
Do I have a virus?


This topic is locked
23 replies to this topic

#1 StevePRGM

Posted 06 January 2013 - 05:29 PM

Problem:
My internet doesn't work correctly.
Browsing http://www.google.com (only when using IE) returns the following:
设中


The site you are trying to view currently does not have a default page. It may be in the process of being upgraded and configured.

Please try this site again later. If you still experience the problem, contact the Web site's administrator.


--------------------------------------------------------------------------------

If you are the Web site administrator and feel you have received this message in error, please see "Enabling and Disabling Dynamic Content" in IIS Help.

To access IIS Help
Click Start, and then click Run.
In the Open text box, type inetmgr. IIS Manager appears.
From the Help menu, click Help Topics.
Click Internet Information Services.

Browsing https://www.minecraft.net gives an un-secure (incorrect) website (IE or Firefox).
Logging into the game Minecraft fails.
Logging into the AIM network fails.
*Note: Using the numeric IP address fixes the Google problem for IE, but the minecraft.net problem remains.

My system:
Windows XP Professional Version 2002 service pack 3
Firefox 13.0.1 (updating now...)
IE 8.0.6001.18702

=============================
=== what I've done so far ===
=============================
windows firewall off --> on
using @Leurgy's advice (#BleepingComputer)

Used DDS.com; results follow (dds.txt):

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.10.2
Run by Mike at 20:45:54 on 2003-01-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.375 [GMT -6:00]
.
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\AutoHotkeyL ANSI\AutoHotkey.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\IB Updater\ExtensionUpdaterService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware2\mbamscheduler.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Input Director\IDWinService.exe
C:\Program Files\Input Director\InputDirectorSessionHelper.exe
C:\Program Files\Input Director\InputDirector.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Mike\Desktop\ssftw\ssft.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IE to GetRight Helper: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - c:\program files\getright\xx2gr.dll
BHO: IB Updater: {336D0C35-8A85-403a-B9D2-65C292C39087} - c:\program files\ib updater\Extension32.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] -c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] -"c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Steam] -"c:\program files\steam\Steam.exe" -silent
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [InputDirector] "c:\program files\input director\InputDirector.exe" /hide
mRun: [RTHDCPL] -RTHDCPL.EXE
mRun: [Alcmtr] -ALCMTR.EXE
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [ZoneAlarm Installer] -"c:\program files\checkpoint\install\launcher.exe" "c:\program files\checkpoint\install\install.exe" /r download /c "c:\program files\checkpoint\install\Install.xml" /l /w
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] -"c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\aim.lnk - c:\program files\aim\aim.exe
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\autoho~1.lnk - c:\programming\ahkstuff\AutoHotkey.ahk
StartupFolder: c:\docume~1\mike\startm~1\programs\startup\mousew~1.lnk - c:\documents and settings\mike\application data\microsoft\installer\{d3bc954f-d661-474c-b367-30eb6e56542e}\MyProjectShortcutIcon.exe
StartupFolder: c:\documents and settings\mike\start menu\programs\startup\set.bat
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: DisableCAD = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306626457765
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_38-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34} : NameServer = 208.67.220.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
Hosts: 192.168.1.151 rail00
Hosts: 54.243.82.236 minecraft.net
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyYhpjol4&&i=26&search=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - ExtSQL: 2010-01-17 07:54; [email protected]; c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-05-30 11:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - ExtSQL: 2011-06-01 22:34; [email protected]; c:\program files\fiddler2\FiddlerHook
FF - ExtSQL: 2011-09-24 14:31; [email protected]; c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-09-24 14:53; {921880f2-a39f-4a30-89e5-c0189b09ebab}; c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\extensions\{921880f2-a39f-4a30-89e5-c0189b09ebab}.xpi
FF - ExtSQL: 2011-09-24 14:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\ib updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\mike\application data\mozilla\firefox\profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2012-12-25 17:04; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 8c02dc52000000000000001921f78e7e
FF - user.js: extensions.incredibar_i.instlDay - 15699
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1411:40:50
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyYhpjol4
FF - user.js: extensions.incredibar_i.upn2n - 92262683415860562
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 119
.
============= SERVICES / DRIVERS ===============
.
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-6-9 532224]
R2 IB Updater;IB Updater;c:\program files\ib updater\ExtensionUpdaterService.exe [2012-12-25 188760]
R2 InputDirector;Input Director Service;c:\program files\input director\IDWinService.exe [2010-2-1 36864]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware2\mbamscheduler.exe [2012-12-25 399432]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-10-22 70704]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-27 22856]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [2011-6-6 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [2011-5-5 58368]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-12-16 157776]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2011-8-23 52312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware2\mbamservice.exe [2011-9-27 676936]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [2012-1-25 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2009-10-22 563760]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-01-02 00:31:34 -------- d-----w- c:\program files\Artemis
2013-01-02 00:29:06 -------- d-----w- c:\program files\Sandboxie
2012-12-26 01:36:00 -------- d-----w- c:\documents and settings\mike\application data\TunkDesign
2012-12-26 01:34:13 -------- d-----w- c:\documents and settings\mike\application data\Copy of .minecraft
2012-12-25 23:04:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-25 20:43:57 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-25 18:59:27 -------- dc-h--w- c:\windows\ie8
2012-12-25 18:01:06 -------- d-----w- c:\documents and settings\mike\local settings\application data\Java
2012-12-25 18:00:38 -------- d-----w- c:\documents and settings\mike\local settings\application data\Sun
2012-12-25 17:40:43 -------- d-----w- c:\documents and settings\mike\local settings\application data\Google
2012-12-25 17:40:33 -------- d-----w- c:\windows\system32\WNLT
2012-12-25 17:40:28 -------- d-----w- c:\program files\IB Updater
2012-12-25 17:31:22 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-12-05 20:19:49 -------- d-----r- C:\Sandbox
2012-07-15 16:18:28 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-07-15 16:18:24 4220896 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-07-15 16:18:23 192728 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-07-15 16:18:23 124896 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-07-15 16:18:23 115168 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-07-15 16:18:22 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-07-15 16:18:22 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-07-06 18:43:19 201293 ----a-w- C:\ubnldr.exe
2012-07-06 18:39:03 -------- d-----w- C:\preseed
2012-07-06 18:39:03 -------- d-----w- C:\isolinux
2012-07-06 18:39:03 -------- d-----w- C:\casper
2012-07-06 18:39:03 -------- d-----w- C:\.disk
2012-07-06 18:39:02 -------- d-----w- C:\unetbtin
2012-07-04 10:31:14 -------- d-----w- c:\program files\MouseWithoutBorders
2012-06-28 20:21:26 -------- d-sh--w- c:\documents and settings\mike\IECompatCache
2012-06-15 15:23:04 -------- d-----w- c:\documents and settings\all users\Temp
2012-06-10 15:32:29 -------- d-----w- c:\program files\CheckPoint
2012-06-10 15:32:24 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-06-06 10:17:19 -------- d-----w- c:\documents and settings\mike\application data\UDP Software
2012-06-04 19:14:07 -------- d-----w- c:\program files\DF LazyNewbPack [0.34.07] [V12]
2012-05-28 10:08:31 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-02 16:20:45 -------- d-----w- c:\program files\MozyHome
2012-04-01 16:17:04 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-02-25 22:32:18 -------- d-----w- c:\program files\Unlocker
2012-02-18 20:38:39 -------- d-----w- c:\program files\IrfanView
2012-02-08 21:17:49 -------- d-----w- c:\program files\Wise PC Doctor
2012-02-07 05:37:02 -------- d-----w- c:\documents and settings\mike\local settings\application data\Deployment
2012-02-07 05:30:53 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-07 05:26:34 -------- d-----w- c:\program files\MSOffice2007
2012-02-07 03:47:30 -------- d-----w- c:\documents and settings\mike\local settings\application data\CrashRpt
2012-02-07 03:46:48 -------- d-----w- C:\KAG
2012-02-05 16:52:35 -------- d-----w- c:\documents and settings\mike\batclient
2012-01-25 23:51:00 87616 ----a-w- c:\windows\PSSDNSVC.EXE
2012-01-25 23:47:57 -------- d-----w- C:\PsTools
2012-01-25 20:48:25 -------- d-----w- C:\Borland
2012-01-03 13:10:44 182672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-01-03 13:10:44 182672 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-12-17 21:09:08 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2011-12-17 19:30:09 -------- d-----w- c:\documents and settings\mike\local settings\application data\Fallout3
2011-12-17 18:12:12 -------- d-----w- c:\windows\system32\xlive
2011-12-15 01:35:54 -------- d-----w- c:\program files\Speccy
2011-12-09 05:02:54 -------- d-----w- C:\_ Tools
2011-12-01 21:04:48 -------- d-----w- C:\Games
2011-11-26 23:29:46 4754944 ----a-w- C:\unetbtin.exe
2011-11-23 04:24:05 -------- d-----w- c:\documents and settings\mike\application data\Individual Software
2011-10-02 20:30:04 -------- d-----w- c:\program files\RPGToolkit3
2011-09-30 17:33:17 -------- d-----w- c:\documents and settings\mike\application data\InfraRecorder
2011-09-30 17:32:24 -------- d-----w- c:\program files\InfraRecorder
2011-09-29 00:00:55 -------- d-----w- c:\program files\War2Combat2
2011-09-28 23:54:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-09-28 23:48:27 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-09-28 23:48:27 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-09-28 23:47:22 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-09-28 23:45:42 15453832 ----a-w- c:\windows\system32\xlive.dll
2011-09-28 23:45:42 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2011-09-28 04:37:18 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-28 04:37:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2
2011-09-26 19:11:45 -------- d-----w- c:\program files\RAMDisk
2011-09-26 00:31:50 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2011-09-25 22:51:45 0 ----a-w- c:\documents and settings\mike\pipes.exe
2011-09-24 18:18:23 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-09-24 18:18:23 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-09-24 18:18:23 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-09-23 03:55:45 -------- d-----w- c:\documents and settings\mike\application data\Unity
2011-09-23 03:52:13 -------- d-----w- c:\documents and settings\mike\local settings\application data\Unity
2011-09-22 19:09:03 -------- d-----w- c:\documents and settings\mike\application data\XnView
2011-09-21 16:14:18 -------- d-----w- C:\mysql
2011-09-21 05:04:41 -------- d-----w- c:\program files\common files\Blizzard Entertainment
2011-09-13 19:03:51 -------- d-----w- c:\documents and settings\all users\application data\GetRight
2011-09-13 19:02:17 -------- d-----w- c:\documents and settings\mike\application data\GetRight
2011-09-13 19:02:10 -------- d-----w- c:\program files\GetRight
2011-09-13 18:15:16 59952 ----a-r- c:\windows\system32\vnetinst.dll
2011-09-13 18:15:16 16560 ----a-r- c:\windows\system32\drivers\vmnetadapter.sys
2011-09-13 18:15:10 334384 ----a-w- c:\windows\system32\vmnetdhcp.exe
2011-09-13 18:15:07 395824 ----a-w- c:\windows\system32\vmnat.exe
2011-09-13 18:15:06 26288 ----a-w- c:\windows\system32\drivers\vmnetuserif.sys
2011-09-13 18:15:04 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2011-09-13 18:15:01 760368 ----a-w- c:\windows\system32\vnetlib.dll
2011-09-13 18:14:43 23216 ----a-w- c:\windows\system32\drivers\VMkbd.sys
2011-09-13 18:14:20 -------- d-----w- c:\program files\common files\VMware
2011-09-13 18:14:11 -------- d-----w- c:\program files\VMware
2011-09-13 06:02:30 -------- d-----w- c:\program files\PHP
2011-09-09 19:22:43 -------- d-----w- C:\__ TRANSFER
2011-09-09 19:09:48 -------- d-----w- c:\program files\FileZilla Server
2011-09-03 00:19:05 49664 ----a-w- c:\windows\unvise32.exe
2011-09-03 00:19:01 -------- d-----w- c:\program files\Active Ports
2011-08-31 22:09:09 -------- d-----w- c:\program files\Abyss Web Server
2011-08-31 20:31:51 -------- d-----w- c:\windows\Desktop
2011-08-31 15:36:15 -------- d-----w- c:\program files\FreshDevices
2011-08-29 01:32:56 -------- d-----w- c:\program files\Microsoft XNA
2011-08-28 19:47:00 331776 ----a-w- c:\windows\system32\glew32.dll
2011-08-28 19:35:30 212 ----a-w- c:\windows\ildasmfnt.bin
2011-08-28 06:46:48 -------- d-----w- c:\program files\common files\Steam
2011-08-28 06:46:47 -------- d-----w- c:\program files\Steam
2011-08-28 00:43:52 -------- d-----w- c:\program files\AMD APP
2011-08-28 00:41:10 -------- d-----w- c:\program files\ATI Technologies2
2011-08-27 02:25:38 -------- d-----w- c:\documents and settings\mike\application data\id Software
2011-08-27 02:23:41 -------- d-----w- c:\documents and settings\all users\application data\id Software
2011-08-26 04:08:21 -------- d-----w- c:\windows\.jagex_cache_32
2011-08-23 18:31:59 -------- d-----w- c:\documents and settings\mike\local settings\application data\Help
2011-08-23 18:10:54 52312 ----a-w- c:\windows\system32\drivers\stdriver32.sys
2011-08-23 18:10:54 -------- d-----w- c:\program files\NCH Software
2011-08-23 18:10:52 -------- d-----w- c:\documents and settings\mike\application data\NCH Software
2011-08-07 18:34:56 -------- d-----w- c:\program files\df_31_25_legacy
2011-07-31 04:30:20 -------- d-----w- c:\program files\HashCalc
2011-07-30 04:35:08 -------- d-----w- c:\documents and settings\all users\application data\Blizzard Entertainment
2011-07-28 22:49:12 53760 ----a-w- c:\windows\system32\OVDecode.dll
2011-07-28 22:48:36 13555712 ----a-w- c:\windows\system32\amdocl.dll
2011-07-28 05:30:22 72 ----a-w- c:\documents and settings\mike\application data\microsoft\internet explorer\quick launch\wow\WoW.bat
2011-07-24 16:27:02 -------- d-----w- c:\program files\Audacity
2011-07-23 02:26:00 -------- d-----w- c:\documents and settings\mike\.thumbnails
2011-07-23 00:57:45 -------- d-----w- c:\documents and settings\mike\.gimp-2.6
2011-07-23 00:57:07 -------- d-----w- c:\program files\GIMP-2.0
2011-07-22 23:50:21 -------- d-----w- c:\program files\eSpeak
2011-07-22 20:03:36 -------- d-----w- c:\program files\Sauerbraten
2011-07-22 18:20:26 -------- d-----w- c:\windows\lhsp
2011-07-22 03:38:07 -------- d-----w- c:\program files\TeamViewer
2011-07-22 03:36:04 -------- d-----w- c:\documents and settings\mike\application data\TeamViewer
2011-07-21 22:34:37 -------- d-----w- c:\documents and settings\mike\local settings\application data\Temp
2011-07-21 22:31:10 -------- d-----w- c:\documents and settings\mike\local settings\application data\Adobe
2011-07-21 22:22:10 -------- d-----w- c:\program files\odbg200
2011-07-21 22:17:39 -------- d-----w- c:\program files\odbg110
2011-07-19 17:28:42 -------- d-----w- c:\documents and settings\mike\application data\Internet Chess Club
2011-07-19 17:28:35 -------- d-----w- c:\program files\Internet Chess Club
2011-07-10 23:18:21 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-07-10 23:18:21 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-07-10 23:18:06 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-07-10 23:18:06 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-07-10 20:21:31 -------- d-----w- c:\program files\AutoHotkeyL ANSI
2011-07-06 05:41:56 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-07-06 05:41:56 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-07-06 05:41:56 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-07-06 05:41:56 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-07-06 05:41:56 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-07-06 05:41:55 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-07-06 05:41:55 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-07-06 05:41:55 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-07-06 05:41:54 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-07-06 05:41:54 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-07-06 05:41:54 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-07-06 05:41:54 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-07-06 05:40:11 -------- d-----w- c:\program files\Microsoft DirectX SDK (June 2010)
2011-07-03 23:00:31 -------- d-----w- c:\documents and settings\mike\application data\.minecraft
2011-07-03 22:56:05 -------- d-----w- c:\documents and settings\mike\application data\GetRightToGo
2011-07-03 22:55:49 -------- d-----w- c:\program files\XnView
2011-07-03 17:28:11 -------- d--h--w- c:\windows\PIF
2011-07-01 19:31:35 -------- d-----w- c:\documents and settings\mike\local settings\application data\AOL
2011-07-01 19:31:35 -------- d-----w- c:\documents and settings\mike\local settings\application data\AIM
2011-07-01 19:31:31 -------- d-----w- c:\documents and settings\all users\application data\AIM
2011-07-01 19:31:28 -------- d-----w- c:\program files\AIM
2011-07-01 19:31:26 -------- d-----w- c:\program files\common files\AOL
2011-06-25 20:53:03 -------- d-----w- c:\documents and settings\mike\local settings\application data\Identities
2011-06-22 18:14:56 -------- d-----w- c:\documents and settings\mike\application data\Need for Speed World
2011-06-22 17:27:54 -------- d-----w- c:\documents and settings\mike\local settings\application data\Electronic_Arts_Inc
2011-06-22 17:27:29 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts
2011-06-18 23:27:25 -------- d-----w- C:\_x Underground
2011-06-18 21:32:03 -------- d-----w- c:\program files\morrow_
2011-06-17 16:54:14 -------- d-----w- c:\documents and settings\mike\local settings\application data\Yahoo
2011-06-17 16:51:50 -------- d-----w- c:\program files\Yahoo!
2011-06-17 00:15:49 -------- d-----w- c:\program files\Process Explorer
2011-06-16 08:34:06 79872 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
2011-06-16 08:34:06 2117632 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
2011-06-11 22:06:39 -------- d-----w- c:\documents and settings\mike\local settings\application data\WMTools Downloaded Files
2011-06-10 04:51:28 -------- d-----w- c:\program files\Stronghold Crusader
2011-06-10 03:41:31 -------- d-----w- c:\program files\BitTorrent
2011-06-10 03:40:26 -------- d-----w- c:\documents and settings\mike\application data\BitTorrent
2011-06-10 03:25:56 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-06-10 03:25:56 -------- d-----w- c:\windows\system32\ZoneLabs
2011-06-10 03:25:54 -------- d-----w- c:\program files\Zone Labs
2011-06-10 03:25:28 -------- d-----w- c:\windows\Internet Logs
2011-06-09 22:44:12 -------- d-----w- c:\documents and settings\mike\application data\Malwarebytes
2011-06-09 22:44:05 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-09 22:44:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-09 01:36:52 -------- d-----w- C:\Eclipse
2011-06-09 01:35:54 -------- d-----w- c:\program files\eclipse
2011-06-08 19:33:41 -------- d-----w- c:\windows\system32\NtmsData
2011-06-08 18:53:10 -------- d-----w- C:\WxTool
2011-06-08 18:48:32 -------- d-----w- C:\_Sound Effects
2011-06-06 22:40:36 34304 ----a-w- c:\windows\system32\drivers\ndisptr.sys
2011-06-04 17:05:55 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-06-04 17:05:55 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-06-04 17:04:55 5600 ----a-w- c:\windows\system32\drivers\WmVirHid.sys
2011-06-04 17:04:55 45504 ----a-w- c:\windows\system32\drivers\WmXlCore.sys
2011-06-04 17:04:55 22240 ----a-w- c:\windows\system32\drivers\WmFilter.sys
2011-06-04 17:04:54 10144 ----a-w- c:\windows\system32\drivers\WmBEnum.sys
2011-06-04 17:04:54 -------- d-----w- c:\program files\common files\Logitech
2011-06-04 17:04:17 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\ctor.dll
2011-06-04 17:04:17 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\DotNetInstaller.exe
2011-06-04 17:04:17 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iscript.dll
2011-06-04 17:04:17 180224 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iuser.dll
2011-06-04 17:04:16 749568 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iKernel.dll
2011-06-04 17:04:00 192644 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\iGdi.dll
2011-06-04 17:03:59 323716 ----a-w- c:\program files\common files\installshield\professional\runtime\10\50\intel32\setup.dll
2011-06-04 03:34:16 -------- d-----w- C:\_Music
2011-06-03 04:16:38 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-06-03 04:12:34 -------- d-----w- C:\Intel
2011-06-02 19:18:08 -------- d-----w- c:\documents and settings\mike\local settings\application data\ATI
2011-06-02 19:17:56 0 ----a-w- c:\windows\ativpsrm.bin
2011-06-02 19:16:20 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-06-02 19:16:20 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-06-02 19:16:20 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-06-02 19:16:20 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-06-02 19:16:20 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-06-02 19:16:20 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-06-02 19:16:20 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-06-02 19:16:20 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-06-02 19:16:20 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-06-02 19:16:20 118784 ----a-w- c:\windows\system32\atibtmon.exe
2011-06-02 19:16:14 -------- d-----w- c:\program files\ATI
2011-06-02 19:15:00 -------- d-----w- C:\ATI
2011-06-02 18:38:37 779704 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-02 18:36:38 -------- d-----w- c:\windows\system32\Adobe
2011-06-02 18:32:15 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 04:48:19 -------- d-----w- c:\program files\VideoLAN
2011-06-02 04:22:57 -------- d-----w- c:\program files\xvi32_221
2011-06-02 03:34:36 -------- d-----w- c:\program files\Fiddler2
2011-06-02 00:19:10 -------- d-----w- c:\program files\War2Combat
2011-05-30 18:02:50 -------- d-----w- c:\documents and settings\mike\application data\springlobby_updater
2011-05-30 17:34:48 -------- d-----w- c:\documents and settings\mike\application data\springsettings
2011-05-30 17:34:29 -------- d-----w- c:\program files\Spring
2011-05-30 17:14:42 -------- d-----w- c:\documents and settings\mike\application data\SpringLobby
2011-05-30 17:13:52 -------- d-----w- c:\program files\SpringLobby
2011-05-30 16:53:05 -------- d-----w- c:\program files\Mplayer
2011-05-30 16:52:44 -------- d-----w- c:\program files\Quake III Arena
2011-05-30 16:52:32 305152 ----a-w- c:\windows\IsUninst.exe
2011-05-30 16:51:14 -------- d-----w- C:\_WinFixes
2011-05-30 16:50:42 -------- d-----w- C:\Chrome
2011-05-30 16:47:14 -------- d-----w- c:\program files\Microsoft SQL Server
2011-05-30 16:46:55 112640 ----a-w- c:\documents and settings\all users\application data\microsoft\vcexpress\9.0\1033\ResourceCache.dll
2011-05-30 16:46:32 416 ----a-w- c:\documents and settings\all users\application data\microsoft\msdn\9.0\1033\ResourceCache.dll
2011-05-30 16:46:26 -------- d-----w- c:\documents and settings\mike\local settings\application data\Microsoft Help
2011-05-30 16:44:36 -------- d-----w- c:\program files\common files\Merge Modules
2011-05-30 16:43:07 -------- d-----w- c:\windows\system32\XPSViewer
2011-05-30 16:42:46 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-05-30 16:42:34 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-05-30 16:42:34 117760 ------w- c:\windows\system32\prntvpt.dll
2011-05-30 16:42:33 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-05-30 16:42:33 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-05-30 16:42:33 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-05-30 16:42:33 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-05-30 16:42:33 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-05-30 16:42:33 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-05-30 16:42:33 -------- d-----w- C:\bb4e187f0f3d4c2f76db05ce
2011-05-30 16:36:25 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-05-30 16:34:47 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-05-29 16:53:00 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-05-29 16:51:46 -------- d-----w- C:\Temp
2011-05-29 04:45:22 -------- d-----w- c:\program files\HydraIRC
2011-05-29 04:25:52 -------- d-----w- c:\program files\TeamSpeak 3 Client
2011-05-29 04:11:15 -------- d-sh--w- c:\documents and settings\mike\PrivacIE
2011-05-29 04:09:27 -------- d-sh--w- c:\documents and settings\mike\IETldCache
2011-05-29 03:01:28 -------- d-----w- c:\program files\Bethesda Softworks
2011-05-29 03:00:46 753664 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iKernel.dll
2011-05-29 03:00:46 69714 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\ctor.dll
2011-05-29 03:00:46 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\DotNetInstaller.exe
2011-05-29 03:00:46 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-05-29 03:00:46 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iscript.dll
2011-05-29 03:00:46 184320 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iuser.dll
2011-05-29 03:00:45 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\iGdi.dll
2011-05-29 03:00:44 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\00\intel32\setup.dll
2011-05-29 03:00:16 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-29 03:00:07 -------- d-----w- c:\documents and settings\mike\local settings\application data\Oblivion
2011-05-29 02:51:53 -------- d-----w- c:\program files\ATI Technologies
2011-05-29 02:50:52 221184 ------w- c:\program files\common files\installshield\iscript\IScript.dll
2011-05-29 02:50:51 77824 ------w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-05-29 02:50:51 32768 ------w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-05-29 02:50:51 221184 ------w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-05-29 02:50:51 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-05-29 02:50:07 -------- d-----w- C:\cabs
2011-05-29 02:49:51 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-05-29 02:42:46 -------- d-----w- c:\windows\system32\Lang
2011-05-29 02:10:47 -------- d-----w- C:\Programming
2011-05-29 02:09:55 -------- d-----w- C:\_CommonFiles
2011-05-29 01:58:44 -------- d-----w- C:\_SystemFiles
2011-05-29 01:52:53 -------- d-----w- c:\windows\ShellNew
2011-05-29 01:52:53 -------- d-----w- c:\program files\AutoHotkeyL
2011-05-29 01:44:38 -------- d-----w- c:\windows\system32\RTCOM
2011-05-29 01:44:36 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2011-05-29 01:44:36 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2011-05-29 01:44:36 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2011-05-29 01:44:36 4096 ----a-w- c:\windows\system32\ksuser.dll
2011-05-29 01:44:36 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2011-05-29 01:44:36 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2011-05-29 01:44:36 129536 ----a-w- c:\windows\system32\ksproxy.ax
2011-05-29 01:36:09 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2011-05-29 01:36:09 79872 ------w- c:\windows\system32\msxml6r.dll
2011-05-29 01:36:09 1306624 -c----w- c:\windows\system32\dllcache\msxml6.dll
2011-05-29 01:36:09 1306624 ------w- c:\windows\system32\msxml6.dll
2011-05-29 01:36:03 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll
2011-05-29 01:34:49 -------- d-----w- c:\windows\ServicePackFiles
2011-05-29 01:34:39 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-05-29 01:34:35 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-05-29 01:32:34 19569 ----a-w- c:\windows\002847_.tmp
2011-05-29 01:32:30 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-05-29 01:32:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2011-05-29 00:26:39 -------- d-----w- c:\windows\system32\appmgmt
2011-05-28 23:48:03 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-05-28 23:48:03 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-05-28 23:48:03 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-05-28 23:48:03 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-05-28 23:48:03 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-05-28 23:44:52 -------- d-sh--w- c:\documents and settings\mike\UserData
.
==================== Find3M ====================
.
2011-07-28 22:20:10 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 21:34:58 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32:10 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31:06 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:15:32 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14:02 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13:50 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13:20 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12:06 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:05:36 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:00:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59:14 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55:02 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-06 02:57:02 58368 ----a-w- c:\windows\system32\drivers\RAMDiskXP.sys
2011-04-26 05:58:12 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-26 05:58:12 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-20 03:10:18 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-03-04 19:44:14 59888 ------w- c:\windows\system32\pxwma.dll
2011-03-04 19:44:14 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
2011-03-04 19:44:14 133616 ------w- c:\windows\system32\pxafs.dll
2011-03-04 19:44:12 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2011-03-04 19:44:12 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2011-03-04 19:44:12 126448 ------w- c:\windows\system32\pxinsi64.exe
2011-03-04 19:44:12 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-12-23 19:51:34 644400 ----a-w- c:\windows\system32\mscomct2.ocx
2010-08-27 18:32:08 294912 ----a-w- c:\windows\system32\ATIODE.exe
2010-04-27 20:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 20:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2010-03-18 21:47:22 17760 ----a-w- c:\windows\system32\aspnet_counters.dll
2010-03-18 18:16:28 771424 ----a-w- c:\windows\system32\msvcr100_clr0400.dll
2010-03-18 18:16:28 70472 ----a-w- c:\windows\system32\dxva2.dll
2010-03-18 18:16:28 486216 ----a-w- c:\windows\system32\evr.dll
2010-03-18 15:09:00 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-18 15:09:00 49488 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-18 15:09:00 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-03-18 15:09:00 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-18 14:15:26 770384 ----a-w- c:\windows\system32\msvcr100.dll
2010-03-18 14:15:26 421200 ----a-w- c:\windows\system32\msvcp100.dll
2009-11-12 01:06:20 1130824 ----a-w- c:\windows\system32\dfshim.dll
2009-10-22 09:45:06 51248 ----a-w- c:\windows\system32\vmnetbridge.dll
2009-10-22 09:45:06 32688 ----a-w- c:\windows\system32\drivers\vmnetbridge.sys
2009-10-22 09:45:02 853936 ----a-w- c:\windows\system32\drivers\vmx86.sys
2009-10-22 09:45:00 70704 ----a-w- c:\windows\system32\drivers\vmci.sys
2009-10-22 09:44:06 14896 ----a-w- c:\windows\system32\drivers\vmparport.sys
2009-10-22 08:47:52 32304 ----a-w- c:\windows\system32\drivers\hcmon.sys
2009-10-22 08:22:38 252464 ----a-w- c:\windows\system32\vmnc.dll
2009-10-12 19:33:00 64960 ----a-w- c:\windows\system32\drivers\stcp2v30.sys
2009-09-24 05:30:08 156488 ----a-w- c:\windows\system32\mscorier.dll
2009-09-04 23:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 23:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 22:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 22:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 22:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 22:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 22:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-08-07 00:24:10 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2009-06-22 15:34:18 45056 ----a-w- c:\windows\system32\ATIODCLI.exe
2009-03-18 22:35:40 26176 ---ha-w- c:\windows\system32\drivers\hamachi.sys
2009-03-16 19:18:32 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2009-03-16 19:18:32 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2009-03-16 19:18:32 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2009-03-09 20:27:22 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-03-09 20:27:22 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2009-03-09 20:27:22 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-03-08 20:22:46 1241088 ------w- c:\windows\system32\ieframe.dll.mui
2009-03-08 20:22:30 49152 ------w- c:\windows\system32\msrating.dll.mui
2009-03-08 20:22:18 2560 ------w- c:\windows\system32\mshta.exe.mui
2009-03-08 20:21:06 4096 ------w- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 20:21:06 10240 ------w- c:\windows\system32\advpack.dll.mui
2009-03-08 20:20:54 81920 ------w- c:\windows\system32\iedkcs32.dll.mui
2009-03-08 10:35:10 385024 ----a-w- c:\windows\system32\html.iec
2009-03-08 10:34:58 914944 ----a-w- c:\windows\system32\wininet.dll
2009-03-08 10:34:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2009-03-08 10:34:30 43008 ----a-w- c:\windows\system32\licmgr10.dll
2009-03-08 10:33:40 18944 ----a-w- c:\windows\system32\corpol.dll
2009-03-08 10:33:06 420352 ----a-w- c:\windows\system32\vbscript.dll
2009-03-08 10:32:56 72704 ----a-w- c:\windows\system32\admparse.dll
2009-03-08 10:32:50 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-03-08 10:31:38 34816 ----a-w- c:\windows\system32\imgutil.dll
2009-03-08 10:31:18 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-03-08 10:31:02 45568 ----a-w- c:\windows\system32\mshta.exe
2009-03-08 10:31:02 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-03-08 10:30:56 66560 ----a-w- c:\windows\system32\tdc.ocx
2009-03-08 10:22:38 156160 ----a-w- c:\windows\system32\msls31.dll
2009-01-08 00:20:38 24576 ----a-w- c:\windows\system32\nlsdl.dll
2009-01-08 00:20:36 26112 ----a-w- c:\windows\system32\idndl.dll
2009-01-08 00:20:36 23552 ----a-w- c:\windows\system32\normaliz.dll
2009-01-08 00:20:18 265720 ----a-w- c:\windows\system32\msdbg2.dll
2008-10-27 15:04:18 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04:16 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04:16 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 15:04:14 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2008-10-15 11:22:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2008-10-15 11:22:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2008-10-15 11:22:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
.
============= FINISH: 20:46:40.71 ===============


#2 nasdaq

nasdaq

  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:54 PM

Posted 08 January 2013 - 09:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#3 StevePRGM

StevePRGM
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:54 PM

Posted 08 January 2013 - 03:55 PM

I used Task Manager to remove all the items that I didn't think were system processes.
Ran ComboFix 3 times here with errors that I fixed...

First: zone-alarm was still on
Fix: shutdown zone-alarm
Second: "Error: check date"
Fix: I corrected the date/time..
Third: You do not appear to be connected to the internet. Kindly connect before clicking 'OK'
Fix: Uninstalled Zone-Alarm
- this rebooted my computer...
(after reboot below)
- Microsoft Windows gave an error after booting up
shown in this image:
Posted Image

..checked the internet...
google.com works..
minecraft.net works..
(this is with zone-alarm off)

Continuing with Combofix!... :)
ran combofix
*oops! I had a window open!?* .. *closed it before the blue console opened...*
I saw a "Microsoft Recovery Console" successful install message
** not same as the picture you showed, here it is..
Posted Image

Got past..
stage_50, deleting files, deleting folders
====================================
== ComboFix's --> C:\ComboFix.txt ==
====================================
ComboFix 13-01-08.01 - Mike 01/08/2013 14:24:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.617 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\desktop
c:\windows\desktop\HoNClient-2.1.6.exe.FDPART
X:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 20:00 . 2013-01-08 20:00 -------- d-----w- c:\windows\Internet Logs
2013-01-02 00:31 . 2013-01-02 00:33 -------- d-----w- c:\program files\Artemis
2013-01-02 00:29 . 2013-01-02 00:29 -------- d-----w- c:\program files\Sandboxie
2012-12-26 01:36 . 2012-12-26 01:36 -------- d-----w- c:\documents and settings\Mike\Application Data\TunkDesign
2012-12-26 01:34 . 2012-12-26 01:34 -------- d-----w- c:\documents and settings\Mike\Application Data\Copy of .minecraft
2012-12-25 23:04 . 2012-11-28 16:06 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-25 20:43 . 2012-11-28 16:35 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-25 18:59 . 2012-12-25 19:00 -------- dc-h--w- c:\windows\ie8
2012-12-25 18:01 . 2012-12-25 18:01 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Java
2012-12-25 18:00 . 2012-12-25 18:00 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Sun
2012-12-25 17:41 . 2012-12-25 17:41 -------- d-----w- c:\program files\Common Files\Java
2012-12-25 17:40 . 2012-12-25 17:40 450 ----a-w- C:\user.js
2012-12-25 17:40 . 2012-12-25 17:40 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Google
2012-12-25 17:40 . 2012-12-25 18:08 -------- d-----w- c:\windows\system32\WNLT
2012-12-25 17:40 . 2012-12-25 17:40 -------- d-----w- c:\program files\IB Updater
2012-12-25 17:31 . 2012-12-25 17:30 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-02 15:59 . 2012-05-28 10:08 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-02 15:59 . 2011-06-02 18:32 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-25 17:30 . 2011-06-02 18:38 779704 ----a-w- c:\windows\system32\deployJava1.dll
2003-01-02 02:43 . 2011-09-24 18:18 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-12-16 545552]
"InputDirector"="c:\program files\Input Director\InputDirector.exe" [2010-02-01 475136]
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\started up
AIM.lnk - c:\program files\AIM\aim.exe [2011-5-3 4321112]
Autohotkey.lnk - c:\programming\AHKStuff\AutoHotkey.ahk [2011-6-8 11660]
set.bat [2013-1-8 16]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\Terraria.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\ssftw\\ssft.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5257:TCP"= 5257:TCP:bqhdzrn
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2011 10:34 AM 717296]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 3:45 AM 70704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/27/2011 10:37 PM 22856]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [6/6/2011 4:40 PM 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [5/5/2011 8:57 PM 58368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [8/23/2011 12:10 PM 52312]
S2 IB Updater;IB Updater;c:\program files\IB Updater\ExtensionUpdaterService.exe [12/25/2012 11:40 AM 188760]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware2\mbamscheduler.exe [12/25/2012 12:33 PM 399432]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware2\mbamservice.exe [9/27/2011 10:37 PM 676936]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 2:47 AM 563760]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-08 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-08-23 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34}: NameServer = 208.67.220.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyYhpjol4&&i=26&search=
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2012-12-25 17:04; {CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}; c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0038-ABCDEFFEDCBA}
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - 8c02dc52000000000000001921f78e7e
FF - user.js: extensions.incredibar_i.instlDay - 15699
FF - user.js: extensions.incredibar_i.vrsn - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsni - 1.5.11.14
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.11.1411:40
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6OyYhpjol4
FF - user.js: extensions.incredibar_i.upn2n - 92262683415860562
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10678
FF - user.js: extensions.incredibar_i.ppd - 119
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DAEMON Tools Lite - -c:\program files\DAEMON Tools Lite\daemon.exe
HKCU-Run-Steam - -c:\program files\Steam\Steam.exe
HKLM-Run-RTHDCPL - -RTHDCPL.EXE
HKLM-Run-ZoneAlarm Installer - -c:\program files\CheckPoint\Install\Launcher.exe
HKLM-Run-SunJavaUpdateSched - -c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-08 14:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2013-01-08 14:37:32
ComboFix-quarantined-files.txt 2013-01-08 20:37
.
Pre-Run: 1,511,837,696 bytes free
Post-Run: 4,018,900,992 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ubnldr.mbr="UNetbootin"
.
- - End Of File - - D98FC535AABF6A5FA87B6ABAC9A8D81F

======================================
== security check's --> checkup.txt ==
======================================
Results of screen317's Security Check version 0.99.56
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.65.1.1000
Java™ 6 Update 38
Java 7 Update 10
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.10 Flash Player out of Date!
Adobe Reader 10.1.2 Adobe Reader out of Date!
Mozilla Firefox (17.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 23% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

=======================================
== AdwCleaner's --> AdwCleaner[].txt ==
=======================================
# AdwCleaner v2.105 - Logfile created 01/08/2013 at 14:46:07
# Updated 08/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Mike - Z188
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Mike\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : IB Updater

***** [Files / Folders] *****

File Found : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\searchplugins\MyStart Search.xml
File Found : C:\user.js
Folder Found : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
Folder Found : C:\Program Files\IB Updater
Folder Found : C:\WINDOWS\system32\WNLT

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\IB Updater
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Found : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Found : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Found : HKLM\Software\Headlight
Key Found : HKLM\Software\IB Updater
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111981166}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\prefs.js

Found : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb185?a=6OyYhpjol4&i=26");
Found : user_pref("browser.search.defaultenginename", "MyStart Search");
Found : user_pref("extensions.enabledAddons", "ffxtlbr%40incredibar.com:1.5.0,ogjiiexjrk%40ogjiiexjrk.org:2.[...]
Found : user_pref("extensions.incredibar.RadioMyStations", "[{\"id\":\"1010\",\"name\":\"Space Radio Scanner[...]
Found : user_pref("extensions.incredibar.actvtyRptTime", "1357079062885");
Found : user_pref("extensions.incredibar.admin", false);
Found : user_pref("extensions.incredibar.afd-1a2d3abe806f9951da73a33d41fcfc9c", "%7B%22items%22%3A%5B%7B%22i[...]
Found : user_pref("extensions.incredibar.afd-1a2d3abe806f9951da73a33d41fcfc9c_wid", "2521; expires=Wed, 02 J[...]
Found : user_pref("extensions.incredibar.aflt", "orgnl");
Found : user_pref("extensions.incredibar.afterInstallRpt", "sent");
Found : user_pref("extensions.incredibar.cntry", "US");
Found : user_pref("extensions.incredibar.dfltLng", "EN");
Found : user_pref("extensions.incredibar.dfltSrch", false);
Found : user_pref("extensions.incredibar.dfltlng", "en");
Found : user_pref("extensions.incredibar.dfltsrch", "false");
Found : user_pref("extensions.incredibar.did", "10678");
Found : user_pref("extensions.incredibar.envrmnt", "production");
Found : user_pref("extensions.incredibar.excTlbr", false);
Found : user_pref("extensions.incredibar.hdrMd5", "5B7593FB52D5147CBE1B3747817B9D3F");
Found : user_pref("extensions.incredibar.hmpg", false);
Found : user_pref("extensions.incredibar.hrdid", "8c02dc52000000000000001921f78e7e");
Found : user_pref("extensions.incredibar.id", "8c02dc52000000000000001921f78e7e");
Found : user_pref("extensions.incredibar.installerproductid", "26");
Found : user_pref("extensions.incredibar.instlDay", "15699");
Found : user_pref("extensions.incredibar.instlRef", "");
Found : user_pref("extensions.incredibar.instlday", "15699");
Found : user_pref("extensions.incredibar.instlref", "");
Found : user_pref("extensions.incredibar.isDcmntCmplt", true);
Found : user_pref("extensions.incredibar.isdcmntcmplt", "false");
Found : user_pref("extensions.incredibar.keywordurl", "");
Found : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.1411:40:50");
Found : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Found : user_pref("extensions.incredibar.newTab", false);
Found : user_pref("extensions.incredibar.newtab", "false");
Found : user_pref("extensions.incredibar.newtaburl", "");
Found : user_pref("extensions.incredibar.noFFXTlbr", false);
Found : user_pref("extensions.incredibar.ppd", "119");
Found : user_pref("extensions.incredibar.prdct", "incredibar");
Found : user_pref("extensions.incredibar.productid", "26");
Found : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Found : user_pref("extensions.incredibar.prtnrid", "Incredibar");
Found : user_pref("extensions.incredibar.sg", "none");
Found : user_pref("extensions.incredibar.smplGrp", "none");
Found : user_pref("extensions.incredibar.smplgrp", "none");
Found : user_pref("extensions.incredibar.srch", "");
Found : user_pref("extensions.incredibar.srchprvdr", "");
Found : user_pref("extensions.incredibar.tlbrId", "base");
Found : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_T[...]
Found : user_pref("extensions.incredibar.tlbrid", "base");
Found : user_pref("extensions.incredibar.tlbrsrchurl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_T[...]
Found : user_pref("extensions.incredibar.upn2", "6OyYhpjol4");
Found : user_pref("extensions.incredibar.upn2n", "92262683415860562");
Found : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Found : user_pref("extensions.incredibar.vrsnTs", "1.5.11.1411:40:50");
Found : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Found : user_pref("extensions.incredibar.vrsnts", "1.5.11.1411:40:50");
Found : user_pref("extensions.incredibar_i.aflt", "orgnl");
Found : user_pref("extensions.incredibar_i.dfltLng", "");
Found : user_pref("extensions.incredibar_i.did", "10678");
Found : user_pref("extensions.incredibar_i.excTlbr", false);
Found : user_pref("extensions.incredibar_i.id", "8c02dc52000000000000001921f78e7e");
Found : user_pref("extensions.incredibar_i.installerproductid", "26");
Found : user_pref("extensions.incredibar_i.instlDay", "15699");
Found : user_pref("extensions.incredibar_i.instlRef", "");
Found : user_pref("extensions.incredibar_i.ms_url_id", "");
Found : user_pref("extensions.incredibar_i.newTab", false);
Found : user_pref("extensions.incredibar_i.ppd", "119");
Found : user_pref("extensions.incredibar_i.prdct", "incredibar");
Found : user_pref("extensions.incredibar_i.productid", "26");
Found : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Found : user_pref("extensions.incredibar_i.smplGrp", "none");
Found : user_pref("extensions.incredibar_i.tlbrId", "base");
Found : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB[...]
Found : user_pref("extensions.incredibar_i.upn2", "6OyYhpjol4");
Found : user_pref("extensions.incredibar_i.upn2n", "92262683415860562");
Found : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Found : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1411:40:50");
Found : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Found : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyYhpjol4&&i=26&search="[...]

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\latndkz5.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7895 octets] - [08/01/2013 14:46:07]

########## EOF - C:\AdwCleaner[R1].txt - [7955 octets] ##########

#4 nasdaq
  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2013 - 08:45 AM

Remove this old version of Java™ 6 Update 38 using the Add/Remove programs list.

Remove also these old versions of Flash.
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.10 Flash Player out of Date!
Adobe Reader 10.1.2 Adobe Reader out of Date!
===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select the appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please post the log and let me know what problem persists.

#5 StevePRGM
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2013 - 09:49 AM

..Removed
[./] Java™ 6 Update 38

..Removed
[./] Adobe Flash Player 10 Flash Player
"Adobe Flash Player 10 Plugin"

..Installed latest Flash version
[./]

..Unable to remove
[??] Adobe Flash Player 10.3.183.10 Flash Player
---- I couldn't find this in Add/Remove ----
---- Could it be called "Adobe AIR"? ----

..Removed
[./] Adobe Reader 10.1.2 Adobe Reader
Adobe Reader X (10.1.2)


..Post AdwCleaner[S1].txt

# AdwCleaner v2.105 - Logfile created 01/09/2013 at 08:38:16
# Updated 08/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Mike - Z188
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Mike\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : IB Updater

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\searchplugins\MyStart Search.xml
File Deleted : C:\user.js
Folder Deleted : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\ffxtlbr@incredibar.com
Folder Deleted : C:\Program Files\IB Updater
Folder Deleted : C:\WINDOWS\system32\WNLT

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\IB Updater
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B302A1BD-0157-49FA-90F1-4E94F22C7B4B}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Extension.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36867C6-302D-49FC-9D8E-1EB037B5F1AB}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\Software\Headlight
Key Deleted : HKLM\Software\IB Updater
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111981166}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{336D0C35-8A85-403a-B9D2-65C292C39087}_is1
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\prefs.js

C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\user.js ... Deleted !

Deleted : user_pref("browser.newtab.url", "hxxp://mystart.incredibar.com/mb185?a=6OyYhpjol4&i=26");
Deleted : user_pref("browser.search.defaultenginename", "MyStart Search");
Deleted : user_pref("extensions.enabledAddons", "ffxtlbr%40incredibar.com:1.5.0,ogjiiexjrk%40ogjiiexjrk.org:2.[...]
Deleted : user_pref("extensions.incredibar.RadioMyStations", "[{\"id\":\"1010\",\"name\":\"Space Radio Scanner[...]
Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1357079062885");
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.afd-1a2d3abe806f9951da73a33d41fcfc9c", "%7B%22items%22%3A%5B%7B%22i[...]
Deleted : user_pref("extensions.incredibar.afd-1a2d3abe806f9951da73a33d41fcfc9c_wid", "2521; expires=Wed, 02 J[...]
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.afterInstallRpt", "sent");
Deleted : user_pref("extensions.incredibar.cntry", "US");
Deleted : user_pref("extensions.incredibar.dfltLng", "EN");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.dfltlng", "en");
Deleted : user_pref("extensions.incredibar.dfltsrch", "false");
Deleted : user_pref("extensions.incredibar.did", "10678");
Deleted : user_pref("extensions.incredibar.envrmnt", "production");
Deleted : user_pref("extensions.incredibar.excTlbr", false);
Deleted : user_pref("extensions.incredibar.hdrMd5", "5B7593FB52D5147CBE1B3747817B9D3F");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.hrdid", "8c02dc52000000000000001921f78e7e");
Deleted : user_pref("extensions.incredibar.id", "8c02dc52000000000000001921f78e7e");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15699");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.instlday", "15699");
Deleted : user_pref("extensions.incredibar.instlref", "");
Deleted : user_pref("extensions.incredibar.isDcmntCmplt", true);
Deleted : user_pref("extensions.incredibar.isdcmntcmplt", "false");
Deleted : user_pref("extensions.incredibar.keywordurl", "");
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.11.1411:40:50");
Deleted : user_pref("extensions.incredibar.mntrvrsn", "1.2.0");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.newtab", "false");
Deleted : user_pref("extensions.incredibar.newtaburl", "");
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "119");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.prtnrid", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.smplgrp", "none");
Deleted : user_pref("extensions.incredibar.srch", "");
Deleted : user_pref("extensions.incredibar.srchprvdr", "");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.tlbrid", "base");
Deleted : user_pref("extensions.incredibar.tlbrsrchurl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6OyYhpjol4");
Deleted : user_pref("extensions.incredibar.upn2n", "92262683415860562");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.11.1411:40:50");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.11.14");
Deleted : user_pref("extensions.incredibar.vrsnts", "1.5.11.1411:40:50");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10678");
Deleted : user_pref("extensions.incredibar_i.excTlbr", false);
Deleted : user_pref("extensions.incredibar_i.id", "8c02dc52000000000000001921f78e7e");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15699");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "119");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6OyYhpjol4&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6OyYhpjol4");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92262683415860562");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.11.14");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.11.1411:40:50");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.11.14");
Deleted : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb185/?loc=IB_DS&a=6OyYhpjol4&&i=26&search="[...]

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\latndkz5.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [8224 octets] - [09/01/2013 08:38:17]

########## EOF - C:\AdwCleaner[S1].txt - [8284 octets] ##########

Edited by StevePRGM, 09 January 2013 - 10:34 AM.


#6 StevePRGM
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2013 - 10:33 AM

Thanks!
I'm guessing that "Adobe Flash Player 10.3.183.10 Flash Player"
was part of the add/remove of "Adobe Flash Player 10 Flash Player"?

All is working :)
I looked at those logs and I am wondering what these are..

1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk

2)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"

Edited by StevePRGM, 09 January 2013 - 10:34 AM.


#7 nasdaq
  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2013 - 11:28 AM

I'm guessing that "Adobe Flash Player 10.3.183.10 Flash Player"
was part of the add/remove of "Adobe Flash Player 10 Flash Player"?


Only Version 11 should be installed. Anything on Version 10.x should be removed.

===

I looked at those logs and I am wondering what these are..
1)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk

2)
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"


No file was found. Could be from an old infection.

Let's remove it.

Open notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\xowyymku.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]



Save this as CFScript.txt on your desktop.

[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.

Let me know of any remaining issues.
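The entry discussed above is a classic orphaned persistence pattern: a service name listed in the Svchost "netsvcs" group whose ServiceDll no longer exists on disk. The PowerShell script below is an added example, not part of this thread or of ComboFix/AdwCleaner; it assumes an elevated PowerShell 2.0 or later session on the machine being checked and reads the same registry locations the ComboFix log reports, flagging any netsvcs service whose DLL is missing or not validly signed.

```powershell
# Added example (not from the thread or its tools): audit every service that Windows
# lists in the "netsvcs" svchost group and report the ones whose ServiceDll is
# missing from disk or does not carry a valid Authenticode signature.
# An entry like "trcpxldwk" in the log above, pointing at a DLL that is gone,
# is reported as MISSING-DLL. Run elevated; assumes PowerShell 2.0 or later.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$group       = 'netsvcs'

# The Svchost key holds one REG_MULTI_SZ value per group, listing service names.
$names = (Get-ItemProperty -Path $svchostKey -Name $group).$group

foreach ($name in $names) {
    $svcKey = Join-Path $servicesKey $name
    if (-not (Test-Path $svcKey)) {
        # Listed in the group but no service key exists: nothing is hosted, skip.
        continue
    }

    # svchost.exe reads ServiceDll from the Parameters subkey; some cleanup tools
    # (ComboFix above) report it at the service key itself, so check both.
    $dll = $null
    foreach ($k in @((Join-Path $svcKey 'Parameters'), $svcKey)) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
            if ($p -and $p.ServiceDll) { $dll = $p.ServiceDll; break }
        }
    }
    if (-not $dll) { continue }  # Not a DLL-hosted service; nothing to check here.

    # ServiceDll is usually REG_EXPAND_SZ (%SystemRoot%\...); expand before testing.
    $path = [Environment]::ExpandEnvironmentVariables($dll)

    if (-not (Test-Path -LiteralPath $path)) {
        # Strongest signal: a netsvcs entry that points at a file that does not exist.
        Write-Output ("MISSING-DLL  {0,-20} {1}" -f $name, $path)
        continue
    }

    # On older Windows many legitimate system DLLs are catalog-signed and show up as
    # NotSigned here, so treat UNSIGNED as "needs a look", not as proof of malware.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Output ("UNSIGNED     {0,-20} {1} ({2})" -f $name, $path, $sig.Status)
    }
}
```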

#8 StevePRGM
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2013 - 12:41 PM

OK. cool.
I had some programs running while ComboFix was going.. Should I do it over?
I had winAMP running some music and 2 explorer windows open before starting ComboFix
Also, my ATI Catalyst Control Center (video card settings) was open..

After running ComboFix, I noticed these at the end of the log. Are these normal? ..caused by WinAMP or explorer's folders or the control center?:
DLLs Loaded Under Running Processes:
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll

=================
ComboFix's log:
=================

ComboFix 13-01-08.01 - Mike 01/09/2013 11:13:27.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.501 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\windows\system32\xowyymku.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-12-09 to 2013-01-09 )))))))))))))))))))))))))))))))
.
.
2013-01-08 20:00 . 2013-01-08 20:00 -------- d-----w- c:\windows\Internet Logs
2013-01-02 00:31 . 2013-01-02 00:33 -------- d-----w- c:\program files\Artemis
2013-01-02 00:29 . 2013-01-02 00:29 -------- d-----w- c:\program files\Sandboxie
2012-12-26 01:36 . 2012-12-26 01:36 -------- d-----w- c:\documents and settings\Mike\Application Data\TunkDesign
2012-12-26 01:34 . 2012-12-26 01:34 -------- d-----w- c:\documents and settings\Mike\Application Data\Copy of .minecraft
2012-12-25 23:04 . 2012-11-28 16:06 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-12-25 20:43 . 2012-11-28 16:35 93640 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-12-25 18:59 . 2012-12-25 19:00 -------- dc-h--w- c:\windows\ie8
2012-12-25 18:01 . 2012-12-25 18:01 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Java
2012-12-25 18:00 . 2012-12-25 18:00 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Sun
2012-12-25 17:41 . 2012-12-25 17:41 -------- d-----w- c:\program files\Common Files\Java
2012-12-25 17:40 . 2012-12-25 17:40 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Google
2012-12-25 17:31 . 2012-12-25 17:30 859072 ----a-w- c:\windows\system32\npDeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 14:36 . 2012-05-28 10:08 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 14:36 . 2011-06-02 18:32 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-25 17:30 . 2011-06-02 18:38 779704 ----a-w- c:\windows\system32\deployJava1.dll
2003-01-02 02:43 . 2011-09-24 18:18 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\
InputDirector.lnk - c:\program files\Input Director\InputDirector.exe [2010-2-1 475136]
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\started up
AIM.lnk - c:\program files\AIM\aim.exe [2011-5-3 4321112]
Autohotkey.lnk - c:\programming\AHKStuff\AutoHotkey.ahk [2011-6-8 11660]
SbieCtrl.lnk - c:\program files\Sandboxie\SbieCtrl.exe [2012-12-16 545552]
set.bat [2013-1-8 16]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\Terraria.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\ssftw\\ssft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2011 10:34 AM 717296]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware2\mbamscheduler.exe [12/25/2012 12:33 PM 399432]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 3:45 AM 70704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/27/2011 10:37 PM 22856]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [6/6/2011 4:40 PM 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [5/5/2011 8:57 PM 58368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [8/23/2011 12:10 PM 52312]
S2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware2\mbamservice.exe [9/27/2011 10:37 PM 676936]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 2:47 AM 563760]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 14:36]
.
2013-01-08 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-08-23 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34}: NameServer = 208.67.220.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; ffxtlbr@incredibar.com; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\ffxtlbr@incredibar.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-09 11:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2013-01-09 11:24:42
ComboFix-quarantined-files.txt 2013-01-09 17:24
ComboFix2.txt 2013-01-08 20:37
.
Pre-Run: 4,293,267,456 bytes free
Post-Run: 4,288,765,952 bytes free
.
- - End Of File - - F7E9C5CB251524094638426851EFD51C

#9 nasdaq
  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2013 - 02:34 PM

I had some programs running while ComboFix was going.. Should I do it over?
I had winAMP running some music and 2 explorer windows open before starting ComboFix
Also, my ATI Catalyst Control Center (video card settings) was open.


I do not think it has interfered as they are Microsoft files.

Please run it again and post a fresh ComboFix log for my review.

Note:

As I had suspected the file was not present on the computer but this item was not removed.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"


Is Spybot or TeaTimer installed on this computer?

Did you reinstall Incredibar or was this not removed when you used the delete option in AdwCleaner?
FF - ExtSQL: 2012-12-25 11:40; ffxtlbr@incredibar.com; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\ffxtlbr@incredibar.com

How is the computer performing?

#10 StevePRGM
  • Topic Starter
  • Members
  • 13 posts

Posted 09 January 2013 - 04:03 PM

I do not know of Spybot or TeaTimer.

I did not reinstall Incredibar.

The computer is performing as usual.
Before this forum post, there was a recent problem of the CPU-fan
.. not turning on.
I restarted it a couple of times and it worked again.
Recently the fan-speed has changed from constant-set to a dynamic speed...
I took the battery out of the motherboard recently,
.. in order to get the fan working again..
I also noticed the shut-down temperature control was turned to off,
.. after checking it the reboot before and seeing it as on..
.. (while I was trying to get the fan to turn on)
I'm not sure that this was the fix or not...

(on the side)
I've heard that it's good to have an Administrator password..
Is this true?

(back on track)
I ran ComboFix again... The results are following:

ComboFix 13-01-08.01 - Mike 01/01/2003 2:09.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.580 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mike\pipes.exe
c:\windows\system\winspool.drv
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2002-12-01 to 2003-01-01 )))))))))))))))))))))))))))))))
.
.
2012-12-05 20:19 . 2012-12-05 20:19 -------- d-----r- C:\Sandbox
2012-07-06 18:43 . 2012-07-06 18:43 201293 ----a-w- C:\ubnldr.exe
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\preseed
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\isolinux
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\casper
2012-07-06 18:39 . 2012-07-06 18:39 -------- d-----w- C:\.disk
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\unetbtin
2012-02-07 05:29 . 2012-02-07 05:29 -------- d-----r- C:\MSOCache
2012-02-07 03:46 . 2012-02-07 04:24 -------- d-----w- C:\KAG
2012-01-25 23:47 . 2012-01-25 23:48 -------- d-----w- C:\PsTools
2012-01-25 20:48 . 2012-01-25 20:48 -------- d-----w- C:\Borland
2011-12-09 05:02 . 2012-06-16 19:44 -------- d-----w- C:\_ Tools
2011-12-01 21:04 . 2012-02-09 19:40 -------- d-----w- C:\Games
2011-09-21 16:14 . 2011-09-21 16:15 -------- d-----w- C:\mysql
2011-09-09 19:22 . 2011-09-09 22:32 -------- d-----w- C:\__ TRANSFER
2011-06-18 23:27 . 2011-06-18 23:28 -------- d-----w- C:\_x Underground
2011-06-09 01:36 . 2011-06-09 01:36 -------- d-----w- C:\Eclipse
2011-06-08 18:53 . 2011-08-23 18:31 -------- d-----w- C:\WxTool
2011-06-08 18:48 . 2011-06-25 21:18 -------- d-----w- C:\_Sound Effects
2011-06-04 03:34 . 2011-08-30 05:00 -------- d-----w- C:\_Music
2011-06-03 04:12 . 2011-06-03 04:12 -------- d-----w- C:\Intel
2011-06-02 19:15 . 2011-06-02 19:15 -------- d-----w- C:\ATI
2011-05-30 16:51 . 2011-05-30 16:51 -------- d-----w- C:\_WinFixes
2011-05-30 16:50 . 2012-02-09 21:29 -------- d-----w- C:\Chrome
2011-05-30 16:42 . 2011-05-30 16:42 -------- d-----w- C:\bb4e187f0f3d4c2f76db05ce
2011-05-29 16:51 . 2012-12-25 23:31 -------- d-----w- C:\Temp
2011-05-29 02:50 . 2011-05-29 02:50 -------- d-----w- C:\cabs
2011-05-29 02:10 . 2012-01-25 20:53 -------- d-----w- C:\Programming
2011-05-29 02:09 . 2011-06-07 00:18 -------- d-----w- C:\_CommonFiles
2011-05-29 01:58 . 2012-06-28 20:28 -------- d-----w- C:\_SystemFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:42 . 2011-05-28 22:22 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
2008-04-14 10:42 . 2011-05-28 22:22 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2008-04-14 10:42 . 2011-05-28 22:22 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2008-04-14 10:42 . 2011-05-28 22:22 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2008-04-14 10:42 . 2011-05-28 22:22 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2008-04-14 10:42 . 2011-05-28 22:22 726078 ----a-w- c:\windows\srchasst\srchui.dll
2008-04-14 10:42 . 2011-05-28 22:22 58434 ----a-w- c:\windows\srchasst\srchctls.dll
2008-04-14 10:42 . 2004-08-04 12:00 34816 ----a-w- c:\windows\help\sniffpol.dll
2008-04-14 10:42 . 2004-08-04 12:00 33280 ----a-w- c:\windows\help\sstub.dll
2008-04-14 10:42 . 2004-08-04 12:00 279040 ----a-w- c:\windows\help\tshoot.dll
2008-04-14 10:42 . 2011-05-28 22:22 38400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll
2008-04-14 10:42 . 2011-05-28 22:22 102912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll
2008-04-14 10:42 . 2011-05-28 22:22 3166208 ----a-w- c:\windows\srchasst\msgr3en.dll
2008-04-14 10:42 . 2011-05-28 22:22 376832 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 10:41 . 2011-05-29 01:35 39424 ------w- c:\windows\apppatch\acadproc.dll
2008-04-14 10:41 . 2004-08-04 12:00 451072 ----a-w- c:\windows\apppatch\aclayers.dll
2008-04-14 10:41 . 2004-08-04 12:00 245248 ----a-w- c:\windows\apppatch\acspecfc.dll
2008-04-14 10:41 . 2004-08-04 12:00 1852928 ----a-w- c:\windows\apppatch\acgenral.dll
2008-04-14 10:41 . 2004-08-04 12:00 141312 ----a-w- c:\windows\apppatch\aclua.dll
2008-04-14 10:41 . 2004-08-04 12:00 116224 ----a-w- c:\windows\apppatch\acxtrnal.dll
2008-04-14 05:15 . 2001-08-17 14:03 25728 ----a-w- c:\windows\system32\drivers\usbcamd2.sys
2008-04-14 05:15 . 2001-08-17 14:03 25600 ----a-w- c:\windows\system32\drivers\usbcamd.sys
2004-08-04 12:00 . 2011-05-28 22:22 35328 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2004-08-04 12:00 . 2011-05-28 22:22 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll
2004-08-04 12:00 . 2011-05-28 22:22 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2004-08-04 12:00 . 2011-05-28 22:22 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll
2004-08-04 12:00 . 2004-08-04 12:00 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe
2004-08-04 12:00 . 2004-08-04 12:00 152576 ----a-w- c:\windows\help\bnts.dll
2004-08-04 12:00 . 2001-08-17 22:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2004-08-04 12:00 . 2001-08-17 22:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2004-08-04 12:00 . 2001-08-17 22:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2004-08-04 12:00 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2004-08-04 12:00 . 2001-08-17 22:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2004-08-04 12:00 . 2001-08-17 22:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2004-08-04 12:00 . 2001-08-17 22:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2004-08-04 12:00 . 2001-08-17 22:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2004-08-04 12:00 . 2001-08-17 22:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2004-08-04 12:00 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2004-08-04 12:00 . 2001-08-17 22:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2004-08-04 12:00 . 2001-08-17 22:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2004-08-04 12:00 . 2001-08-17 22:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2004-08-04 12:00 . 2001-08-17 22:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\streamci.dll
2004-08-04 12:00 . 2001-08-17 22:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2004-08-04 12:00 . 2001-08-17 22:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2004-08-04 12:00 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\spnike.dll
2004-08-04 12:00 . 2001-08-17 22:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2004-08-04 12:00 . 2001-08-17 22:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2004-08-04 12:00 . 2001-08-17 14:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2004-08-04 12:00 . 2001-08-17 14:02 262528 ----a-w- c:\windows\system32\drivers\cinemst2.sys
2004-08-04 12:00 . 2001-08-17 14:02 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2004-08-04 12:00 . 2001-08-17 14:01 51712 ----a-w- c:\windows\system32\drivers\tosdvd.sys
2004-08-04 12:00 . 2001-08-17 13:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2004-08-04 12:00 . 2001-08-17 13:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2004-08-04 12:00 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
2003-01-02 02:43 . 2011-09-24 18:18 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\
InputDirector.lnk - c:\program files\Input Director\InputDirector.exe [2010-2-1 475136]
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\started up
AIM.lnk - c:\program files\AIM\aim.exe [2011-5-3 4321112]
Autohotkey.lnk - c:\programming\AHKStuff\AutoHotkey.ahk [2011-6-8 11660]
SbieCtrl.lnk - c:\program files\Sandboxie\SbieCtrl.exe [2012-12-16 545552]
set.bat [2013-1-8 16]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\Terraria.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\ssftw\\ssft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2011 10:34 AM 717296]
R2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware2\mbamscheduler.exe [12/25/2012 12:33 PM 399432]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 3:45 AM 70704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/27/2011 10:37 PM 22856]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [6/6/2011 4:40 PM 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [5/5/2011 8:57 PM 58368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [8/23/2011 12:10 PM 52312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware2\mbamservice.exe [9/27/2011 10:37 PM 676936]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 2:47 AM 563760]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 14:36]
.
2013-01-08 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-08-23 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34}: NameServer = 208.67.220.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - ExtSQL: 2010-01-17 07:54; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-05-30 11:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2011-06-01 22:34; [email protected]; c:\program files\Fiddler2\FiddlerHook
FF - ExtSQL: 2011-09-24 14:31; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-09-24 14:53; {921880f2-a39f-4a30-89e5-c0189b09ebab}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{921880f2-a39f-4a30-89e5-c0189b09ebab}.xpi
FF - ExtSQL: 2011-09-24 14:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-01 02:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Input Director\InputDirectorSessionHelper.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2003-01-01 02:23:50 - machine was rebooted
ComboFix-quarantined-files.txt 2003-01-01 08:23
ComboFix2.txt 2013-01-09 17:24
ComboFix3.txt 2013-01-08 20:37
.
Pre-Run: 4,289,507,328 bytes free
Post-Run: 4,289,794,048 bytes free
.
- - End Of File - - 1ABD52391B36AB5D53627438854C0B3F

#11 nasdaq

  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:54 PM

Posted 09 January 2013 - 04:58 PM

(on the side)
I've heard that it's good to have an Administrator password.
Is this true?


I do not have one. I keep my passwords in a Text File - use Notepad.

Open notepad and copy/paste the text in the quote box below into it:


Firefox::
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#12 StevePRGM
  • Topic Starter
  • Members
  • 13 posts
  • Local time:06:54 PM

Posted 09 January 2013 - 05:46 PM

Strange, it said it fixed the same system file as last time....

Here's the txt file:
ComboFix 13-01-08.01 - Mike 01/01/2003 3:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.659 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2002-12-01 to 2003-01-01 )))))))))))))))))))))))))))))))
.
.
2012-12-05 20:19 . 2012-12-05 20:19 -------- d-----r- C:\Sandbox
2012-07-06 18:43 . 2012-07-06 18:43 201293 ----a-w- C:\ubnldr.exe
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\preseed
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\isolinux
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\casper
2012-07-06 18:39 . 2012-07-06 18:39 -------- d-----w- C:\.disk
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\unetbtin
2012-02-07 05:29 . 2012-02-07 05:29 -------- d-----r- C:\MSOCache
2012-02-07 03:46 . 2012-02-07 04:24 -------- d-----w- C:\KAG
2012-01-25 23:47 . 2012-01-25 23:48 -------- d-----w- C:\PsTools
2012-01-25 20:48 . 2012-01-25 20:48 -------- d-----w- C:\Borland
2011-12-09 05:02 . 2012-06-16 19:44 -------- d-----w- C:\_ Tools
2011-12-01 21:04 . 2012-02-09 19:40 -------- d-----w- C:\Games
2011-09-21 16:14 . 2011-09-21 16:15 -------- d-----w- C:\mysql
2011-09-09 19:22 . 2011-09-09 22:32 -------- d-----w- C:\__ TRANSFER
2011-06-18 23:27 . 2011-06-18 23:28 -------- d-----w- C:\_x Underground
2011-06-09 01:36 . 2011-06-09 01:36 -------- d-----w- C:\Eclipse
2011-06-08 18:53 . 2011-08-23 18:31 -------- d-----w- C:\WxTool
2011-06-08 18:48 . 2011-06-25 21:18 -------- d-----w- C:\_Sound Effects
2011-06-04 03:34 . 2011-08-30 05:00 -------- d-----w- C:\_Music
2011-06-03 04:12 . 2011-06-03 04:12 -------- d-----w- C:\Intel
2011-06-02 19:15 . 2011-06-02 19:15 -------- d-----w- C:\ATI
2011-05-30 16:51 . 2011-05-30 16:51 -------- d-----w- C:\_WinFixes
2011-05-30 16:50 . 2012-02-09 21:29 -------- d-----w- C:\Chrome
2011-05-30 16:42 . 2011-05-30 16:42 -------- d-----w- C:\bb4e187f0f3d4c2f76db05ce
2011-05-29 16:51 . 2012-12-25 23:31 -------- d-----w- C:\Temp
2011-05-29 02:50 . 2011-05-29 02:50 -------- d-----w- C:\cabs
2011-05-29 02:10 . 2012-01-25 20:53 -------- d-----w- C:\Programming
2011-05-29 02:09 . 2011-06-07 00:18 -------- d-----w- C:\_CommonFiles
2011-05-29 01:58 . 2012-06-28 20:28 -------- d-----w- C:\_SystemFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:42 . 2011-05-28 22:22 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
2008-04-14 10:42 . 2011-05-28 22:22 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2008-04-14 10:42 . 2011-05-28 22:22 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2008-04-14 10:42 . 2011-05-28 22:22 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2008-04-14 10:42 . 2011-05-28 22:22 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2008-04-14 10:42 . 2011-05-28 22:22 726078 ----a-w- c:\windows\srchasst\srchui.dll
2008-04-14 10:42 . 2011-05-28 22:22 58434 ----a-w- c:\windows\srchasst\srchctls.dll
2008-04-14 10:42 . 2004-08-04 12:00 34816 ----a-w- c:\windows\help\sniffpol.dll
2008-04-14 10:42 . 2004-08-04 12:00 33280 ----a-w- c:\windows\help\sstub.dll
2008-04-14 10:42 . 2004-08-04 12:00 279040 ----a-w- c:\windows\help\tshoot.dll
2008-04-14 10:42 . 2011-05-28 22:22 38400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll
2008-04-14 10:42 . 2011-05-28 22:22 102912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll
2008-04-14 10:42 . 2011-05-28 22:22 3166208 ----a-w- c:\windows\srchasst\msgr3en.dll
2008-04-14 10:42 . 2011-05-28 22:22 376832 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 10:41 . 2011-05-29 01:35 39424 ------w- c:\windows\apppatch\acadproc.dll
2008-04-14 10:41 . 2004-08-04 12:00 451072 ----a-w- c:\windows\apppatch\aclayers.dll
2008-04-14 10:41 . 2004-08-04 12:00 245248 ----a-w- c:\windows\apppatch\acspecfc.dll
2008-04-14 10:41 . 2004-08-04 12:00 1852928 ----a-w- c:\windows\apppatch\acgenral.dll
2008-04-14 10:41 . 2004-08-04 12:00 141312 ----a-w- c:\windows\apppatch\aclua.dll
2008-04-14 10:41 . 2004-08-04 12:00 116224 ----a-w- c:\windows\apppatch\acxtrnal.dll
2008-04-14 05:15 . 2001-08-17 14:03 25728 ----a-w- c:\windows\system32\drivers\usbcamd2.sys
2008-04-14 05:15 . 2001-08-17 14:03 25600 ----a-w- c:\windows\system32\drivers\usbcamd.sys
2004-08-04 12:00 . 2011-05-28 22:22 35328 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2004-08-04 12:00 . 2011-05-28 22:22 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll
2004-08-04 12:00 . 2011-05-28 22:22 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2004-08-04 12:00 . 2011-05-28 22:22 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll
2004-08-04 12:00 . 2004-08-04 12:00 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe
2004-08-04 12:00 . 2004-08-04 12:00 152576 ----a-w- c:\windows\help\bnts.dll
2004-08-04 12:00 . 2001-08-17 22:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2004-08-04 12:00 . 2001-08-17 22:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2004-08-04 12:00 . 2001-08-17 22:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2004-08-04 12:00 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2004-08-04 12:00 . 2001-08-17 22:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2004-08-04 12:00 . 2001-08-17 22:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2004-08-04 12:00 . 2001-08-17 22:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2004-08-04 12:00 . 2001-08-17 22:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2004-08-04 12:00 . 2001-08-17 22:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2004-08-04 12:00 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2004-08-04 12:00 . 2001-08-17 22:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2004-08-04 12:00 . 2001-08-17 22:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2004-08-04 12:00 . 2001-08-17 22:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2004-08-04 12:00 . 2001-08-17 22:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\streamci.dll
2004-08-04 12:00 . 2001-08-17 22:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2004-08-04 12:00 . 2001-08-17 22:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2004-08-04 12:00 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\spnike.dll
2004-08-04 12:00 . 2001-08-17 22:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2004-08-04 12:00 . 2001-08-17 22:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2004-08-04 12:00 . 2001-08-17 14:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2004-08-04 12:00 . 2001-08-17 14:02 262528 ----a-w- c:\windows\system32\drivers\cinemst2.sys
2004-08-04 12:00 . 2001-08-17 14:02 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2004-08-04 12:00 . 2001-08-17 14:01 51712 ----a-w- c:\windows\system32\drivers\tosdvd.sys
2004-08-04 12:00 . 2001-08-17 13:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2004-08-04 12:00 . 2001-08-17 13:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2004-08-04 12:00 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
2003-01-02 02:43 . 2011-09-24 18:18 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\
InputDirector.lnk - c:\program files\Input Director\InputDirector.exe [2010-2-1 475136]
.
c:\documents and settings\Mike\Start Menu\Programs\Startup\started up
AIM.lnk - c:\program files\AIM\aim.exe [2011-5-3 4321112]
Autohotkey.lnk - c:\programming\AHKStuff\AutoHotkey.ahk [2011-6-8 11660]
SbieCtrl.lnk - c:\program files\Sandboxie\SbieCtrl.exe [2012-12-16 545552]
set.bat [2013-1-8 16]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\Terraria.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\ssftw\\ssft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2011 10:34 AM 717296]
R2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware2\mbamscheduler.exe [12/25/2012 12:33 PM 399432]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 3:45 AM 70704]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/27/2011 10:37 PM 22856]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [6/6/2011 4:40 PM 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [5/5/2011 8:57 PM 58368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [8/23/2011 12:10 PM 52312]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware2\mbamservice.exe [9/27/2011 10:37 PM 676936]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 2:47 AM 563760]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
Contents of the 'Scheduled Tasks' folder
.
2003-01-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 14:36]
.
2013-01-08 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-08-23 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34}: NameServer = 208.67.220.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - ExtSQL: 2010-01-17 07:54; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-05-30 11:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2011-06-01 22:34; [email protected]; c:\program files\Fiddler2\FiddlerHook
FF - ExtSQL: 2011-09-24 14:31; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-09-24 14:53; {921880f2-a39f-4a30-89e5-c0189b09ebab}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{921880f2-a39f-4a30-89e5-c0189b09ebab}.xpi
FF - ExtSQL: 2011-09-24 14:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-01 04:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(472)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Input Director\InputDirectorSessionHelper.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2003-01-01 04:04:29 - machine was rebooted
ComboFix-quarantined-files.txt 2003-01-01 10:04
ComboFix2.txt 2003-01-01 08:23
ComboFix3.txt 2013-01-09 17:24
ComboFix4.txt 2013-01-08 20:37
.
Pre-Run: 4,293,386,240 bytes free
Post-Run: 4,289,130,496 bytes free
.
- - End Of File - - 398718AE4FC820BE086F7830D1F7BF71

#13 nasdaq

  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:54 PM

Posted 10 January 2013 - 10:10 AM

Found it.

Open notepad and copy/paste the text in the quote box below into it:


Folder::
c:\program files\IB Updater

Driver::
trcpxldwk

Firefox::
FF - ExtSQL: 2012-12-25 11:40; {336D0C35-8A85-403a-B9D2-65C292C39087}; c:\program files\IB Updater\Firefox
FF - ExtSQL: 2012-12-25 11:40; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists

#14 StevePRGM

StevePRGM
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:54 PM

Posted 10 January 2013 - 01:43 PM

I uninstalled a Malware Bytes installation that I wasn't using, after my last post

I believe Input Director has a service that starts up with the system. (I removed the version I found in start-up, but, once I plugged in the internet, Input Director made a connection to the other computer.) So, the Input Director service was running while ComboFix was running.

The same system file was fixed again...

=== After the drag and drop, ===
=== ComboFix returned the following: ===

ComboFix 13-01-08.01 - Mike 01/01/2003 23:50:02.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.632 [GMT -6:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2002-12-02 to 2003-01-02 )))))))))))))))))))))))))))))))
.
.
2012-12-05 20:19 . 2012-12-05 20:19 -------- d-----r- C:\Sandbox
2012-07-06 18:43 . 2012-07-06 18:43 201293 ----a-w- C:\ubnldr.exe
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\preseed
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\isolinux
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\casper
2012-07-06 18:39 . 2012-07-06 18:39 -------- d-----w- C:\.disk
2012-07-06 18:39 . 2012-07-06 18:43 -------- d-----w- C:\unetbtin
2012-02-07 05:29 . 2012-02-07 05:29 -------- d-----r- C:\MSOCache
2012-02-07 03:46 . 2012-02-07 04:24 -------- d-----w- C:\KAG
2012-01-25 23:47 . 2012-01-25 23:48 -------- d-----w- C:\PsTools
2012-01-25 20:48 . 2012-01-25 20:48 -------- d-----w- C:\Borland
2011-12-09 05:02 . 2012-06-16 19:44 -------- d-----w- C:\_ Tools
2011-12-01 21:04 . 2012-02-09 19:40 -------- d-----w- C:\Games
2011-09-21 16:14 . 2011-09-21 16:15 -------- d-----w- C:\mysql
2011-09-09 19:22 . 2011-09-09 22:32 -------- d-----w- C:\__ TRANSFER
2011-06-18 23:27 . 2011-06-18 23:28 -------- d-----w- C:\_x Underground
2011-06-09 01:36 . 2011-06-09 01:36 -------- d-----w- C:\Eclipse
2011-06-08 18:53 . 2011-08-23 18:31 -------- d-----w- C:\WxTool
2011-06-08 18:48 . 2011-06-25 21:18 -------- d-----w- C:\_Sound Effects
2011-06-04 03:34 . 2011-08-30 05:00 -------- d-----w- C:\_Music
2011-06-03 04:12 . 2011-06-03 04:12 -------- d-----w- C:\Intel
2011-06-02 19:15 . 2011-06-02 19:15 -------- d-----w- C:\ATI
2011-05-30 16:51 . 2011-05-30 16:51 -------- d-----w- C:\_WinFixes
2011-05-30 16:50 . 2012-02-09 21:29 -------- d-----w- C:\Chrome
2011-05-30 16:42 . 2011-05-30 16:42 -------- d-----w- C:\bb4e187f0f3d4c2f76db05ce
2011-05-29 16:51 . 2012-12-25 23:31 -------- d-----w- C:\Temp
2011-05-29 02:50 . 2011-05-29 02:50 -------- d-----w- C:\cabs
2011-05-29 02:10 . 2012-01-25 20:53 -------- d-----w- C:\Programming
2011-05-29 02:09 . 2011-06-07 00:18 -------- d-----w- C:\_CommonFiles
2011-05-29 01:58 . 2012-06-28 20:28 -------- d-----w- C:\_SystemFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:42 . 2011-05-28 22:22 150528 ----a-w- c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
2008-04-14 10:42 . 2011-05-28 22:22 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2008-04-14 10:42 . 2011-05-28 22:22 769024 ----a-w- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2008-04-14 10:42 . 2011-05-28 22:22 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2008-04-14 10:42 . 2011-05-28 22:22 18432 ----a-w- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2008-04-14 10:42 . 2011-05-28 22:22 726078 ----a-w- c:\windows\srchasst\srchui.dll
2008-04-14 10:42 . 2011-05-28 22:22 58434 ----a-w- c:\windows\srchasst\srchctls.dll
2008-04-14 10:42 . 2004-08-04 12:00 34816 ----a-w- c:\windows\help\sniffpol.dll
2008-04-14 10:42 . 2004-08-04 12:00 33280 ----a-w- c:\windows\help\sstub.dll
2008-04-14 10:42 . 2004-08-04 12:00 279040 ----a-w- c:\windows\help\tshoot.dll
2008-04-14 10:42 . 2011-05-28 22:22 38400 ----a-w- c:\windows\pchealth\helpctr\binaries\pchsvc.dll
2008-04-14 10:42 . 2011-05-28 22:22 102912 ----a-w- c:\windows\pchealth\helpctr\binaries\pchshell.dll
2008-04-14 10:42 . 2011-05-28 22:22 3166208 ----a-w- c:\windows\srchasst\msgr3en.dll
2008-04-14 10:42 . 2011-05-28 22:22 376832 ----a-w- c:\windows\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 10:41 . 2011-05-29 01:35 39424 ------w- c:\windows\apppatch\acadproc.dll
2008-04-14 10:41 . 2004-08-04 12:00 451072 ----a-w- c:\windows\apppatch\aclayers.dll
2008-04-14 10:41 . 2004-08-04 12:00 245248 ----a-w- c:\windows\apppatch\acspecfc.dll
2008-04-14 10:41 . 2004-08-04 12:00 1852928 ----a-w- c:\windows\apppatch\acgenral.dll
2008-04-14 10:41 . 2004-08-04 12:00 141312 ----a-w- c:\windows\apppatch\aclua.dll
2008-04-14 10:41 . 2004-08-04 12:00 116224 ----a-w- c:\windows\apppatch\acxtrnal.dll
2008-04-14 05:15 . 2001-08-17 14:03 25728 ----a-w- c:\windows\system32\drivers\usbcamd2.sys
2008-04-14 05:15 . 2001-08-17 14:03 25600 ----a-w- c:\windows\system32\drivers\usbcamd.sys
2004-08-04 12:00 . 2011-05-28 22:22 35328 ----a-w- c:\windows\pchealth\helpctr\binaries\notiflag.exe
2004-08-04 12:00 . 2011-05-28 22:22 21504 ----a-w- c:\windows\pchealth\helpctr\binaries\brpinfo.dll
2004-08-04 12:00 . 2011-05-28 22:22 99840 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpHost.exe
2004-08-04 12:00 . 2011-05-28 22:22 6656 ----a-w- c:\windows\pchealth\helpctr\binaries\HCAppRes.dll
2004-08-04 12:00 . 2004-08-04 12:00 3374640 ----a-w- c:\windows\help\Tours\mmTour\tour.exe
2004-08-04 12:00 . 2004-08-04 12:00 152576 ----a-w- c:\windows\help\bnts.dll
2004-08-04 12:00 . 2001-08-17 22:37 77891 ----a-w- c:\windows\system32\usrmlnka.exe
2004-08-04 12:00 . 2001-08-17 22:37 69700 ----a-w- c:\windows\system32\usrshuta.exe
2004-08-04 12:00 . 2001-08-17 22:37 61508 ----a-w- c:\windows\system32\usrprbda.exe
2004-08-04 12:00 . 2001-08-17 22:36 55296 ----a-w- c:\windows\system32\dvdplay.exe
2004-08-04 12:00 . 2001-08-17 22:36 3200 ----a-w- c:\windows\system32\wowfax.dll
2004-08-04 12:00 . 2001-08-17 22:36 13824 ----a-w- c:\windows\system32\wowfaxui.dll
2004-08-04 12:00 . 2001-08-17 22:36 86073 ----a-w- c:\windows\system32\usrfaxa.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\tsbyuv.dll
2004-08-04 12:00 . 2001-08-17 22:36 77890 ----a-w- c:\windows\system32\usrdpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 77883 ----a-w- c:\windows\system32\usrrtosa.dll
2004-08-04 12:00 . 2001-08-17 22:36 69699 ----a-w- c:\windows\system32\usrcoina.dll
2004-08-04 12:00 . 2001-08-17 22:36 61500 ----a-w- c:\windows\system32\usrcntra.dll
2004-08-04 12:00 . 2001-08-17 22:36 53305 ----a-w- c:\windows\system32\usrlbva.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrvpa.dll
2004-08-04 12:00 . 2001-08-17 22:36 49211 ----a-w- c:\windows\system32\usrsdpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 49209 ----a-w- c:\windows\system32\usrv80a.dll
2004-08-04 12:00 . 2001-08-17 22:36 45116 ----a-w- c:\windows\system32\usrvoica.dll
2004-08-04 12:00 . 2001-08-17 22:36 41019 ----a-w- c:\windows\system32\usrsvpia.dll
2004-08-04 12:00 . 2001-08-17 22:36 323641 ----a-w- c:\windows\system32\usrdtea.dll
2004-08-04 12:00 . 2001-08-17 22:36 102457 ----a-w- c:\windows\system32\usrv42a.dll
2004-08-04 12:00 . 2001-08-17 22:36 8192 ----a-w- c:\windows\system32\streamci.dll
2004-08-04 12:00 . 2001-08-17 22:36 72192 ----a-w- c:\windows\system32\sprio800.dll
2004-08-04 12:00 . 2001-08-17 22:36 70656 ----a-w- c:\windows\system32\sprio600.dll
2004-08-04 12:00 . 2001-08-17 22:36 69632 ----a-w- c:\windows\system32\spnike.dll
2004-08-04 12:00 . 2001-08-17 22:36 157696 ----a-w- c:\windows\system32\paqsp.dll
2004-08-04 12:00 . 2001-08-17 22:36 147968 ----a-w- c:\windows\system32\mdwmdmsp.dll
2004-08-04 12:00 . 2001-08-17 14:06 21376 ----a-w- c:\windows\system32\drivers\tsbvcap.sys
2004-08-04 12:00 . 2001-08-17 14:02 262528 ----a-w- c:\windows\system32\drivers\cinemst2.sys
2004-08-04 12:00 . 2001-08-17 14:02 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2004-08-04 12:00 . 2001-08-17 14:01 51712 ----a-w- c:\windows\system32\drivers\tosdvd.sys
2004-08-04 12:00 . 2001-08-17 13:57 12160 ----a-w- c:\windows\system32\drivers\fsvga.sys
2004-08-04 12:00 . 2001-08-17 13:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2004-08-04 12:00 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\riodrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\rio8drv.sys
2004-08-04 12:00 . 2001-08-17 13:24 12032 ----a-w- c:\windows\system32\drivers\nikedrv.sys
2004-08-04 12:00 . 2001-08-17 13:24 11776 ----a-w- c:\windows\system32\drivers\cpqdap01.sys
2003-01-02 02:43 . 2011-09-24 18:18 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\terraria\\Terraria.exe"=
"c:\\Program Files\\Input Director\\InputDirector.exe"=
"c:\\Program Files\\Input Director\\InputDirectorSessionHelper.exe"=
"c:\\Documents and Settings\\Mike\\Desktop\\ssftw\\ssft.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/30/2011 10:34 AM 717296]
R2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 3:45 AM 70704]
R3 ndisptr;Telesoft nDispatcher;c:\windows\system32\drivers\ndisptr.sys [6/6/2011 4:40 PM 34304]
R3 RAMDiskXP;RAMDiskXP;c:\windows\system32\drivers\RAMDiskXP.sys [5/5/2011 8:57 PM 58368]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [8/23/2011 12:10 PM 52312]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
S3 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 2:47 AM 563760]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
Contents of the 'Scheduled Tasks' folder
.
2003-01-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-28 14:36]
.
2013-01-08 c:\windows\Tasks\debutShakeIcon.job
- c:\program files\NCH Software\Debut\debut.exe [2011-08-23 18:11]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{826BDF29-2BE9-42A4-B62E-AA73B93FBE34}: NameServer = 208.67.220.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - ExtSQL: 2010-01-17 07:54; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-05-30 11:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2011-06-01 22:34; [email protected]; c:\program files\Fiddler2\FiddlerHook
FF - ExtSQL: 2011-09-24 14:31; [email protected]; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\[email protected]
FF - ExtSQL: 2011-09-24 14:53; {921880f2-a39f-4a30-89e5-c0189b09ebab}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{921880f2-a39f-4a30-89e5-c0189b09ebab}.xpi
FF - ExtSQL: 2011-09-24 14:53; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\g4mr5ooi.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2003-01-02 00:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Input Director\InputDirectorSessionHelper.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2003-01-02 00:03:59 - machine was rebooted
ComboFix-quarantined-files.txt 2003-01-02 06:03
ComboFix2.txt 2003-01-01 10:04
ComboFix3.txt 2003-01-01 08:23
ComboFix4.txt 2013-01-09 17:24
ComboFix5.txt 2003-01-02 05:48
.
Pre-Run: 4,256,030,720 bytes free
Post-Run: 4,250,062,848 bytes free
.
- - End Of File - - 9A67FE36812EE854AC88994E224F38FB
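The log above shows the pattern nasdaq keyed on: a service (trcpxldwk) whose image path is svchost.exe -k netsvcs, whose name ComboFix lists under the Svchost NetSvcs group (ComboFix's own note says only non-default entries are printed there), and whose ServiceDll points at an unfamiliar DLL in system32. The script below is an added example, not part of the thread and not ComboFix's code; it parses the three relevant parts of a ComboFix log and correlates them so the hosted DLL is shown next to the service entry. The sample log lines are constructed from the entries posted above, and the function names are my own.

```python
"""Correlate svchost-hosted services in a ComboFix log with their ServiceDll.

Added example, not taken from the thread or from ComboFix. The sample lines
below are constructed from the entries visible in the posted log.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines copied from the posted ComboFix log.
SAMPLE_LOG = r"""
R2 InputDirector;Input Director Service;c:\program files\Input Director\IDWinService.exe [2/1/2010 3:37 AM 36864]
S2 trcpxldwk;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:00 AM 14336]
S3 PsShutdownSvc;PsShutdown;c:\windows\PSSDNSVC.EXE [1/25/2012 5:51 PM 87616]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
trcpxldwk
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld MySQL"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\trcpxldwk]
"ServiceDll"="c:\windows\system32\xowyymku.dll"
"""

# "R2 name;display;image [date size]" lines from the "Reg Loading Points" section.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[.*\]$")
# Registry key header for a service, as ComboFix prints it.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
# The ServiceDll value line under such a key.
VALUE_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.I)


def parse_services(log: str) -> Dict[str, Tuple[str, str, str]]:
    """Map service name -> (start type, display name, image path)."""
    services: Dict[str, Tuple[str, str, str]] = {}
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services[m.group(2)] = (m.group(1), m.group(3), m.group(4))
    return services


def parse_netsvcs(log: str) -> List[str]:
    """Names ComboFix prints under the Svchost NetSvcs group (non-default entries only)."""
    names: List[str] = []
    collecting = False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("HKEY_LOCAL_MACHINE") and line.endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if line == "." or not line:
                break
            names.append(line)
    return names


def parse_service_dlls(log: str) -> Dict[str, str]:
    """Map service name -> ServiceDll path from the per-service registry dumps."""
    dlls: Dict[str, str] = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            dlls[current] = vm.group(1)
    return dlls


def find_svchost_hosted(log: str) -> List[dict]:
    """Every service whose image is svchost.exe, joined with its host group and ServiceDll."""
    services = parse_services(log)
    dlls = parse_service_dlls(log)
    netsvcs = set(parse_netsvcs(log))
    findings = []
    for name, (_start, display, image) in services.items():
        if "svchost.exe" not in image.lower():
            continue
        group = image.split("-k", 1)[1].strip() if "-k" in image else ""
        findings.append({
            "service": name,
            "display": display,
            "group": group,
            "service_dll": dlls.get(name, "<not in log>"),
            # True means ComboFix considered the NetSvcs entry non-default.
            "in_netsvcs_dump": name in netsvcs,
        })
    return findings


if __name__ == "__main__":
    for f in find_svchost_hosted(SAMPLE_LOG):
        print(f"{f['service']} ({f['display']}) -k {f['group']} -> {f['service_dll']}"
              f" [non-default NetSvcs entry: {f['in_netsvcs_dump']}]")
```

Run it against a full ComboFix log instead of the sample and every svchost-hosted service is listed with the DLL it actually loads; the ones worth a second look are those whose DLL name matches nothing the system's own components are known to register, as here.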

#15 nasdaq

nasdaq

  • Malware Response Team
  • 20,141 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:54 PM

Posted 10 January 2013 - 01:52 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    msgsvc.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
