BleepingComputer.com: repeated notices from Norton of intrusion attempts


repeated notices from Norton of intrusion attempts do I have malware, how to remove

#1 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 24 July 2011 - 01:40 AM

I keep getting notices from Norton that it has blocked an intrusion attempt and all seem to point to \DEVICE\HARDDISKVOLUME2\PROGRAMFILES (X86)\MSN\MSNCOREFILES\MSN.EXE. I have run full scans with Norton Anti-Virus, used their removal tool, used their boot disk, I have run full scans with Ad-Aware, Malwarebytes, ESET online, Housecall online and find nothing. I also use CCleaner. I'm not very computer savvy, I do manage to push the right button from time to time. These notices come from random sites, previously no-problem sites, I seldom if ever use google, don't trust. I never had a problem with these sites until about 2 weeks ago when this all started, coincidentally my renew subscription notice from Norton also appeared about the same time. I've enclosed the history log from Norton also. I did not run GMER as my system is X86, not X32. Thanks in advance for whatever you can do to help. A quick update, while using this site I was notified twice about intrusion attempts.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,Category,Default Action,Action Taken,IPS Alert Name,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
23-Jul-11 09:02,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
23-Jul-11 09:02,Info,Intrusion Prevention is monitoring 1694 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
23-Jul-11 09:02,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110722.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
22-Jul-11 16:42,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Phoenix Toolkit Variant Activity 4,"85.17.131.161, 80",cristopherm.info/yoboywjraokmgqiw.php,"USMC56-PC (192.168.1.2, 57249)",85.17.131.161,"TCP, www-http"
22-Jul-11 16:42,Info,Intrusion Prevention Signature Auto Block has blocked IP: 85.17.131.161 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
22-Jul-11 16:42,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Malicious Toolkit Website 9,"85.17.131.161, 80",cristopherm.info/yoboywjraokmgqiw.php,"USMC56-PC (192.168.1.2, 57249)",85.17.131.161,"TCP, www-http"
22-Jul-11 16:04,High,An intrusion attempt by 174.127.98.40 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Blackhole Toolkit Website 5,"174.127.98.40, 80",temp.livedanang.com/index.php?tp=413ac28f13a95e53,"USMC56-PC (192.168.1.2, 56160)",174.127.98.40,"TCP, www-http"
22-Jul-11 14:05,Info,Intrusion Prevention Signature Auto Block has blocked IP: 85.17.131.161 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
22-Jul-11 14:05,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Phoenix Toolkit Variant Activity 4,"85.17.131.161, 80",cristopherm.info/yoboywjraokmgqiw.php,"USMC56-PC (192.168.1.2, 55288)",85.17.131.161,"TCP, www-http"
22-Jul-11 14:05,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Malicious Toolkit Website 9,"85.17.131.161, 80",cristopherm.info/yoboywjraokmgqiw.php,"USMC56-PC (192.168.1.2, 55288)",85.17.131.161,"TCP, www-http"
22-Jul-11 09:26,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
22-Jul-11 09:26,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110721.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
22-Jul-11 09:26,Info,Intrusion Prevention is monitoring 1693 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 21:24,Info,Intrusion Prevention is monitoring 1685 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 21:24,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110720.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 21:24,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 18:45,High,An intrusion attempt by 174.127.98.40 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Blackhole Toolkit Website 5,"174.127.98.40, 80",dred.acestimates.net/index.php?tp=4524b83cdb1fd7a0,"USMC56-PC (192.168.1.2, 51013)",174.127.98.40,"TCP, www-http"
21-Jul-11 17:09,Info,Intrusion Prevention is monitoring 1685 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 17:09,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110720.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 17:09,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 13:14,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Phoenix Toolkit Variant Activity 4,"85.17.131.161, 80",cccccc.ks.ua/gzylxob.php,"USMC56-PC (192.168.1.2, 56006)",85.17.131.161,"TCP, www-http"
21-Jul-11 13:14,Info,Intrusion Prevention Signature Auto Block has blocked IP: 85.17.131.161 for a period of: 30 minutes,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 13:14,High,An intrusion attempt by 85.17.131.161 was blocked.,Blocked,No Action Required,,No Action Required,No Action Required,Web Attack: Malicious Toolkit Website 9,"85.17.131.161, 80",cccccc.ks.ua/gzylxob.php,"USMC56-PC (192.168.1.2, 56006)",85.17.131.161,"TCP, www-http"
21-Jul-11 09:44,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 09:44,Info,Intrusion Prevention is monitoring 1685 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
21-Jul-11 09:44,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110720.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
20-Jul-11 20:28,Info,Intrusion Prevention is monitoring 1680 signatures. Driver version: 10.0.1.3,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
20-Jul-11 20:28,Info,Intrusion Prevention Engine version: 4.9.0.5 Definitions Set version: 20110716.031,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,
20-Jul-11 20:28,Info,Intrusion Prevention has been enabled,Detected,No Action Required,Intrusion Prevention,No Action Required,No Action Required,,,,,,

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by USMC56 at 13:17:28 on 2011-07-24
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4087.1922 [GMT 7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Soluto\SolutoService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Soluto\soluto.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files (x86)\MSN\MSNCoreFiles\msn.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Java\jre6\bin\javaw.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = qq.sanook.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - C:\Program Files (x86)\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
BHO: GhosteryBHO Class: {237eb6da-3fea-4dd2-8a61-a901b5c489d7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO: Abine Plugin: {430b0d90-6934-44b0-934b-42127ef55ad9} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: Abine ToolBar: {bd3b233c-91b9-4fa6-8718-6c9588c61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Abine ToolBar: {bd3b233c-91b9-4fa6-8718-6c9588c61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
mRun: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
mRun: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add To QQ Expression - C:\Program Files (x86)\Sanook! QQ\QQ\AddEmotion.htm
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
IE: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{294E3E56-7D7F-4EE3-9802-436203CCD552} : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{32CA9D23-6644-411E-9495-B333B2EE8738} : DhcpNameServer = 10.10.64.1
Filter: text/html - {4459DC76-1FDE-4B16-BAD0-E4F8E7647555} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryMimeFilter.dll
Handler: abine - {4CAB4B60-0290-4BF9-871B-8FAD8AB728DF} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO-X64: Download Guard for Internet Explorer: {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files (x86)\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
BHO-X64: DownloadGuardBHO - No File
BHO-X64: GhosteryBHO Class: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO-X64: Ghostery BHO - No File
BHO-X64: Abine Plugin: {430B0D90-6934-44b0-934B-42127EF55AD9} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB-X64: Abine ToolBar: {BD3B233C-91B9-4FA6-8718-6C9588C61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {BD3B233C-91B9-4FA6-8718-6C9588C61808} - No File
mRun-x64: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
mRun-x64: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
mRun-x64: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE-X64: {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE
IE-X64: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R0 Soluto;Soluto;C:\Windows\system32\DRIVERS\Soluto.sys --> C:\Windows\system32\DRIVERS\Soluto.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110701.001\BHDrvx64.sys [2011-7-6 1143416]
R1 CFRMD;CFRMD;C:\Windows\system32\DRIVERS\CFRMD.sys --> C:\Windows\system32\DRIVERS\CFRMD.sys [?]
R1 CFRPD;CFRPD;C:\Windows\system32\DRIVERS\CFRPD.sys --> C:\Windows\system32\DRIVERS\CFRPD.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110722.031\IDSviA64.sys [2011-7-23 488056]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2009-3-4 96752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-7-12 2151640]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011-5-10 130008]
R2 SolutoService;Soluto PCGenome Core Service;C:\Program Files\Soluto\SolutoService.exe [2011-6-26 376352]
R3 AVER_H193;AVerMedia H193 Video Capture;C:\Windows\system32\drivers\AVer888RC_64.sys --> C:\Windows\system32\drivers\AVer888RC_64.sys [?]
R3 CXCIR;AVerMedia Consumer Infrared Receiver;C:\Windows\system32\DRIVERS\AVer888RCIR_64.sys --> C:\Windows\system32\DRIVERS\AVer888RCIR_64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-5-10 136824]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-8-14 17152]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech Webcam 200(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Cleaner_Validator;COMODO System - Cleaner Service;C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe [2010-12-9 371648]
S3 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\system32\DRIVERS\lvpopf64.sys --> C:\Windows\system32\DRIVERS\lvpopf64.sys [?]
S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
S3 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-1-14 341296]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2011-07-21 14:28:41 -------- d-----w- C:\ProgramData\MSNDynFiles
2011-07-20 05:24:14 -------- d-----w- C:\ProgramData\Uninstall
2011-07-20 05:24:03 55024 ------w- C:\Windows\System32\drivers\PxHlpa64.sys
2011-07-20 05:24:03 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared
2011-07-20 05:24:03 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine
2011-07-20 05:23:59 -------- d-----w- C:\Users\USMC56\AppData\Local\Programs
2011-07-20 05:23:57 -------- d-----w- C:\Program Files (x86)\Roxio
2011-07-16 14:14:28 -------- d-----w- C:\Users\USMC56\AppData\Local\uTorrent
2011-07-16 13:51:05 -------- d-----w- C:\Program Files (x86)\FileHippo.com
2011-07-16 11:49:09 34152 ----a-r- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-07-16 11:49:09 126312 ----a-r- C:\Windows\System32\GEARAspi64.dll
2011-07-16 11:49:09 107368 ----a-r- C:\Windows\SysWow64\GEARAspi.dll
2011-07-16 11:48:39 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0305000.017
2011-07-16 11:48:39 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2011-07-16 11:48:39 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2011-07-16 10:19:54 -------- d-----w- C:\Users\USMC56\AppData\Local\NPE
2011-07-15 11:14:43 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-13 07:45:46 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-13 07:45:46 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-13 07:45:42 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-13 07:45:41 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-13 07:45:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-13 07:45:41 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-13 07:45:41 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-07-13 07:45:41 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-13 07:45:41 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-13 07:45:41 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-13 07:45:41 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-12 19:00:16 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-07-11 14:26:08 389120 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\txsrvc.dll
2011-07-11 14:25:16 476672 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\unicows.dll
2011-06-30 14:12:38 148480 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msdbxi.dll
2011-06-30 14:12:20 834048 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msnsign.dll
2011-06-30 14:12:04 360448 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msninst.dll
2011-06-30 14:11:08 167248 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msniadm.exe
2011-06-30 14:11:08 166736 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msniusr.exe
2011-06-30 14:11:08 129360 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msninst.exe
2011-06-30 14:08:50 32256 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\msnilc.dll
2011-06-30 14:07:20 48128 ----a-w- C:\Program Files (x86)\MSN\MsnInstaller\iasvcstb.dll
2011-06-27 13:13:12 -------- d-----w- C:\Program Files\Soluto
.
==================== Find3M ====================
.
2011-07-23 17:26:25 22114 ----a-w- C:\Windows\cscmondump.bin
2011-07-16 14:23:51 403616 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-06 12:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 12:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-28 18:19:05 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-06-26 06:34:52 54728 ----a-w- C:\Windows\System32\drivers\Soluto.sys
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-10 03:36:10 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
2011-05-04 05:22:25 778752 ----a-w- C:\Windows\System32\mssvp.dll
2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2011-05-03 05:29:29 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-05-03 04:30:02 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
.
============= FINISH: 13:18:07.43 ===============

This post has been edited by sabai: 24 July 2011 - 01:43 AM


#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 03 August 2011 - 01:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/410938 and follow the instructions there. If you no longer need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:



As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   sabai 

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 03 August 2011 - 02:19 PM

OK, I got the message from the robot. I'm not good at this stuff, so whoever finally answers will have to be patient. The "intrusions" have slowed but are still there. I have enclosed the log from DDS. I have the 64-bit version of Windows 7. I do not have the original Windows 7 CD/DVD; it came on this computer. Let me add that I am in Thailand; it is now 0223 and I need to sleep. Thanks.

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by USMC56 at 1:47:03 on 2011-08-04
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4087.2444 [GMT 7:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files\Soluto\SolutoService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Soluto\soluto.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page =
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - C:\Program Files (x86)\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
BHO: GhosteryBHO Class: {237eb6da-3fea-4dd2-8a61-a901b5c489d7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO: Abine Plugin: {430b0d90-6934-44b0-934b-42127ef55ad9} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB: Abine ToolBar: {bd3b233c-91b9-4fa6-8718-6c9588c61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Abine ToolBar: {bd3b233c-91b9-4fa6-8718-6c9588c61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
mRun: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add To QQ Expression - C:\Program Files (x86)\Sanook! QQ\QQ\AddEmotion.htm
IE: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
IE: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
DPF: {10000000-1000-1000-1000-100000000000} - hxxp://cdn.betteradvertising.com/ghostery/addons/ie/WebInstall/ghostery.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{294E3E56-7D7F-4EE3-9802-436203CCD552} : DhcpNameServer = 50.23.239.24 208.67.222.222
TCP: Interfaces\{32CA9D23-6644-411E-9495-B333B2EE8738} : DhcpNameServer = 10.10.64.1
Filter: text/html - {4459DC76-1FDE-4B16-BAD0-E4F8E7647555} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryMimeFilter.dll
Handler: abine - {4CAB4B60-0290-4BF9-871B-8FAD8AB728DF} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO-X64: Download Guard for Internet Explorer: {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files (x86)\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
BHO-X64: DownloadGuardBHO - No File
BHO-X64: GhosteryBHO Class: {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
BHO-X64: Ghostery BHO - No File
BHO-X64: Abine Plugin: {430B0D90-6934-44b0-934B-42127EF55AD9} - C:\Program Files (x86)\Abine\PF_BHO.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO-X64: Hotspot Shield Class: {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
TB-X64: Abine ToolBar: {BD3B233C-91B9-4FA6-8718-6C9588C61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {BD3B233C-91B9-4FA6-8718-6C9588C61808} - No File
mRun-x64: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
mRun-x64: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
mRun-x64: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
IE-X64: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE-X64: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE-X64: {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE
IE-X64: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R0 Soluto;Soluto;C:\Windows\system32\DRIVERS\Soluto.sys --> C:\Windows\system32\DRIVERS\Soluto.sys [?]
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110723.001\BHDrvx64.sys [2011-7-23 1151096]
R1 CFRMD;CFRMD;C:\Windows\system32\DRIVERS\CFRMD.sys --> C:\Windows\system32\DRIVERS\CFRMD.sys [?]
R1 CFRPD;CFRPD;C:\Windows\system32\DRIVERS\CFRPD.sys --> C:\Windows\system32\DRIVERS\CFRPD.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110802.030\IDSviA64.sys [2011-8-2 488056]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [?]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-7-19 146816]
R2 Cleaner_Validator;COMODO System - Cleaner Service;C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe [2010-12-9 371648]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-7-12 2151640]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccsvchst.exe [2011-5-10 130008]
R2 SolutoService;Soluto PCGenome Core Service;C:\Program Files\Soluto\SolutoService.exe [2011-7-21 392224]
R3 AVER_H193;AVerMedia H193 Video Capture;C:\Windows\system32\drivers\AVer888RC_64.sys --> C:\Windows\system32\drivers\AVer888RC_64.sys [?]
R3 CXCIR;AVerMedia Consumer Infrared Receiver;C:\Windows\system32\DRIVERS\AVer888RCIR_64.sys --> C:\Windows\system32\DRIVERS\AVer888RCIR_64.sys [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-7-28 136824]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-8-14 17152]
R3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\system32\DRIVERS\lvrs64.sys --> C:\Windows\system32\DRIVERS\lvrs64.sys [?]
R3 LVUVC64;Logitech Webcam 200(UVC);C:\Windows\system32\DRIVERS\lvuvc64.sys --> C:\Windows\system32\DRIVERS\lvuvc64.sys [?]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 HssWd;Hotspot Shield Monitoring Service;C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS --> C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe -product HSS [?]
S3 lvpopf64;Logitech POP Suppression Filter;C:\Windows\system32\DRIVERS\lvpopf64.sys --> C:\Windows\system32\DRIVERS\lvpopf64.sys [?]
S3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\system32\DRIVERS\LVPr2M64.sys --> C:\Windows\system32\DRIVERS\LVPr2M64.sys [?]
S3 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-1-14 341296]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys --> C:\Windows\system32\DRIVERS\psi_mf.sys [?]
S3 Secunia PSI Agent;Secunia PSI Agent;C:\Program Files (x86)\Secunia\PSI\psia.exe [2011-4-19 993848]
S3 Secunia Update Agent;Secunia Update Agent;C:\Program Files (x86)\Secunia\PSI\sua.exe [2011-4-19 399416]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 UMVPFSrv;UMVPFSrv;C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [2011-4-1 428640]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2011-08-03 06:19:14 -------- d-----w- C:\Users\USMC56\AppData\Roaming\SUPERAntiSpyware.com
2011-08-03 06:18:30 -------- d-----w- C:\ProgramData\!SASCORE
2011-08-03 06:18:28 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-07-26 12:51:01 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2011-07-26 12:48:08 54728 ----a-w- C:\Windows\System32\drivers\Soluto.sys
2011-07-26 12:48:07 -------- d-----w- C:\Program Files\Soluto
2011-07-25 12:37:51 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-07-25 12:31:48 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-07-25 12:31:48 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-07-25 12:16:24 -------- d-----w- C:\Users\USMC56\AppData\Local\Secunia PSI
2011-07-25 12:16:15 -------- d-----w- C:\Program Files (x86)\Secunia
2011-07-24 09:50:13 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-07-21 14:28:41 -------- d-----w- C:\ProgramData\MSNDynFiles
2011-07-20 05:24:14 -------- d-----w- C:\ProgramData\Uninstall
2011-07-20 05:23:59 -------- d-----w- C:\Users\USMC56\AppData\Local\Programs
2011-07-16 14:14:28 -------- d-----w- C:\Users\USMC56\AppData\Local\uTorrent
2011-07-16 13:51:05 -------- d-----w- C:\Program Files (x86)\FileHippo.com
2011-07-16 11:49:09 34152 ----a-r- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-07-16 11:49:09 126312 ----a-r- C:\Windows\System32\GEARAspi64.dll
2011-07-16 11:49:09 107368 ----a-r- C:\Windows\SysWow64\GEARAspi.dll
2011-07-16 11:48:39 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64\0305000.017
2011-07-16 11:48:39 -------- d-----w- C:\Windows\System32\drivers\NBRTWizardx64
2011-07-16 11:48:39 -------- d-----w- C:\Program Files (x86)\Norton Bootable Recovery Tool Wizard
2011-07-16 10:19:54 -------- d-----w- C:\Users\USMC56\AppData\Local\NPE
2011-07-15 11:14:43 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-13 07:45:46 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-13 07:45:46 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-13 07:45:42 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-13 07:45:41 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-13 07:45:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-13 07:45:41 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-13 07:45:41 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-07-13 07:45:41 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-13 07:45:41 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-13 07:45:41 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-13 07:45:41 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-12 19:00:16 -------- d-----w- C:\ProgramData\Kaspersky Lab
2011-07-11 14:26:08 389120 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\txsrvc.dll
2011-07-11 14:25:16 476672 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\unicows.dll
.
==================== Find3M ====================
.
2011-08-03 09:35:07 22112 ----a-w- C:\Windows\cscmondump.bin
2011-07-26 12:50:28 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-07-26 12:50:28 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2011-07-26 11:17:35 403616 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-08 10:45:12 386168 ----a-w- C:\Windows\System32\drivers\NISx64\1206000.01D\symnets.sys
2011-07-06 12:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 12:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-28 18:19:05 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-10 03:36:10 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
.
============= FINISH: 1:47:37.37 ===============

This post has been edited by sabai: 03 August 2011 - 02:23 PM
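As an added triage aid that is not part of this thread or of DDS, the Python script below parses the "Created Last 30" / Find3M entries in the format shown in the log above and lists those dated around the time the symptoms began whose path contains a given fragment, so a reviewer can see what appeared on disk in that window. The sample input is an excerpt copied from the DDS log above; the onset date (about two weeks before the 24 July first post) and the "MSN" path fragment from the Norton alert are assumptions taken from the first post, and the script only surfaces entries, it does not judge them.

```python
"""Triage helper for DDS "Created Last 30" / "Find3M" file listings.

Parses the one-entry-per-line format used by DDS:

    YYYY-MM-DD HH:MM:SS <size|-------->  <attrs>  <path>

and returns entries whose timestamp falls around the date the symptoms
started and whose path contains a given fragment.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

# size is a byte count for files and "--------" for directories;
# attrs is an 8-char flag string such as "----a-w-" or "d-----w-".
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$"
)


@dataclass
class DdsEntry:
    when: datetime
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        # Last component of a Windows path
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(text: str) -> List[DdsEntry]:
    """Parse every DDS file-list line in text; section headers and '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        day, clock, size, attrs, path = m.groups()
        entries.append(DdsEntry(
            when=datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"),
            size=None if size.startswith("-") else int(size),
            attrs=attrs,
            path=path,
        ))
    return entries


def triage(text: str, onset: str, reported: str, keyword: str,
           slack_days: int = 3) -> List[DdsEntry]:
    """Entries dated from (onset - slack_days) to reported whose path contains keyword.

    Dates are ISO strings ("2011-07-10"). Results are chronological so the
    reviewer sees what appeared first. Nothing here decides whether a file is
    malicious; it only narrows what a human should look at.
    """
    start = date.fromisoformat(onset) - timedelta(days=slack_days)
    end = date.fromisoformat(reported)
    needle = keyword.lower()
    hits = [e for e in parse_entries(text)
            if start <= e.when.date() <= end and needle in e.path.lower()]
    return sorted(hits, key=lambda e: e.when)


# Excerpt copied from the DDS log posted above (not constructed).
SAMPLE = r"""
=============== Created Last 30 ================
.
2011-08-03 06:18:28 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-07-26 12:48:08 54728 ----a-w- C:\Windows\System32\drivers\Soluto.sys
2011-07-21 14:28:41 -------- d-----w- C:\ProgramData\MSNDynFiles
2011-07-13 07:45:41 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-07-11 14:26:08 389120 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\txsrvc.dll
2011-07-11 14:25:16 476672 ----a-w- C:\Program Files (x86)\MSN\MSNCoreFiles\MSNDynFiles\unicows.dll
.
==================== Find3M ====================
.
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
"""

# Assumed from the first post: alerts began "about 2 weeks" before 24 July 2011
# and Norton named a file under ...\MSN\MSNCoreFiles.
ONSET = "2011-07-10"
REPORTED = "2011-07-24"

if __name__ == "__main__":
    for e in triage(SAMPLE, ONSET, REPORTED, "msn"):
        kind = "   <dir>" if e.is_dir else f"{e.size:>8}"
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {kind}  {e.path}")
```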


#4 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 03 August 2011 - 07:52 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#5 User is offline   sabai 

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 01:52 AM

Hi gringo, I ran ComboFix; it took about one hour. No real problems, though I did receive a High CPU Usage notice at one point. After ComboFix restarted etc. I turned Norton and Ad-Aware back on, then clicked on MSN to bring up email and got the "Illegal operation attempted on a registry key that has been marked for deletion." message. As instructed I restarted and everything came back up fine. So far, after only a few minutes, everything seems to be working OK. I will see as I check some of the sites whether I get the intrusion notice again. As I said, the notices have slowed over the last few days. Thanks for the help; maybe this got it, whatever it is. Here is the ComboFix log:

ComboFix 11-08-03.03 - USMC56 04-Aug-11 12:11:13.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4087.2646 [GMT 7:00]
Running from: c:\users\USMC56\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20100917173752_pinganchexian100901zanting15s.swf
c:\favoritevideo\InvisibleFolder\20100925200642_yaowan100926qipao.swf
c:\favoritevideo\InvisibleFolder\20101009120216_baojie101009zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101009155744_huiyuan101009haiwai.swf
c:\favoritevideo\InvisibleFolder\20101013220321_guangfayinghang101013zhu8s.swf
c:\favoritevideo\InvisibleFolder\20101014112335_beinasong101014zanting15slehuo.swf
c:\favoritevideo\InvisibleFolder\20101014112623_beinasong101014zanting15smenhu.swf
c:\favoritevideo\InvisibleFolder\20101014112818_beinasong101014zanting15speisong.swf
c:\favoritevideo\InvisibleFolder\20101014121155_haoya101014hanmierdun.swf
c:\favoritevideo\InvisibleFolder\20101014121336_haoya101014shawa.swf
c:\favoritevideo\InvisibleFolder\20101014121454_haoya101014wz.swf
c:\favoritevideo\InvisibleFolder\20101014121609_haoya101014ldhm.swf
c:\favoritevideo\InvisibleFolder\20101014121722_haoya101014wzsw.swf
c:\favoritevideo\InvisibleFolder\20101014160145_sasa101014jiao15s1.swf
c:\favoritevideo\InvisibleFolder\20101015171622_lining101016zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101018170403_baidukongjian101101zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101018182734_shoubiao101019zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101022101337_wanmei101022zhu15schunji.swf
c:\favoritevideo\InvisibleFolder\20101022101456_wanmei101022zhu15stanlidanbai.swf
c:\favoritevideo\InvisibleFolder\20101022101548_wanmei101022zhu15sgelishuangA.swf
c:\favoritevideo\InvisibleFolder\20101022101638_wanmei101022zhu15sgelishuangB.swf
c:\favoritevideo\InvisibleFolder\20101022101734_wanmei101022zhu15sjingzhitanli.swf
c:\favoritevideo\InvisibleFolder\20101022101820_wanmei101022zhu15sqiaokeli.swf
c:\favoritevideo\InvisibleFolder\20101023203224_aieryanke101025zhu8s.swf
c:\favoritevideo\InvisibleFolder\20101023203404_aieryanke101025zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101023203749_aieryanke101025zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101025154136_tianya101025cha15s.gif
c:\favoritevideo\InvisibleFolder\20101025154215_tianya101025zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101028150745_sasa101028zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101028173847_aobleepiandi101028zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101028185158_shenhua101029zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101029114223_sasa101029cha15s.swf
c:\favoritevideo\InvisibleFolder\20101029152333_tianyijue101030qipao15s.swf
c:\favoritevideo\InvisibleFolder\20101029152455_tianyijue101030zhu15s1.swf
c:\favoritevideo\InvisibleFolder\20101029152649_tianyijue101030zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101029175115_biyadi101029zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101029180124_biyadi101029jiaobiao.swf
c:\favoritevideo\InvisibleFolder\20101029185627_tianxiaer101105zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101029185829_tianxiaer101104zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101101103022_sanling101101zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101101103915_xianglongzhijian101101zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101101104016_sanlingasx101101zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101101105230_taobao101101zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101101221642_LUMI101101zantingbeijing.swf
c:\favoritevideo\InvisibleFolder\20101101230342_LUMI101101zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101102093306_pinguo1102zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101102111112_xiaochun101102zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101102111230_xiaokewang101102zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101102151514_taobao101104zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101102151658_taobao101104zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101102151821_taobao101104cha15s.swf
c:\favoritevideo\InvisibleFolder\20101103112613_kuowang101103zhu5s.swf
c:\favoritevideo\InvisibleFolder\20101103154932_pinganchexian101103cha15s.swf
c:\favoritevideo\InvisibleFolder\20101103163809_xianglongzhijian101103zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101103175403_qianjunpo101103zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101104115357_sasa101104zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101104135837_shenghuojia101104zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101104162807_uucall101104zhu151s.swf
c:\favoritevideo\InvisibleFolder\20101104171605_huiyuan101104zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101104173505_zhaoshangyinhang101105zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101104211923_baidushinianyijian101105zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101104212019_baidushinianyijian101105zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101105155052_xixun101105zhu15s.wmv
c:\favoritevideo\InvisibleFolder\20101105163541_huiyuan101105zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101105180537_qianjunpo101106zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101105180628_qianjunpo101106qipao15s.swf
c:\favoritevideo\InvisibleFolder\20101105190851_shengmozhixue101108zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101105191047_tianxiaer101110zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101105191139_tianxiaer101112bkqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101105202255_xianglongzhijian101106zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101105202504_xianglongzhijian101108zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101105230815_taobao101108cha15s.swf
c:\favoritevideo\InvisibleFolder\20101105231128_taobao101108zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101105231416_taobao101108zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101108143557_3mxinxueli101122zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101108143711_3mxinxueli101122zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101112103740_taobao101112cha15s.swf
c:\favoritevideo\InvisibleFolder\20101112141416_sasa101112cha2.swf
c:\favoritevideo\InvisibleFolder\20101112165425_tankedazhan101112zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101117100050_pinganchexian101117qipao15s.swf
c:\favoritevideo\InvisibleFolder\20101118161832_kuowang101118zhu5s.swf
c:\favoritevideo\InvisibleFolder\20101119115856_taobao101119cha15sman.swf
c:\favoritevideo\InvisibleFolder\20101119120106_taobao101119cha15swoman.swf
c:\favoritevideo\InvisibleFolder\20101124180524_zuoxuan101124zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101125182742_lining101129zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101126174343_zhongguoliantong101129zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101130183135_aixinbaoguo101201zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101201141043_jujing101201yixingqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101202165626_yuandayiyuan101202cha15s.gif
c:\favoritevideo\InvisibleFolder\20101203150904_lining101204zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101203153518_liyijiujiuwang101203zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101203172801_qianjunpo101203zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101206174724_zuoxuan101206cha15s.swf
c:\favoritevideo\InvisibleFolder\20101207230205_fankong101208qipao.swf
c:\favoritevideo\InvisibleFolder\20101208123802_longze101208zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101208141044_sanjieqiyuan101208zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101208151716_lumi101208zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101208191023_tianjinyiqi101209zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101208191119_tianjinyiqi101209zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101209114035_airui101210zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101210110326_tianjinyiqi101213cha15s.swf
c:\favoritevideo\InvisibleFolder\20101210154218_zhengtu2101211zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101214141308_lechi101221qipao15s.swf
c:\favoritevideo\InvisibleFolder\20101214141935_zhoudafu101225zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101214142143_zhoudafu101215cha15s.jpg
c:\favoritevideo\InvisibleFolder\20101214174235_tianxiaer101222zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101215235231_bianfeng101216zanting.swf
c:\favoritevideo\InvisibleFolder\20101215235342_bianfeng101219qipao.swf
c:\favoritevideo\InvisibleFolder\20101216000731_yingjia101216qipao.gif
c:\favoritevideo\InvisibleFolder\20101216142728_lvsezhengtu101218zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101216151819_lvsezhengtu101218zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101216180507_wanmeishenmodalu101217zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101216180658_wanmeishenmodalu101217zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101217100327_xiangganglvyouju101217zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101217112741_xiaogouwang101217zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101217163710_baidushinianyijian101218zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101217165615_dafuni101220zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101217165709_dafuni101220zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101217183731_caixin101220zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220113143_KFC101220zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220123435_sanling101220zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101220144744_biyadi101223zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101220144923_biyadi101223cha15s.swf
c:\favoritevideo\InvisibleFolder\20101220164804_vip101220zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101220164848_vip101220zanting15s.jpg
c:\favoritevideo\InvisibleFolder\20101220164851_eastpak101220zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101220165121_eastpak101220zanting15s.gif
c:\favoritevideo\InvisibleFolder\20101220165333_eastpak101220cha15s.swf
c:\favoritevideo\InvisibleFolder\20101220170858_pingan101220cha15s.swf
c:\favoritevideo\InvisibleFolder\20101220171122_pingan101220zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220172306_pingan101220houtie.swf
c:\favoritevideo\InvisibleFolder\20101220172513_xiangganglvyouju101221jiao15s.swf
c:\favoritevideo\InvisibleFolder\20101220174642_dongfengrichan101220cha15s.swf
c:\favoritevideo\InvisibleFolder\20101220174837_dongfengrichan101220zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220190303_taobao101221cha15s.swf
c:\favoritevideo\InvisibleFolder\20101220190358_taobao101221zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220190559_taobao101221zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101220190717_taobao101221bkqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101220210403_shenguishijie101221zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101220210510_shenguishijie101221zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101221112902_KFC101221jiaobiao.swf
c:\favoritevideo\InvisibleFolder\20101221174112_woyouwangluo101221bkqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101222094001_shijitiancheng101222qipao15s.swf
c:\favoritevideo\InvisibleFolder\20101222164804_tianxiaer101223zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101222164905_tianxiaer101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101222174556_jianfengzhanji101223zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101223092638_tianyijue101223zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101223092851_tianyijue101223bkqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101223114801_tianyijue101223zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101223152005_taobao101224cha15s.swf
c:\favoritevideo\InvisibleFolder\20101223152112_taobao101224zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101223152205_taobao101224zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101223160139_wopaiwang101223zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101223181149_jianfengzhanji101223zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101223181313_jianfengzhanji101223zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101223181751_shijitiancheng101224zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224112404_woyouwangluo101224zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224112522_woyouwangluo101224zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224113612_wanmeishenguishijie101225zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224113736_wanmeishenguishijie101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224135126_wangwangzhiwang3101227zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224135223_wangwangzhiwang3101228zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224135317_wangwangzhiwang3101229zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224135437_wangwangzhiwang3101230zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224145732_wanmeishenmodalu101226zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224161510_woyouwangluo101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224161707_woyouwangluo101224zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224162116_woyouwangluo101225bkqipao15s.swf
c:\favoritevideo\InvisibleFolder\20101224164333_shinianyijian101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224165431_91wan101225zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224171826_taobao101225cha15s.swf
c:\favoritevideo\InvisibleFolder\20101224171910_taobao101225zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224171958_taobao101225zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224175557_guangyuwendao101227zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224181428_taobao101226cha15s.swf
c:\favoritevideo\InvisibleFolder\20101224181513_taobao101226zanting15s.swf
c:\favoritevideo\InvisibleFolder\20101224181634_taobao101226zhu15s.swf
c:\favoritevideo\InvisibleFolder\20101224183847_maoxiandao101227zanting15s.swf
c:\favoritevideo\InvisibleFolder\externtab(1.0.0.5).zip
c:\favoritevideo\InvisibleFolder\peer.dll
c:\favoritevideo\InvisibleFolder\pplss2.swf
c:\favoritevideo\InvisibleFolder\pptvsetup_2.6.3.0007_s2.exe
c:\favoritevideo\InvisibleFolder\TipsClient.dll
c:\favoritevideo\InvisibleFolder\vip_db_allinonetoday2010110520101105211453.zip
c:\favoritevideo\InvisibleFolder\vip_db_allinonetoday2010122620101226203536.zip
c:\favoritevideo\InvisibleFolder\vip_db_allinonetoday2010122620101226204730.zip
c:\favoritevideo\InvisibleFolder\vip_db_big20101105.zip
c:\favoritevideo\InvisibleFolder\vip_db_big20101225.zip
c:\favoritevideo\InvisibleFolder\vip_db_small2010100620101009.zip
c:\favoritevideo\InvisibleFolder\vip_db_small2010122520101226.zip
c:\program files (x86)\Downloaded Installers
c:\program files (x86)\Downloaded Installers\{f2e82d79-a583-4e9f-9380-aa0d89122ba7}\setup.msi
c:\program files (x86)\Hotspot Shield\HssIE\HsSIe.dll
c:\users\USMC56\AppData\Roaming\FFSJ
c:\users\USMC56\AppData\Roaming\FFSJ\FFSJ.cfg
c:\users\USMC56\videos\hjsplit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
.
.
2011-08-03 06:19 . 2011-08-03 06:19 -------- d-----w- c:\users\USMC56\AppData\Roaming\SUPERAntiSpyware.com
2011-08-03 06:18 . 2011-08-03 06:18 -------- d-----w- c:\programdata\!SASCORE
2011-08-03 06:18 . 2011-08-03 06:19 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-26 12:51 . 2011-07-26 12:51 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2011-07-26 12:48 . 2011-07-21 04:33 54728 ----a-w- c:\windows\system32\drivers\Soluto.sys
2011-07-26 12:48 . 2011-07-26 12:48 -------- d-----w- c:\program files\Soluto
2011-07-25 12:37 . 2011-07-25 12:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-25 12:31 . 2011-07-25 12:33 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-07-25 12:31 . 2010-01-10 12:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-07-25 12:16 . 2011-07-25 12:16 -------- d-----w- c:\users\USMC56\AppData\Local\Secunia PSI
2011-07-25 12:16 . 2011-07-25 12:16 -------- d-----w- c:\program files (x86)\Secunia
2011-07-24 09:50 . 2011-07-24 09:49 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-24 09:49 . 2011-07-24 09:49 -------- d-----w- c:\program files\Java
2011-07-22 16:28 . 2011-07-22 16:28 -------- d-----w- c:\program files\Recuva
2011-07-21 14:28 . 2011-07-21 14:28 -------- d-----w- c:\programdata\MSNDynFiles
2011-07-20 05:24 . 2011-07-20 05:24 -------- d-----w- c:\programdata\Uninstall
2011-07-20 05:24 . 2011-07-20 05:24 -------- d-----w- c:\programdata\Sonic
2011-07-20 05:24 . 2011-07-20 05:24 -------- d-----w- c:\programdata\InstallShield
2011-07-20 05:23 . 2011-07-20 05:23 -------- d-----w- c:\users\USMC56\AppData\Local\Programs
2011-07-16 14:14 . 2011-07-16 14:14 -------- d-----w- c:\users\USMC56\AppData\Local\uTorrent
2011-07-16 13:51 . 2011-07-16 13:51 -------- d-----w- c:\program files (x86)\FileHippo.com
2011-07-16 11:49 . 2009-05-18 08:47 34152 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-16 11:49 . 2008-01-29 05:34 126312 ----a-r- c:\windows\system32\GEARAspi64.dll
2011-07-16 11:49 . 2008-01-29 05:32 107368 ----a-r- c:\windows\SysWow64\GEARAspi.dll
2011-07-16 11:48 . 2011-07-16 11:48 -------- d-----w- c:\windows\system32\drivers\NBRTWizardx64
2011-07-16 11:48 . 2011-07-16 11:48 -------- d-----w- c:\program files (x86)\Norton Bootable Recovery Tool Wizard
2011-07-16 10:19 . 2011-07-16 11:04 -------- d-----w- c:\users\USMC56\AppData\Local\NPE
2011-07-15 11:14 . 2011-07-15 11:14 -------- d-----w- c:\program files (x86)\ESET
2011-07-13 07:45 . 2011-06-03 06:57 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2011-07-13 07:45 . 2011-06-03 06:00 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2011-07-13 07:45 . 2011-06-03 03:53 2048 ----a-w- c:\windows\SysWow64\user.exe
2011-07-13 07:45 . 2011-06-03 06:57 362496 ----a-w- c:\windows\system32\wow64win.dll
2011-07-13 07:45 . 2011-06-03 06:57 243200 ----a-w- c:\windows\system32\wow64.dll
2011-07-13 07:45 . 2011-06-03 06:57 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2011-07-13 07:45 . 2011-06-03 06:57 214528 ----a-w- c:\windows\system32\winsrv.dll
2011-07-13 07:45 . 2011-06-03 06:53 338944 ----a-w- c:\windows\system32\conhost.exe
2011-07-13 07:45 . 2011-06-03 05:57 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2011-07-13 07:45 . 2011-06-03 05:56 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2011-07-13 07:45 . 2011-06-03 03:53 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2011-07-12 19:00 . 2011-07-12 19:00 -------- d-----w- c:\programdata\Kaspersky Lab
2011-07-11 14:26 . 2011-07-11 14:26 389120 ----a-w- c:\program files (x86)\MSN\MSNCoreFiles\MSNDynFiles\txsrvc.dll
2011-07-11 14:25 . 2011-07-11 14:25 476672 ----a-w- c:\program files (x86)\MSN\MSNCoreFiles\MSNDynFiles\unicows.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-26 12:50 . 2009-07-23 13:46 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2011-07-26 12:50 . 2009-07-23 13:46 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2011-07-26 11:17 . 2011-05-21 18:06 403616 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-26 10:58 . 2010-04-03 13:38 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-07-26 10:57 . 2010-05-20 00:22 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-07-08 10:45 . 2011-05-10 03:36 386168 ----a-w- c:\windows\system32\drivers\NISx64\1206000.01D\symnets.sys
2011-07-06 12:52 . 2010-10-09 12:13 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-06 12:52 . 2010-10-09 12:13 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-28 18:19 . 2010-05-21 07:33 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-03 05:57 . 2011-07-13 07:45 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-24 11:42 . 2011-06-29 13:08 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-05-24 10:40 . 2011-06-29 13:08 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-05-24 10:40 . 2011-06-29 13:08 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-05-24 10:39 . 2011-06-29 13:08 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37 . 2011-06-29 13:08 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2011-05-10 03:36 . 2010-01-15 16:08 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7}]
2010-05-14 07:10 561400 ----a-w- c:\program files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BATINDICATOR"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-08 2068992]
"LaunchHPOSIAPP"="c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-03 385024]
"UpdatePRCShortCut"="c:\program files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SolutoService]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 HssWd;Hotspot Shield Monitoring Service;c:\program files (x86)\Hotspot Shield\bin\hsswd.exe [2010-09-22 325168]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
R3 lvpopf64;Logitech POP Suppression Filter;c:\windows\system32\DRIVERS\lvpopf64.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [x]
R3 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe [2011-01-14 341296]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe [2011-04-19 993848]
R3 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe [2011-04-19 399416]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2011-03-31 428640]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 Soluto;Soluto;c:\windows\system32\DRIVERS\Soluto.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1206000.01D\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1206000.01D\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110723.001\BHDrvx64.sys [2011-07-23 1151096]
S1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [x]
S1 CFRPD;CFRPD;c:\windows\system32\DRIVERS\CFRPD.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110803.030\IDSvia64.sys [2011-08-01 488056]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1206000.01D\Ironx64.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1206000.01D\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-07-19 146816]
S2 Cleaner_Validator;COMODO System - Cleaner Service;c:\program files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe [2010-12-09 371648]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
S2 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [2011-07-21 392224]
S3 AVER_H193;AVerMedia H193 Video Capture;c:\windows\system32\drivers\AVer888RC_64.sys [x]
S3 CXCIR;AVerMedia Consumer Infrared Receiver;c:\windows\system32\DRIVERS\AVer888RCIR_64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-07-27 136824]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech Webcam 200(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-03 c:\windows\Tasks\COMODO Updater.job
- c:\program files\COMODO\COMODO System-Cleaner\Updater.exe [2010-12-09 12:08]
.
2011-08-02 c:\windows\Tasks\Norton Security Scan for USMC56.job
- c:\program files (x86)\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2010-02-13 03:06]
.
2011-07-31 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-06-10 11:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-09-22 19:19 284208 ----a-w- c:\program files (x86)\Hotspot Shield\HssIE\HssIE_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984DD45-52CF-49cd-AB77-18F378FEA264}"= "c:\program files (x86)\Stardock\Fences\FencesMenu64.dll" [2009-10-02 134656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page =
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: &ieSpell Options - c:\program files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add To QQ Expression - c:\program files (x86)\Sanook! QQ\QQ\AddEmotion.htm
IE: Check &Spelling - c:\program files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files (x86)\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files (x86)\ieSpell\wikipedia.HTM
IE: {{85E6F309-A27D-487e-AE22-B014E197E969} - c:\program files (x86)\Sanook! QQ\QQ\QQ.EXE
IE: {{237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - c:\program files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
Trusted Zone: 111222.cn\list1
Trusted Zone: pps.tv\kan
Trusted Zone: pps.tv\list1
Trusted Zone: pps.tv\tvguide
Trusted Zone: pps.tv\vodguide
Trusted Zone: ppstream.com\list1
Trusted Zone: ppstream.com\notice
Trusted Zone: ppstream.com\xml1
Trusted Zone: ppstream.com\xml2
Trusted Zone: ppstream.com\xml3
Trusted Zone: ppstream.net\list1
Trusted Zone: ppstv.com\list1
Trusted Zone: ppstv.net\list1
Trusted Zone: security_PPStream.exe
TCP: DhcpNameServer = 50.23.239.24 208.67.222.222
Handler: abine - {4CAB4B60-0290-4BF9-871B-8FAD8AB728DF} - c:\program files (x86)\Abine\PF_BHO.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11a_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11a_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
.
**************************************************************************
.
Completion time: 2011-08-04 13:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-04 06:26
.
Pre-Run: 41,406,406,656 bytes free
Post-Run: 42,638,700,544 bytes free
.
- - End Of File - - D35BBA2ADC63BE15CDD3390BB7D6AAF0

#6 User is offline   gringo_pr 

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 02:03 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box

C:\Qoobox\Add-Remove Programs.txt

  • click ok


copy and paste the report into this topic for me to review

Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

#7 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 02:27 AM

I'm not sure I'm doing this right; this is the only thing I can come up with, and I don't think it is what you are requesting.

µTorrent
7-Zip 4.65
Abine
Ad-Aware
Adobe Flash Player 11 ActiveX
AllDup 3.3.14
Any Video Converter 3.2.5
AsfTools 3.1 (remove only)
Auto Care
CameraHelperMsi
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
DirectX for Managed Code Update (Summer 2004)
DJ_AIO_06_F2400_SW_Min
Download Guard for Internet Explorer
DuckLink Screen Capture 2.3
erLT
ESET Online Scanner v3
Fences
File Splitter and Joiner (FFSJ v3.3)
FileHippo.com Update Checker
Foxit PDF Editor
Foxit Reader 5.0
Ghostery IE Plugin
Google Update Helper
GPL Ghostscript 8.71 Lite
Haihaisoft Universal Player
Hotspot Shield 1.52
HP Customer Experience Enhancements
HP MAINSTREAM KEYBOARD
HP MediaSmart DVD
HP MediaSmart Movie Themes
HP MediaSmart Music/Photo/Video
HP Odometer
HP Product Detection
HP Remote Solution
HP Setup
HP Support Information
HP Update
ieSpell
JDownloader 0.9
Junk Mail filter update
LabelPrint
LightScribe System Software
Logitech Vid
Logitech Webcam Software
LWS Facebook
LWS Gallery
LWS Help_main
LWS Launcher
LWS Motion Detection
LWS Pictures And Video
LWS Twitter
LWS Video Mask Maker
LWS Webcam Software
LWS WLM Plugin
LWS YouTube Plugin
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft Choice Guard
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Reader
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
Norton Bootable Recovery Tool Wizard
Norton Internet Security
Norton Security Scan
NVIDIA PhysX
Power2Go
PowerDirector
PowerRecover
PPStream V2.7.0.1096 Final
PPTV V2.5.5.0019
PrimoPDF -- brought to you by Nitro PDF Software
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Scan
Secunia PSI (2.0.0.3003)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
SlimComputer
Some PDF Image Extractr 1.5
SopCast 3.2.9
SpywareBlaster 4.4
StreamTorrent 1.0
Toolbox
TVAnts 1.0
TVUPlayer 2.5.3.1
Veetle TV 0.9.18
VisiPics V1.30
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.11
Windows Essentials Media Codec Pack 3.0
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool

#8 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 03:30 AM

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

    I would like you to rerun MBAM

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


"information and logs"

    In your next post I need the following

    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?


Gringo


#9 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 03:55 AM

OK, I'll run this next set. Just to let you know, when I opened this email I got another notice of a blocked intrusion attempt.

#10 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 03:57 AM

Ok, let me know after you finish this next set.


gringo

#11 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 05:38 AM

I had a hard time with HijackThis. I kept getting "For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file HijackThis may not be able to fix this." I tried following the instructions but was unable to accomplish anything. When I ran the program it generated a log, but I was unable to copy, save, etc. I used the Windows Compatibility troubleshooter and was able to run HijackThis. I hope the results are what you needed. Please understand, I am not the most computer savvy person around, thanks.



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7373

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

04-Aug-11 16:39:21
mbam-log-2011-08-04 (16-39-21).txt

Scan type: Quick scan
Objects scanned: 182977
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:30:52, on 04-Aug-11
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\MSN\MSNCoreFiles\msn.exe
c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files (x86)\DuckLink\DuckCapture\DuckCapture.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_US&c=94&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DownloadGuardBHO - {20C1A7F0-528E-444F-BAC5-5804A61CCA7F} - C:\Program Files (x86)\Lavasoft\Download Guard for Internet Explorer\DownloadGuardBHO.dll
O2 - BHO: Ghostery BHO - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
O2 - BHO: Abine Plugin - {430B0D90-6934-44b0-934B-42127EF55AD9} - C:\Program Files (x86)\Abine\PF_BHO.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: Abine ToolBar - {BD3B233C-91B9-4FA6-8718-6C9588C61808} - C:\Program Files (x86)\Abine\PF_BHO.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
O4 - HKLM\..\Run: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
O4 - HKLM\..\Run: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add To QQ Expression - C:\Program Files (x86)\Sanook! QQ\QQ\AddEmotion.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files (x86)\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files (x86)\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files (x86)\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll
O9 - Extra button: Ghostery - {237EB6DA-3FEA-4DD2-8A61-A901B5C489D7} - C:\Program Files (x86)\GhosteryIEplugin\GhosteryBrowserHelperObjec.dll
O9 - Extra button: Sanook! QQ - Thai Version - {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: Sanook! QQ - {85E6F309-A27D-487e-AE22-B014E197E969} - C:\Program Files (x86)\Sanook! QQ\QQ\QQ.EXE (file missing)
O9 - Extra button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
O9 - Extra 'Tools' menuitem: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: http://list1.111222.cn
O15 - Trusted Zone: http://kan.pps.tv
O15 - Trusted Zone: http://list1.pps.tv
O15 - Trusted Zone: http://tvguide.pps.tv
O15 - Trusted Zone: http://vodguide.pps.tv
O15 - Trusted Zone: http://list1.ppstream.com
O15 - Trusted Zone: http://notice.ppstream.com
O15 - Trusted Zone: http://xml1.ppstream.com
O15 - Trusted Zone: http://xml2.ppstream.com
O15 - Trusted Zone: http://xml3.ppstream.com
O15 - Trusted Zone: http://list1.ppstream.net
O15 - Trusted Zone: http://list1.ppstv.com
O15 - Trusted Zone: http://list1.ppstv.net
O15 - ESC Trusted Zone: http://list1.111222.cn
O15 - ESC Trusted Zone: http://kan.pps.tv
O15 - ESC Trusted Zone: http://list1.pps.tv
O15 - ESC Trusted Zone: http://tvguide.pps.tv
O15 - ESC Trusted Zone: http://vodguide.pps.tv
O15 - ESC Trusted Zone: http://list1.ppstream.com
O15 - ESC Trusted Zone: http://notice.ppstream.com
O15 - ESC Trusted Zone: http://xml1.ppstream.com
O15 - ESC Trusted Zone: http://xml2.ppstream.com
O15 - ESC Trusted Zone: http://xml3.ppstream.com
O15 - ESC Trusted Zone: http://list1.ppstream.net
O15 - ESC Trusted Zone: http://list1.ppstv.com
O15 - ESC Trusted Zone: http://list1.ppstv.net
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: abine - {4CAB4B60-0290-4BF9-871B-8FAD8AB728DF} - C:\Program Files (x86)\Abine\PF_BHO.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO System - Cleaner Service (Cleaner_Validator) - Unknown owner - C:\Program Files\COMODO\COMODO System-Cleaner\Cleaner_Validator.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe (file missing)
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
O23 - Service: NitroPDFReaderDriverCreatorReadSpool (NitroReaderDriverReadSpool) - Nitro PDF Software - C:\Program Files\Common Files\Nitro PDF\Reader\1.0\NitroPDFReaderDriverServicex64.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\sua.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Soluto PCGenome Core Service (SolutoService) - Soluto - C:\Program Files\Soluto\SolutoService.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 12083 bytes
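One way to read a HijackThis log like the one pasted above, as an added example (not code from HijackThis, from the thread, or from its participants): it parses the O2/O4/O15/O23 entry lines, lists orphaned BHOs (registered with no DLL on disk), autostart entries, the hosts that have been added to Internet Explorer's Trusted Zone (which lowers IE's security settings for those sites, so a reviewer wants the list), and services whose binary the tool could not find. It also separates the "(file missing)" hits on stock Windows services under C:\Windows\system32, which a 32-bit HijackThis reports on 64-bit Windows because of WOW64 file-system redirection, from the ones that deserve a look. The sample lines are copied from the log above; the function names are this example's own.

```python
"""Triage a HijackThis (HJT) v2.0.4 log the way a log reviewer reads it.

Added example for this thread; not code from HijackThis or from the thread's
participants. The section prefixes (O2, O4, O15, O23) are HJT's own; the
sample lines are copied from the log pasted in the thread.
"""
import re
from pprint import pprint
from urllib.parse import urlsplit

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: http://list1.ppstream.com
O15 - ESC Trusted Zone: http://list1.ppstream.com
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files (x86)\Secunia\PSI\PSIA.exe
"""

HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 body: HKCU\..\Run: [name] command
RUN_LINE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O15 body: Trusted Zone: http://host  (or "ESC Trusted Zone" for the Enhanced Security Configuration zone)
ZONE_LINE = re.compile(r"^(ESC )?Trusted Zone: (\S+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]+\}")
SHORT_NAME = re.compile(r"\(([^()]+)\)\s*$")


def parse_hjt(text):
    """Return [(section, body)] for every HJT entry line, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_wow64_artifact(path):
    """A 32-bit HJT on 64-bit Windows sees C:\\Windows\\system32 through WOW64
    file-system redirection, so "(file missing)" on stock Windows services under
    that directory is a tool limitation, not evidence of tampering."""
    return path.lower().startswith(r"c:\windows\system32")


def triage(entries):
    """Group the entries a reviewer looks at first."""
    report = {
        "orphaned_bho": [],              # O2 registered with no DLL on disk
        "run_entries": [],               # O4 autostart: (hive, key, name, command)
        "trusted_zone_hosts": set(),     # O15 hosts granted IE Trusted Zone privileges
        "missing_service_binaries": [],  # O23 whose binary HJT really could not find
        "wow64_artifacts": [],           # O23 "missing" only because of redirection
    }
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            m = CLSID.search(body)
            report["orphaned_bho"].append(m.group(0) if m else body)
        elif section == "O4":
            m = RUN_LINE.match(body)
            if m:
                report["run_entries"].append(m.groups())
        elif section == "O15":
            m = ZONE_LINE.match(body)
            if m:
                report["trusted_zone_hosts"].add(urlsplit(m.group(2)).hostname)
        elif section == "O23" and body.startswith("Service: "):
            # Service names may themselves contain " - ", so split from the right.
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, _owner, path = parts
            if path.endswith("(file missing)"):
                m = SHORT_NAME.search(name)
                short = m.group(1) if m else name
                key = "wow64_artifacts" if is_wow64_artifact(path) else "missing_service_binaries"
                report[key].append(short)
    report["trusted_zone_hosts"] = sorted(report["trusted_zone_hosts"])
    return report


if __name__ == "__main__":
    pprint(triage(parse_hjt(SAMPLE_LOG)))
```

The report groups rather than judges: a host in the Trusted Zone or a missing service binary is something to look up (the thread's helper points at the same kind of lookup for O4 entries), and the WOW64 bucket keeps the stock-service noise from being mistaken for the finding.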

#12 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 07:07 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of these programs by clicking on their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

Sometimes we have to run it like this. To run HijackThis as an administrator,
right-click HijackThis.exe (located at C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)
and select Run as administrator.




  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [UpdatePRCShortCut] "C:\Program Files (x86)\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Hewlett-Packard\Recovery" UpdateWithCreateOnce "Software\CyberLink\PowerRecover"
      O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE**You can research each of those lines here and see if you want to keep them or not;
      just copy the name between the brackets and paste it into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

#13 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 10:32 PM

I ran Eset, nothing showed up. I left Messenger in the boot but removed the other 2. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# msn.exe=10.00.0079.0400
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=6e49af534c082149960bf923944719cc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-19 05:02:10
# local_time=2011-07-20 12:02:10 (+0700, SE Asia Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=3588 16777214 85 79 1016835 14141156 0 0
# compatibility_mode=5893 16776574 100 94 11503988 62717000 0 0
# compatibility_mode=8192 67108863 100 0 358667 358667 0 0
# scanned=600036
# found=0
# cleaned=0
# scan_time=7780
esets_scanner_update returned -1 esets_gle=53251

#14 sabai

  • Member
  • Group: Members
  • Posts: 31
  • Joined: 24-July 11

Posted 04 August 2011 - 10:34 PM

Just after I finished my reply, I got another notice that Norton blocked an intrusion attempt.

This post has been edited by sabai: 04 August 2011 - 10:35 PM


#15 gringo_pr

  • Bleepin Gringo
  • Group: Malware Response Team
  • Posts: 85,518
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 04 August 2011 - 10:39 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Gringo
