Search Engine Results Lead To Other Sites
#1
Posted 04 April 2011 - 04:27 PM
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:22:24 PM, on 4/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Owner\Desktop\HJT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Dtaqep] rundll32.exe "C:\WINDOWS\adacalolac.dll",Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aSzNGRS1QRU1CUg"&"inst=NzYtNjg5ODc5MTczLUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1TVDErMi1CQVI5RysxLVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzUtRjlNMTBCKzItRDM4MUwrNg"&"prod=94"&"ver=10.0.1204
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
O8 - Extra context menu item: Free YouTube to Mp3 Converter - C:\Documents and Settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - http://mywebcast.cc/tvants/tvants.cab
O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
--
End of file - 8203 bytes
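The HijackThis log above is the kind of input a helper reads by eye. As an added example (not part of this thread or of HijackThis itself), the script below parses such a log and flags the entry types that usually get a second look: R3/O2 hooks marked "(no file)", O4 Run entries that start rundll32 on a DLL sitting directly in the Windows directory, O8 context-menu items whose target is a bare query string, and O23 services whose binary is missing. The heuristics, regexes and function names are mine; the sample lines are copied from the posted log. A hit means the entry deserves review, not that it is malicious.

```python
"""Triage a HijackThis (v2.x) log for entries that deserve a closer look.

Added example, not part of the original forum post. The indicators are
heuristics drawn from the kinds of lines visible in the posted log: O4 Run
entries that load a DLL via rundll32 from the Windows directory root, hooks
and services whose file is missing, and context-menu items with an odd target.
A hit means "look at this", not "this is malware".
"""
import re

# Constructed sample: a handful of lines copied from the posted log plus two
# known-good lines, so the script runs offline and the good lines stay quiet.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\\Program Files\\Java\\jre6\\bin\\jp2ssv.dll
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [Dtaqep] rundll32.exe "C:\\WINDOWS\\adacalolac.dll",Startup
O8 - Extra context menu item: &Search - ?p=ZJfox000
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe
"""

# Every HJT entry starts with a section tag such as R3, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# rundll32 loading a DLL that sits directly in %WINDIR% (not in system32 or a
# program directory); legitimate Run entries rarely look like this.
RUNDLL_WINROOT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\WINDOWS\\[^\\"]+\.dll)"?', re.IGNORECASE)


def parse_entries(text):
    """Yield (section, body) for every HJT entry line; skip everything else."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return a list of (section, reason, body) for entries worth reviewing."""
    findings = []
    for section, body in parse_entries(text):
        lowered = body.lower()
        if section in ("R3", "O2", "O3") and "(no file)" in lowered:
            findings.append((section, "orphaned hook/BHO (no file)", body))
        elif section == "O4":
            m = RUNDLL_WINROOT_RE.search(body)
            if m:
                findings.append((section, "rundll32 loads %s from Windows root" % m.group("dll"), body))
        elif section == "O8" and re.search(r"-\s*\?p=", body):
            findings.append((section, "context-menu item with bare query-string target", body))
        elif section == "O23" and "(file missing)" in lowered:
            findings.append((section, "service points at missing binary", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (section, reason, body))
```

Run it on a saved hijackthis.log by reading the file into `triage()`; the two known-good sample lines (the Java BHO and the Malwarebytes service) produce no output, which is the behaviour you want from a first-pass filter.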
#2
Posted 04 April 2011 - 04:48 PM
- Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
- Please do not run any scans or install/uninstall any applications without being directed to do so.
- Any underlined text in my posts indicates a clickable link.
- If you have any questions at all, please stop and ask before proceeding.
DDS.scr
DDS.com
DDS.pif
- Disable any script blocking protection (How to Disable your Security Programs)
- Double click DDS icon to run the tool (may take up to 3 minutes to run)
- When done, DDS.txt will open.
- After a few moments, attach.txt will open in a second window.
- Save both reports to your desktop.
- Post the contents of the DDS.txt report in your next reply
- Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
- Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
If you have trouble running GMER:
- Make sure that your security software is disabled
- Uncheck the box next to "Files" this time also
- If you still can't run it, try in the Safe Mode
Please include the following in your next post:
- DDS.txt and Attach.txt logs
- GMER log
#3
Posted 04 April 2011 - 07:03 PM
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 18:53:16.68 on Mon 04/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.167 [GMT -4:00]
.
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Zune\ZuneBusEnum.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/
uSearch Page =
uSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Dtaqep] rundll32.exe "c:\windows\adacalolac.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OE1FSC1STlhCRC1HTVlIRi1CU0xTUi1aSzNGRS1QRU1CUg"&"inst=NzYtNjg5ODc5MTczLUJBKzEtS1YzKzctWEwrMS1UNC1GUDkrNi1TVDErMi1CQVI5RysxLVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzUtRjlNMTBCKzItRDM4MUwrNg"&"prod=94"&"ver=10.0.1204
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &Search - ?p=ZJfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\owner\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://mywebcast.cc/tvants/tvants.cab
DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\pzd49ed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\pzd49ed4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\pzd49ed4.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-11-2 95592]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-9-30 66048]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-30 363344]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 26192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-12-30 20952]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2010-6-8 167808]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2010-6-8 13532]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-4 136176]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-7-1 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-30 38224]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2006-6-29 2383152]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
.
=============== Created Last 30 ================
.
2011-04-04 08:04:46 -------- d--h--w- C:\$AVG
2011-04-04 07:01:34 -------- d-----w- c:\windows\system32\drivers\AVG
2011-04-03 23:18:05 0 ----a-w- c:\windows\Uhuwid.bin
2011-04-03 23:18:03 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\{3061F544-2679-42CF-8CFC-CCABAEE668C2}
2011-04-03 23:05:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\TVU Networks
2011-04-03 23:05:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2011-04-03 23:05:51 -------- d-----w- c:\documents and settings\owner\LocalLow
2011-04-03 22:28:11 -------- d-----w- C:\2355220a384d6b49eb3fdbae
2011-03-23 19:59:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-23 19:59:00 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-23 19:59:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-23 19:59:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-23 19:59:00 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-23 19:59:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-03-23 19:58:59 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-23 19:58:59 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
.
==================== Find3M ====================
.
2011-04-03 07:00:00 356352 ----a-w- c:\windows\system32\wpdsp.dll
2011-04-03 06:58:58 290816 ----a-w- c:\windows\system32\dtsac3source.ax
2011-04-03 06:57:43 77824 ----a-w- c:\windows\system32\cliconfg.dll
2011-04-03 06:41:27 81920 ----a-w- c:\docume~1\owner\applic~1\ezpinst.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380815AS rev.3.AAC -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82CC4439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82cca7d0]; MOV EAX, [0x82cca84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82CDC3D0]
3 CLASSPNP[0xF86E2FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\000000a3[0x82D01650]
5 ACPI[0xF83B0620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82D01030]
\Driver\atapi[0x82D12808] -> IRP_MJ_CREATE -> 0x82CC4439
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST380815AS______________________________3.AAC___#5&37fb79bb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x82CC427F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:55:36.31 ===============
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-04 19:57:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST380815AS rev.3.AAC
Running: tpct46lp.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwlcifow.sys
---- System - GMER 1.0.15 ----
SSDT spru.sys ZwCreateKey [0xF83F10E0]
SSDT spru.sys ZwEnumerateKey [0xF840FDA4]
SSDT spru.sys ZwEnumerateValueKey [0xF8410132]
SSDT spru.sys ZwOpenKey [0xF83F10C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF88646C0]
SSDT spru.sys ZwQueryKey [0xF841020A]
SSDT spru.sys ZwQueryValueKey [0xF841008A]
SSDT spru.sys ZwSetValueKey [0xF841029C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF8864770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF8864810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF88648B0]
INT 0x62 ? 82DDCBF8
INT 0x63 ? 82DDBBF8
INT 0x73 ? 82DDBBF8
INT 0x83 ? 82DDCBF8
INT 0x83 ? 82DDCBF8
INT 0x83 ? 82DDBBF8
INT 0x83 ? 82DDCBF8
INT 0xB4 ? 82DDBBF8
---- Kernel code sections - GMER 1.0.15 ----
? xrhf.sys The system cannot find the file specified. !
? spru.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F7F568AC 5 Bytes JMP 82DDB1D8
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009D000C
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02E6000A
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 02E7000A
.text C:\WINDOWS\System32\svchost.exe[1180] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 02E8000A
.text C:\WINDOWS\System32\svchost.exe[1180] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wuauclt.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 010E000A
.text C:\WINDOWS\system32\wuauclt.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 010F000A
.text C:\WINDOWS\system32\wuauclt.exe[1364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DC000C
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3328] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10699777 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3328] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10699709 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3328] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7C37 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3328] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C823A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0146000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0147000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0145000C
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 82DCA1F8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 82D701F8
Device \Driver\usbuhci \Device\USBPDO-1 82D701F8
Device \Driver\usbuhci \Device\USBPDO-2 82D701F8
Device \Driver\usbuhci \Device\USBPDO-3 82D701F8
Device \Driver\usbehci \Device\USBPDO-4 82D711F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FFD17D9D-CA78-47CF-B166-B6B6696C4D0D} 8237E1F8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 82DDD1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82DDD1F8
Device \Driver\Cdrom \Device\CdRom0 82DDE1F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 82CC427F
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F834DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82CC427F
Device \Driver\atapi \Device\Ide\IdePort0 [F834DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82CC427F
Device \Driver\atapi \Device\Ide\IdePort1 [F834DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 82CC427F
Device \Driver\atapi \Device\Ide\IdePort2 [F834DB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8237E1F8
Device \Driver\NetBT \Device\NetbiosSmb 8237E1F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 82D701F8
Device \Driver\usbuhci \Device\USBFDO-1 82D701F8
Device \Driver\usbuhci \Device\USBFDO-2 82D701F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8237C1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8237C1F8
Device \Driver\usbuhci \Device\USBFDO-3 82D701F8
Device \Driver\Ftdisk \Device\FtControl 82DDD1F8
Device \Driver\usbehci \Device\USBFDO-4 82D711F8
Device \FileSystem\Cdfs \Cdfs 82B631F8
Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskST380815AS______________________________3.AAC___#5&37fb79bb&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
---- EOF - GMER 1.0.15 ----
Attached File(s): Attach.txt (11.88K)
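GMER and the DDS MBR check above list hooks one per line, which makes it hard to see which module owns what. As an added example (not part of the thread or of GMER), the script below groups SSDT hooks by module, joins them with GMER's "The system cannot find the file specified" lines, and picks out redirected DriverStartIo pointers like the atapi one that DDS flagged. The regexes and function names are my own; the sample lines are copied from the posted output. Two caveats a practitioner would add: a kernel module GMER cannot open is not by itself proof of a rootkit (this log's Registry section also shows an sptd service, and SPTD-style SCSI pass-through drivers are a well-known source of exactly this set of registry-API SSDT hooks), and the helper's own caution stands: read these entries, do not act on them.

```python
"""Summarise kernel hooks reported in a GMER log so they can be read per module.

Added example, not part of the original posts. GMER's SSDT lines name the
module that owns each hooked system-call slot; when GMER can also open the
file it appends the version/vendor string in parentheses, and when it cannot
it emits a separate "? <module> The system cannot find the file specified. !"
line. Grouping the two together, plus any "DriverStartIo -> <addr>" hook
lines, turns a long list into a few questions a reviewer can actually answer.
"""
import re
from collections import defaultdict

# Constructed sample: representative lines copied from the GMER/DDS output above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----
SSDT spru.sys ZwCreateKey [0xF83F10E0]
SSDT spru.sys ZwEnumerateKey [0xF840FDA4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF88646C0]
SSDT spru.sys ZwSetValueKey [0xF841029C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF8864770]
---- Kernel code sections - GMER 1.0.15 ----
? xrhf.sys The system cannot find the file specified. !
? spru.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F7F568AC 5 Bytes JMP 82DDB1D8
detected hooks:
\Driver\atapi DriverStartIo -> 0x82CC427F
"""

# "SSDT <module> [(vendor/version)] <ZwFunction> [0xADDR]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
# "? <module> The system cannot find the file specified. !"
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")
# "\Driver\<name> DriverStartIo -> 0xADDR"  (GMER and the DDS MBR check both print this)
STARTIO_RE = re.compile(r"^\\Driver\\(?P<driver>\w+)\s+DriverStartIo\s+->\s+(?P<addr>0x[0-9A-Fa-f]+)")


def module_key(path):
    """Normalise '\\SystemRoot\\...\\AVGIDSShim.Sys' and 'spru.sys' to a lower-case file name."""
    return path.rsplit("\\", 1)[-1].lower()


def summarise(text):
    """Return (ssdt_by_module, startio_hooks).

    ssdt_by_module maps file name -> {"funcs": [...], "desc": str|None, "file_found": bool}
    startio_hooks is a list of (driver, address) for redirected DriverStartIo pointers.
    """
    modules = defaultdict(lambda: {"funcs": [], "desc": None, "file_found": True})
    startio = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            entry = modules[module_key(m.group("module"))]
            entry["funcs"].append(m.group("func"))
            if m.group("desc"):
                entry["desc"] = m.group("desc").strip()
            continue
        m = MISSING_RE.match(line)
        if m:
            modules[module_key(m.group("module"))]["file_found"] = False
            continue
        m = STARTIO_RE.match(line)
        if m:
            startio.append((m.group("driver"), m.group("addr")))
    return dict(modules), startio


def review_points(text):
    """Turn the summary into short review questions; an empty list means nothing stood out."""
    modules, startio = summarise(text)
    points = []
    for name, info in sorted(modules.items()):
        if info["funcs"] and not info["file_found"]:
            points.append("%s: hooks %s but GMER could not open the file" % (name, ", ".join(info["funcs"])))
        elif not info["funcs"] and not info["file_found"]:
            points.append("%s: listed as a kernel module but file not found" % name)
    for driver, addr in startio:
        points.append("%s: DriverStartIo redirected to %s" % (driver, addr))
    return points


if __name__ == "__main__":
    for p in review_points(SAMPLE_GMER):
        print("-", p)
```

Modules that GMER could open and attribute to a vendor (the AVG shim here) drop out of the review list; what remains is the unattributed module set and the redirected atapi start-I/O pointer, which is the same short list the helper has to reason about before choosing a removal tool.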
#4
Posted 04 April 2011 - 08:58 PM
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. You may do this through Control Panel > Add/Remove Programs, or you can use this tool for a more complete removal:
Download AppRemover from here saving it to your desktop.
- Double click to run AppRemover
- Follow the prompts to remove AVG
- Reboot
Once you've removed AVG with this tool please continue with these instructions
- Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

- Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please include the following in your next post:
- ComboFix log
This post has been edited by RPMcMurphy: 04 April 2011 - 09:03 PM
#5
Posted 05 April 2011 - 03:37 PM
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.199 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\20101031020720.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.ico
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\WINDOWS
c:\windows\adacalolac.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-04 19:19 . 2011-04-04 19:19 -------- d-----w- c:\program files\Google
2011-04-04 08:04 . 2011-04-04 08:04 -------- d-----w- C:\$AVG
2011-04-04 04:29 . 2011-04-04 04:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-04-04 04:03 . 2011-04-04 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-03 23:18 . 2011-04-04 06:50 0 ----a-w- c:\windows\Uhuwid.bin
2011-04-03 23:18 . 2011-04-03 23:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\TVU Networks
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\Owner\LocalLow
2011-04-03 22:28 . 2011-04-03 22:28 -------- d-----w- C:\2355220a384d6b49eb3fdbae
2011-03-23 19:59 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 19:59 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 19:59 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 19:59 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 19:59 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 19:59 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-23 19:58 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 19:58 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-03 07:00 . 2004-08-11 16:45 356352 ----a-w- c:\windows\system32\wpdsp.dll
2011-04-03 06:59 . 2004-08-11 16:45 331776 ----a-w- c:\windows\system32\wpdmtpdr.dll
2011-04-03 06:59 . 2007-08-15 06:24 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\WMVADVE.DLL
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\WMVADVD.dll
2011-04-03 06:59 . 2009-11-02 19:03 348160 ----a-w- c:\windows\system32\WMAFile.dll
2011-04-03 06:59 . 2006-05-07 01:24 233472 ----a-w- c:\windows\system32\webcheck(2).dll
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\wdfapi.dll
2011-04-03 06:59 . 2010-03-20 08:00 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-04-03 06:59 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-04-03 06:59 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-04-03 06:59 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-04-03 06:59 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-04-03 06:59 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-04-03 06:59 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-04-03 06:59 . 2006-07-01 04:21 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-04-03 06:59 . 2009-09-29 15:41 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2011-04-03 06:59 . 2007-08-10 02:24 122880 ----a-w- c:\windows\system32\Uci32107.dll
2011-04-03 06:59 . 2006-03-17 19:49 368640 ----a-w- c:\windows\system32\twnlib4.dll
2011-04-03 06:59 . 2010-03-28 00:28 20480 ----a-w- c:\windows\system32\SysRestore.dll
2011-04-03 06:59 . 2009-11-02 19:03 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2011-04-03 06:59 . 2009-06-14 16:48 28672 ----a-w- c:\windows\system32\systray.ocx
2011-04-03 06:59 . 2009-05-01 20:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-04-03 06:59 . 2006-05-07 01:24 8192 ----a-w- c:\windows\system32\tssoft32.acm
2011-04-03 06:59 . 2006-05-07 01:24 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2011-04-03 06:59 . 2006-05-07 01:24 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-04-03 06:59 . 2010-05-19 20:59 552960 ----a-w- c:\windows\system32\splitter.ax
2011-04-03 06:59 . 2008-03-01 17:04 217088 ----a-w- c:\windows\system32\skjpeg40.dll
2011-04-03 06:59 . 2006-05-07 01:24 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-04-03 06:59 . 2002-09-21 07:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2011-04-03 06:59 . 2010-06-04 02:10 36864 ----a-w- c:\windows\system32\RtlGina2.dll
2011-04-03 06:59 . 2010-06-04 02:10 344064 ----a-w- c:\windows\system32\SCMLib.dll
2011-04-03 06:59 . 2007-08-10 01:55 282624 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-04-03 06:59 . 2007-03-22 03:48 102400 ----a-w- c:\windows\system32\SampleGrabber.ax
2011-04-03 06:59 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-04-03 06:59 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-04-03 06:59 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-04-03 06:59 . 2008-11-06 15:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2011-04-03 06:59 . 2010-10-31 06:14 61440 ----a-w- c:\windows\system32\pthswmcp.dll
2011-04-03 06:59 . 2007-05-01 17:15 323584 ----a-w- c:\windows\system32\osMPEGVidDec.ax
2011-04-03 06:59 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-04-03 06:59 . 2009-09-29 15:45 57344 ----a-r- c:\windows\system32\NeroBurnRights.cpl
2011-04-03 06:59 . 2009-09-29 15:41 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2011-04-03 06:59 . 2006-06-29 00:59 24576 ----a-w- c:\windows\system32\nlsdl.dll
2011-04-03 06:59 . 2007-08-28 16:00 626688 ----a-w- c:\windows\system32\msvcr80.dll
2011-04-03 06:59 . 2007-08-28 16:00 548864 ----a-w- c:\windows\system32\msvcp80.dll
2011-04-03 06:59 . 2007-08-10 01:59 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-03 06:59 . 2003-08-27 20:43 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-03 06:59 . 2003-02-22 01:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-03 06:59 . 2009-03-08 18:22 49152 ----a-w- c:\windows\system32\msrating.dll.mui
2011-04-03 06:59 . 2008-02-14 01:56 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-04-03 06:59 . 2006-05-07 01:24 1355776 ----a-w- c:\windows\system32\msvbvm50.dll
2011-04-03 06:59 . 2006-05-07 01:36 118784 ----a-w- c:\windows\system32\msg723.acm
2011-04-03 06:59 . 2006-05-07 01:36 188416 ----a-w- c:\windows\system32\msh261.drv
2011-04-03 06:59 . 2004-08-04 08:56 294912 ----a-w- c:\windows\system32\msh263.drv
2011-04-03 06:59 . 2007-08-28 16:00 1101824 ----a-w- c:\windows\system32\mfc80.dll
2011-04-03 06:59 . 2008-02-14 01:56 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-04-03 06:59 . 2007-08-10 02:24 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2011-04-03 06:59 . 2007-08-10 02:16 20480 ----a-w- c:\windows\system32\Marker32.exe
2011-04-03 06:59 . 2010-06-04 02:10 1069056 ----a-w- c:\windows\system32\libeay32.dll
2011-04-03 06:59 . 2009-05-01 20:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-04-03 06:59 . 2010-04-03 21:33 311296 ----a-w- c:\windows\system32\LEXBCES.EXE
2011-04-03 06:59 . 2010-04-03 21:33 200704 ----a-w- c:\windows\system32\LEXLMPM.DLL
2011-04-03 06:59 . 2010-04-03 21:33 147456 ----a-w- c:\windows\system32\LEXBCE.DLL
2011-04-03 06:59 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-04-03 06:59 . 2006-05-07 01:24 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-04-03 06:59 . 2010-12-30 10:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-03 06:59 . 2006-05-07 01:24 65536 ----a-w- c:\windows\system32\jgsh400.dll
2011-04-03 06:59 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-04-03 06:59 . 2006-07-01 06:30 49152 ----a-w- c:\windows\system32\install.dll
2011-04-03 06:59 . 2008-07-04 14:23 802816 ----a-w- c:\windows\system32\imagXRA7.dll
2011-04-03 06:59 . 2008-07-04 14:23 258048 ----a-w- c:\windows\system32\imagXR7.dll
2011-04-03 06:59 . 2008-07-04 14:23 1757184 ----a-w- c:\windows\system32\imagX7.dll
2011-04-03 06:59 . 2009-09-29 15:41 569344 ----a-w- c:\windows\system32\imagr5.dll
2011-04-03 06:59 . 2009-09-29 15:41 544768 ----a-w- c:\windows\system32\imagx5.dll
2011-04-03 06:59 . 2007-08-10 01:54 2363392 ----a-w- c:\windows\system32\iglicd32.dll
2011-04-03 06:59 . 2007-08-10 01:54 364544 ----a-w- c:\windows\system32\igxpun.exe
2011-04-03 06:59 . 2006-05-07 01:24 16384 ----a-w- c:\windows\system32\imaadp32.acm
2011-04-03 06:59 . 2007-08-10 01:54 172032 ----a-w- c:\windows\system32\igfxrita.lrc
2011-04-03 06:59 . 2007-08-10 01:54 167936 ----a-w- c:\windows\system32\igfxrfra.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrsve.lrc
2011-04-03 06:59 . 2007-08-10 01:54 155648 ----a-w- c:\windows\system32\igfxrtrk.lrc
2011-04-03 06:59 . 2007-08-10 01:54 147456 ----a-w- c:\windows\system32\igfxrtha.lrc
2011-04-03 06:59 . 2007-08-10 01:54 139264 ----a-w- c:\windows\system32\igfxrheb.lrc
2011-04-03 06:59 . 2007-08-10 01:54 114688 ----a-w- c:\windows\system32\igfxrkor.lrc
2011-04-03 06:59 . 2007-08-10 01:54 114688 ----a-w- c:\windows\system32\igfxrjpn.lrc
2011-04-03 06:59 . 2007-08-10 01:54 454656 ----a-w- c:\windows\system32\igldev32.dll
2011-04-03 06:59 . 2007-08-10 01:54 3276800 ----a-w- c:\windows\system32\igfxress.dll
2011-04-03 06:59 . 2007-08-10 01:54 192512 ----a-w- c:\windows\system32\igfxsrvc.exe
2011-04-03 06:59 . 2007-08-10 01:54 172032 ----a-w- c:\windows\system32\igfxrnld.lrc
2011-04-03 06:59 . 2007-08-10 01:54 167936 ----a-w- c:\windows\system32\igfxrhun.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrrus.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrptg.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrptb.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrplk.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrnor.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrfin.lrc
2011-04-03 06:59 . 2007-08-10 01:54 106496 ----a-w- c:\windows\system32\igfxzoom.exe
2011-04-03 06:59 . 2007-08-10 02:27 155648 ----a-w- c:\windows\system32\igfxres.dll
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrdan.lrc
2011-03-18 17:53 . 2011-03-23 19:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-12 03:16 . 2008-01-12 03:16 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
.
2007-08-10 02:08 . 2006-11-16 23:04 2348584 c:\program files\BigFix\bak\bigfix.exe
.
2007-09-28 04:10 . 2007-09-28 04:10 122880 c:\program files\CyberLink\Power2Go\bak\CLMLSvc.exe
.
2007-09-29 21:53 . 2007-09-29 21:53 2680104 c:\program files\CyberLink\Power2Go\bak\Power2GoExpress.exe
.
2007-08-10 01:59 . 2006-11-23 22:10 56928 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
.
2007-08-10 01:59 . 2006-11-29 19:22 58928 c:\program files\CyberLink\PowerDVD\Language\bak\Language.exe
.
2006-10-13 22:01 . 2006-10-13 22:01 277296 c:\program files\Microsoft LifeCam\bak\LifeExp.exe
2006-10-13 22:01 . 2006-10-13 22:01 277296 c:\program files\Microsoft LifeCam\LifeExp.exe
.
2008-02-01 04:13 . 2008-02-01 04:13 385024 c:\program files\QuickTime\bak\qttask.exe
2010-11-29 22:38 . 2011-04-03 06:50 421888 c:\program files\QuickTime\QTTask.exe
.
2007-07-13 23:19 . 2007-07-13 23:19 5252936 c:\program files\Spare Backup\bak\SpareBackup.exe
.
2007-12-20 15:16 . 2007-12-20 15:16 37376 c:\program files\Winamp\bak\winampa.exe
2009-07-01 16:37 . 2009-07-01 16:37 37888 c:\program files\Winamp\winampa.exe
.
2006-06-29 23:55 . 2006-10-13 22:04 994096 c:\windows\bak\vVX6000.exe
2006-10-13 22:04 . 2006-10-13 22:04 994096 c:\windows\vVX6000.exe
.
2006-05-07 01:24 . 2004-08-04 20:00 15360 c:\windows\system32\bak\ctfmon.exe
2006-05-07 01:24 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe
.
2007-08-10 01:54 . 2006-10-06 04:13 114688 c:\windows\system32\bak\hkcmd.exe
.
2007-08-10 01:54 . 2006-10-06 04:10 94208 c:\windows\system32\bak\igfxpers.exe
.
2007-08-10 01:54 . 2006-10-06 04:11 98304 c:\windows\system32\bak\igfxtray.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2011-04-03 212992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
"Dtaqep"="c:\windows\adacalolac.dll" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-04-03 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2010-6-3 1261568]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2010-6-8 745472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvgUninstallURL]
start http: [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-05-21 15:36 3824472 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
c:\program files\Lexmark 1200 Series\lxczbmgr.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2006-10-13 22:01 277296 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
c:\program files\Common Files\Ahead\Lib\NeroCheck.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-04-03 06:50 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]
2006-10-13 22:04 994096 ----a-w- c:\windows\vVX6000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager-110309-193829"=3 (0x3)
"RichVideo"=2 (0x2)
"MSCamSvc"=2 (0x2)
"LexBceS"=2 (0x2)
"avg9emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NETGEAR\\WG111v2\\WG111v2.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/2/2009 2:37 PM 721904]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [11/2/2009 2:36 PM 95592]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/30/2009 1:54 PM 66048]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/30/2010 1:10 AM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/30/2010 1:10 AM 20952]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [6/8/2010 12:54 AM 167808]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [6/8/2010 12:54 AM 13532]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 3:20 PM 136176]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 1:44 AM 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/30/2010 1:10 AM 38224]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/2006 7:56 PM 2383152]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:19]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://mywebcast.cc/tvants/tvants.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pzd49ed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
AddRemove-{E7269FD6-34EA-4617-8752-6739AA384080} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{E7269~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 16:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-05 16:29:13
ComboFix-quarantined-files.txt 2011-04-05 20:29
ComboFix2.txt 2009-07-06 16:20
.
Pre-Run: 4,066,234,368 bytes free
Post-Run: 9,214,308,352 bytes free
.
- - End Of File - - A657B352D5B50E5573724A61E1827DD5
#6
Posted 05 April 2011 - 03:56 PM
http://www.bleepingcomputer.com/forums/topic389132.html
File::
c:\windows\Uhuwid.bin
DirLook::
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}
C:\2355220a384d6b49eb3fdbae
Folder::
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\program files\BigFix\bak
c:\program files\CyberLink\Power2Go\bak
c:\program files\CyberLink\PowerDVD\bak
c:\program files\CyberLink\PowerDVD\Language\bak
c:\program files\Microsoft LifeCam\bak
c:\program files\Spare Backup\bak
c:\windows\bak
c:\windows\system32\bak
c:\program files\QuickTime\bak
c:\program files\Winamp\bak
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dtaqep"=-
Collect::
c:\windows\adacalolac.dll
Save this as CFScript to your desktop.
Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Open MBAM
- Click the Update tab
- Click Check for Updates
- If an update is found, it will download and install the latest version.
- The program will close to update and reopen.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Uncheck any entries from C:\System Volume Information or C:\Qoobox
- Make sure that everything else is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please include the following in your next post:
- ComboFix log
- MBAM log
#7
Posted 05 April 2011 - 09:47 PM
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.237 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
FILE ::
"c:\windows\Uhuwid.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\install.rdf
c:\program files\Adobe\Reader 8.0\Reader\bak
c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
c:\program files\BigFix\bak
c:\program files\BigFix\bak\bigfix.exe
c:\program files\CyberLink\Power2Go\bak
c:\program files\CyberLink\Power2Go\bak\CLMLSvc.exe
c:\program files\CyberLink\Power2Go\bak\Power2GoExpress.exe
c:\program files\CyberLink\PowerDVD\bak
c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
c:\program files\CyberLink\PowerDVD\Language\bak
c:\program files\CyberLink\PowerDVD\Language\bak\Language.exe
c:\program files\Microsoft LifeCam\bak
c:\program files\Microsoft LifeCam\bak\LifeExp.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\qttask.exe
c:\program files\Spare Backup\bak
c:\program files\Spare Backup\bak\SpareBackup.exe
c:\program files\Winamp\bak
c:\program files\Winamp\bak\winampa.exe
c:\windows\bak
c:\windows\bak\vVX6000.exe
c:\windows\system32\bak
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxpers.exe
c:\windows\system32\bak\igfxtray.exe
c:\windows\Uhuwid.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))
.
.
2011-04-04 19:19 . 2011-04-04 19:19 -------- d-----w- c:\program files\Google
2011-04-04 08:04 . 2011-04-04 08:04 -------- d-----w- C:\$AVG
2011-04-04 04:29 . 2011-04-04 04:29 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-04-04 04:03 . 2011-04-04 04:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\TVU Networks
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2011-04-03 23:05 . 2011-04-03 23:05 -------- d-----w- c:\documents and settings\Owner\LocalLow
2011-04-03 22:28 . 2011-04-03 22:28 -------- d-----w- C:\2355220a384d6b49eb3fdbae
2011-03-23 19:59 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-03-23 19:59 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-03-23 19:59 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-03-23 19:59 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-03-23 19:59 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-03-23 19:59 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-03-23 19:58 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-03-23 19:58 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-03 07:00 . 2004-08-11 16:45 356352 ----a-w- c:\windows\system32\wpdsp.dll
2011-04-03 06:59 . 2004-08-11 16:45 331776 ----a-w- c:\windows\system32\wpdmtpdr.dll
2011-04-03 06:59 . 2007-08-15 06:24 221184 ----a-w- c:\windows\system32\wmpns.dll
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\WMVADVE.DLL
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\WMVADVD.dll
2011-04-03 06:59 . 2009-11-02 19:03 348160 ----a-w- c:\windows\system32\WMAFile.dll
2011-04-03 06:59 . 2006-05-07 01:24 233472 ----a-w- c:\windows\system32\webcheck(2).dll
2011-04-03 06:59 . 2004-08-11 16:45 4096 ----a-w- c:\windows\system32\wdfapi.dll
2011-04-03 06:59 . 2010-03-20 08:00 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2011-04-03 06:59 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-04-03 06:59 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-04-03 06:59 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-04-03 06:59 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-04-03 06:59 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-04-03 06:59 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-04-03 06:59 . 2006-07-01 04:21 28672 ----a-w- c:\windows\system32\verclsid.exe
2011-04-03 06:59 . 2009-09-29 15:41 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2011-04-03 06:59 . 2007-08-10 02:24 122880 ----a-w- c:\windows\system32\Uci32107.dll
2011-04-03 06:59 . 2006-03-17 19:49 368640 ----a-w- c:\windows\system32\twnlib4.dll
2011-04-03 06:59 . 2010-03-28 00:28 20480 ----a-w- c:\windows\system32\SysRestore.dll
2011-04-03 06:59 . 2009-11-02 19:03 40960 ----a-w- c:\windows\system32\SSubTmr6.dll
2011-04-03 06:59 . 2009-06-14 16:48 28672 ----a-w- c:\windows\system32\systray.ocx
2011-04-03 06:59 . 2009-05-01 20:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-04-03 06:59 . 2006-05-07 01:24 8192 ----a-w- c:\windows\system32\tssoft32.acm
2011-04-03 06:59 . 2006-05-07 01:24 90112 ----a-w- c:\windows\system32\sqlsrv32.rll
2011-04-03 06:59 . 2006-05-07 01:24 442368 ----a-w- c:\windows\system32\sqlsrv32.dll
2011-04-03 06:59 . 2010-05-19 20:59 552960 ----a-w- c:\windows\system32\splitter.ax
2011-04-03 06:59 . 2008-03-01 17:04 217088 ----a-w- c:\windows\system32\skjpeg40.dll
2011-04-03 06:59 . 2006-05-07 01:24 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-04-03 06:59 . 2002-09-21 07:42 122880 ----a-w- c:\windows\system32\ShellvRTF.dll
2011-04-03 06:59 . 2010-06-04 02:10 36864 ----a-w- c:\windows\system32\RtlGina2.dll
2011-04-03 06:59 . 2010-06-04 02:10 344064 ----a-w- c:\windows\system32\SCMLib.dll
2011-04-03 06:59 . 2007-08-10 01:55 282624 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-04-03 06:59 . 2007-03-22 03:48 102400 ----a-w- c:\windows\system32\SampleGrabber.ax
2011-04-03 06:59 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-04-03 06:59 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-04-03 06:59 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-04-03 06:59 . 2008-11-06 15:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2011-04-03 06:59 . 2010-10-31 06:14 61440 ----a-w- c:\windows\system32\pthswmcp.dll
2011-04-03 06:59 . 2007-05-01 17:15 323584 ----a-w- c:\windows\system32\osMPEGVidDec.ax
2011-04-03 06:59 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-04-03 06:59 . 2009-09-29 15:45 57344 ----a-r- c:\windows\system32\NeroBurnRights.cpl
2011-04-03 06:59 . 2009-09-29 15:41 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2011-04-03 06:59 . 2006-06-29 00:59 24576 ----a-w- c:\windows\system32\nlsdl.dll
2011-04-03 06:59 . 2007-08-28 16:00 626688 ----a-w- c:\windows\system32\msvcr80.dll
2011-04-03 06:59 . 2007-08-28 16:00 548864 ----a-w- c:\windows\system32\msvcp80.dll
2011-04-03 06:59 . 2007-08-10 01:59 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-04-03 06:59 . 2003-08-27 20:43 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-03 06:59 . 2003-02-22 01:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-04-03 06:59 . 2009-03-08 18:22 49152 ----a-w- c:\windows\system32\msrating.dll.mui
2011-04-03 06:59 . 2008-02-14 01:56 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-04-03 06:59 . 2006-05-07 01:24 1355776 ----a-w- c:\windows\system32\msvbvm50.dll
2011-04-03 06:59 . 2006-05-07 01:36 118784 ----a-w- c:\windows\system32\msg723.acm
2011-04-03 06:59 . 2006-05-07 01:36 188416 ----a-w- c:\windows\system32\msh261.drv
2011-04-03 06:59 . 2004-08-04 08:56 294912 ----a-w- c:\windows\system32\msh263.drv
2011-04-03 06:59 . 2007-08-28 16:00 1101824 ----a-w- c:\windows\system32\mfc80.dll
2011-04-03 06:59 . 2008-02-14 01:56 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-04-03 06:59 . 2007-08-10 02:24 94208 ----a-w- c:\windows\system32\mdmxsdk.dll
2011-04-03 06:59 . 2007-08-10 02:16 20480 ----a-w- c:\windows\system32\Marker32.exe
2011-04-03 06:59 . 2010-06-04 02:10 1069056 ----a-w- c:\windows\system32\libeay32.dll
2011-04-03 06:59 . 2009-05-01 20:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-04-03 06:59 . 2010-04-03 21:33 311296 ----a-w- c:\windows\system32\LEXBCES.EXE
2011-04-03 06:59 . 2010-04-03 21:33 200704 ----a-w- c:\windows\system32\LEXLMPM.DLL
2011-04-03 06:59 . 2010-04-03 21:33 147456 ----a-w- c:\windows\system32\LEXBCE.DLL
2011-04-03 06:59 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-04-03 06:59 . 2006-05-07 01:24 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-04-03 06:59 . 2010-12-30 10:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-03 06:59 . 2006-05-07 01:24 65536 ----a-w- c:\windows\system32\jgsh400.dll
2011-04-03 06:59 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-04-03 06:59 . 2006-07-01 06:30 49152 ----a-w- c:\windows\system32\install.dll
2011-04-03 06:59 . 2008-07-04 14:23 802816 ----a-w- c:\windows\system32\imagXRA7.dll
2011-04-03 06:59 . 2008-07-04 14:23 258048 ----a-w- c:\windows\system32\imagXR7.dll
2011-04-03 06:59 . 2008-07-04 14:23 1757184 ----a-w- c:\windows\system32\imagX7.dll
2011-04-03 06:59 . 2009-09-29 15:41 569344 ----a-w- c:\windows\system32\imagr5.dll
2011-04-03 06:59 . 2009-09-29 15:41 544768 ----a-w- c:\windows\system32\imagx5.dll
2011-04-03 06:59 . 2007-08-10 01:54 2363392 ----a-w- c:\windows\system32\iglicd32.dll
2011-04-03 06:59 . 2007-08-10 01:54 364544 ----a-w- c:\windows\system32\igxpun.exe
2011-04-03 06:59 . 2006-05-07 01:24 16384 ----a-w- c:\windows\system32\imaadp32.acm
2011-04-03 06:59 . 2007-08-10 01:54 172032 ----a-w- c:\windows\system32\igfxrita.lrc
2011-04-03 06:59 . 2007-08-10 01:54 167936 ----a-w- c:\windows\system32\igfxrfra.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrsve.lrc
2011-04-03 06:59 . 2007-08-10 01:54 155648 ----a-w- c:\windows\system32\igfxrtrk.lrc
2011-04-03 06:59 . 2007-08-10 01:54 147456 ----a-w- c:\windows\system32\igfxrtha.lrc
2011-04-03 06:59 . 2007-08-10 01:54 139264 ----a-w- c:\windows\system32\igfxrheb.lrc
2011-04-03 06:59 . 2007-08-10 01:54 114688 ----a-w- c:\windows\system32\igfxrkor.lrc
2011-04-03 06:59 . 2007-08-10 01:54 114688 ----a-w- c:\windows\system32\igfxrjpn.lrc
2011-04-03 06:59 . 2007-08-10 01:54 454656 ----a-w- c:\windows\system32\igldev32.dll
2011-04-03 06:59 . 2007-08-10 01:54 3276800 ----a-w- c:\windows\system32\igfxress.dll
2011-04-03 06:59 . 2007-08-10 01:54 192512 ----a-w- c:\windows\system32\igfxsrvc.exe
2011-04-03 06:59 . 2007-08-10 01:54 172032 ----a-w- c:\windows\system32\igfxrnld.lrc
2011-04-03 06:59 . 2007-08-10 01:54 167936 ----a-w- c:\windows\system32\igfxrhun.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrrus.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrptg.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrptb.lrc
2011-04-03 06:59 . 2007-08-10 01:54 163840 ----a-w- c:\windows\system32\igfxrplk.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrnor.lrc
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrfin.lrc
2011-04-03 06:59 . 2007-08-10 01:54 106496 ----a-w- c:\windows\system32\igfxzoom.exe
2011-04-03 06:59 . 2007-08-10 02:27 155648 ----a-w- c:\windows\system32\igfxres.dll
2011-04-03 06:59 . 2007-08-10 01:54 159744 ----a-w- c:\windows\system32\igfxrdan.lrc
2011-03-18 17:53 . 2011-03-23 19:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\2355220a384d6b49eb3fdbae ----
.
2011-04-03 22:28 . 2011-04-03 22:28 788 ---ha-w- c:\2355220a384d6b49eb3fdbae\$shtdwn$.req
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\2070\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 13152 ----a-w- c:\2355220a384d6b49eb3fdbae\3082\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1053\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1055\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 11104 ----a-w- c:\2355220a384d6b49eb3fdbae\2052\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 13152 ----a-w- c:\2355220a384d6b49eb3fdbae\1045\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1046\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1049\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 11616 ----a-w- c:\2355220a384d6b49eb3fdbae\1042\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1043\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1044\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1040\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 11616 ----a-w- c:\2355220a384d6b49eb3fdbae\1041\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 13152 ----a-w- c:\2355220a384d6b49eb3fdbae\1036\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12128 ----a-w- c:\2355220a384d6b49eb3fdbae\1037\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1038\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 13152 ----a-w- c:\2355220a384d6b49eb3fdbae\1032\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1033\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1035\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1030\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 13152 ----a-w- c:\2355220a384d6b49eb3fdbae\1031\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12128 ----a-w- c:\2355220a384d6b49eb3fdbae\1025\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 11104 ----a-w- c:\2355220a384d6b49eb3fdbae\1028\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 12640 ----a-w- c:\2355220a384d6b49eb3fdbae\1029\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 11104 ----a-w- c:\2355220a384d6b49eb3fdbae\3076\HotFixInstallerUI.dll
2010-02-25 04:14 . 2010-02-25 04:14 318816 ----a-w- c:\2355220a384d6b49eb3fdbae\HotFixInstaller.exe
2010-02-25 04:14 . 2010-02-25 04:14 543232 ----a-w- c:\2355220a384d6b49eb3fdbae\NDP20SP2-KB979909.msp
2010-02-25 04:06 . 2010-02-25 04:06 15616 ----a-w- c:\2355220a384d6b49eb3fdbae\DHtmlHeader.html
2010-02-25 04:06 . 2010-02-25 04:06 7306 ----a-w- c:\2355220a384d6b49eb3fdbae\header.bmp
2010-02-25 04:06 . 2010-02-25 04:06 3547 ----a-w- c:\2355220a384d6b49eb3fdbae\ParameterInfo.xml
2010-02-25 04:06 . 2010-02-25 04:06 110348 ----a-w- c:\2355220a384d6b49eb3fdbae\watermark.bmp
2010-02-25 04:06 . 2010-02-25 04:06 76237 ----a-w- c:\2355220a384d6b49eb3fdbae\1025\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 37119 ----a-w- c:\2355220a384d6b49eb3fdbae\1028\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 74519 ----a-w- c:\2355220a384d6b49eb3fdbae\1029\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 76465 ----a-w- c:\2355220a384d6b49eb3fdbae\1030\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 116656 ----a-w- c:\2355220a384d6b49eb3fdbae\1031\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 78951 ----a-w- c:\2355220a384d6b49eb3fdbae\1032\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 100363 ----a-w- c:\2355220a384d6b49eb3fdbae\1033\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 75533 ----a-w- c:\2355220a384d6b49eb3fdbae\1035\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 127060 ----a-w- c:\2355220a384d6b49eb3fdbae\1036\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 59647 ----a-w- c:\2355220a384d6b49eb3fdbae\1037\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 67624 ----a-w- c:\2355220a384d6b49eb3fdbae\1038\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 115589 ----a-w- c:\2355220a384d6b49eb3fdbae\1040\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 104768 ----a-w- c:\2355220a384d6b49eb3fdbae\1041\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 147711 ----a-w- c:\2355220a384d6b49eb3fdbae\1042\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 76257 ----a-w- c:\2355220a384d6b49eb3fdbae\1043\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 73305 ----a-w- c:\2355220a384d6b49eb3fdbae\1044\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 73386 ----a-w- c:\2355220a384d6b49eb3fdbae\1045\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 97721 ----a-w- c:\2355220a384d6b49eb3fdbae\1046\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 141033 ----a-w- c:\2355220a384d6b49eb3fdbae\1049\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 76556 ----a-w- c:\2355220a384d6b49eb3fdbae\1053\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 77193 ----a-w- c:\2355220a384d6b49eb3fdbae\1055\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 102032 ----a-w- c:\2355220a384d6b49eb3fdbae\2052\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 76519 ----a-w- c:\2355220a384d6b49eb3fdbae\2070\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 37119 ----a-w- c:\2355220a384d6b49eb3fdbae\3076\eula.rtf
2010-02-25 04:06 . 2010-02-25 04:06 94271 ----a-w- c:\2355220a384d6b49eb3fdbae\3082\eula.rtf
.
---- Directory of c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2} ----
.
2011-04-03 23:18 . 2011-04-03 23:18 5954 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome\content\overlay.xul
2011-04-03 23:18 . 2011-04-03 23:18 2124 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome\content\_cfg.js
2011-04-03 23:18 . 2011-04-03 23:18 764 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\install.rdf
2011-04-03 23:18 . 2011-04-03 23:18 122 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\{3061F544-2679-42CF-8CFC-CCABAEE668C2}\chrome.manifest
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2011-04-03 212992]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-13 16132608]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-04-03 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG111v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v2\WG111v2.exe [2010-6-3 1261568]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2010-6-8 745472]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AvgUninstallURL]
start http: [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-05-21 15:36 3824472 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2006-10-13 22:01 277296 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-04-03 06:50 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX6000]
2006-10-13 22:04 994096 ----a-w- c:\windows\vVX6000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GoogleDesktopManager-110309-193829"=3 (0x3)
"RichVideo"=2 (0x2)
"MSCamSvc"=2 (0x2)
"LexBceS"=2 (0x2)
"avg9emc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\wowd.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NETGEAR\\WG111v2\\WG111v2.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/2/2009 2:37 PM 721904]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [11/2/2009 2:36 PM 95592]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/30/2009 1:54 PM 66048]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/30/2010 1:10 AM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/30/2010 1:10 AM 20952]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [6/8/2010 12:54 AM 167808]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [6/8/2010 12:54 AM 13532]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2011 3:20 PM 136176]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [7/1/2006 1:44 AM 69692]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/30/2010 1:10 AM 38224]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [6/29/2006 7:56 PM 2383152]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SJYPKT
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:19]
.
2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-04 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - hxxp://mywebcast.cc/tvants/tvants.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pzd49ed4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php?ref=hp
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
MSConfigStartUp-Lexmark 1200 Series - c:\program files\Lexmark 1200 Series\lxczbmgr.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3004)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\PSIService.exe
c:\program files\Zune\ZuneBusEnum.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\Zune\ZuneNss.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
.
**************************************************************************
.
Completion time: 2011-04-05 22:33:19 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-06 02:33
ComboFix2.txt 2011-04-05 20:29
ComboFix3.txt 2009-07-06 16:20
.
Pre-Run: 9,183,260,672 bytes free
Post-Run: 9,156,493,312 bytes free
.
- - End Of File - - B48B205893697C5B0B0260561DFF8BA3

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6282
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/5/2011 10:45:55 PM
mbam-log-2011-04-05 (22-45-55).txt
Scan type: Quick scan
Objects scanned: 153157
Time elapsed: 4 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#8
Posted 06 April 2011 - 10:35 AM
How is your computer running now? Please do this next:
Java 6 Update 23 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.
Once the install is complete...
Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
- Trace and Log Files
- Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.
- Place a check mark in the box YES, I accept the Terms Of Use
- Click the Start button.
- Now click the Install button.
- Click Start. The scanner engine will initialize and update.
- Do Not place a check mark in the box beside Remove found threats.
- Click the Scan button. The scan will now run, please be patient.
- When the scan finishes click the Details tab.
- Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
- How is your computer running?
- ESET log
#9
Posted 08 April 2011 - 05:13 PM
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=bf298d082777a94d8da887be420b18b2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-06 09:07:39
# local_time=2011-04-06 05:07:39 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 6033498 6033498 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=88928
# found=3
# cleaned=0
# scan_time=2975
C:\Qoobox\Quarantine\C\WINDOWS\adacalolac.dll.vir a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP5\A0005209.dll a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\AscConTest.dll Win32/Adware.Ascentive application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=bf298d082777a94d8da887be420b18b2
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-04-08 10:08:52
# local_time=2011-04-08 06:08:52 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 6209970 6209970 0 0
# compatibility_mode=8192 67108863 100 0 90327 90327 0 0
# scanned=89138
# found=3
# cleaned=0
# scan_time=2975
C:\Qoobox\Quarantine\C\WINDOWS\adacalolac.dll.vir a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP5\A0005209.dll a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\AscConTest.dll Win32/Adware.Ascentive application (unable to clean) 00000000000000000000000000000000 I
#10
Posted 09 April 2011 - 12:05 AM
This will take care of the one ESET detection that isn't already in quarantine or your system restore cache (those will be removed when we uninstall ComboFix):
Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:
cmd /c del /f/a/q "C:\WINDOWS\system32\AscConTest.dll"
Other than that, your logs look good. If you are still having performance issues, try following the suggestions in this post. Before you do that I have another update and some very important cleanup for you to take care of:
- Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
Combofix /Uninstall

- DDS
- GMER
- Close any open windows.
- Double click the TFC icon to run the program
- TFC will close all open programs itself in order to run,
- Click the Start button to begin the process.
- Allow TFC to run uninterrupted.
- The program should not take long to finish its job
- Once it's finished it should automatically reboot your machine;
- if it doesn't, manually reboot to ensure a complete clean
- Restart any anti-malware programs that we disabled while we were cleaning your machine.
- Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
- Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
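The sorting rule the helper applies above (a hit already sitting in ComboFix's quarantine or in a System Restore point is covered by the planned cleanup; anything else needs a hands-on delete) can be automated against the ESET Online Scanner log format shown in post #9. The script below is an added example and is not code from this thread or from ESET. The sample log is a constructed excerpt that reuses the three paths and threat names from post #9 with a shortened header; the path heuristic (everything up to the last backslash plus one space-free file name, since the forum copy flattens the tab ESET writes between path and threat) and the bucket names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the ESET Online Scanner log in post #9.
# Paths and threat names are those from the post; the header is shortened.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=false
# scanned=89138
# found=3
# cleaned=0
C:\Qoobox\Quarantine\C\WINDOWS\adacalolac.dll.vir a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{39C571A2-5C6A-433B-8AC6-DBD815F09639}\RP5\A0005209.dll a variant of Win32/Kryptik.MHG trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\AscConTest.dll Win32/Adware.Ascentive application (unable to clean) 00000000000000000000000000000000 I
"""

# One detection line: <path> <threat text> (<result>) <32 hex digits> <flag>.
# Assumption: the path is everything up to the last backslash plus one
# space-free file name. Threat text never contains a backslash, so the greedy
# directory part cannot run into it; paths with spaces in the directory
# ("System Volume Information") still parse, file names with spaces would not.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*\\[^\\ ]+) (?P<threat>.+?) "
    r"\((?P<result>[^)]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    result: str
    flag: str


def parse_eset_log(text):
    """Return (header dict, list of Detection) for one ESET log block."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip().replace("\t", " ")  # raw ESET file is tab-separated
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)  # repeated keys (compatibility_mode) keep the first
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["path"], m["threat"], m["result"], m["flag"]))
    return header, detections


QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)  # ComboFix quarantine folder


def classify(path):
    """Bucket a hit by where it lives; only the last bucket needs a manual fix."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "already quarantined"      # goes away with 'Combofix /Uninstall'
    if "\\system volume information\\_restore" in p:
        return "system restore point"     # goes away when restore points are purged
    return "needs action"


def triage(text):
    """Split detections into handled vs. needs-action and sanity-check the header."""
    header, detections = parse_eset_log(text)
    buckets = {}
    for d in detections:
        buckets.setdefault(classify(d.path), []).append(d.path)
    found = int(header.get("found", "0"))
    return {
        "needs_action": buckets.get("needs action", []),
        "handled": sorted(p for k, v in buckets.items() if k != "needs action" for p in v),
        # every hit the scanner counted was actually parsed
        "consistent": found == len(detections),
        # the scan was run with "Remove found threats" unticked, as requested
        "remove_disabled": header.get("remove_checked") == "false",
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path in report["needs_action"]:
        # same shape as the helper's one-liner, one per outstanding hit
        print(f'cmd /c del /f/a/q "{path}"')
```

Run stand-alone it prints one del command for the single hit outside quarantine and System Restore, which for the sample log is the AscConTest.dll line. The "consistent" flag catches a truncated paste (fewer parsed lines than "# found="), and "remove_disabled" confirms the scan was run in report-only mode before anyone acts on the output.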
#11
Posted 09 April 2011 - 12:29 PM
#12
Posted 09 April 2011 - 07:25 PM
