
W32/purityscan.a.gen!eldorado


  • This topic is locked
19 replies to this topic

#1 SMShadowman

Posted 21 July 2008 - 11:50 PM

Hello all:

I've just registered here; this looks like a great forum, there's quite a bit of information available here that I couldn't find anywhere else.

Anyway, I'm fixing my mother-in-law's computer. It suddenly got a pretty nasty malware infection with quite a few different threats listed from various scanners. I'm not sure how this happened, my best guess from something I've read here is the comp had an old version of java installed, something from early 2005, and perhaps it was exploited. And then a single malware infection installed about 30 other problems. But anyway, that's not really important at the moment.

The comp has always had F-prot antivirus installed as well as spybot & ccleaner. I disabled system restore and ran all of those scans in safe mode and managed to clean a great deal of things. I also needed to use adaware, CWShredder and Smitfraudfix. I've used processexplorer, autoruns, and rootkitrevealer to try to kill anything suspicious. And also ran the Trend Micro online scanner at one point. Spybot kept reporting Virtumonde, which I've hopefully been able to fix now with the virtumonde tools.

Anyway, one thing that keeps showing in f-prot is:
[Found adware] <W32/PurityScan.A.gen!Eldorado (not disinfectable, generic)> C:\WINDOWS\system32\?dobe\chkntfs.exe->(UPX)
[Failed to quarantine] C:\WINDOWS\system32\?dobe\chkntfs.exe

The question mark in the file name is odd, I found this folder called Аdobe (that's not really an A, I think some other character that looks similar) with that file in it. I had to uncheck the "hide protected OS files" option to see it. But it can't be deleted manually or with any of these tools, it seems.

I also installed and ran SDFix after reading a topic here about it. Still no luck with that one file.

Sorry for the rambling here; just trying to provide enough info. Anyway I'd obviously like to get every piece of malware off of this system, so I'm hoping for some advice/links/programs/whatever. Thanks in advance for your help.

Hopefully someone might also recommend something that will prevent this from happening in the future -- she lives 4 hours away and this was too complicated to talk her through over the phone, so she had to send the comp down here.

Here's the latest Hijack this logfile. I'm not sure if it shows anything wrong anymore, however. I used it previously to successfully get rid of a few BHOs and a suspicious winlogon notify entry. But I am still getting the problem above with the ?dobe file...

Thanks in Advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:46:57, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bev\My Documents\security utils\procexp.exe
C:\programfiles\FirefoxPortable\FirefoxPortable.exe
C:\programfiles\FirefoxPortable\App\firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://search.live.com/results.aspx?q=olea...;src=IE-Address
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon DSL.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132859832331
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150211599328
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5126 bytes

Edited by SMShadowman, 21 July 2008 - 11:50 PM.
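The folder the poster describes, spelled with a lookalike character so that it shows up as ?dobe in F-Prot's output, is the kind of thing a short script finds faster than Explorer does. The following is an added example, not code from the original post or from any of the tools mentioned in this thread. It assumes nothing beyond a directory tree to walk; the two folders it builds for the demo (a clean Adobe beside one spelled with Cyrillic А, U+0410, holding a dummy chkntfs.exe) are constructed here and are not the poster's files.

```python
"""Flag file and folder names that mix scripts or use lookalike (homoglyph) characters.

Added example for this thread, not a tool from the original post. The folder the
poster found was spelled with a Cyrillic capital A (U+0410) in place of the Latin
"A". Windows treats that as a different folder from "Adobe", so a scanner or an
operator typing the Latin name never touches the impostor, and console tools that
cannot render the character in the current code page print it as "?".
"""
from __future__ import annotations

import os
import shutil
import tempfile
import unicodedata


def script_of(ch: str) -> str:
    # unicodedata.name() starts with the script, e.g. "CYRILLIC CAPITAL LETTER A".
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def classify_name(name: str) -> list[str]:
    """Return the reasons a name looks deceptive; an empty list means clean."""
    reasons = []
    scripts = set()
    for ch in name:
        if ch.isascii():
            continue
        cat = unicodedata.category(ch)
        if cat.startswith("L"):
            scripts.add(script_of(ch))
        elif cat in ("Cf", "Cc"):
            # format/control characters: right-to-left override, zero-width joiners
            reasons.append(f"invisible char U+{ord(ch):04X}")
        elif cat == "Zs":
            # non-breaking and other exotic spaces used to pad or hide names
            reasons.append(f"non-ASCII space U+{ord(ch):04X}")
    # Assumption: a non-Latin letter mixed into an otherwise Latin name is the
    # signal; a name written entirely in another script is left alone.
    has_latin = any(ch.isascii() and ch.isalpha() for ch in name)
    if has_latin:
        for s in sorted(scripts):
            if s != "LATIN":
                reasons.append(f"{s} letter mixed into Latin name")
    # NFKC folding exposes compatibility lookalikes such as fullwidth letters.
    folded = unicodedata.normalize("NFKC", name)
    if folded != name and folded.isascii():
        reasons.append(f"compatibility lookalike of '{folded}'")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and map every suspicious file or folder path to its reasons."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = classify_name(entry)
            if reasons:
                hits[os.path.join(dirpath, entry)] = reasons
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean 'Adobe' beside an impostor spelled with U+0410."""
    root = tempfile.mkdtemp()
    try:
        for folder in ("Adobe", "\u0410dobe"):
            d = os.path.join(root, folder)
            os.mkdir(d)
            open(os.path.join(d, "chkntfs.exe"), "w").close()
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Point scan_tree() at C:\WINDOWS\system32 to use it for real; os.walk ignores the hidden and system attributes, so the "hide protected operating system files" setting that hid the folder in Explorer does not get in the way. A name this flags will typically be the one a console-only scanner prints with a "?", since "?" is not a legal character in a Windows file name and is what gets substituted for one the tool cannot render.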



#2 SMShadowman (Topic Starter)

Posted 27 July 2008 - 02:47 AM

Sorry to double-dip here -- I just wanted to post an update.

I was able to delete those files by using a Boot CD. However, after a few restarts, F-Prot is now reporting that Virtumonde.AB.gen has reappeared. This was present in the initial set of scans by F-prot and spybot, and I thought it had been fixed, but now it apparently has returned in the form of 4 randomly-named dll's in WINDOWS/system32.

#3 SifuMike (malware expert, Staff Emeritus)

Posted 02 August 2008 - 05:49 PM

Hello SMShadowman,

Since you have been removing items yourself and I have no idea what you removed or why, it makes diagnosis twice as hard. :thumbsup:

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.
3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE,
Scan Options:
Scan Archives
Scan Mail Bases


then click "OK"
7. Select a target to scan: Click on "My Computer" and the scan will begin.
8. Once the scan is complete it will display if your system has been infected.
Now click on the Save Report As... button:


Under Save as type select Text file write name for the file and save it to your Desktop.
Locate the file at the Desktop, open it, then copy and paste that information in your next post.
9. Post the Kaspersky scan results in your next reply.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll






We need to create a Deckard's System Scanner (DSS) Log.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.

3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
Kaspersky scan log
Malwarebytes' Anti-Malware report
DSS Main.txt
DSS Extra.txt

Edited by SifuMike, 02 August 2008 - 05:53 PM.


#4 SMShadowman (Topic Starter)

Posted 02 August 2008 - 08:44 PM

SifuMike wrote:
    Since you have been removing items yourself and I have no idea what you removed or why, it makes diagnosis twice as hard. :thumbsup:


I understand. My initial hope was to simply remove everything with the tools I used and be done with it, but unfortunately things didn't go as planned. If I had known it would be this much trouble, of course I would have just come here from the start. Thanks a million for your help!

Anyway, here's the Kaspersky log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 2, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 03, 2008 02:59:42
Records in database: 1046803
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 45660
Threat name: 3
Infected objects: 6
Suspicious objects: 1
Duration of the scan: 00:47:49


File name / Threat name / Threats count
C:\Documents and Settings\Bev\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix\SmitfraudFix.zip Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix\SmitfraudFix.zip Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\Documents and Settings\Bev\My Documents\Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

The selected area was scanned.

And mbam:
Malwarebytes' Anti-Malware 1.24
Database version: 1018
Windows 5.1.2600 Service Pack 2

9:29:30 PM 8/2/2008
mbam-log-8-2-2008 (21-29-30).txt

Scan type: Quick Scan
Objects scanned: 39807
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\bam (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\BMcfa1b3d0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMcfa1b3d0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

DSS Main.txt
Deckard's System Scanner v20071014.68
Run by Bev on 2008-08-02 21:31:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bev.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:38 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bev\Local Settings\Temp\jkos-Bev\binaries\ScanningProcess.exe
C:\Documents and Settings\Bev\My Documents\security utils\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bev.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon DSL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132859832331
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150211599328
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6423 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080712-101139-152 O2 - BHO: (no name) - {8C9EC4B7-631F-435D-A57C-C5E6DF90194A} - (no file)
backup-20080712-101139-159 O2 - BHO: (no name) - {7E4C87E4-26D4-4A18-8F17-78D4C1D2E038} - (no file)
backup-20080712-101139-167 O20 - Winlogon Notify: vtUklMee - C:\WINDOWS\
backup-20080712-101139-202 R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
backup-20080712-101139-212 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
backup-20080712-101139-291 O2 - BHO: (no name) - {32D4780C-5031-4266-89EF-19019BBFEC02} - (no file)
backup-20080712-101139-357 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
backup-20080712-101139-387 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
backup-20080712-101139-490 O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
backup-20080712-101139-644 O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
backup-20080712-101139-906 O2 - BHO: (no name) - {DEEED296-EFC0-45EF-AF0E-A488337CA8A0} - (no file)
backup-20080712-101139-992 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
backup-20080721-232906-105 O2 - BHO: (no name) - {8C9EC4B7-631F-435D-A57C-C5E6DF90194A} - (no file)
backup-20080721-232906-207 O20 - Winlogon Notify: vtUklMee - C:\WINDOWS\
backup-20080721-232906-357 O2 - BHO: (no name) - {32D4780C-5031-4266-89EF-19019BBFEC02} - (no file)
backup-20080721-232906-709 O2 - BHO: (no name) - {7E4C87E4-26D4-4A18-8F17-78D4C1D2E038} - (no file)
backup-20080721-232906-741 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080721-232906-811 O23 - Service: HMMVERW - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HMMVERW.exe (file missing)
backup-20080721-232906-919 O2 - BHO: (no name) - {DEEED296-EFC0-45EF-AF0E-A488337CA8A0} - (no file)
backup-20080721-232906-930 O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\bev\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 HMMVERW - c:\docume~1\admini~1\locals~1\temp\hmmverw.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-24 11:00:00 324 --a------ C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 21:11:37 0 d-------- C:\Documents and Settings\Bev\Application Data\Malwarebytes
2008-08-02 21:11:29 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 21:11:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-27 00:21:43 0 d-------- C:\Documents and Settings\Bev\Application Data\FRISK Software
2008-07-27 00:20:52 0 dr-h----- C:\Documents and Settings\Bev\Recent
2008-07-22 23:16:14 0 d-------- C:\WINDOWS\484E1A3C94D942309AE4467EE6B40180.TMP
2008-07-22 23:15:25 0 d-------- C:\Documents and Settings\Bev\Application Data\Mozilla
2008-07-22 00:16:53 0 d--h----- C:\WINDOWS\PIF
2008-07-21 23:18:08 0 d-------- C:\Program Files\Common Files\Java
2008-07-21 22:29:51 0 d-------- C:\WINDOWS\ERUNT
2008-07-21 20:36:31 0 d-------- C:\VundoFix Backups
2008-07-19 02:08:41 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-07-19 00:27:46 0 d-------- C:\Program Files\Panda Security
2008-07-18 23:31:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-07-18 23:31:42 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-12 02:46:55 0 d-------- C:\Program Files\Trend Micro
2008-07-12 02:45:24 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 01:38:11 0 d-------- C:\Program Files\Lavasoft
2008-07-12 01:38:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 01:34:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 01:32:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-11 22:59:52 0 d-------- C:\programfiles


-- Find3M Report ---------------------------------------------------------------

2008-08-02 20:32:51 0 d-------- C:\Program Files\TweakNow RegCleaner Std
2008-07-21 23:18:37 0 d-------- C:\Program Files\Java
2008-07-21 23:18:08 0 d-------- C:\Program Files\Common Files
2008-07-18 23:27:27 3158 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-12 02:53:17 0 d-------- C:\Documents and Settings\Bev\Application Data\?ppPatch
2008-07-12 01:34:00 0 d-------- C:\Documents and Settings\Bev\Application Data\Lavasoft
2008-07-11 22:50:00 654130 --ahs---- C:\WINDOWS\system32\xHilRXbc.ini2
2008-06-26 15:41:11 651574 --ahs---- C:\WINDOWS\system32\tBdgNXyb.ini2
2008-06-26 11:06:03 652521 --ahs---- C:\WINDOWS\system32\yHkmpXbc.ini2
2008-06-26 10:56:04 2541 --a------ C:\WINDOWS\unins000.dat
2008-06-26 10:53:56 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [03/23/2005 02:20 AM C:\WINDOWS\stsystra.exe]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 10:12 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [06/10/2005 12:44 PM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 12:44 PM]
"POINTER"="point32.exe" []
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [05/28/2002 09:16 AM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [05/18/2002 01:04 PM]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 03:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 03:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 03:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/2006 07:58 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [04/21/2008 03:25 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 2:01:04 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1146c890-a2c9-11dc-b589-00123fb3b37f}]
AutoRun\command- E:\Installer.exe




-- End of Deckard's System Scanner: finished at 2008-08-02 21:33:43 ------------

DSS Extra.txt
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1014.07 MiB / 656.4 MiB
Pagefile Memory (total/avail): 2440.89 MiB / 2185.76 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.32 MiB

C: is Fixed (NTFS) - 145.54 GiB total, 133.2 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160023AS - 149.01 GiB - 3 partitions
\PARTITION0 - Unknown - 39.19 MiB
\PARTITION1 (bootable) - Installable File System - 145.54 GiB - C:
\PARTITION2 - Unknown - 3.43 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: F-PROT Antivirus for Windows v6.0 (FRISK Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Bev\\My Documents\\security utils\\jxpiinstall.exe"="C:\\Documents and Settings\\Bev\\My Documents\\security utils\\jxpiinstall.exe:*:Enabled:jxpiinstall"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Bev\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SEITCHEK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Bev
LOGONSERVER=\\SEITCHEK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~1.0_0\bin;C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Bev\LOCALS~1\Temp
TMP=C:\DOCUME~1\Bev\LOCALS~1\Temp
USERDOMAIN=SEITCHEK
USERNAME=Bev
USERPROFILE=C:\Documents and Settings\Bev
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Bev (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\VERIZO~1\HELPSU~1\Uninstall.exe Verizon
--> C:\PROGRA~1\VERIZO~1\Uninstall.exe Verizon
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00C6-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF00D1-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{25EF03D9-F17B-11D6-88EA-000476CD2443}\Setup.exe" -l0x9 UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
AOLIcon --> MsiExec.exe /I{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}
Canon Utilities Easy-PhotoPrint --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities Easy-PhotoPrint Plus --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint Plus\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint Plus\EZUNINST.DLL"
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{03CDDD00-BD57-4326-9480-4C74449AF597}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Corel Photo Album 6 --> MsiExec.exe /X{8A9B8148-DDD7-448F-BD6C-358386D32354}
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Dell Media Experience --> MsiExec.exe /I{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}
Dell Support 3.1 --> MsiExec.exe /X{548EEA8E-8299-497F-8057-811D2D7097DC}
Digital Content Portal --> MsiExec.exe /I{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}
EarthLink setup files --> MsiExec.exe /X{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}
Easy-WebPrint --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
EducateU --> MsiExec.exe /I{A683A2C0-821C-486F-858C-FA634DB5E864}
F-PROT Antivirus for Windows --> MsiExec.exe /I{E58B329B-FB28-4874-90DE-0D7CB2709267}
F-PROT Antivirus Updater Fix --> MsiExec.exe /I{F8A3A6BC-D68F-445B-B1BA-6F03A4352865}
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel® 537EP V9x DF PCI Modem"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2776 PCI\VEN_8086&DEV_2772
Intel® PRO Network Connections Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{83F793B5-8BBF-42FD-A8A6-868CB3E2AAEA}
Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MathPlayer --> C:\Program Files\Design Science\MathPlayer\Setup.exe -u
Microsoft Office Outlook Connector --> MsiExec.exe /I{61CC6D1A-672E-4519-B68F-DF796FB58906}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Express 9 --> C:\WINDOWS\system32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0900}
Microsoft Picture It! Library 9 --> C:\WINDOWS\system32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3220}
Microsoft Plus! Digital Media Edition Installer --> MsiExec.exe /X{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}
Microsoft Plus! Photo Story 2 LE --> MsiExec.exe /X{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}
Modem Event Monitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}\setup.exe" -l0x9
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Modem On Hold --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN Encarta Plus Support Files --> MsiExec.exe /I{00000000-785F-478A-BAA2-87F1A136068C}
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}
Musicmatch® Jukebox --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85D3CC30-8859-481A-9654-FD9B74310BEF}\setup.exe" -l0x9 -uninst
NetZeroInstallers --> MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
OneTouch Version 3.0 --> C:\PROGRA~1\VISION~1\UNWISE.EXE C:\PROGRA~1\VISION~1\INSTALL.LOG
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PaperPort 7.02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ScanSoft\PaperPort\Config\DeIsL1.isu" -y -c"C:\Program Files\ScanSoft\PaperPort\UnInstl2.dll"
Photo Click --> MsiExec.exe /I{6E179C77-7335-458D-9537-4F4EAC0181ED}
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD LE --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Sonic RecordNow Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Sonic RecordNow Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Sonic Update Manager --> MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Spybot - Search & Destroy --> "C:\Documents and Settings\Bev\My Documents\Downloads\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
TweakNow RegCleaner Standard --> "C:\Program Files\TweakNow RegCleaner Std\unins000.exe"
Verizon Broadband Toolbar --> C:\Program Files\VZBB Toolbar\Uninstall.exe
Verizon Online --> C:\WINDOWS\system32\VerizonUninstaller.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}


-- Application Event Log -------------------------------------------------------

Event Record #/Type27641 / Warning
Event Submitted/Written: 08/02/2008 08:32:51 PM
Event ID/Source: 4096 / F-PROT Antivirus
Event Description:
Found file, C:\WINDOWS\TEMP\FPQ10C.tmp, infected with W32/Virtumonde.AB.gen!Eldorado

For more information please visit http://www.f-prot.com/support/index.html

Event Record #/Type27640 / Warning
Event Submitted/Written: 08/02/2008 08:32:51 PM
Event ID/Source: 4096 / F-PROT Antivirus
Event Description:
Found file, C:\WINDOWS\TEMP\FPQ10C.tmp, infected with W32/Virtumonde.AB.gen!Eldorado

For more information please visit http://www.f-prot.com/support/index.html

Event Record #/Type27639 / Warning
Event Submitted/Written: 08/02/2008 08:32:51 PM
Event ID/Source: 4096 / F-PROT Antivirus
Event Description:
Found file, C:\WINDOWS\TEMP\FPQ10B.tmp, infected with W32/Virtumonde.AB.gen!Eldorado

For more information please visit http://www.f-prot.com/support/index.html

Event Record #/Type27638 / Warning
Event Submitted/Written: 08/02/2008 08:32:51 PM
Event ID/Source: 4096 / F-PROT Antivirus
Event Description:
Found file, C:\WINDOWS\TEMP\FPQ10B.tmp, infected with W32/Virtumonde.AB.gen!Eldorado

For more information please visit http://www.f-prot.com/support/index.html

Event Record #/Type27637 / Warning
Event Submitted/Written: 08/02/2008 08:32:51 PM
Event ID/Source: 4096 / F-PROT Antivirus
Event Description:
Found file, C:\WINDOWS\TEMP\FPQ10A.tmp, infected with W32/Virtumonde.AB.gen!Eldorado

For more information please visit http://www.f-prot.com/support/index.html



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type26915 / Error
Event Submitted/Written: 08/02/2008 09:32:59 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Network Connections service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type26914 / Error
Event Submitted/Written: 08/02/2008 09:32:59 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Workstation service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type26913 / Error
Event Submitted/Written: 08/02/2008 09:32:59 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Server service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type26912 / Error
Event Submitted/Written: 08/02/2008 09:32:59 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The HID Input Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type26911 / Error
Event Submitted/Written: 08/02/2008 09:32:59 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Help and Support service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.



-- End of Deckard's System Scanner: finished at 2008-08-02 21:33:43 ------------

Attached Files


Edited by SifuMike, 02 August 2008 - 09:34 PM.
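The DSS log above is read by eye in this thread; as an added example (not part of the thread, of Deckard's System Scanner, or of any tool used here), the Python below parses DSS-style file lines and the registry dump and applies two defender-side triage heuristics. Both heuristics are the editor's assumptions, not DSS logic: a regular file carrying both the hidden and system attributes under system32 with an extension one does not expect there, and any MountPoints2 key with an AutoRun command recorded under it. The sample lines are copied from the log posted above.

```python
"""Triage helpers for Deckard's System Scanner (DSS) style output.

Added example for this thread; not part of DSS or of any other tool used here.
The DSS line format is taken from the posted log: "<date> <time> <size> <attributes> <path>".
"""
import re

# DSS file-listing line, e.g. "2008-07-11 22:50:00 654130 --ahs---- C:\WINDOWS\system32\xHilRXbc.ini2"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# Registry dump lines from the same log: a MountPoints2 key followed by its AutoRun command.
KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.+)$", re.I)

# Extensions normally expected for regular files under system32 (editor's list, an assumption).
EXPECTED_SYSTEM32_EXTS = {".dll", ".exe", ".sys", ".ocx", ".cpl", ".drv", ".ax", ".acm", ".scr"}

# Sample lines copied from the DSS log posted in this thread.
SAMPLE_DSS = r"""
2008-07-21 23:18:37 0 d-------- C:\Program Files\Java
2008-07-18 23:27:27 3158 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-11 22:50:00 654130 --ahs---- C:\WINDOWS\system32\xHilRXbc.ini2
2008-06-26 15:41:11 651574 --ahs---- C:\WINDOWS\system32\tBdgNXyb.ini2
2008-06-26 11:06:03 652521 --ahs---- C:\WINDOWS\system32\yHkmpXbc.ini2
2008-06-26 10:53:56 691545 --a------ C:\WINDOWS\unins000.exe
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1146c890-a2c9-11dc-b589-00123fb3b37f}]
AutoRun\command- E:\Installer.exe
"""


def parse_dss_lines(text):
    """Return one dict per well-formed DSS file line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def _extension(path):
    """Lower-cased extension of a Windows path, or '' when the file name has none."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[name.rfind("."):] if "." in name else ""


def flag_suspicious_files(entries):
    """Flag regular files that are hidden+system AND sit in system32 with an unexpected
    extension. Both signals are required to keep noise down: tmp.reg matches only the
    extension test and is left alone, while the .ini2 files match both."""
    hits = []
    for entry in entries:
        attrs, path = entry["attrs"], entry["path"]
        if "d" in attrs:  # directories carry 'd'; only regular files are of interest
            continue
        reasons = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes on a regular file")
        if "\\windows\\system32\\" in path.lower() and _extension(path) not in EXPECTED_SYSTEM32_EXTS:
            reasons.append(f"unexpected extension {_extension(path) or '(none)'} in system32")
        if len(reasons) == 2:
            hits.append((path, reasons))
    return hits


def find_autorun_commands(reg_text):
    """Pair each MountPoints2 key with the AutoRun command recorded beneath it."""
    pairs, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):  # a different key starts; stop attributing lines to the mount point
            current = None
            continue
        cmd = AUTORUN_RE.match(line)
        if cmd and current:
            pairs.append((current, cmd.group(1)))
    return pairs


if __name__ == "__main__":
    for path, reasons in flag_suspicious_files(parse_dss_lines(SAMPLE_DSS)):
        print(path, "->", "; ".join(reasons))
    for key, cmd in find_autorun_commands(SAMPLE_REG):
        print("MountPoints2", key, "AutoRun:", cmd)
```

Run against the sample, the three `--ahs----` `.ini2` files in system32 are the only file hits, and the single MountPoints2 entry yields the `E:\Installer.exe` command; anything the script flags is a lead for a human reviewer, not a verdict.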


#5 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 02 August 2008 - 11:10 PM

SMShadowman

Your Spybot - Search & Destroy 1.5.2.20 is out of date.
Uninstall it and download and install the new Spybot 1.6.0.



We must fix all your file associations:

To repair the faulty file associations, please do the following:
Make sure that DSS.exe is located on your Desktop.
Click on your START button, then choose Run. A little box will appear.
Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

"%userprofile%\desktop\dss.exe" /daft


This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.

******************************

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

Cheers.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 SMShadowman
  • Topic Starter
  • Members
  • 11 posts

Posted 03 August 2008 - 03:20 PM

The Daft Log:

DAFT Log saved on 2008-08-03 16:00:27
-----------------------------------------------------------------------
All associations okay!


I've attached both below.

Attached Files



#7 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 August 2008 - 05:03 PM

SMShadowman

There is something wrong with the OTScanIt log you posted, as I am not seeing all the items.

Please refer to my previous post, follow the direction exactly and run the scan again.
Make sure you have word wrap turned off.
Attach the OTScanit log.

#8 SMShadowman
  • Topic Starter
  • Members
  • 11 posts

Posted 03 August 2008 - 08:35 PM

OK, that's odd. I left word wrap off and followed all of those instructions the first time. But here it is again.

Attached Files



#9 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 August 2008 - 09:12 PM

SMShadowman,

OTScanIt is still not working correctly, so we will use ComboFix©.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your F-PROT Antivirus before running ComboFix, as it will prevent it from running.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions, install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need the Recovery Console because malware damages a lot and causes an unstable system, and because of that it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even when you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 03 August 2008 - 10:59 PM.


#10 SMShadowman
  • Topic Starter
  • Members
  • 11 posts

Posted 04 August 2008 - 09:45 AM

OK, thanks. I'll be able to take a look at it again this evening.

#11 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 August 2008 - 01:29 PM

There is no rush. ;)

The following is referring to TweakNow RegCleaner Std.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.

If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

Should I Use a Registry Cleaner?

Mark Russinovich wrote:
No, even if the registry was massively bloated there would be little impact on the performance of anything other than exhaustive searches (ed. of the registry itself).

On Win2K Terminal Server systems, however, there is a limit on the total amount of Registry data that can be loaded and so large profile hives can limit the number of users that can be logged on simultaneously.

I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.


Edited by SifuMike, 04 August 2008 - 01:37 PM.


#12 SMShadowman
  • Topic Starter
  • Members
  • 11 posts

Posted 04 August 2008 - 06:34 PM

Thanks for the advice about the regcleaner. This is my mother-in-law's box, so I'm not sure if she wants it or not, but I'll pass the message along.

Anyway, here's the combofix log:

ComboFix 08-08-04.01 - Bev 2008-08-04 19:27:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.685 [GMT -4:00]
Running from: C:\Documents and Settings\Bev\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Bev\Application Data\PPPATC~1
C:\WINDOWS\system32\bkvuhgxq.ini
C:\WINDOWS\system32\dtnfqjbd.ini
C:\WINDOWS\system32\fgdquxsy.ini
C:\WINDOWS\system32\fjidktsn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhuadpcs.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\tBdgNXyb.ini
C:\WINDOWS\system32\tBdgNXyb.ini2
C:\WINDOWS\system32\upengmqi.ini
C:\WINDOWS\system32\xHilRXbc.ini
C:\WINDOWS\system32\xHilRXbc.ini2
C:\WINDOWS\system32\yHkmpXbc.ini
C:\WINDOWS\system32\yHkmpXbc.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-08-02 21:30 . 2008-08-02 21:30 <DIR> d-------- C:\Deckard
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Documents and Settings\Bev\Application Data\Malwarebytes
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 21:11 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 21:11 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 00:21 . 2008-07-27 00:21 <DIR> d-------- C:\Documents and Settings\Bev\Application Data\FRISK Software
2008-07-22 23:16 . 2008-07-22 23:16 <DIR> d-------- C:\WINDOWS\484E1A3C94D942309AE4467EE6B40180.TMP
2008-07-22 00:16 . 2008-07-22 00:16 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-21 23:18 . 2008-07-21 23:18 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-21 23:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-21 22:29 . 2008-07-21 22:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-21 22:29 . 2008-08-03 15:57 <DIR> d-------- C:\SDFix
2008-07-21 20:36 . 2008-07-21 20:36 <DIR> d-------- C:\VundoFix Backups
2008-07-19 00:27 . 2008-07-19 00:27 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 00:27 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-19 00:02 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-18 23:31 . 2008-07-19 00:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-12 02:46 . 2008-07-12 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 02:45 . 2008-07-12 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 01:38 . 2008-07-12 01:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 01:38 . 2008-07-12 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 01:32 . 2008-07-12 01:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-11 22:59 . 2008-07-11 22:59 <DIR> d-------- C:\programfiles
2008-07-11 18:29 . 2008-07-11 18:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-11 18:29 . 2008-07-11 18:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-11 18:03 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-11 18:03 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-11 18:03 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-11 18:03 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 20:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-03 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 19:57 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2008-07-22 03:18 --------- d-----w C:\Program Files\Java
2008-07-19 03:27 3,158 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-12 05:34 --------- d-----w C:\Documents and Settings\Bev\Application Data\Lavasoft
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-11-20 16:31 48,704 ----a-w C:\Documents and Settings\Bev\Application Data\GDIPFONTCACHEV1.DAT
2002-05-28 13:19 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-05-20 13:22 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 13:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2002-05-20 13:02 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2008-04-14 18:11 56 --sh--r C:\WINDOWS\system32\3C808A273C.sys
2008-04-14 18:12 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-05-28 09:16 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 13:04 327680]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 15:25 1597832]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Bev\\My Documents\\security utils\\jxpiinstall.exe"=

R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys [2008-03-28 14:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 FPAVServer;F-PROT Antivirus for Windows system;C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [2008-04-21 21:26]
S4 HMMVERW;HMMVERW;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HMMVERW.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1146c890-a2c9-11dc-b589-00123fb3b37f}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-06-24 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-POINTER - point32.exe


.
------- Supplementary Scan -------
.
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 19:30:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-04 19:31:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-04 23:31:09

Pre-Run: 143,000,440,832 bytes free
Post-Run: 142,918,844,416 bytes free

164 --- E O F --- 2008-07-27 04:18:14


#13 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 August 2008 - 10:16 PM

Hi SMShadowman,


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HMMVERW.exe 
C:\WINDOWS\system32\tmp.reg
Folder:: 
C:\VundoFix Backups
Driver:: 
HMMVERW
DirLook::
C:\programfiles


Name the Notepad file CFScript.txt and save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[Screenshot: dragging CFScript.txt onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
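As an added illustration of the triage behind the CFScript above (this is not ComboFix's own code and not the helper's tooling), the following Python reads service and mountpoints2 AutoRun lines in the shape of the posted log, flags the entries that warrant a second look (a service whose binary sits in a user Temp folder or has no file date recorded), and lays the flagged items out in the File:: / Driver:: sections the script uses. The sample log lines are constructed from the thread's log; the markers and regular expressions are this example's own assumptions.

```python
"""Triage of ComboFix 'Reg Loading Points' lines.

Added example for this thread; it is not ComboFix's own code and not the
tooling the helper used. It reads the service (R0/R2/S4 ...) lines and the
mountpoints2 AutoRun lines in the shape posted above, flags the ones that
warrant a second look, and prints the flagged files/drivers in the
File:: / Driver:: layout that the CFScript in the post uses.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied in form from the log posted in this thread.
SAMPLE_LOG = r"""
R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys [2008-03-28 14:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 FPAVServer;F-PROT Antivirus for Windows system;C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [2008-04-21 21:26]
S4 HMMVERW;HMMVERW;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HMMVERW.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1146c890-a2c9-11dc-b589-00123fb3b37f}]
\Shell\AutoRun\command - E:\Installer.exe
"""

# "<start> <name>;<display name>;<image path> [<file date>]"; the bracket is
# empty when ComboFix could not read the file the entry points at.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# "\Shell\AutoRun\command - <command>" beneath a mountpoints2 GUID key.
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+?)\s*$")
# Path fragments (assumed markers) that no legitimate service binary should sit under.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\")


@dataclass
class Finding:
    kind: str    # "service" or "autorun"
    name: str    # service name, or the registry area for autorun hits
    path: str    # image path or autorun command
    reason: str


def triage(log: str) -> List[Finding]:
    """Return the log entries that deserve a closer look, in log order."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, path, stamp = m.groups()
            reasons = []
            if not stamp.strip():
                reasons.append("no file date recorded (binary missing or unreadable)")
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                reasons.append("service binary sits under a user Temp folder")
            if reasons:
                findings.append(Finding("service", name, path, "; ".join(reasons)))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            findings.append(Finding("autorun", "mountpoints2", m.group(1),
                                    "AutoRun command cached for a mounted volume"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Lay out flagged services in the File:: / Driver:: sections the post uses.

    AutoRun hits are only reported, not scripted: the CFScript above did not
    touch them, and the right action depends on which volume they belong to.
    """
    services = [f for f in findings if f.kind == "service"]
    lines: List[str] = []
    if services:
        lines.append("File::")
        lines.extend(f.path for f in services)
        lines.append("Driver::")
        lines.extend(f.name for f in services)
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:8} {f.name:14} {f.path}  <- {f.reason}")
    print(build_cfscript(found))
```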

#14 SMShadowman
  • Topic Starter
  • Members
  • 11 posts

Posted 04 August 2008 - 10:46 PM

Hello SifuMike:
Thanks again for all of the help.

ComboFix
ComboFix 08-08-04.01 - Bev 2008-08-04 23:37:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.680 [GMT -4:00]
Running from: C:\Documents and Settings\Bev\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bev\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HMMVERW
-------\Service_HMMVERW


((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-02 21:30 . 2008-08-02 21:30 <DIR> d-------- C:\Deckard
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Documents and Settings\Bev\Application Data\Malwarebytes
2008-08-02 21:11 . 2008-08-02 21:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 21:11 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 21:11 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 00:21 . 2008-07-27 00:21 <DIR> d-------- C:\Documents and Settings\Bev\Application Data\FRISK Software
2008-07-22 23:16 . 2008-07-22 23:16 <DIR> d-------- C:\WINDOWS\484E1A3C94D942309AE4467EE6B40180.TMP
2008-07-22 00:16 . 2008-07-22 00:16 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-21 23:18 . 2008-07-21 23:18 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-21 23:18 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-21 22:29 . 2008-07-21 22:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-21 22:29 . 2008-08-03 15:57 <DIR> d-------- C:\SDFix
2008-07-21 20:36 . 2008-07-21 20:36 <DIR> d-------- C:\VundoFix Backups
2008-07-19 00:27 . 2008-07-19 00:27 <DIR> d-------- C:\Program Files\Panda Security
2008-07-19 00:27 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-19 00:02 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-07-18 23:31 . 2008-07-19 00:08 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-07-12 02:46 . 2008-07-12 02:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-12 02:45 . 2008-07-12 02:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-07-12 01:38 . 2008-07-12 01:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-12 01:38 . 2008-07-12 01:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-12 01:32 . 2008-07-12 01:32 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-07-11 22:59 . 2008-07-11 22:59 <DIR> d-------- C:\programfiles
2008-07-11 18:29 . 2008-07-11 18:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-11 18:29 . 2008-07-11 18:29 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-11 18:03 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-11 18:03 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-11 18:03 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-07-11 18:03 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-03 20:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-03 20:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-03 19:57 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2008-07-22 03:18 --------- d-----w C:\Program Files\Java
2008-07-19 03:27 3,158 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-12 05:34 --------- d-----w C:\Documents and Settings\Bev\Application Data\Lavasoft
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-11-20 16:31 48,704 ----a-w C:\Documents and Settings\Bev\Application Data\GDIPFONTCACHEV1.DAT
2002-05-28 13:19 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-05-20 13:22 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 13:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
2002-05-20 13:02 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2001-08-03 23:29 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2008-04-14 18:11 56 --sh--r C:\WINDOWS\system32\3C808A273C.sys
2008-04-14 18:12 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\programfiles ----

2008-08-03 16:08 7238 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarkbackups\bookmarks-2008-08-03.json
2008-08-03 16:08 65536 --a------ C:\programfiles\FirefoxPortable\Data\profile\cert8.db
2008-08-03 16:08 6144 --a------ C:\programfiles\FirefoxPortable\Data\profile\formhistory.sqlite
2008-08-03 16:08 6144 --a------ C:\programfiles\FirefoxPortable\Data\profile\downloads.sqlite
2008-08-03 16:08 4181 --a------ C:\programfiles\FirefoxPortable\Data\profile\localstore.rdf
2008-08-03 16:08 4096 --a------ C:\programfiles\FirefoxPortable\Data\profile\OfflineCache\index.sqlite
2008-08-03 16:08 282624 --a------ C:\programfiles\FirefoxPortable\Data\profile\places.sqlite
2008-08-03 16:08 2338 --a------ C:\programfiles\FirefoxPortable\Data\profile\prefs.js
2008-08-03 16:08 21106688 --a------ C:\programfiles\FirefoxPortable\Data\profile\urlclassifier3.sqlite
2008-08-03 16:08 2048 --a------ C:\programfiles\FirefoxPortable\Data\profile\webappsstore.sqlite
2008-08-03 16:08 19456 --a------ C:\programfiles\FirefoxPortable\Data\profile\cookies.sqlite
2008-08-03 16:08 16384 --a------ C:\programfiles\FirefoxPortable\Data\profile\key3.db
2008-08-03 16:07 138 --a------ C:\programfiles\FirefoxPortable\Data\settings\FirefoxPortableSettings.ini
2008-08-03 16:07 1096449 --a------ C:\programfiles\FirefoxPortable\Data\profile\XUL.mfl
2008-07-27 03:51 7238 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarkbackups\bookmarks-2008-07-27.json
2008-07-27 03:45 1557 --a------ C:\programfiles\FirefoxPortable\Data\profile\blocklist.xml
2008-07-27 03:39 9798 --a------ C:\programfiles\FirefoxPortable\Data\profile\pluginreg.dat
2008-07-23 23:45 7238 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarkbackups\bookmarks-2008-07-23.json
2008-07-22 23:30 7238 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarkbackups\bookmarks-2008-07-22.json
2008-07-21 23:24 2000440 --a------ C:\programfiles\FirefoxPortable\Data\profile\XPC.mfl
2008-07-21 20:34 5127 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarkbackups\bookmarks-2008-07-21.json
2008-07-12 01:33 2032 --a------ C:\programfiles\FirefoxPortable\Data\profile\mimeTypes.rdf
2008-07-11 23:01 96192 --a------ C:\programfiles\FirefoxPortable\Data\profile\xpti.dat
2008-07-11 23:01 8 --a------ C:\programfiles\FirefoxPortable\Data\profile\signons3.txt
2008-07-11 23:01 7168 --a------ C:\programfiles\FirefoxPortable\Data\profile\content-prefs.sqlite
2008-07-11 23:01 2048 --a------ C:\programfiles\FirefoxPortable\Data\profile\search.sqlite
2008-07-11 23:01 2048 --a------ C:\programfiles\FirefoxPortable\Data\profile\permissions.sqlite
2008-07-11 23:01 199 --a------ C:\programfiles\FirefoxPortable\Data\profile\compatibility.ini
2008-07-11 23:01 16384 --a------ C:\programfiles\FirefoxPortable\Data\profile\secmod.db
2008-07-11 23:01 142730 --a------ C:\programfiles\FirefoxPortable\Data\profile\compreg.dat
2008-07-11 23:01 136 --a------ C:\programfiles\FirefoxPortable\Data\profile\extensions.ini
2008-07-11 23:01 1173 --a------ C:\programfiles\FirefoxPortable\Data\profile\extensions.rdf
2008-07-11 23:01 106 --a------ C:\programfiles\FirefoxPortable\Data\profile\extensions.cache
2008-06-17 16:09 23224 --a------ C:\programfiles\FirefoxPortable\Other\Source\FirefoxPortable.nsi
2008-06-17 16:09 143976 --a------ C:\programfiles\FirefoxPortable\FirefoxPortable.exe
2008-06-17 16:08 966 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_SIMPCHINESE.nsh
2008-06-17 16:07 1074 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_JAPANESE.nsh
2008-06-17 16:06 1390 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_GERMAN.nsh
2008-06-17 16:06 1371 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_ITALIAN.nsh
2008-06-17 16:05 1433 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_FRENCH.nsh
2008-06-17 16:05 1230 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherLANG_ENGLISH.nsh
2008-06-17 16:04 936 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comInstallerLANG_ENGLISH.nsh
2008-06-17 15:58 897 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsForm.ini
2008-06-17 15:41 616 --a------ C:\programfiles\FirefoxPortable\App\AppInfo\appinfo.ini
2008-06-17 15:37 10038 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comInstaller.nsi
2008-06-17 15:35 10919 --a------ C:\programfiles\FirefoxPortable\Data\profile\bookmarks.html
2008-06-17 15:35 10919 --a------ C:\programfiles\FirefoxPortable\App\DefaultData\profile\bookmarks.html
2008-06-17 15:30 6882 --a------ C:\programfiles\FirefoxPortable\App\firefox\uninstall\uninstall.log
2008-06-17 15:03 8534 --a------ C:\programfiles\FirefoxPortable\help.html
2008-06-17 12:43 771 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsLANG_SIMPCHINESE.nsh
2008-06-17 12:41 1039 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsLANG_ITALIAN.nsh
2008-06-17 12:39 1060 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsLANG_GERMAN.nsh
2008-06-17 12:36 1015 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsLANG_FRENCH.nsh
2008-06-17 10:01 905 --a------ C:\programfiles\FirefoxPortable\Other\Source\PortableApps.comLauncherOptionsLANG_ENGLISH.nsh
2008-06-04 23:01 1370 --a------ C:\programfiles\FirefoxPortable\App\DefaultData\profile\prefs.js
2008-05-29 16:09 9715200 --a------ C:\programfiles\FirefoxPortable\App\firefox\xul.dll
2008-05-29 16:09 87552 --a------ C:\programfiles\FirefoxPortable\App\firefox\nssutil3.dll
2008-05-29 16:09 697856 --a------ C:\programfiles\FirefoxPortable\App\firefox\nss3.dll
2008-05-29 16:09 65536 --a------ C:\programfiles\FirefoxPortable\App\firefox\plugins\npnul32.dll
2008-05-29 16:09 414208 --a------ C:\programfiles\FirefoxPortable\App\firefox\sqlite3.dll
2008-05-29 16:09 304640 --a------ C:\programfiles\FirefoxPortable\App\firefox\nssckbi.dll
2008-05-29 16:09 241664 --a------ C:\programfiles\FirefoxPortable\App\firefox\updater.exe
2008-05-29 16:09 23040 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\browserdirprovider.dll
2008-05-29 16:09 20480 --a------ C:\programfiles\FirefoxPortable\App\firefox\plc4.dll
2008-05-29 16:09 17920 --a------ C:\programfiles\FirefoxPortable\App\firefox\xpcom.dll
2008-05-29 16:09 17408 --a------ C:\programfiles\FirefoxPortable\App\firefox\plds4.dll
2008-05-29 16:09 136704 --a------ C:\programfiles\FirefoxPortable\App\firefox\ssl3.dll
2008-05-29 16:09 134144 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\brwsrcmp.dll
2008-05-29 16:09 103936 --a------ C:\programfiles\FirefoxPortable\App\firefox\smime3.dll
2008-05-29 16:09 103936 --a------ C:\programfiles\FirefoxPortable\App\firefox\nssdbm3.dll
2008-05-29 16:08 710144 --a------ C:\programfiles\FirefoxPortable\App\firefox\mozcrt19.dll
2008-05-29 16:08 695808 --a------ C:\programfiles\FirefoxPortable\App\firefox\js3250.dll
2008-05-29 16:08 507544 --a------ C:\programfiles\FirefoxPortable\App\firefox\uninstall\helper.exe
2008-05-29 16:08 307712 --a------ C:\programfiles\FirefoxPortable\App\firefox\firefox.exe
2008-05-29 16:08 198144 --a------ C:\programfiles\FirefoxPortable\App\firefox\nspr4.dll
2008-05-29 16:08 185856 --a------ C:\programfiles\FirefoxPortable\App\firefox\crashreporter.exe
2008-05-29 16:08 17408 --a------ C:\programfiles\FirefoxPortable\App\firefox\AccessibleMarshal.dll
2008-05-29 10:24 9998 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\XPCOMUtils.jsm
2008-05-29 10:24 981 --a------ C:\programfiles\FirefoxPortable\App\firefox\blocklist.xml
2008-05-29 10:24 9790 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsTaggingService.js
2008-05-29 10:24 9504 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\charsetData.properties
2008-05-29 10:24 915 --a------ C:\programfiles\FirefoxPortable\App\firefox\defaults\pref\firefox-branding.js
2008-05-29 10:24 876 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\classic.manifest
2008-05-29 10:24 87 --a------ C:\programfiles\FirefoxPortable\App\firefox\defaults\autoconfig\platform.js
2008-05-29 10:24 858 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\grabber.gif
2008-05-29 10:24 85 --a------ C:\programfiles\FirefoxPortable\App\firefox\greprefs\xpinstall.js
2008-05-29 10:24 8427 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\dtd\xhtml11.dtd
2008-05-29 10:24 841 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-row.gif
2008-05-29 10:24 841 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-row-hover.gif
2008-05-29 10:24 841 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-column.gif
2008-05-29 10:24 841 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-column-hover.gif
2008-05-29 10:24 835 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-row-active.gif
2008-05-29 10:24 835 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-remove-column-active.gif
2008-05-29 10:24 826 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-after.gif
2008-05-29 10:24 826 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-after-hover.gif
2008-05-29 10:24 826 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-after.gif
2008-05-29 10:24 826 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-after-hover.gif
2008-05-29 10:24 825 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-before.gif
2008-05-29 10:24 825 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-before-hover.gif
2008-05-29 10:24 825 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-before.gif
2008-05-29 10:24 825 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-before-hover.gif
2008-05-29 10:24 792 --a------ C:\programfiles\FirefoxPortable\App\firefox\searchplugins\yahoo.xml
2008-05-29 10:24 77051 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsMicrosummaryService.js
2008-05-29 10:24 7585 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\PluralForm.jsm
2008-05-29 10:24 75773 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsSessionStore.js
2008-05-29 10:24 7296 --a------ C:\programfiles\FirefoxPortable\App\firefox\defaults\autoconfig\prefcalls.js
2008-05-29 10:24 728 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\browser.manifest
2008-05-29 10:24 72548 --a------ C:\programfiles\FirefoxPortable\App\firefox\greprefs\all.js
2008-05-29 10:24 7139 --a------ C:\programfiles\FirefoxPortable\App\firefox\defaults\profile\bookmarks.html
2008-05-29 10:24 706 --a------ C:\programfiles\FirefoxPortable\App\firefox\updater.ini
2008-05-29 10:24 7039 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\ISO8601DateUtils.jsm
2008-05-29 10:24 6920 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsWebHandlerApp.js
2008-05-29 10:24 69 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\pippki.manifest
2008-05-29 10:24 6721 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\JSON.jsm
2008-05-29 10:24 6719 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\fonts\mathfontUnicode.properties
2008-05-29 10:24 6667 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\txEXSLTRegExFunctions.js
2008-05-29 10:24 663 --a------ C:\programfiles\FirefoxPortable\App\firefox\defaults\profile\chrome\userContent-example.css
2008-05-29 10:24 66215 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\FeedProcessor.js
2008-05-29 10:24 64412 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\Microformats.js
2008-05-29 10:24 63788 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\dtd\mathml.dtd
2008-05-29 10:24 6308 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\ua.css
2008-05-29 10:24 6247 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsDefaultCLH.js
2008-05-29 10:24 619 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\html\folder.png
2008-05-29 10:24 609731 --a------ C:\programfiles\FirefoxPortable\App\firefox\dictionaries\en-US.dic
2008-05-29 10:24 59 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\arrowd.gif
2008-05-29 10:24 58856 --a------ C:\programfiles\FirefoxPortable\App\firefox\modules\utils.js
2008-05-29 10:24 583 --a------ C:\programfiles\FirefoxPortable\App\firefox\crashreporter-override.ini
2008-05-29 10:24 58 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-after-active.gif
2008-05-29 10:24 5737 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsDownloadManagerUI.js
2008-05-29 10:24 57 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-before-active.gif
2008-05-29 10:24 57 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-row-after-active.gif
2008-05-29 10:24 57 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\table-add-column-before-active.gif
2008-05-29 10:24 5649 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\langGroups.properties
2008-05-29 10:24 56411 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\fonts\mathfont.properties
2008-05-29 10:24 56 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\arrow.gif
2008-05-29 10:24 5493 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\fonts\mathfontSTIXNonUnicode.properties
2008-05-29 10:24 5490 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\language.properties
2008-05-29 10:24 517 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\toolkit.manifest
2008-05-29 10:24 51214 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsHandlerService.js
2008-05-29 10:24 50466 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsUrlClassifierLib.js
2008-05-29 10:24 5005 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsContentDispatchChooser.js
2008-05-29 10:24 49694 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\FeedWriter.js
2008-05-29 10:24 49331 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\storage-Legacy.js
2008-05-29 10:24 476 --a------ C:\programfiles\FirefoxPortable\App\firefox\softokn3.chk
2008-05-29 10:24 476 --a------ C:\programfiles\FirefoxPortable\App\firefox\freebl3.chk
2008-05-29 10:24 467870 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\en-US.jar
2008-05-29 10:24 44033 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsLoginManager.js
2008-05-29 10:24 44 --a------ C:\programfiles\FirefoxPortable\App\firefox\platform.ini
2008-05-29 10:24 439 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\reporter.manifest
2008-05-29 10:24 4302 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsLoginInfo.js
2008-05-29 10:24 41776 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsHelperAppDlg.js
2008-05-29 10:24 4090 --a------ C:\programfiles\FirefoxPortable\App\firefox\res\entityTables\html40Symbols.properties
2008-05-29 10:24 40367 --a------ C:\programfiles\FirefoxPortable\App\firefox\components\nsLoginManagerPrompter.js
2008-05-29 10:24 39662 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\comm.jar
2008-05-29 10:24 39550 --a------ C:\programfiles\FirefoxPortable\App\firefox\chrome\reporter.jar


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 22:12 221184]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 12:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 12:44 81920]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2002-05-28 09:16 86016]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 13:04 327680]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 15:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 15:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 15:50 114688]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"F-PROT Antivirus Tray application"="C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe" [2008-04-21 15:25 1597832]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Documents and Settings\\Bev\\My Documents\\security utils\\jxpiinstall.exe"=

R0 FPAV_RTP;FPAV_RTP;C:\WINDOWS\system32\drivers\FStopW.sys [2008-03-28 14:06]
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 FPAVServer;F-PROT Antivirus for Windows system;C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [2008-04-21 21:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1146c890-a2c9-11dc-b589-00123fb3b37f}]
\Shell\AutoRun\command - E:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-06-24 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 23:39:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-04 23:40:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 03:40:49
ComboFix2.txt 2008-08-04 23:31:13

Pre-Run: 142,901,993,472 bytes free
Post-Run: 142,891,941,888 bytes free

414 --- E O F --- 2008-07-27 04:18:14



------------------------------------------
Hijack This
------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:17 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon DSL.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1132859832331
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150211599328
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6016 bytes


#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:06 AM

Posted 05 August 2008 - 01:05 PM

Hi SMShadowman,

There is a new version of ComboFix released, so please delete combofix.exe from the Desktop by right-clicking on the ComboFix icon and selecting Delete.

Then download a fresh copy of ComboFix from Bleeping Computer to your Desktop.

IMPORTANT !!! combofix.exe MUST be on your Desktop

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Click Start, then Run and type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\system32\tmp.reg

Folder:: 
C:\VundoFix Backups


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


[Screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
