHddUsb\TurboHddUsb.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Pando] "c:\program files\pando networks\pando\Pando.exe" /Minimized
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TurboHddUsb] c:\program files\turbohddusb\TurboHddUsb.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196407357375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-22 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-18 27656]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-9-3 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-10-22 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-10-22 151297]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-1 298264]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-10-28 598856]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-22 52032]
R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-9-3 17792]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-03-07 23:48 <DIR> --d----- C:\SDFix
2009-03-07 23:32 <DIR> --d----- c:\program files\Trend Micro
2009-03-04 17:24 <DIR> --d----- C:\HT PDFs
2009-02-10 16:35 <DIR> --d----- c:\docume~1\kevin\applic~1\AJ SQUARE INC
2009-02-10 16:35 4,096 a------- c:\windows\d3dx.dat
2009-02-09 19:09 <DIR> --d----- c:\documents and settings\kevin\uspy

==================== Find3M ====================

2009-02-01 23:07 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-01 23:07 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 20:05 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 00:45 92,064 a------- c:\documents and settings\kevin\mqdmmdm.sys
2008-12-07 00:45 79,328 a------- c:\documents and settings\kevin\mqdmserd.sys
2008-12-07 00:45 66,656 a------- c:\documents and settings\kevin\mqdmbus.sys
2008-12-07 00:45 25,600 a------- c:\documents and settings\kevin\usbsermptxp.sys
2008-12-07 00:45 22,768 a------- c:\documents and settings\kevin\usbsermpt.sys
2008-12-07 00:45 9,232 a------- c:\documents and settings\kevin\mqdmmdfl.sys
2008-12-07 00:45 6,208 a------- c:\documents and settings\kevin\mqdmcmnt.sys
2008-12-07 00:45 5,936 a------- c:\documents and settings\kevin\mqdmwhnt.sys
2008-12-07 00:45 4,048 a------- c:\documents and settings\kevin\mqdmcr.sys
2008-09-30 09:20 60,968 a------- c:\documents and settings\kevin\GoToAssistDownloadHelper.exe
2008-06-09 19:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 23:50:15.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:02:15 AM

Posted 20 March 2009 - 04:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 22 March 2009 - 08:00 PM

I can't seem to find out if searchprotection.exe is really a problem or not. I would appreciate any help with this or anything else that looks out of place. My computer seems ok most of the time, but I have been getting a lot more freeze ups while browsing and sometimes when I search I get redirected to ad sites. I have had Stop Errors and blue screens a couple of times lately too. Here is my most current log file. Thanks in advance for your assistance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Kevin at 20:55:42.09 on Sun 03/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2587 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\TurboHddUsb\TurboHddUsb.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Pando Networks\Pando\Pando.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Kevin\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Pando] "c:\program files\pando networks\pando\Pando.exe" /Minimized
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [dscactivate] c:\dell\dsca.exe 3
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TurboHddUsb] c:\program files\turbohddusb\TurboHddUsb.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196407357375
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-22 11840]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-22 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-18 27656]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2008-9-3 7040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-10-22 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-10-22 151297]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-2 298264]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2008-10-28 598856]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-22 52032]
R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2008-9-3 17792]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-03-08 00:48 <DIR> --d----- C:\SDFix
2009-03-08 00:32 <DIR> --d----- c:\program files\Trend Micro
2009-03-04 18:24 <DIR> --d----- C:\HT PDFs

==================== Find3M ====================

2009-03-10 08:40 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-10 17:35 4,096 a------- c:\windows\d3dx.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-02 00:07 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-02 00:07 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-07 01:45 92,064 a------- c:\documents and settings\kevin\mqdmmdm.sys
2008-12-07 01:45 79,328 a------- c:\documents and settings\kevin\mqdmserd.sys
2008-12-07 01:45 66,656 a------- c:\documents and settings\kevin\mqdmbus.sys
2008-12-07 01:45 25,600 a------- c:\documents and settings\kevin\usbsermptxp.sys
2008-12-07 01:45 22,768 a------- c:\documents and settings\kevin\usbsermpt.sys
2008-12-07 01:45 9,232 a------- c:\documents and settings\kevin\mqdmmdfl.sys
2008-12-07 01:45 6,208 a------- c:\documents and settings\kevin\mqdmcmnt.sys
2008-12-07 01:45 5,936 a------- c:\documents and settings\kevin\mqdmwhnt.sys
2008-12-07 01:45 4,048 a------- c:\documents and settings\kevin\mqdmcr.sys
2008-09-30 10:20 60,968 a------- c:\documents and settings\kevin\GoToAssistDownloadHelper.exe
2008-06-09 20:36 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060920080610\index.dat

============= FINISH: 20:56:06.31 ===============

Attached Files



#4 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 11:15 AM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Also I need you to go to the administration tools in XP. They are in the Control Panel. Open the Admin tools, then open the event viewer. Over on the left hand side and click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Over on the left hand side and click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click save. Zip them both up into a single zip file, post them back here in your next reply as attachments.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 12:01 PM

Thank you for your help. I have included the log from Malwarebytes, but for some reason I can not zip the system log or application log. I have WinRar, but it keeps telling me there are no files to archive. I ran HiJack This and Combo Fix a couple of weeks ago, but I did not select anything from those scans to remove. It looked over my head, so I posted on this forum to see if someone who knows about it can help me.

Malwarebytes' Anti-Malware 1.34
Database version: 1888
Windows 5.1.2600 Service Pack 3

3/23/2009 12:39:14 PM
mbam-log-2009-03-23 (12-39-14).txt

Scan type: Quick Scan
Objects scanned: 79699
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 06:23 PM

Can you go to c:\qoobox and open the log file (a text file) and paste the contents here. And just for future reference, combofix should never be run without the guidance of someone trained in using it. You can really hose your system.

As for the two log files, I have sent you a private message with instructions on what to do with them.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#7 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 06:43 PM

There are 4 .txt files in c:\qoobox. They are Add-Remove Programs.txt, ComboFix2.txt, ComboFix3.txt, and ComboFix-quarantined-files.txt. Do you need them all?

#8 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 07:33 PM

These two ComboFix2.txt, ComboFix3.txt
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 08:03 PM

ComboFix 08-10-22.02 - Kevin 2008-10-22 22:58:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2531 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-10-22 20:58 . 2008-10-22 20:58 <DIR> d-------- C:\Program Files\Avira
2008-10-22 20:58 . 2008-10-22 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-20 21:54 . 2008-10-20 21:54 <DIR> d-------- C:\Program Files\MSECache
2008-10-17 07:03 . 2008-10-17 07:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-17 07:03 . 2008-10-19 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 16:19 . 2008-10-16 16:19 <DIR> d-------- C:\Program Files\gnzwuze
2008-10-16 16:19 . 2008-10-21 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vghunqry
2008-10-15 20:12 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 20:12 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 20:12 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 20:12 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 20:12 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 20:12 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 22:13 . 2008-10-14 22:13 262,144 --a------ C:\ntuser.dat
2008-10-12 22:39 . 2008-10-12 22:40 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\vlc
2008-10-12 22:38 . 2008-10-12 22:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-30 15:49 . 2008-09-30 15:49 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-30 15:49 . 2008-09-30 15:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-09-30 15:45 . 2008-09-30 15:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-30 15:45 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-30 15:45 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-09-30 15:44 . 2008-09-30 15:44 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-09-30 15:41 . 2008-09-30 15:42 <DIR> d-------- C:\Program Files\Avanquest update
2008-09-30 15:41 . 2008-04-13 14:45 26,112 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-09-30 15:41 . 2008-04-13 14:45 26,112 --a------ C:\WINDOWS\system32\dllcache\usbser.sys
2008-09-30 15:40 . 2008-09-30 15:45 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-09-30 15:40 . 2008-09-30 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-30 15:40 . 2008-09-30 15:40 92,064 --a------ C:\Documents and Settings\Kevin\mqdmmdm.sys
2008-09-30 15:40 . 2008-09-30 15:40 79,328 --a------ C:\Documents and Settings\Kevin\mqdmserd.sys
2008-09-30 15:40 . 2008-09-30 15:40 66,656 --a------ C:\Documents and Settings\Kevin\mqdmbus.sys
2008-09-30 15:40 . 2008-09-30 15:40 25,600 --a------ C:\Documents and Settings\Kevin\usbsermptxp.sys
2008-09-30 15:40 . 2008-09-30 15:40 22,768 --a------ C:\Documents and Settings\Kevin\usbsermpt.sys
2008-09-30 15:40 . 2008-09-30 15:40 9,232 --a------ C:\Documents and Settings\Kevin\mqdmmdfl.sys
2008-09-30 15:40 . 2008-09-30 15:40 6,208 --a------ C:\Documents and Settings\Kevin\mqdmcmnt.sys
2008-09-30 15:40 . 2008-09-30 15:40 5,936 --a------ C:\Documents and Settings\Kevin\mqdmwhnt.sys
2008-09-30 15:40 . 2008-09-30 15:40 4,048 --a------ C:\Documents and Settings\Kevin\mqdmcr.sys
2008-09-30 10:20 . 2008-09-30 10:20 60,968 --a------ C:\Documents and Settings\Kevin\GoToAssistDownloadHelper.exe
2008-09-29 21:45 . 2008-10-15 17:14 <DIR> d-------- C:\Program Files\Swarm Gold

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 23:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-22 18:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 13:04 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
2008-10-17 01:55 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-10-16 20:18 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-16 20:18 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-15 13:09 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Yahoo!
2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-02 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-09-30 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Tunebite
2008-09-20 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-09-20 01:07 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-09-20 01:06 --------- d-----w C:\Program Files\RapidSolution
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 19:28 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Flood Light Games
2008-09-14 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-09-09 23:53 --------- d-----w C:\Program Files\Hide and Secret 2 - Cliffhanger Castle
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 03:30 241,704 ------w C:\WINDOWS\system32\dllcache\wgaLogon.dll
2008-09-06 03:29 917,032 ------w C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-09-05 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-09-05 22:36 --------- d-----w C:\Program Files\Safari Island Deluxe
2008-09-05 22:06 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Ludia
2008-09-05 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-09-05 22:05 --------- d-----w C:\Program Files\The Price Is Right
2008-09-05 16:37 --------- d-----w C:\Documents and Settings\Kevin\Application Data\ForgottenRiddles
2008-09-04 17:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-09-04 16:46 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Ahead
2008-09-04 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-09-04 16:00 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-04 15:59 --------- d-----w C:\Program Files\Nero
2008-09-04 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-04 02:43 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Roxio
2008-09-04 02:21 --------- d-----w C:\Program Files\DVD Shrink
2008-09-04 02:03 7,040 ----a-w C:\WINDOWS\system32\drivers\FNETURPX.SYS
2008-09-04 02:03 17,792 ----a-w C:\WINDOWS\system32\drivers\FNETTBOH.SYS
2008-09-04 02:03 --------- d-----w C:\Program Files\TurboHddUsb
2008-09-04 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FNET
2008-09-03 14:05 --------- d-----w C:\Program Files\Ice Cream Dee Lites
2008-09-03 13:59 --------- d-----w C:\Program Files\eGames
2008-09-02 16:41 --------- d-----w C:\Program Files\LeeGTs Games
2008-09-01 14:39 --------- d-----w C:\Documents and Settings\Kevin\Application Data\iWin
2008-09-01 03:18 --------- d-----w C:\Program Files\Pirateville
2008-08-31 20:44 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Legends of pirates
2008-08-31 01:34 --------- d-----w C:\Program Files\Forgotten Riddles - The Mayan Princess
2008-08-29 23:26 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-27 08:24 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-06-10 00:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-16 16:18 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-10-16 16:18 295424 63999d0abd8dabfd76a9c07f6e104868 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-07-25 6591816]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-27 8429568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2006-10-03 221184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
"TurboHddUsb"="C:\Program Files\TurboHddUsb\TurboHddUsb.exe" [2008-09-03 3327488]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-16 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MntWin"= {6280B887-A416-F4C4-5581-0BA044BAC6EA} - C:\Program Files\gnzwuze\MntWin.dll [2008-10-16 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-16 21:55 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"57885:TCP"= 57885:TCP:Pando P2P TCP Listening Port
"57885:UDP"= 57885:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 FNETURPX;FNETURPX;C:\WINDOWS\system32\drivers\FNETURPX.SYS [2008-09-03 7040]
R3 FNETTBOH;FNETTBOH;C:\WINDOWS\system32\drivers\FNETTBOH.SYS [2008-09-03 17792]
S2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
\Shell\AutoRun\command - X:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6a675f8-790d-11dd-a2e9-001aa09fb8d6}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\opw5ts4p.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 22:58:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-22 22:59:45
ComboFix-quarantined-files.txt 2008-10-23 02:59:41
ComboFix2.txt 2008-10-23 02:52:08

Pre-Run: 95,662,518,272 bytes free
Post-Run: 95,647,424,512 bytes free

209 --- E O F --- 2008-10-22 03:21:53



ComboFix 08-10-22.02 - Kevin 2008-10-22 22:44:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2529 [GMT -4:00]
Running from: C:\Documents and Settings\Kevin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kevin\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2008-09-23 to 2008-10-23 )))))))))))))))))))))))))))))))
.

2008-10-22 20:58 . 2008-10-22 20:58 <DIR> d-------- C:\Program Files\Avira
2008-10-22 20:58 . 2008-10-22 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-10-20 21:54 . 2008-10-20 21:54 <DIR> d-------- C:\Program Files\MSECache
2008-10-17 07:03 . 2008-10-17 07:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-17 07:03 . 2008-10-19 23:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-16 16:19 . 2008-10-16 16:19 <DIR> d-------- C:\Program Files\gnzwuze
2008-10-16 16:19 . 2008-10-21 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vghunqry
2008-10-15 20:12 . 2008-08-14 06:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 20:12 . 2008-08-14 06:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 20:12 . 2008-08-14 05:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 20:12 . 2008-08-14 05:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-15 20:12 . 2008-09-15 08:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 20:12 . 2008-09-08 06:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-14 22:13 . 2008-10-14 22:13 262,144 --a------ C:\ntuser.dat
2008-10-12 22:39 . 2008-10-12 22:40 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\vlc
2008-10-12 22:38 . 2008-10-12 22:38 <DIR> d-------- C:\Program Files\VideoLAN
2008-09-30 15:49 . 2008-09-30 15:49 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-30 15:49 . 2008-09-30 15:49 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-09-30 15:45 . 2008-09-30 15:45 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-30 15:45 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-30 15:45 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-09-30 15:44 . 2008-09-30 15:44 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-09-30 15:41 . 2008-09-30 15:42 <DIR> d-------- C:\Program Files\Avanquest update
2008-09-30 15:41 . 2008-04-13 14:45 26,112 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2008-09-30 15:41 . 2008-04-13 14:45 26,112 --a------ C:\WINDOWS\system32\dllcache\usbser.sys
2008-09-30 15:40 . 2008-09-30 15:45 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-09-30 15:40 . 2008-09-30 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-09-30 15:40 . 2008-09-30 15:40 92,064 --a------ C:\Documents and Settings\Kevin\mqdmmdm.sys
2008-09-30 15:40 . 2008-09-30 15:40 79,328 --a------ C:\Documents and Settings\Kevin\mqdmserd.sys
2008-09-30 15:40 . 2008-09-30 15:40 66,656 --a------ C:\Documents and Settings\Kevin\mqdmbus.sys
2008-09-30 15:40 . 2008-09-30 15:40 25,600 --a------ C:\Documents and Settings\Kevin\usbsermptxp.sys
2008-09-30 15:40 . 2008-09-30 15:40 22,768 --a------ C:\Documents and Settings\Kevin\usbsermpt.sys
2008-09-30 15:40 . 2008-09-30 15:40 9,232 --a------ C:\Documents and Settings\Kevin\mqdmmdfl.sys
2008-09-30 15:40 . 2008-09-30 15:40 6,208 --a------ C:\Documents and Settings\Kevin\mqdmcmnt.sys
2008-09-30 15:40 . 2008-09-30 15:40 5,936 --a------ C:\Documents and Settings\Kevin\mqdmwhnt.sys
2008-09-30 15:40 . 2008-09-30 15:40 4,048 --a------ C:\Documents and Settings\Kevin\mqdmcr.sys
2008-09-30 10:20 . 2008-09-30 10:20 60,968 --a------ C:\Documents and Settings\Kevin\GoToAssistDownloadHelper.exe
2008-09-29 21:45 . 2008-10-15 17:14 <DIR> d-------- C:\Program Files\Swarm Gold

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 23:39 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-22 18:48 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-21 13:04 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
2008-10-17 01:55 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-10-16 20:18 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-16 20:18 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-15 13:09 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Yahoo!
2008-10-03 17:41 6,066,176 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2008-10-02 17:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PCPitstop
2008-09-30 19:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-20 15:08 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Tunebite
2008-09-20 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\RapidSolution
2008-09-20 01:07 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-09-20 01:06 --------- d-----w C:\Program Files\RapidSolution
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-14 19:28 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Flood Light Games
2008-09-14 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Flood Light Games
2008-09-09 23:53 --------- d-----w C:\Program Files\Hide and Secret 2 - Cliffhanger Castle
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 03:30 241,704 ------w C:\WINDOWS\system32\dllcache\wgaLogon.dll
2008-09-06 03:29 917,032 ------w C:\WINDOWS\system32\dllcache\WgaTray.exe
2008-09-05 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-09-05 22:36 --------- d-----w C:\Program Files\Safari Island Deluxe
2008-09-05 22:06 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Ludia
2008-09-05 22:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ludia
2008-09-05 22:05 --------- d-----w C:\Program Files\The Price Is Right
2008-09-05 16:37 --------- d-----w C:\Documents and Settings\Kevin\Application Data\ForgottenRiddles
2008-09-04 17:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead
2008-09-04 16:46 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Ahead
2008-09-04 16:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-09-04 16:00 --------- d-----w C:\Program Files\Common Files\Ahead
2008-09-04 15:59 --------- d-----w C:\Program Files\Nero
2008-09-04 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-04 02:43 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Roxio
2008-09-04 02:21 --------- d-----w C:\Program Files\DVD Shrink
2008-09-04 02:03 7,040 ----a-w C:\WINDOWS\system32\drivers\FNETURPX.SYS
2008-09-04 02:03 17,792 ----a-w C:\WINDOWS\system32\drivers\FNETTBOH.SYS
2008-09-04 02:03 --------- d-----w C:\Program Files\TurboHddUsb
2008-09-04 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\FNET
2008-09-03 14:05 --------- d-----w C:\Program Files\Ice Cream Dee Lites
2008-09-03 13:59 --------- d-----w C:\Program Files\eGames
2008-09-02 16:41 --------- d-----w C:\Program Files\LeeGTs Games
2008-09-01 14:39 --------- d-----w C:\Documents and Settings\Kevin\Application Data\iWin
2008-09-01 03:18 --------- d-----w C:\Program Files\Pirateville
2008-08-31 20:44 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Legends of pirates
2008-08-31 01:34 --------- d-----w C:\Program Files\Forgotten Riddles - The Mayan Princess
2008-08-29 23:26 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-27 08:24 3,593,216 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-25 08:38 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-08-25 08:37 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-08-23 05:56 635,848 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-08-23 05:54 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 16:46 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-06-10 00:36 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060920080610\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2008-04-13 20:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-10-16 16:18 507904 3969440ba384d35317dbbdeeaae641ce C:\WINDOWS\system32\winlogon.exe

2004-08-04 06:00 295424 b60c877d16d9c880b952fda04adf16e6 C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll
2008-04-13 20:12 295424 ff3477c03be7201c294c35f684b3479f C:\WINDOWS\ServicePackFiles\i386\termsrv.dll
2008-10-16 16:18 295424 63999d0abd8dabfd76a9c07f6e104868 C:\WINDOWS\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"Pando"="C:\Program Files\Pando Networks\Pando\Pando.exe" [2008-07-25 6591816]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"Search Protection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-05-27 8429568]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"Lexmark 1200 Series"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2006-10-03 221184]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 385024]
"TurboHddUsb"="C:\Program Files\TurboHddUsb\TurboHddUsb.exe" [2008-09-03 3327488]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-16 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MntWin"= {6280B887-A416-F4C4-5581-0BA044BAC6EA} - C:\Program Files\gnzwuze\MntWin.dll [2008-10-16 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-10-16 21:55 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\Pando Networks\\Pando\\pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"57885:TCP"= 57885:TCP:Pando P2P TCP Listening Port
"57885:UDP"= 57885:UDP:Pando P2P UDP Listening Port

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 FNETURPX;FNETURPX;C:\WINDOWS\system32\drivers\FNETURPX.SYS [2008-09-03 7040]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R3 FNETTBOH;FNETTBOH;C:\WINDOWS\system32\drivers\FNETTBOH.SYS [2008-09-03 17792]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\X]
\Shell\AutoRun\command - X:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6a675f8-790d-11dd-a2e9-001aa09fb8d6}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-webact - C:\WINDOWS\system32\hsdebwto.exe
ShellExecuteHooks-{5BACC17E-BDF7-405B-BC68-ECB506395118} - (no file)
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\opw5ts4p.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 22:47:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-10-22 22:52:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-23 02:52:02

Pre-Run: 95,067,357,184 bytes free
Post-Run: 95,682,617,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

245 --- E O F --- 2008-10-22 03:21:53

#10 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 08:41 PM

DO you remember what the stop codes from the BSOD's have been? How often do you get them?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#11 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 08:48 PM

No, unfortunately I did not write them down. That doesn't happen too often, maybe twice a month.

#12 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 09:06 PM

So your biggest problem is with the freezing up of the browser?

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.

In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Test out your browser and see if it still freezes. Also if you get a BSOD, write down the stop code and the program file name.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#13 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 09:38 PM

Thank you. I will keep a close watch on it. Just out of curiosity, I posted this originally to find out if search protection.exe is malware or spyware. Have you heard of this before? Is it a problem? I appreciate your time.

#14 Hoov

Hoov

  • Malware Response Team
  • 3,496 posts
  • ONLINE
  •  
  • Location:Mikado Michigan
  • Local time:02:15 AM

Posted 23 March 2009 - 09:49 PM

That is hard to say. The title that you put down, and the file you keep using is Search Protection.exe with a space between the two words. The best that I can find out about that is yes it is a virus.

But in looking through your log I believe you are asking about SearchProtection.exe with no space. In which case it is a Legitimate program that appears to be the yahoo equivalent of the search protection that AVG provides. Except if I read it right, the yahoo version works only on its search engine, whereas the AVG one works with the most popular search engines.

Does that answer your question? :thumbup2:
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#15 avjunkie

avjunkie
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:01:15 AM

Posted 23 March 2009 - 09:54 PM

Yes it does. Thank you for your help. Do I need to do any final scans or submit a new log file?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users