Firefox settings keep setting to manual proxy 127.0.0.1 and Spybot finds AVSecurity daily. All rec'd files included and attached.

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Firefox settings keep setting to manual proxy 127.0.0.1 and Spybot finds AVSecurity daily. All rec'd files included and attached. Unable to fix w/ Ccleaner, MBAM, Spybot, Avast, ASC, Combofix

#1 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 01 September 2011 - 10:43 PM

Dell Dimension 4600 / XP home.

I have an old Dell at home that I use solely for accessing my point of sale system at work using PC Anywhere, and web browsing using Firefox. No mail, office, music, photos, or anything else, and other than downloading one of my own PDFs from my server from time to time, I don't download ANYTHING.

I run Spybot daily and from time to time, it picks up a trojan or a piece of malware / clickware / adware. I fix the problems and I am good to go. I have AVG running at all times and I run MBAM every couple of weeks.

About a month ago, when I opened Firefox (which is up to date), it said my proxy server was refusing connections. Having not changed my settings, I was surprised to find that my proxy settings had somehow switched to proxy with a 127.0.0.1 IP address. I changed the settings to No Proxy and was able to surf normally.

Now, whenever I restart Firefox, the settings are changed back to that same proxy setting. I have searched high and low, and it looks like a lot of people have had this problem, but none of the various fixes seem to apply to my situation.

My PC is also making that little bubble popping noise from time to time for no apparent reason. Coincidentally, every day now Spybot is finding Fraud.AVSecuritySuite, which I fix daily, and then it is found again the next day.

So this isn't a total takeover of my computer, but it is concerning that I am getting the same infection every day, and that my Firefox keeps changing its own settings every time I start it.

Any help would be greatly appreciated.

Thanks in advance.

----------- I ran combofix last week trying to chase this before I found out about bleepingcomputer - hope this doesn't preclude your help.

I have followed the instructions. Here is my dds.txt file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Run by Owner at 21:57:46 on 2011-09-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1221 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\CrossLoop\CrossLoopService.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Kensington TrackballWorks\KTbWorks.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [KTbWorks] "c:\program files\kensington trackballworks\KTbWorks.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAyADMAMwA4ADUAMQA0ADQALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264387306265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{4919C683-A6D4-4085-A100-D82EDE9ABB4F} : DhcpNameServer = 24.116.2.50 24.116.2.34
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: PCANotify - PCANotify.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\yunx4pt4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b5d1405&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50202
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-24 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-24 309848]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-8-28 328536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-24 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-24 42184]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\owner\local settings\application data\crossloop\CrossLoopService.exe [2010-6-22 560792]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstOr.sys [2011-2-13 51280]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-24 366640]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\tablet\wacom\Wacom_Tablet.exe [2011-2-8 4807536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-24 22712]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-1 106496]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 uvnc_service;uvnc_service;c:\documents and settings\owner\local settings\application data\crossloop\winvnc.exe [2010-6-22 1590216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-7-16 14336]
.
=============== Created Last 30 ================
.
2011-09-02 02:14:51 -------- d-----w- c:\program files\CCleaner
2011-09-01 18:39:03 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9a2b2f00-c16a-4f38-870e-c3a4f6f6a989}\mpengine.dll
2011-08-28 18:05:08 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-08-28 18:04:31 -------- d-----w- c:\windows\system32\winrm
2011-08-28 18:04:30 -------- d-----w- c:\windows\system32\GroupPolicy
2011-08-28 18:04:20 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-08-28 17:45:51 -------- d-----w- c:\documents and settings\owner\application data\RegistryKeys
2011-08-28 17:44:05 -------- d-----w- c:\documents and settings\owner\application data\IObit
2011-08-28 17:44:03 -------- d-----w- c:\program files\IObit
2011-08-28 08:10:08 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-28 08:07:33 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-26 02:42:03 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-25 01:45:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-25 01:45:16 40112 ----a-w- c:\windows\avastSS.scr
2011-08-25 01:44:57 -------- d-----w- c:\program files\AVAST Software
2011-08-25 01:44:57 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-08-25 01:36:52 -------- d-----w- c:\documents and settings\owner\local settings\application data\WinZip
2011-08-24 12:03:10 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-24 12:03:10 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-24 12:03:10 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2011-08-24 04:23:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-24 04:20:23 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-24 03:05:46 -------- d-sha-r- C:\cmdcons
2011-08-24 03:03:41 98816 ----a-w- c:\windows\sed.exe
2011-08-24 03:03:41 518144 ----a-w- c:\windows\SWREG.exe
2011-08-24 03:03:41 256000 ----a-w- c:\windows\PEV.exe
2011-08-24 03:03:41 208896 ----a-w- c:\windows\MBR.exe
2011-08-13 02:37:04 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 22:15:46 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:15:16 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 02:27:17 -------- d-----w- c:\documents and settings\all users\application data\!SASCORE
.
==================== Find3M ====================
.
2011-08-16 01:15:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-27 01:34:34 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 21:59:21.09 ===============

Attached File(s)

ark.txt (212.27K)
Number of downloads: 1
attach.txt (13.16K)
Number of downloads: 0

#2 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 02 September 2011 - 09:13 PM

please post the combofix log(s)

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#3 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 03 September 2011 - 08:50 PM

CatByte, on 02 September 2011 - 09:13 PM, said:

please post the combofix log(s)

Thanks for your response!

Here you go:

ComboFix 11-09-03.01 - Owner 09/03/2011 20:35:51.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1419 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-03 02:28 . 2011-08-12 00:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1CA5A0A0-6471-468B-B6D0-75B04163C78C}\mpengine.dll
2011-09-02 02:14 . 2011-09-02 02:14 -------- d-----w- c:\program files\CCleaner
2011-08-28 18:33 . 2011-08-28 18:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2011-08-28 18:05 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\winrm
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\GroupPolicy
2011-08-28 18:04 . 2011-08-28 18:04 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-08-28 17:45 . 2011-08-28 17:45 -------- d-----w- c:\documents and settings\Owner\Application Data\RegistryKeys
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\program files\IObit
2011-08-28 08:10 . 2011-08-28 08:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-28 08:07 . 2011-08-28 09:35 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-26 02:42 . 2011-08-12 00:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-25 01:45 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-25 01:45 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-25 01:45 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-25 01:45 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-25 01:45 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-25 01:45 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-25 01:45 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-25 01:45 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-25 01:45 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-25 01:45 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\program files\AVAST Software
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-25 01:36 . 2011-08-25 01:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2011-08-24 12:03 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-24 12:03 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-24 04:23 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-24 04:20 . 2011-08-24 04:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-13 02:37 . 2011-08-13 02:37 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 22:15 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:15 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 02:27 . 2011-08-10 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 01:15 . 2011-07-31 18:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-27 01:34 . 2003-07-16 20:30 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-07-27 01:17 . 2011-07-27 01:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 13:29 . 2003-07-16 20:34 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-07-16 20:37 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-07-25 00:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-07-25 00:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2010-01-03 20:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-07-16 20:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-02 02:26 . 2011-05-10 03:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-08-28_17.25.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-02 02:22 . 2011-09-02 02:22 16384 c:\windows\Temp\Perflib_Perfdata_290.dat
+ 2009-10-09 19:56 . 2009-10-09 19:56 14848 c:\windows\system32\wsmprovhost.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 12288 c:\windows\system32\wsmplpxy.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 12288 c:\windows\system32\winrssrv.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 22528 c:\windows\system32\winrshost.exe
+ 2009-10-09 21:22 . 2009-10-09 21:22 69632 c:\windows\system32\winrs.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 25088 c:\windows\system32\winrmprov.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 24064 c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll
+ 2009-10-09 21:22 . 2009-10-09 21:22 42496 c:\windows\system32\pwrshplugin.dll
+ 2005-10-29 04:49 . 2005-10-29 04:49 84480 c:\windows\system32\pintool.exe
+ 2003-07-16 20:40 . 2009-10-08 19:56 20480 c:\windows\system32\oleaccrc.dll
+ 2003-07-16 20:40 . 2009-10-08 19:56 20480 c:\windows\system32\dllcache\oleaccrc.dll
+ 2005-10-29 04:49 . 2005-10-29 04:49 25600 c:\windows\system32\bcsprsrc.dll
+ 2005-10-28 21:40 . 2005-10-28 21:40 96792 c:\windows\system32\basecsp.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\5b8d9854c1eeeeaed165b9ec7952780b\Microsoft.WSMan.Runtime.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 21504 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\139a5210be993c2fa8e856f8c01de628\Microsoft.WSMan.Management.resources.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 45568 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f5a58e4c247fa90e982ea7608a8509fa\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 16896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d68edc72140d957dc7317ddb866e2f6b\Microsoft.PowerShell.Security.resources.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 38912 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\c3d3c5a8550a97cfe7375d1987d8eb63\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 18432 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a187793f4b76b2d401ed37a35a658865\Microsoft.PowerShell.Commands.Diagnostics.resources.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 36352 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6a0e3f48947a0ccadba8938a36bd7093\Microsoft.PowerShell.GPowerShell.resources.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 24576 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\2841dd9afdb997cccf3bd53731fc171f\Microsoft.PowerShell.GraphicalHost.resources.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 67072 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\1034ecba76c32e29c3f660dc9719026e\Microsoft.PowerShell.Editor.resources.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 31744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\0e4e11ff4e9f2ad10cdd673889007d7b\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 91648 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\e3cfeca417f9bfb8f28862aa17e2bc54\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 14848 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\c19d7c727706051afbf2489641242dc1\Microsoft.BackgroundIntelligentTransfer.Management.resources.ni.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 13824 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 69632 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 16896 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 40960 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 69632 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 40960 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 49152 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 36864 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 10752 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 57344 c:\windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
+ 2009-10-09 19:57 . 2009-10-09 19:57 20480 c:\windows\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 2048 c:\windows\system32\winrsmgr.dll
+ 2009-10-09 21:23 . 2009-10-09 21:23 4608 c:\windows\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
+ 2009-10-09 21:23 . 2009-10-09 21:23 4096 c:\windows\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
+ 2011-08-28 18:05 . 2009-03-08 09:35 2048 c:\windows\ie8updates\KB2447568-IE8\iecompat.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 9216 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 9216 c:\windows\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 209408 c:\windows\system32\WsmWmiPl.dll
+ 2009-10-09 21:22 . 2009-10-09 21:22 368640 c:\windows\system32\WsmRes.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 139776 c:\windows\system32\WsmAuto.dll
+ 2009-10-09 19:56 . 2009-10-09 19:56 225280 c:\windows\system32\wsmanhttpconfig.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 233984 c:\windows\system32\winrscmd.dll
+ 2009-08-01 04:27 . 2009-08-01 04:27 201184 c:\windows\system32\winrm.vbs
+ 2009-10-09 21:23 . 2009-10-09 21:23 148480 c:\windows\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
+ 2009-10-09 19:57 . 2009-10-09 19:57 204800 c:\windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
+ 2009-10-09 19:56 . 2009-10-09 19:56 448000 c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
+ 2009-10-09 19:57 . 2009-10-09 19:57 112640 c:\windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
+ 2009-07-16 15:22 . 2009-07-16 15:22 126976 c:\windows\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
+ 2009-10-09 21:23 . 2009-10-09 21:23 178176 c:\windows\system32\wevtfwd.dll
+ 2008-07-30 00:59 . 2009-10-08 19:57 611328 c:\windows\system32\uiautomationcore.dll
+ 2003-07-16 20:40 . 2009-10-08 19:57 220160 c:\windows\system32\oleacc.dll
+ 2005-10-29 04:49 . 2005-10-29 04:49 151552 c:\windows\system32\ifxcardm.dll
+ 2003-07-16 20:40 . 2009-10-08 19:57 220160 c:\windows\system32\dllcache\oleacc.dll
- 2010-01-25 04:53 . 2009-11-21 15:51 471552 c:\windows\system32\dllcache\aclayers.dll
+ 2010-01-25 04:53 . 2011-03-11 14:10 471552 c:\windows\system32\dllcache\aclayers.dll
+ 2005-10-29 04:49 . 2005-10-29 04:49 133120 c:\windows\system32\axaltocm.dll
+ 2011-08-28 18:05 . 2010-02-22 14:23 382840 c:\windows\ie8updates\KB2447568-IE8\spuninst\updspapi.dll
+ 2011-08-28 18:05 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2447568-IE8\spuninst\spuninst.exe
+ 2011-08-28 18:07 . 2011-08-28 18:07 250368 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\d3cf9f41850526e59d8fa5fd23dd04ca\System.Management.Automation.resources.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 508928 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\f6cf16436722ee50cc59d649ccb1eaa4\Microsoft.WSMan.Management.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 291328 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\dff853661ba7069c76ac4cb6c46848cb\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
+ 2011-08-28 18:05 . 2011-08-28 18:05 737792 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\ab200fa61ac31a20e0f6732ccd730a2c\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 729600 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8d5894ec85509cf78703ea1bee1fc80c\Microsoft.PowerShell.GraphicalHost.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 156160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6d8c4d87787f216de0dad380b900e1aa\Microsoft.PowerShell.Security.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 515584 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3afddd7d0aa6f1dd5a33388b9dc07f5a\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 253952 c:\windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 274432 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 278528 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 651264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 991232 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 200704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 618496 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 262144 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 102400 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
- 2003-07-16 20:23 . 2009-11-21 15:51 471552 c:\windows\AppPatch\aclayers.dll
+ 2003-07-16 20:23 . 2011-03-11 14:10 471552 c:\windows\AppPatch\aclayers.dll
+ 2011-08-28 18:04 . 2009-06-17 23:59 379184 c:\windows\$968930Uinstall_KB968930$\spuninst\updspapi.dll
+ 2011-08-28 18:04 . 2009-06-17 23:59 221488 c:\windows\$968930Uinstall_KB968930$\spuninst\spuninst.exe
+ 2009-10-09 21:23 . 2009-10-09 21:23 1107456 c:\windows\system32\WsmSvc.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 8365056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\e6e037f89fa00f6bef019911d8a61e7c\System.Management.Automation.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 1609728 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\fe9fe5f005c3388b746775e37bdd570e\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2011-08-28 18:07 . 2011-08-28 18:07 1704448 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\c4a3531d82739a8d87ff114dd8c414db\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2011-08-28 18:06 . 2011-08-28 18:06 3722752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7f20fe401b30d585776df19e2ea04695\Microsoft.PowerShell.Editor.ni.dll
+ 2011-08-28 18:04 . 2011-08-28 18:04 2682880 c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-23 4603264]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"KTbWorks"="c:\program files\Kensington TrackballWorks\KTbWorks.exe" [2010-07-01 3269200]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0ANAAyADMAMwA4ADUAMQA0ADQALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA&prod=90&ver=9.0.894" [?]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-10 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-07-23 19:37 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/24/2011 8:45 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/24/2011 8:45 PM 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/28/2011 12:44 PM 328536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/24/2011 8:45 PM 19544]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstOr.sys [2/13/2011 10:07 PM 51280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2011 7:03 PM 366640]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2/8/2011 2:58 PM 4807536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/24/2011 7:02 PM 22712]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/22/2010 11:02 AM 560792]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 uvnc_service;uvnc_service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\winvnc.exe [6/22/2010 11:02 AM 1590216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [7/16/2003 3:47 PM 14336]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - UFLCIPOC
*Deregistered* - uflcipoc
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-08-28 21:40]
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-09-04 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-24 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b5d1405&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50202
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-03 20:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2672)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-09-03 20:48:53
ComboFix-quarantined-files.txt 2011-09-04 01:48
ComboFix2.txt 2011-08-28 17:30
ComboFix3.txt 2011-08-24 03:14
.
Pre-Run: 26,451,021,824 bytes free
Post-Run: 26,438,434,816 bytes free
.
- - End Of File - - 186FBA45ABB2C27DAEB057A274D83034

#4 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 03 September 2011 - 09:38 PM

Hi,

Please do the following:

Note:

Please allow ComboFix to update if it asks to do so

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\$968930Uinstall_KB968930$

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\
FF - prefs.js: network.proxy.http_port - 50202

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT

Please open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activeX control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
When the scan completes, press the LIST OF THREATS FOUND button
Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
Include the contents of this report in your next reply.
Press the BACK button.
Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#5 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 04 September 2011 - 09:15 PM

Here is the MBAM log. Going to run ESET now. Thanks again for your help!!!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7654

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/4/2011 9:14:17 PM
mbam-log-2011-09-04 (21-14-17).txt

Scan type: Quick scan
Objects scanned: 178849
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 04 September 2011 - 09:42 PM

Unfortunately I accidentally failed to save my log at the end of the Eset scan. Tried to run it again and am getting the following error. The forum won't allow me to upload a CLP file.

Here is the message:

Can not get update. Is proxy configured?

Progress stopped at 50%

Note: Eset online scanner has already been run on this computer in the past. Only files necessary to update to the current version will be downloaded. Please advise.

Thanks.

#7 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 05 September 2011 - 07:11 AM

were there any threats found?

You can uninstall the ESET files through add/remove programs

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#8 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 05 September 2011 - 08:42 PM

No threats were found. I just un-installed and ran again with the same result. Nothing to export as a log to post.

I am still experiencing the same problems. Just restarted FF and had to change my proxy settings and woke up this morning to Spybot finding AVSecurity suite.

#9 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 06 September 2011 - 08:12 PM

Please rerun ComboFix

allow it to update if it requests to do so

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#10 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 06 September 2011 - 10:42 PM

combofix log.

ComboFix 11-09-06.03 - Owner 09/06/2011 22:06:18.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1331 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-07 to 2011-09-07 )))))))))))))))))))))))))))))))
.
.
2011-09-06 21:41 . 2011-08-12 00:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D66CABC5-8073-4732-B90E-8A883D0D9CD7}\mpengine.dll
2011-09-06 17:51 . 2011-09-06 17:51 -------- d-----w- c:\windows\LastGood
2011-09-04 03:19 . 2011-09-04 03:19 -------- d-----w- c:\program files\ESET
2011-09-02 02:14 . 2011-09-02 02:14 -------- d-----w- c:\program files\CCleaner
2011-08-28 18:33 . 2011-08-28 18:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2011-08-28 18:05 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\winrm
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\GroupPolicy
2011-08-28 17:45 . 2011-08-28 17:45 -------- d-----w- c:\documents and settings\Owner\Application Data\RegistryKeys
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\program files\IObit
2011-08-28 08:10 . 2011-08-28 08:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-28 08:07 . 2011-08-28 09:35 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-26 02:42 . 2011-08-12 00:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-25 01:45 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-25 01:45 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-25 01:45 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-25 01:45 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-25 01:45 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-25 01:45 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-25 01:45 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-25 01:45 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-25 01:45 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-25 01:45 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\program files\AVAST Software
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-25 01:36 . 2011-08-25 01:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2011-08-24 12:03 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-24 12:03 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-24 04:23 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-24 04:20 . 2011-08-24 04:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-13 02:37 . 2011-08-13 02:37 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 22:15 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:15 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 02:27 . 2011-08-10 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 01:15 . 2011-07-31 18:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-27 01:34 . 2003-07-16 20:30 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-07-27 01:17 . 2011-07-27 01:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 13:29 . 2003-07-16 20:34 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-07-16 20:37 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-07-25 00:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-07-25 00:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2010-01-03 20:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-07-16 20:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-02 02:26 . 2011-05-10 03:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-09-04_01.44.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-05 21:35 . 2011-09-05 21:35 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-23 4603264]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"KTbWorks"="c:\program files\Kensington TrackballWorks\KTbWorks.exe" [2010-07-01 3269200]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA&inst=NwA3AC0ANAAyADMAMwA4ADUAMQA0ADQALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA&prod=90&ver=9.0.894" [?]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-10 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-07-23 19:37 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/24/2011 8:45 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/24/2011 8:45 PM 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/28/2011 12:44 PM 328536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/24/2011 8:45 PM 19544]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstOr.sys [2/13/2011 10:07 PM 51280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2011 7:03 PM 366640]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2/8/2011 2:58 PM 4807536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/24/2011 7:02 PM 22712]
S2 CrossLoopService;CrossLoop Service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/22/2010 11:02 AM 560792]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 uvnc_service;uvnc_service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\winvnc.exe [6/22/2010 11:02 AM 1590216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [7/16/2003 3:47 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-05 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-08-28 21:40]
.
2011-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-09-07 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-24 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b5d1405&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50202
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 22:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-09-06 22:20:48
ComboFix-quarantined-files.txt 2011-09-07 03:20
ComboFix2.txt 2011-09-04 03:08
ComboFix3.txt 2011-09-04 01:48
ComboFix4.txt 2011-08-28 17:30
ComboFix5.txt 2011-09-07 03:04
.
Pre-Run: 26,105,188,352 bytes free
Post-Run: 26,093,408,256 bytes free
.
- - End Of File - - 59D12DDFC7E230F95AC88E92139C7DAF

#11 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 07 September 2011 - 04:06 PM

Hi

where is Spybot finding the AV security suite?

Does it show the full path?

Please run the following:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

ComboFix is still showing that you have both Avast and Microsoft Security Essentials installed, did you uninstall one of them?

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#12 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 07 September 2011 - 07:23 PM

Just uninstalled MSE and tried to uninstall Avast, but I am getting the following, saying there was a problem uninstalling Avast. I had it turned off. I am hoping that that wasn't doing anything to the combofix scan. I figured if it was turned off I was OK. Here is the log on the Avast uninstall.

07.09.2011 19:13:19 general: Started: 07.09.2011, 19:13:19
07.09.2011 19:13:19 general: Running setup_ais-4b3 (1203)
07.09.2011 19:13:19 system: Operating system: WindowsXP ver 5.1, build 2600, sp 3.0 [Service Pack 3]
07.09.2011 19:13:19 system: Memory: 45% load. Phys:1145116/2095088K free, Page:1394160/2335488K free, Virt:2067256/2097024K free
07.09.2011 19:13:19 system: Computer WinName: XCOMPUTER
07.09.2011 19:13:19 system: Windows Net User: XCOMPUTER\Owner
07.09.2011 19:13:19 general: Cmdline: /uninstwiz
07.09.2011 19:13:19 general: Old version: 4b3 (1203)
07.09.2011 19:13:19 registry: Deleted registry: Software\AVAST Software\Avast\UpdateReady
07.09.2011 19:13:19 system: Using temp: C:\DOCUME~1\Owner\LOCALS~1\Temp\_asw_aisI.tm~a02524 (24827M free)
07.09.2011 19:13:19 general: SGW32AIS::CheckIfInstalled set m_bAlreadyInstalled to 1
07.09.2011 19:13:19 general: DldSrc set to inet
07.09.2011 19:13:19 internet: SYNCER: Agent=Syncer/5.00 (ais-1203;p)
07.09.2011 19:13:20 system: Computer DnsName: xcomputer
07.09.2011 19:13:20 system: Computer Ip Addr: 192.168.1.102
07.09.2011 19:13:20 system: Installed in: C:\Program Files\AVAST Software\Avast (24827M free)
07.09.2011 19:13:20 internet: SYNCER: Type: use IE settings
07.09.2011 19:13:20 internet: SYNCER: Auth: another authentication, use WinInet
07.09.2011 19:13:20 package: Part prg_ais-4b3 is installed
07.09.2011 19:13:20 package: Part vps_win32-11070401 is installed
07.09.2011 19:13:20 package: Part setup_ais-4b3 is installed
07.09.2011 19:13:20 package: Part jrog-a7 is installed
07.09.2011 19:13:20 package: Part jrog2-264 is installed
07.09.2011 19:13:20 general: LoadState: Edition=1
07.09.2011 19:13:20 general: Old version: 4b3 (1203)
07.09.2011 19:13:20 file: SetExistingFilesBitmap: 942->352->352
07.09.2011 19:13:20 general: GUID: fec88912-f10d-4a8a-93c5-763b1ebf6ec1
07.09.2011 19:13:20 general: Server definition(s) loaded for 'main': 296 (maintenance:0)
07.09.2011 19:13:20 general: SelectCurrent: selected server 'Download692 AVAST5 Server' from 'main'
07.09.2011 19:13:20 internet: SYNCER: Type: use IE settings
07.09.2011 19:13:20 internet: SYNCER: Auth: another authentication, use WinInet
07.09.2011 19:13:46 general: Operation set to INST_OP_UNINSTALL
07.09.2011 19:13:46 general: Entered SetupProcessAIS::Do( INST_OP_UNINSTALL )
07.09.2011 19:13:46 general: Entered SetupProcessWin32Avast::Do( INST_OP_UNINSTALL )
07.09.2011 19:14:55 package: Transferred: files 0, bytes 0, time 0 ms
07.09.2011 19:14:55 package: Retries: total 0, files 0, servers 1
07.09.2011 19:15:00 internet: Sending stats 'http://download692.avast.com/cgi-bin/iavs4stats.cgi': 20000004 0
07.09.2011 19:15:00 file: NeedReboot=false
07.09.2011 19:15:00 general: Return code: 0x000004C7 [The operation was canceled by the user.]
07.09.2011 19:15:00 general: Stopped: 07.09.2011, 19:15:00

---------------------------------------------------

Here is the latest Spybot log.

--- Search result list ---
Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...

Fraud.AVSecuritySuite: [SBI $5587D6DE] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer=...http=127.0.0.1:5643...

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-01-24 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-06-28 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-05-16 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-04-05 Includes\Malware.sbi (*)
2011-08-16 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-05-24 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-06-14 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-06-20 Includes\Trojans.sbi (*)
2011-08-01 Includes\TrojansC-02.sbi (*)
2011-08-09 Includes\TrojansC-03.sbi (*)
2011-08-15 Includes\TrojansC-04.sbi (*)
2011-08-16 Includes\TrojansC-05.sbi (*)
2011-08-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ KB968930 / SP10: Windows Management Framework Core
/ Windows Media Player: Security Update for Windows Media Player (KB2378111)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player: Security Update for Windows Media Player (KB954155)
/ Windows Media Player: Security Update for Windows Media Player (KB968816)
/ Windows Media Player: Security Update for Windows Media Player (KB973540)
/ Windows Media Player: Security Update for Windows Media Player (KB975558)
/ Windows Media Player: Security Update for Windows Media Player (KB978695)
/ Windows Media Player: Security Update for Windows Media Player (KB979402)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB2447568)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB2510531)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB2530548)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB2544521)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB2559049)
/ Windows XP / SP10: Update for Microsoft Windows (KB971513)
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB2079403)
/ Windows XP / SP4: Security Update for Windows XP (KB2115168)
/ Windows XP / SP4: Security Update for Windows XP (KB2229593)
/ Windows XP / SP4: Security Update for Windows XP (KB2296011)
/ Windows XP / SP4: Update for Windows XP (KB2345886)
/ Windows XP / SP4: Security Update for Windows XP (KB2347290)
/ Windows XP / SP4: Security Update for Windows XP (KB2360937)
/ Windows XP / SP4: Security Update for Windows XP (KB2387149)
/ Windows XP / SP4: Security Update for Windows XP (KB2393802)
/ Windows XP / SP4: Security Update for Windows XP (KB2412687)
/ Windows XP / SP4: Security Update for Windows XP (KB2419632)
/ Windows XP / SP4: Security Update for Windows XP (KB2423089)
/ Windows XP / SP4: Security Update for Windows XP (KB2440591)
/ Windows XP / SP4: Security Update for Windows XP (KB2443105)
/ Windows XP / SP4: Hotfix for Windows XP (KB2443685)
/ Windows XP / SP4: Security Update for Windows XP (KB2476490)
/ Windows XP / SP4: Security Update for Windows XP (KB2478960)
/ Windows XP / SP4: Security Update for Windows XP (KB2478971)
/ Windows XP / SP4: Security Update for Windows XP (KB2479943)
/ Windows XP / SP4: Security Update for Windows XP (KB2481109)
/ Windows XP / SP4: Security Update for Windows XP (KB2483185)
/ Windows XP / SP4: Security Update for Windows XP (KB2485663)
/ Windows XP / SP4: Update for Windows XP (KB2492386)
/ Windows XP / SP4: Security Update for Windows XP (KB2503665)
/ Windows XP / SP4: Security Update for Windows XP (KB2506212)
/ Windows XP / SP4: Security Update for Windows XP (KB2507618)
/ Windows XP / SP4: Security Update for Windows XP (KB2507938)
/ Windows XP / SP4: Security Update for Windows XP (KB2508272)
/ Windows XP / SP4: Security Update for Windows XP (KB2508429)
/ Windows XP / SP4: Security Update for Windows XP (KB2509553)
/ Windows XP / SP4: Security Update for Windows XP (KB2524375)
/ Windows XP / SP4: Security Update for Windows XP (KB2535512)
/ Windows XP / SP4: Security Update for Windows XP (KB2536276)
/ Windows XP / SP4: Security Update for Windows XP (KB2536276-v2)
/ Windows XP / SP4: Update for Windows XP (KB2541763)
/ Windows XP / SP4: Security Update for Windows XP (KB2544893)
/ Windows XP / SP4: Security Update for Windows XP (KB2555917)
/ Windows XP / SP4: Security Update for Windows XP (KB2562937)
/ Windows XP / SP4: Security Update for Windows XP (KB2566454)
/ Windows XP / SP4: Security Update for Windows XP (KB2567680)
/ Windows XP / SP4: Security Update for Windows XP (KB2570222)
/ Windows XP / SP4: Hotfix for Windows XP (KB2570791)
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955759)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956744)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956844)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958869)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Security Update for Windows XP (KB960859)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Update for Windows XP (KB968389)
/ Windows XP / SP4: Security Update for Windows XP (KB969059)
/ Windows XP / SP4: Security Update for Windows XP (KB969947)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP / SP4: Security Update for Windows XP (KB970430)
/ Windows XP / SP4: Update for Windows XP (KB971029)
/ Windows XP / SP4: Security Update for Windows XP (KB971468)
/ Windows XP / SP4: Security Update for Windows XP (KB971486)
/ Windows XP / SP4: Security Update for Windows XP (KB971557)
/ Windows XP / SP4: Security Update for Windows XP (KB971633)
/ Windows XP / SP4: Security Update for Windows XP (KB971657)
/ Windows XP / SP4: Update for Windows XP (KB971737)
/ Windows XP / SP4: Security Update for Windows XP (KB971961)
/ Windows XP / SP4: Security Update for Windows XP (KB972270)
/ Windows XP / SP4: Security Update for Windows XP (KB973354)
/ Windows XP / SP4: Security Update for Windows XP (KB973507)
/ Windows XP / SP4: Security Update for Windows XP (KB973525)
/ Windows XP / SP4: Update for Windows XP (KB973687)
/ Windows XP / SP4: Update for Windows XP (KB973815)
/ Windows XP / SP4: Security Update for Windows XP (KB973869)
/ Windows XP / SP4: Security Update for Windows XP (KB973904)
/ Windows XP / SP4: Security Update for Windows XP (KB974112)
/ Windows XP / SP4: Security Update for Windows XP (KB974318)
/ Windows XP / SP4: Security Update for Windows XP (KB974392)
/ Windows XP / SP4: Security Update for Windows XP (KB974571)
/ Windows XP / SP4: Security Update for Windows XP (KB975025)
/ Windows XP / SP4: Security Update for Windows XP (KB975467)
/ Windows XP / SP4: Security Update for Windows XP (KB975560)
/ Windows XP / SP4: Security Update for Windows XP (KB975561)
/ Windows XP / SP4: Security Update for Windows XP (KB975562)
/ Windows XP / SP4: Security Update for Windows XP (KB975713)
/ Windows XP / SP4: Hotfix for Windows XP (KB976098-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB977165)
/ Windows XP / SP4: Security Update for Windows XP (KB977816)
/ Windows XP / SP4: Security Update for Windows XP (KB977914)
/ Windows XP / SP4: Security Update for Windows XP (KB978037)
/ Windows XP / SP4: Update for Windows XP (KB978207)
/ Windows XP / SP4: Security Update for Windows XP (KB978251)
/ Windows XP / SP4: Security Update for Windows XP (KB978262)
/ Windows XP / SP4: Security Update for Windows XP (KB978338)
/ Windows XP / SP4: Security Update for Windows XP (KB978542)
/ Windows XP / SP4: Security Update for Windows XP (KB978601)
/ Windows XP / SP4: Security Update for Windows XP (KB978706)
/ Windows XP / SP4: Hotfix for Windows XP (KB979306)
/ Windows XP / SP4: Security Update for Windows XP (KB979309)
/ Windows XP / SP4: Security Update for Windows XP (KB979482)
/ Windows XP / SP4: Security Update for Windows XP (KB979559)
/ Windows XP / SP4: Security Update for Windows XP (KB979683)
/ Windows XP / SP4: Security Update for Windows XP (KB979687)
/ Windows XP / SP4: Update for Windows XP (KB980182)
/ Windows XP / SP4: Security Update for Windows XP (KB980195)
/ Windows XP / SP4: Security Update for Windows XP (KB980218)
/ Windows XP / SP4: Security Update for Windows XP (KB980232)
/ Windows XP / SP4: Security Update for Windows XP (KB980436)
/ Windows XP / SP4: Security Update for Windows XP (KB981322)
/ Windows XP / SP4: Security Update for Windows XP (KB981349)
/ Windows XP / SP4: Hotfix for Windows XP (KB981793)
/ Windows XP / SP4: Security Update for Windows XP (KB981997)
/ Windows XP / SP4: Security Update for Windows XP (KB982132)
/ Windows XP / SP4: Security Update for Windows XP (KB982381)
/ Windows XP / SP4: Security Update for Windows XP (KB982665)

--- Startup entries list ---
Located: HK_LM:Run, avast
command: "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
file: C:\Program Files\AVAST Software\Avast\avastUI.exe
size: 3493720
MD5: E7CF222185411C6A3E68273C452B3283

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
file: C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: EE2AC08BE7024A781DF6F40870ED748D

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
file: C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: 095B56D71D4C6AF017712B0E59C66166

Located: HK_LM:Run, KTbWorks
command: "C:\Program Files\Kensington TrackballWorks\KTbWorks.exe"
file: C:\Program Files\Kensington TrackballWorks\KTbWorks.exe
size: 3269200
MD5: FAED5FE19F9B9B534F24F3FE59948674

Located: HK_LM:Run, LogMeIn Hamachi Ui
command: "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
file: C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
size: 1955208
MD5: A5E712D753289A5BC0B8393BADD3A526

Located: HK_LM:Run, Malwarebytes' Anti-Malware
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
file: C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
size: 449584
MD5: 33BFCE71F407F24E5DFDB7DD46CE2D6D

Located: HK_LM:Run, Malwarebytes Anti-Malware (reboot)
command: "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
file: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
size: 1047656
MD5: E5CA22F495988A55E58C527F25FB21EE

Located: HK_LM:Run, SoundMAXPnP
command: C:\Program Files\Analog Devices\Core\smax4pnp.exe
file: C:\Program Files\Analog Devices\Core\smax4pnp.exe
size: 1404928
MD5: 10247C15D999CC116C87DA36BD0AD64D

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
file: C:\Program Files\Common Files\Java\Java Update\jusched.exe
size: 246504
MD5: E0D6538B62C79FCBF0B27F95FAF3208B

Located: HK_LM:RunOnce, AvgUninstallURL
command: cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAFYARgBSAEUARQAtAFYAMABLAE0AQwAtAEUAOQBWAFUAVwAtAEUAVwAwAFYAQQAtAFUAVQAzAFgATAAtAEYARQBXADkANwA"&"inst=NwA3AC0ANAAyADMAMwA4ADUAMQA0ADQALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AC0ARgA5AE0AMQAwAEIAKwAxAC0AWABPADkAKwAxAC0ARgA5AE0AMgArADEALQBEAEQAVAArADAA"&"prod=90"&"ver=9.0.894
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Advanced SystemCare 4
where: S-1-5-21-1177238915-879983540-839522115-1003...
command: "C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe"
file: C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
size: 417112
MD5: 01199AE166E4621C51D9963FA82C86B6

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1177238915-879983540-839522115-1003...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:Run, SUPERAntiSpyware
where: S-1-5-21-1177238915-879983540-839522115-1003...
command: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
file: C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 4603264
MD5: 6DB4CC46B84D49F675D89BFB0A8CAFC3

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1177238915-879983540-839522115-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:RunOnce, avg_spchecker
where: S-1-5-21-1177238915-879983540-839522115-501...
command: "C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe" /start
file: C:\Program Files\AVG\AVG9\Notification\SPChecker1.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), McAfee Security Scan Plus.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
file: C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
size: 255536
MD5: 89F7C30A91E5581BDF14C62AB46A2B2D

Located: WinLogon, !SASWinLogon
command: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
file: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
size: 548352
MD5: 482E8F6FD557D5A0DF7363F72DF145FE

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, PCANotify
command: PCANotify.dll
file: PCANotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 12/21/2009 7:27:44 PM
Date (last access): 9/7/2011 3:03:46 AM
Date (last write): 12/21/2009 7:27:44 PM
Filesize: 75200
Attributes: archive
MD5: DC1E56092CC57FB4605B088D3DCCBF7A
CRC32: FF82C62B
Version: 9.3.0.148

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDHelper.dll
info link: http://www.safer-networking.org/
info source: Safer-Networking Ltd.
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 1/24/2010 2:50:30 PM
Date (last access): 9/7/2011 7:10:04 PM
Date (last write): 1/26/2009 4:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} (avast! WebRep)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: avast! WebRep
Path: C:\Program Files\AVAST Software\Avast\
Long name: aswWebRepIE.dll
Short name: ASWWEB~1.DLL
Date (created): 8/24/2011 8:45:14 PM
Date (last access): 9/7/2011 7:10:30 PM
Date (last write): 7/4/2011 6:43:50 AM
Filesize: 820864
Attributes: archive
MD5: 75D85BD73B985DD443EA640C0A907B4F
CRC32: 97A8D77C
Version: 6.0.1203.0

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java™ Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java™ Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 2/21/2010 9:23:14 PM
Date (last access): 9/7/2011 3:18:30 AM
Date (last write): 2/21/2010 9:23:14 PM
Filesize: 41760
Attributes: archive
MD5: 883EF2DD3C9F68691CE02DAAC7267D41
CRC32: C0FCD56C
Version: 6.0.180.7

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 2/21/2010 9:23:14 PM
Date (last access): 9/7/2011 3:10:06 AM
Date (last write): 2/21/2010 9:23:14 PM
Filesize: 79648
Attributes: archive
MD5: FD60844F7DC0CF7C7AFA70B7EC6D0A7E
CRC32: 386E7BEE
Version: 6.0.180.7

--- ActiveX list ---
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264387306265
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 8/6/2009 8:23:28 PM
Date (last access): 9/7/2011 4:15:20 AM
Date (last write): 8/6/2009 8:23:28 PM
Filesize: 209624
Attributes: archive
MD5: 3822C7B5AF1898991629C287C5868893
CRC32: DB749760
Version: 7.4.7600.226

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_18
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_18.dll
Short name: NPJPI1~1.DLL
Date (created): 2/21/2010 9:23:14 PM
Date (last access): 9/5/2011 8:11:34 PM
Date (last write): 2/21/2010 9:23:14 PM
Filesize: 136992
Attributes: archive
MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
CRC32: 23BC9EDD
Version: 6.0.180.7

{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_18
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_18.dll
Short name: NPJPI1~1.DLL
Date (created): 2/21/2010 9:23:14 PM
Date (last access): 9/7/2011 7:20:22 PM
Date (last write): 2/21/2010 9:23:14 PM
Filesize: 136992
Attributes: archive
MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
CRC32: 23BC9EDD
Version: 6.0.180.7

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_18
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_18.dll
Short name: NPJPI1~1.DLL
Date (created): 2/21/2010 9:23:14 PM
Date (last access): 9/7/2011 7:20:22 PM
Date (last write): 2/21/2010 9:23:14 PM
Filesize: 136992
Attributes: archive
MD5: FD681B5B1CEC8B3181E63A3CC9A8C5EF
CRC32: 23BC9EDD
Version: 6.0.180.7

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer:
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash6.ocx
Short name:
Date (created): 7/27/2006 1:02:42 PM
Date (last access): 9/5/2011 8:34:18 PM
Date (last write): 7/27/2006 1:02:42 PM
Filesize: 857720
Attributes: readonly archive
MD5: B729BA1592ACACB47F2B06DD3D5753FA
CRC32: 9E50C885
Version: 6.0.88.0

--- Process list ---
PID: 0 ( 0) [System]
PID: 716 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 780 ( 716) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 804 ( 716) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 848 ( 804) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 860 ( 804) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1020 ( 848) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1096 ( 848) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1484 ( 848) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1580 ( 848) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1848 ( 848) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
size: 42184
MD5: D16C826F375A44802BF317982E81A7E2
PID: 1380 ( 848) C:\WINDOWS\system32\spoolsv.exe
size: 58880
MD5: 60784F891563FB1B767F70117FC2428F
PID: 1596 ( 848) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
size: 116608
MD5: C0393EB99A6C72C6BEF9BFC4A72B33A6
PID: 1616 ( 848) C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
size: 328536
MD5: 9EABD21316CCF59E508BD4662AD02843
PID: 1868 ( 848) C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
size: 1361288
MD5: D1C12332326D7F4AB5CB57C660FEED0B
PID: 448 ( 848) C:\Program Files\Java\jre6\bin\jqs.exe
size: 153376
MD5: 77AC10DB097DFD0CD3071465B644D0AB
PID: 760 ( 848) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
size: 366640
MD5: 37036C07983EF1024B2FF3C28AAE5700
PID: 1896 ( 848) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
size: 4807536
MD5: 304CE920C3145BB8EA06AA25E903368A
PID: 2176 ( 848) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 2916 (1484) C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
size: 763224
MD5: 3F7D23CC704BF22E24A1EFFA82F73D3C
PID: 3164 ( 848) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 3568 (2928) C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: EE2AC08BE7024A781DF6F40870ED748D
PID: 3576 (2928) C:\Program Files\Analog Devices\Core\smax4pnp.exe
size: 1404928
MD5: 10247C15D999CC116C87DA36BD0AD64D
PID: 3608 (2928) C:\Program Files\Common Files\Java\Java Update\jusched.exe
size: 246504
MD5: E0D6538B62C79FCBF0B27F95FAF3208B
PID: 3624 (2928) C:\Program Files\Kensington TrackballWorks\KTbWorks.exe
size: 3269200
MD5: FAED5FE19F9B9B534F24F3FE59948674
PID: 3640 (2928) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
size: 449584
MD5: 33BFCE71F407F24E5DFDB7DD46CE2D6D
PID: 3656 (2928) C:\Program Files\AVAST Software\Avast\avastUI.exe
size: 3493720
MD5: E7CF222185411C6A3E68273C452B3283
PID: 3944 (2928) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
size: 4603264
MD5: 6DB4CC46B84D49F675D89BFB0A8CAFC3
PID: 3952 (1896) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
size: 1158512
MD5: 9D8F3FE84EB295AC549799BD312731CA
PID: 4020 (2928) C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
size: 417112
MD5: 01199AE166E4621C51D9963FA82C86B6
PID: 1352 (1896) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
size: 4807536
MD5: 304CE920C3145BB8EA06AA25E903368A
PID: 1400 (2928) C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
size: 255536
MD5: 89F7C30A91E5581BDF14C62AB46A2B2D
PID: 2592 (3608) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
size: 490216
MD5: E9638B0CBB5DAE86F6E9DA843C19399D
PID: 3184 (1484) C:\WINDOWS\system32\wscntfy.exe
size: 13824
MD5: F92E1076C42FCD6DB3D72D8CFE9816D5
PID: 2340 (1484) C:\WINDOWS\system32\wuauclt.exe
size: 53472
MD5: 62BB79160F86CD962F312C68C6239BFD
PID: 2020 ( 804) C:\WINDOWS\explorer.exe
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1436 (2544) C:\Program Files\Mozilla Firefox\firefox.exe
size: 924632
MD5: 63346640E170B63970C093F720065DAB
PID: 1544 (1436) C:\Program Files\Mozilla Firefox\plugin-container.exe
size: 16856
MD5: 7653CD0E8F2C0052185673B574DB699E
PID: 2212 (1484) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 3312 (2020) C:\Program Files\Symantec\pcAnywhere\Winaw32.exe
size: 774144
MD5: EC458C195540402018805285565C8676
PID: 3068 ( 848) C:\WINDOWS\system32\msiexec.exe
size: 78848
MD5: 5879D691E842574A20FE63817CB76DF9
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 9/7/2011 7:20:21 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4919C683-A6D4-4085-A100-D82EDE9ABB4F}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4919C683-A6D4-4085-A100-D82EDE9ABB4F}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8B95D2EB-5F08-4D5B-A183-23BFD6427BE0}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8B95D2EB-5F08-4D5B-A183-23BFD6427BE0}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2350D5BA-334C-4890-BCFB-0C003A8C0F4C}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2350D5BA-334C-4890-BCFB-0C003A8C0F4C}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{30B206A2-1974-4FEC-9B47-493EAAA12776}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{30B206A2-1974-4FEC-9B47-493EAAA12776}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Going to run Goredfix right now as directed.

Back in a few. Thanks for your continued help!

#13 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 07 September 2011 - 07:26 PM

Here is the Goredfix log:

GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:24 on 07/09/2011 (Owner)
Firefox version 6.0.2 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:46 24/01/2010]
{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [02:23 22/02/2010]

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\extensions\
foxmarks@kei.com [19:06 18/06/2011]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [01:44 18/08/2011]
{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} [03:24 13/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [02:23 22/02/2010]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:03 31/07/2011]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [01:45 25/08/2011]

-=E.O.F=-

#14 CatByte

Bleepin' curls!

Group: Malware Response Team
Posts: 7,857
Joined: 09-November 08
Gender:Not Telling
Location:Canada

Posted 07 September 2011 - 07:58 PM

Hi

something was interfering with fixing that proxy hijack.

Make certain that tea timer is totally disabled when you run the fix with ComboFix or it will stop the fix from adjusting the registry change that it needs to make.

I will use the script to uninstall the remnants of both AntiVirus Programs, when the script is complete, choose ONE AV and install it.

(Personally I use Microsoft Security Essentials)

Please do the following

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

SecCenter::
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\
FF - prefs.js: network.proxy.http_port - 50202

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix may request an update; please allow it.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

The help you receive here is free. If you wish to show your appreciation, then you may
Microsoft MVP - 2010, 2011

#15 pesky_human

Member

Group: Members
Posts: 21
Joined: 01-September 11

Posted 07 September 2011 - 08:55 PM

All directions followed. Here you go.

ComboFix 11-09-07.04 - Owner 09/07/2011 20:35:20.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1528 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-08 to 2011-09-08 )))))))))))))))))))))))))))))))
.
.
2011-09-04 03:19 . 2011-09-04 03:19 -------- d-----w- c:\program files\ESET
2011-09-02 02:14 . 2011-09-02 02:14 -------- d-----w- c:\program files\CCleaner
2011-08-28 18:33 . 2011-08-28 18:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2011-08-28 18:05 . 2010-10-18 11:10 7680 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\winrm
2011-08-28 18:04 . 2011-08-28 18:04 -------- d-----w- c:\windows\system32\GroupPolicy
2011-08-28 17:45 . 2011-08-28 17:45 -------- d-----w- c:\documents and settings\Owner\Application Data\RegistryKeys
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit
2011-08-28 17:44 . 2011-08-28 17:44 -------- d-----w- c:\program files\IObit
2011-08-28 08:10 . 2011-08-28 08:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-08-28 08:07 . 2011-08-28 09:35 -------- d-----w- c:\windows\SxsCaPendDel
2011-08-25 01:45 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-08-25 01:45 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-08-25 01:45 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-25 01:45 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-08-25 01:45 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-08-25 01:45 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-08-25 01:45 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-08-25 01:45 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-25 01:45 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-08-25 01:45 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\program files\AVAST Software
2011-08-25 01:44 . 2011-08-25 01:44 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-08-25 01:36 . 2011-08-25 01:36 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WinZip
2011-08-24 12:03 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-08-24 12:03 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-08-24 04:23 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-13 02:37 . 2011-08-13 02:37 -------- d-----w- c:\program files\LogMeIn Hamachi
2011-08-10 22:15 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:15 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-10 02:27 . 2011-08-10 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\!SASCORE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-16 01:15 . 2011-07-31 18:39 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-27 01:34 . 2003-07-16 20:30 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-07-27 01:17 . 2011-07-27 01:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-15 13:29 . 2003-07-16 20:34 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2003-07-16 20:37 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-07-25 00:03 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52 . 2011-07-25 00:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2010-01-03 20:42 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2003-07-16 20:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2003-07-16 20:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2003-07-16 20:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-07 03:40 . 2011-05-10 03:33 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-09-04_01.44.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-08 01:46 . 2011-09-08 01:46 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-23 4603264]
"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-08-09 417112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-07 1047656]
"KTbWorks"="c:\program files\Kensington TrackballWorks\KTbWorks.exe" [2010-07-01 3269200]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-10 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2004-11-01 16:50 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2010-07-23 19:37 648536 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\CrossLoop\\vncviewer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5910:TCP"= 5910:TCP:vnc5910
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/24/2011 8:45 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/24/2011 8:45 PM 309848]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [8/28/2011 12:44 PM 328536]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/24/2011 8:45 PM 19544]
R2 CrossLoopService;CrossLoop Service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\CrossLoopService.exe [6/22/2010 11:02 AM 560792]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 HMuKstOr;Kensington TrackballWorks Orbit USB HID Device Filter Driver;c:\windows\system32\drivers\HMuKstOr.sys [2/13/2011 10:07 PM 51280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/24/2011 7:03 PM 366640]
R2 TabletServiceWacom;TabletServiceWacom;c:\program files\Tablet\Wacom\Wacom_Tablet.exe [2/8/2011 2:58 PM 4807536]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/24/2011 7:02 PM 22712]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 uvnc_service;uvnc_service;c:\documents and settings\Owner\Local Settings\Application Data\CrossLoop\winvnc.exe [6/22/2010 11:02 AM 1590216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [7/16/2003 3:47 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-08 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-08-28 21:40]
.
2011-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-879983540-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-28 01:52]
.
2011-09-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-01-24 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 24.116.2.50 24.116.2.34
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\yunx4pt4.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b5d1405&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-07 20:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Tablet\Wacom\Wacom_TabletUser.exe
.
**************************************************************************
.
Completion time: 2011-09-07 20:52:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-08 01:52
ComboFix2.txt 2011-09-07 03:20
ComboFix3.txt 2011-09-04 03:08
ComboFix4.txt 2011-09-04 01:48
ComboFix5.txt 2011-09-08 01:33
.
Pre-Run: 26,284,797,952 bytes free
Post-Run: 26,270,916,608 bytes free
.
- - End Of File - - 8B486CF97747E4F679E06349F73E1997