
Can't Get Rid Of Firefox Google Hijack


  • This topic is locked
31 replies to this topic

#1 purplepurple

purplepurple

  • Members
  • 15 posts

Posted 05 August 2008 - 07:52 PM

Hey,

I'm normally pretty good with these things but I just can't find the problem or get rid of it. Mainly the only problem is that when I google something and click a link from google I get redirected to spam sites, usually smartbizsearch.com. Works fine if I c/p the links into the browser or use any other page.

Hopefully someone can help.

Inc Hijack This! log.

==

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:40 PM, on 8/5/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2049230628-377949977-3238098125-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Eurolinx Poker - {78AB8510-2944-4c6c-86E7-6412C2383349} - C:\Microgaming\Poker\EurolinxPokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B7DBE6-8054-4271-9774-C64A3AFE2F25}: NameServer = 192.168.4.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 9316 bytes


#2 purplepurple

purplepurple
  • Topic Starter

  • Members
  • 15 posts

Posted 06 August 2008 - 12:43 PM

Bump for help!

#3 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • Gender:Male
  • Location:Philadelphia

Posted 18 August 2008 - 09:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

Please do not bump your topic; it only delays things more.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
If you have not downloaded HiJackThis yet:
Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Doubleclick on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
In your reply:
  • Fresh HJT log
  • Kaspersky Online Scanner log
Thanks


Harry

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook

#4 purplepurple

purplepurple
  • Topic Starter

  • Members
  • 15 posts

Posted 19 August 2008 - 02:07 PM

There is no save as text option in Kasp online scanner.

But it claims to have found Trojan.Win32.BHO.fdh and Trojan.Win32.Delf.czb, but they were in a bit torrent download file and not any running processes or system files.

Hijack this is below.

==

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:06 PM, on 8/19/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Users\Purple\AppData\Local\Temp\Adobelm_Cleanup.0001
C:\Users\Purple\AppData\Local\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Poker Tracker Omaha\pto.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2049230628-377949977-3238098125-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Eurolinx Poker - {78AB8510-2944-4c6c-86E7-6412C2383349} - C:\Microgaming\Poker\EurolinxPokerMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B7DBE6-8054-4271-9774-C64A3AFE2F25}: NameServer = 192.168.4.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.4.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 9828 bytes

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 19 August 2008 - 11:42 PM

Hello, PurplePurple.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.

We need to run ComboFix. In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#6 purplepurple

purplepurple
  • Topic Starter

  • Members
  • 15 posts

Posted 20 August 2008 - 12:22 AM

I ran it once and it rebooted right away; ran it again and it rebooted after 5 minutes, came back saying it was preparing the log file, but it endlessly spammed

SED: -e expression #1, char 25: unmatched parentheses
SED: -e expression #1, char 6: unmatched parentheses
SED: -e expression #1, char 25: unmatched parentheses
SED: -e expression #1, char 6: unmatched parentheses
SED: -e expression #1, char 25: unmatched parentheses
SED: -e expression #1, char 6: unmatched parentheses
SED: -e expression #1, char 25: unmatched parentheses
SED: -e expression #1, char 6: unmatched parentheses
SED: -e expression #1, char 25: unmatched parentheses

So I closed it and ran it a third time; it did the same thing but gave a ComboFix log after 30s.

Note: my firefox google searches are still hijacked.

==

ComboFix 08-08-18.05 - Purple 08/19/2008 23:15:19.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2120 [GMT -6:00]
Running from: C:\Users\Purple\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Windows\system32\drivers\msliksurserv.sys
C:\Windows\system32\msliksurcredo.dll
C:\Windows\system32\msliksurdns.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 05:18 --------- d-----w C:\Users\Purple\AppData\Roaming\Skype
2008-08-20 05:06 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-08-20 04:57 --------- d-----w C:\Users\Purple\AppData\Roaming\skypePM
2008-08-20 04:48 --------- d-----w C:\Users\Purple\AppData\Roaming\FileZilla
2008-08-20 04:48 --------- d-----w C:\Program Files\Poker Tracker Omaha
2008-08-19 09:35 --------- d-----w C:\Program Files\Poker Tracker V2
2008-08-19 08:39 --------- d-----w C:\Program Files\Full Tilt Poker
2008-08-15 09:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-15 09:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-09 02:48 --------- d-----w C:\Users\Purple\AppData\Roaming\Microgaming
2008-08-03 05:31 691 ----a-w C:\Users\Purple\AppData\Roaming\GetValue.vbs
2008-08-03 05:31 35 ----a-w C:\Users\Purple\AppData\Roaming\SetValue.bat
2008-08-03 05:31 3,900 ----a-w C:\Windows\System32\tmp.reg
2008-08-03 04:26 --------- d-----w C:\Program Files\Trend Micro
2008-08-03 04:25 --------- d-----w C:\Program Files\PokerEV
2008-08-02 01:01 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-07-30 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-30 08:03 --------- d-----w C:\Users\Purple\AppData\Roaming\Azureus
2008-07-30 02:40 --------- d-----w C:\ProgramData\Avira
2008-07-30 02:40 --------- d-----w C:\Program Files\Avira
2008-07-30 01:07 --------- d-----w C:\Program Files\Celeb Poker
2008-07-29 17:23 --------- d-----w C:\Program Files\Steam
2008-07-29 17:22 --------- d-----w C:\Users\Purple\AppData\Roaming\OpenOffice.org2
2008-07-29 01:49 --------- d-----w C:\Program Files\FileZilla Client
2008-07-28 23:10 --------- d-----w C:\ProgramData\FLEXnet
2008-07-28 23:04 --------- d-----w C:\Program Files\Bonjour
2008-07-28 22:42 --------- d-----w C:\Program Files\PowerISO
2008-07-27 01:42 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-07-25 02:25 --------- d-----w C:\ProgramData\avg8
2008-07-25 02:06 --------- d-----w C:\Program Files\Common Files\Steam
2008-07-24 02:11 --------- d-----w C:\Program Files\AVG
2008-07-21 17:49 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-21 17:49 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-07-21 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-07-13 23:06 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-13 20:26 --------- d-----w C:\Program Files\UltimateBet
2008-07-09 06:21 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Journal
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Defender
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Calendar
2008-07-09 06:03 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-09 06:03 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-09 05:44 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-09 05:44 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-09 03:03 --------- d-----w C:\ProgramData\media center programs
2008-07-09 02:05 --------- d-----w C:\ProgramData\Funcom
2008-07-07 07:40 56,108 ----a-w C:\Windows\system32\drivers\scdemu.sys
2008-07-07 06:02 --------- d---a-w C:\ProgramData\TEMP
2008-07-07 01:55 --------- d---a-w C:\Program Files\Cake Poker
2008-07-06 13:09 --------- d-----w C:\Program Files\Azureus
2008-07-06 02:32 --------- d-----w C:\Program Files\DC++
2008-07-06 01:59 --------- d-----w C:\ProgramData\Rosetta Stone
2008-07-06 01:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-06 01:14 --------- d-----w C:\Program Files\Rosetta Stone
2008-07-05 08:30 --------- d-----w C:\Program Files\The Rosetta Stone
2008-07-04 04:18 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-02 19:33 82,432 ----a-w C:\Windows\System32\IEDFix.C.exe
2008-06-29 23:48 --------- d-----w C:\Program Files\ATI
2008-06-29 23:42 --------- d-----w C:\ProgramData\ATI
2008-06-29 23:35 --------- d-----w C:\Program Files\ATI Technologies
2008-06-29 22:57 --------- d-----w C:\Users\Purple\AppData\Roaming\Binary Fortress Software
2008-06-29 22:55 --------- d-----w C:\Program Files\DisplayFusion
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 02:36 --------- d-----w C:\Program Files\QuickTime
2008-06-26 02:35 --------- d-----w C:\ProgramData\Apple Computer
2008-06-26 02:34 --------- d-----w C:\ProgramData\Apple
2008-06-26 02:34 --------- d-----w C:\Program Files\Apple Software Update
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-25 04:19 --------- d-----w C:\Program Files\PokerStars
2008-06-24 21:01 --------- d-----w C:\ProgramData\Cake Poker
2008-06-23 04:39 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-06-23 00:40 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-06-23 00:21 --------- d-----w C:\Program Files\ISO Commander
2008-06-23 00:17 --------- d-----w C:\ProgramData\QuickTime
2008-06-22 03:02 --------- d-----w C:\ProgramData\Yahoo!
2008-06-22 03:00 --------- d-----w C:\Program Files\Yahoo!
2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-03 03:35 413,696 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-06-03 03:35 327,680 ----a-w C:\Windows\System32\atipdlxx.dll
2008-06-03 03:35 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-06-03 03:34 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-06-03 03:34 266,240 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-06-03 03:34 262,144 ----a-w C:\Windows\System32\Oemdspif.dll
2008-06-03 03:33 684,032 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-06-03 03:19 3,401,216 ----a-w C:\Windows\System32\atiumdag.dll
2008-06-03 03:02 4,398,080 ----a-w C:\Windows\System32\atiumdva.dll
2008-06-03 02:50 49,664 ----a-w C:\Windows\System32\amdpcom32.dll
2008-06-03 02:49 32,256 ----a-w C:\Windows\System32\atiadlxx.dll
2008-06-03 02:48 10,043,392 ----a-w C:\Windows\System32\atioglxx.dll
2008-05-29 15:35 86,528 ----a-w C:\Windows\System32\VACFix.exe
2008-05-24 00:21 81,920 ----a-w C:\Windows\System32\404Fix.exe
2008-03-13 05:17 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-13 05:17 32 ----a-w C:\ProgramData\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 11:34 AM 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 02:21 PM 50528]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM 21718312]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM 1233920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 03:39 AM 486856]
"DisplayFusion"="C:\Program Files\DisplayFusion\DisplayFusion.exe" [04/27/2008 10:13 AM 548528]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM 202240]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM 4670704]
"WindowsWelcomeCenter"="oobefldr.dll" [01/18/2008 11:36 PM 2153472 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe" [04/26/2007 02:54 PM 774168]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [04/26/2007 03:22 PM 1132056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM 132496]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM 563984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM 39792]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 09:52 PM 483328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM 61440]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM 266497]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM 76304 C:\Windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [05/10/2007 02:51 PM 19456 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [05/10/2007 02:52 PM 19968 C:\Windows\System32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [X]
"CtxfiReg"="CTXFIREG.exe" [05/10/2007 02:48 PM 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [1/8/2008 2:28:31 AM 25214]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [7/21/2008 11:49:20 AM 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [08/17/2006 03:57 PM 86016]

[HKLM\~\startupfolder\C:^Users^Purple^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Purple\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 10/25/2007 04:37 PM 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
--a------ 04/28/2008 08:27 PM 2285568 C:\Program Files\Mikogo\Mikogo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 05/27/2008 10:50 AM 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 03/31/2008 05:57 PM 1271032 c:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 11/19/2007 11:25 AM 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 10/24/2005 05:53 PM 307200 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C87F9CBC-1D8D-4F13-8952-45C873886CE4}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{AB03C224-8C5E-4E88-A1BB-25E89883F04A}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A94DE1D-C3CE-488B-8F95-47E5590D8D8D}"= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
"{F5D3A09C-0E0B-4752-9D9A-5D4C0B5CB147}"= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
"TCP Query User{085F0A64-BC94-4930-8D69-FA2429D4B8B6}C:\\program files\\steam\\steamapps\\purplelight\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\purplelight\day of defeat source\hl2.exe:hl2
"UDP Query User{A4465529-3993-4F4E-8BED-9ADB7746A445}C:\\program files\\steam\\steamapps\\purplelight\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\purplelight\day of defeat source\hl2.exe:hl2
"TCP Query User{6295CC0F-E75E-4868-9DC0-5677ED8A3F7D}C:\\users\\purple\\desktop\\acidmax2120\\mirc.exe"= UDP:C:\users\purple\desktop\acidmax2120\mirc.exe:mirc.exe
"UDP Query User{95530623-8E3C-4EB5-B8F3-3A7E42EE205D}C:\\users\\purple\\desktop\\acidmax2120\\mirc.exe"= TCP:C:\users\purple\desktop\acidmax2120\mirc.exe:mirc.exe
"TCP Query User{019CE703-E609-459C-BD73-50C997EAA3B7}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{DF021826-272F-451B-A627-26F1A5052A9E}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{95E32606-D5AC-40F3-9C4B-9FC2F9E2B4D9}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"UDP Query User{310CB42C-269F-444A-9D66-7EFEC97FBFA4}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"TCP Query User{6F116502-36C4-419F-932E-B8B8AB868094}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"UDP Query User{EF2AFE4B-9F33-4E24-9C0C-7B0D86180A64}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"{81D7A93B-2F3A-4038-BD1D-69435319AB76}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{19D1A13D-9E12-49EB-9F7F-C2F63CC05FBF}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1D3CA8EC-6F52-41BA-924E-FBBCAAF04D35}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D267949-16B5-42D5-8938-7709828BC887}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7DE46056-3D4D-45B7-A3F5-857A3A26D64F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4853D0CA-5556-4CCD-A0A0-C422277EC2FA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{E4D73A7F-FA0C-427A-BAB6-8153776074F9}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{964FB068-5950-42F4-A1ED-24E7813C60F9}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{234A334B-DCCD-4EA1-A1E8-8D68E0BBE557}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{B31D1526-28F2-4764-88E0-1FDC0ED44427}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{506B7391-3E7E-4097-819F-145F68A03F78}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{F7E0C036-7593-4B3A-B867-A0EA4D95258C}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AA96580D-CA8A-4DBE-B7F8-7F70703C6900}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{69E764E4-ACC1-4FB3-B3B9-98C37C86591D}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{CC6F53D2-06BF-4874-A715-ABC5C5A5483E}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{942EA83F-9626-47B4-B950-802E731E9580}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3CE2E706-6404-48E0-A01B-A05B6663A497}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{322ADA22-AA98-4F85-85B3-7F56A43D9070}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3BA54A16-085F-4746-B23C-5D361D05F26C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{79D85419-7499-4452-9528-02F920C474C9}"= TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{66CFD9E9-10A3-495B-B527-8E3C23A0E7B6}"= inRosettaStoneLtdServices.exe:Rosetta Stone Online Component (inbound)
"{4D4E5009-0CDD-48E7-B729-E248AD1C5E13}"= RosettaStoneVersion3.exe:Rosetta Stone V3 Application (inbound)
"{228C9869-8BD0-45D3-84C8-AD3AF75C6463}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 pgsql-8.3;PostgreSQL Database Server 8.3;C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe runservice -w -N pgsql-8.3 -D C:\Program Files\PostgreSQL\8.3\data\ []
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [06/03/2008 12:22 AM]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [05/11/2007 09:28 AM]
S2 IcRecUsb;IC Recorder Driver;C:\Windows\system32\Drivers\IcRecUsb.sys [10/02/2001 01:37 AM]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [07/21/2008 11:45 AM]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [01/04/2007 03:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac09108a-d231-11dc-8a8b-001a4d4cab56}]
\shell\AutoRun\command - E:\SETUP.EXE
\shell\configure\command - E:\SETUP.EXE
\shell\install\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d85f2446-4c9c-11dc-98c6-806e6f6e6963}]
\shell\AutoRun\command - E:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5bfbe9c-40dd-11dd-af78-001a4d4cab56}]
\shell\AutoRun\command - E:\Launcher\VEdV1Launcher.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-WinampAgent - C:\Program Files\Winamp\wianmpa.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Purple\AppData\Roaming\Mozilla\Firefox\Profiles\zzlnlsg9.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
.
------- File Associations (Beta) -------
.
VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
vbefile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
vbsfile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 23:18:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Purple\AppData\Local\Temp\~DFC883.tmp 0 bytes
C:\Users\Purple\AppData\Local\Microsoft\Messenger\fieldofrainbows@hotmail.com\SharingMetadata\Working\database_D8C8_A118_C8A0_F5C2\$db_clean$ 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 08/19/2008 23:19:54
ComboFix-quarantined-files.txt 2008-08-20 05:19:31

Pre-Run: 5,733,507,072 bytes free
Post-Run: 5,701,484,544 bytes free

272 --- E O F --- 2008-08-15 09:04:13

Edited by purplepurple, 20 August 2008 - 12:23 AM.


#7 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 20 August 2008 - 11:34 AM

Hello, PurplePurple.
We need to execute a Batch File
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    @echo off
    rem Record every registered file type and the command it opens with
    Ftype >Log.txt
    rem Then dump the shell subkeys of the file types that are commonly hijacked
    For %%g in (
    batfile
    cmdfile
    comfile
    exefile
    piffile
    scrfile
    regedit
    regfile
    txtfile
    chm.file
    inffile
    inifile
    VBEFile
    VBSFile
    JSEFile
    JSFile
    ) do @swreg query "hkcr\%%g\shell" /s >>Log.txt
    start Notepad Log.txt
    del fix.bat
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
A report will be produced. Please SAVE this report (using File -> Save As) to your desktop or another location where you can find it.

We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/161722/cant-get-rid-of-firefox-google-hijack/?p=917762
  • Where it says "Browse to the file you want to submit", press the "Browse" button, and browse to the report you saved earlier.
  • Press the Posted Image button.
Please DO NOT post that log as a reply, simply upload it as explained above.

Good luck!

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
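A small checker for the kind of report that batch file produces, added here as an example (it is not part of this thread and not one of the team's tools): it parses ftype-style `type=command` lines, extracts the program each handler launches, and flags executable file types whose handler is not the stock Windows default, which is what a file-association hijack looks like. The default-handler table and the sample lines, including the hijacked exefile entry, are assumptions constructed for this example.

```python
"""Flag hijacked file-type handlers in ftype-style output (added example)."""

# Expected "open" handler for each file type as shipped by default on
# Windows XP/Vista, as lower-case basenames.  "%1" means the file itself is
# run directly, which is the default for executable types.  Assumption: this
# table reflects stock defaults; types not listed are reported as unknown.
EXPECTED_HANDLER = {
    "batfile": {"%1"},
    "cmdfile": {"%1"},
    "comfile": {"%1"},
    "exefile": {"%1"},
    "piffile": {"%1"},
    "scrfile": {"%1"},
    "regfile": {"regedit.exe"},
    "txtfile": {"notepad.exe"},
    "inffile": {"notepad.exe"},
    "inifile": {"notepad.exe"},
    "chm.file": {"hh.exe"},
    "vbefile": {"wscript.exe", "cscript.exe"},
    "vbsfile": {"wscript.exe", "cscript.exe"},
    "jsefile": {"wscript.exe", "cscript.exe"},
    "jsfile": {"wscript.exe", "cscript.exe"},
}

# Constructed sample in the format ftype prints; the exefile line is a
# made-up hijack (a foreign program wrapped around "%1").  The last line uses
# the ProgID\shell\open\command form that ComboFix prints.
SAMPLE_FTYPE_OUTPUT = r"""
batfile="%1" %*
exefile="C:\ProgramData\example-hijack.exe" "%1" %*
regfile=regedit.exe "%1"
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
"""


def parse_ftype_line(line):
    """Split one 'type=command' line into (file type, command), or None."""
    line = line.strip()
    if not line or "=" not in line:
        return None
    ftype, command = line.split("=", 1)
    # Reduce 'vbsfile\shell\open\command' to the bare ProgID.
    ftype = ftype.split("\\", 1)[0].strip().lower()
    return ftype, command.strip()


def handler_program(command):
    """Return the program a command template launches as a lower-case basename."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split(None, 1)[0] if command else ""
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_file_associations(text):
    """Return (type, program, reason) for every handler that is not a known default."""
    findings = []
    for line in text.splitlines():
        parsed = parse_ftype_line(line)
        if parsed is None:
            continue
        ftype, command = parsed
        program = handler_program(command)
        allowed = EXPECTED_HANDLER.get(ftype)
        if allowed is None:
            findings.append((ftype, program, "unknown type"))
        elif program not in allowed:
            findings.append((ftype, program, "unexpected handler"))
    return findings


if __name__ == "__main__":
    for ftype, program, reason in check_file_associations(SAMPLE_FTYPE_OUTPUT):
        print(f"{ftype}: {reason} ({program})")
```

Feed it the Log.txt from the batch file above (or the File Associations section of a ComboFix log) instead of the sample to check a real machine.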

#8 purplepurple

  • Topic Starter
  • Members
  • 15 posts

Posted 20 August 2008 - 12:46 PM

Uploaded per your instructions.

#9 Billy O'Neal

Posted 20 August 2008 - 01:42 PM

Alright. Thank you. It may be a day or so before we have a chance to look through that report completely. Rest assured I haven't forgotten about you and we're working on that as fast as possible.

Billy3

#10 Billy O'Neal

Posted 20 August 2008 - 10:24 PM

Hello, PurplePurple.

Have another one for ya:

We need to execute a Batch File
  • Go to Start -> Run, and type "notepad" into the box.
  • Press ok.
  • Copy and paste the following code into notepad:
    @echo off
    rem List each system location showing creation times (/tc), oldest first (/od),
    rem including hidden and system entries (/a), and collect everything in Log.txt
    (
    dir /a/tc/od "%systemroot%\system32\drivers"
    dir /a/tc/od "%systemroot%\system32"
    dir /a/tc/od "%systemroot%\system32\dllcache"
    dir /a/tc/od "%systemroot%\system"
    dir /a/tc/od "%systemroot%"
    dir /a/tc/od "%systemdrive%\"
    dir /a/tc/od "%commonprogramfiles%"
    dir /a/tc/od "%programfiles%"
    )>Log.txt
    Start Notepad Log.txt
    del fix.bat
  • Go to File -> Save
  • To the right of "Save as Type:" in the bottom of the window, change the ComboBox to "All Files"
  • Enter fix.bat into the "File name:" box just above the "Save as Type" box.
  • Double click fix.bat on your desktop.
A report will be produced. Please SAVE this report (using File -> Save As) to your desktop or another location where you can find it.

We need to upload a file for further inspection
  • Please go to this page.
  • Where it asks for the "Link to where the file was requested" copy and paste in
    http://www.bleepingcomputer.com/forums/t/161722/cant-get-rid-of-firefox-google-hijack/?p=917762
  • Where it says "Browse to the file you want to submit", press the "Browse" button, and browse to the report you saved earlier.
  • Press the Posted Image button.
Please DO NOT post that log as a reply, simply upload it as explained above.

Good luck!

Also curious: How many times was that message spammed across the screen?

Billy3

#11 purplepurple

Posted 21 August 2008 - 12:19 AM

Uploaded again per your request, and thanks for the help.

#12 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 21 August 2008 - 07:34 AM

How many times was that message spammed across the screen?

Hello, please run ComboFix once more & tell us how many times those error messages were spammed across the screen.

#13 purplepurple

Posted 21 August 2008 - 03:14 PM

I ran it again and it downloaded a new version when I started it, the screen flashed and it rebooted the first time before it got to the stages. Ran it again when the computer came back up and it spammed that message 20-25 times and actually completed the log on the second try this time.

Below's the log, fwiw.

P.S. Firefox google searches are def still hijacked. It's also worth noting it only hijacks the main google search, things like news and images aren't hijacked.

==

ComboFix 08-08-19.06 - Purple 08/21/2008 14:06:56.5 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2253 [GMT -6:00]
Running from: C:\Users\Purple\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 20:06 --------- d-----w C:\Users\Purple\AppData\Roaming\Skype
2008-08-21 20:05 --------- d-----w C:\Users\Purple\AppData\Roaming\skypePM
2008-08-21 20:00 --------- d-----w C:\Users\Purple\AppData\Roaming\Azureus
2008-08-21 08:14 --------- d-----w C:\Users\Purple\AppData\Roaming\FileZilla
2008-08-21 03:00 --------- d-----w C:\Program Files\Common Files\Canon
2008-08-21 02:48 --------- d-----w C:\Users\Purple\AppData\Roaming\Canon
2008-08-21 02:46 --------- d-----w C:\Program Files\Canon
2008-08-20 23:04 0 ----a-w C:\Windows\system32\drivers\lvuvc.hs
2008-08-20 23:01 --------- d-----w C:\Program Files\Poker Tracker Omaha
2008-08-20 22:34 --------- d-----w C:\Program Files\Full Tilt Poker
2008-08-20 18:51 --------- d-----w C:\Program Files\Poker Tracker V2
2008-08-15 09:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-15 09:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-09 02:48 --------- d-----w C:\Users\Purple\AppData\Roaming\Microgaming
2008-08-03 05:31 691 ----a-w C:\Users\Purple\AppData\Roaming\GetValue.vbs
2008-08-03 05:31 35 ----a-w C:\Users\Purple\AppData\Roaming\SetValue.bat
2008-08-03 05:31 3,900 ----a-w C:\Windows\System32\tmp.reg
2008-08-03 04:26 --------- d-----w C:\Program Files\Trend Micro
2008-08-03 04:25 --------- d-----w C:\Program Files\PokerEV
2008-08-02 01:01 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-07-30 19:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-30 02:40 --------- d-----w C:\ProgramData\Avira
2008-07-30 02:40 --------- d-----w C:\Program Files\Avira
2008-07-30 01:07 --------- d-----w C:\Program Files\Celeb Poker
2008-07-29 17:23 --------- d-----w C:\Program Files\Steam
2008-07-29 17:22 --------- d-----w C:\Users\Purple\AppData\Roaming\OpenOffice.org2
2008-07-29 01:49 --------- d-----w C:\Program Files\FileZilla Client
2008-07-28 23:10 --------- d-----w C:\ProgramData\FLEXnet
2008-07-28 23:04 --------- d-----w C:\Program Files\Bonjour
2008-07-28 22:42 --------- d-----w C:\Program Files\PowerISO
2008-07-27 01:42 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-07-25 02:25 --------- d-----w C:\ProgramData\avg8
2008-07-25 02:06 --------- d-----w C:\Program Files\Common Files\Steam
2008-07-24 02:11 --------- d-----w C:\Program Files\AVG
2008-07-21 17:49 --------- d-----w C:\Program Files\Common Files\Logitech
2008-07-21 17:49 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-07-21 17:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 01:32 2,048 ----a-w C:\Windows\System32\tzres.dll
2008-07-13 23:06 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-07-13 20:26 --------- d-----w C:\Program Files\UltimateBet
2008-07-09 06:21 174 --sha-w C:\Program Files\desktop.ini
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Sidebar
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Journal
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Defender
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Collaboration
2008-07-09 06:13 --------- d-----w C:\Program Files\Windows Calendar
2008-07-09 06:03 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-07-09 06:03 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-07-09 05:44 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-07-09 05:44 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-07-09 03:03 --------- d-----w C:\ProgramData\media center programs
2008-07-09 02:05 --------- d-----w C:\ProgramData\Funcom
2008-07-07 07:40 56,108 ----a-w C:\Windows\system32\drivers\scdemu.sys
2008-07-07 06:02 --------- d---a-w C:\ProgramData\TEMP
2008-07-07 01:55 --------- d---a-w C:\Program Files\Cake Poker
2008-07-06 13:09 --------- d-----w C:\Program Files\Azureus
2008-07-06 02:32 --------- d-----w C:\Program Files\DC++
2008-07-06 01:59 --------- d-----w C:\ProgramData\Rosetta Stone
2008-07-06 01:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-06 01:14 --------- d-----w C:\Program Files\Rosetta Stone
2008-07-05 08:30 --------- d-----w C:\Program Files\The Rosetta Stone
2008-07-04 04:18 --------- d-----w C:\Program Files\Common Files\Skype
2008-07-02 19:33 82,432 ----a-w C:\Windows\System32\IEDFix.C.exe
2008-06-29 23:48 --------- d-----w C:\Program Files\ATI
2008-06-29 23:42 --------- d-----w C:\ProgramData\ATI
2008-06-29 23:35 --------- d-----w C:\Program Files\ATI Technologies
2008-06-29 22:57 --------- d-----w C:\Users\Purple\AppData\Roaming\Binary Fortress Software
2008-06-29 22:55 --------- d-----w C:\Program Files\DisplayFusion
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 02:36 --------- d-----w C:\Program Files\QuickTime
2008-06-26 02:35 --------- d-----w C:\ProgramData\Apple Computer
2008-06-26 02:34 --------- d-----w C:\ProgramData\Apple
2008-06-26 02:34 --------- d-----w C:\Program Files\Apple Software Update
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-25 04:19 --------- d-----w C:\Program Files\PokerStars
2008-06-24 21:01 --------- d-----w C:\ProgramData\Cake Poker
2008-06-23 04:39 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-06-23 00:40 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-06-23 00:21 --------- d-----w C:\Program Files\ISO Commander
2008-06-23 00:17 --------- d-----w C:\ProgramData\QuickTime
2008-06-22 03:02 --------- d-----w C:\ProgramData\Yahoo!
2008-06-22 03:00 --------- d-----w C:\Program Files\Yahoo!
2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-03 03:35 413,696 ----a-w C:\Windows\System32\ATIDEMGX.dll
2008-06-03 03:35 327,680 ----a-w C:\Windows\System32\atipdlxx.dll
2008-06-03 03:35 159,744 ----a-w C:\Windows\System32\atitmmxx.dll
2008-06-03 03:34 43,520 ----a-w C:\Windows\System32\ati2edxx.dll
2008-06-03 03:34 266,240 ----a-w C:\Windows\System32\Ati2evxx.dll
2008-06-03 03:34 262,144 ----a-w C:\Windows\System32\Oemdspif.dll
2008-06-03 03:33 684,032 ----a-w C:\Windows\System32\Ati2evxx.exe
2008-06-03 03:19 3,401,216 ----a-w C:\Windows\System32\atiumdag.dll
2008-06-03 03:02 4,398,080 ----a-w C:\Windows\System32\atiumdva.dll
2008-06-03 02:50 49,664 ----a-w C:\Windows\System32\amdpcom32.dll
2008-06-03 02:49 32,256 ----a-w C:\Windows\System32\atiadlxx.dll
2008-06-03 02:48 10,043,392 ----a-w C:\Windows\System32\atioglxx.dll
2008-05-29 15:35 86,528 ----a-w C:\Windows\System32\VACFix.exe
.

((((((((((((((((((((((((((((( snapshot@Tue 08-19-2008_23.18.41.58 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-10 05:47:57 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-08-21 02:47:42 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-08-10 05:47:56 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-08-21 02:47:41 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-08-10 05:47:57 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-08-21 02:47:42 143,360 ----a-w C:\Windows\inf\infstrng.dat
- 2008-08-20 05:06:49 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-21 20:03:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-20 05:06:49 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-21 20:03:28 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-20 05:07:32 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-21 20:05:11 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-20 05:09:16 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-21 20:04:26 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-21 20:04:26 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-08-20 02:46:02 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-21 02:46:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-20 02:46:02 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-21 02:46:04 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 02:46:02 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-21 02:46:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-20 04:51:46 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-08-21 20:00:53 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2006-07-07 18:13:56 180,224 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\CNDCRUSB.dll
+ 2005-06-01 21:45:38 40,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\CNDNDlg.exe
+ 2006-07-07 18:13:44 163,840 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\CNDURUSB.dll
+ 2006-07-05 19:17:08 212,992 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\DSLLRUSB.dll
+ 2005-02-01 15:33:38 356,352 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\rcDcd.dll
+ 2005-02-01 15:33:38 270,336 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_3krn.inf_88fbef60\rcParse.dll
+ 2006-07-07 18:13:56 180,224 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\CNDCRUSB.dll
+ 2005-06-01 21:45:38 40,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\CNDNDlg.exe
+ 2006-07-07 18:13:44 163,840 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\CNDURUSB.dll
+ 2006-07-05 19:17:08 212,992 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\DSLLRUSB.dll
+ 2005-02-01 15:33:38 356,352 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\rcDcd.dll
+ 2005-02-01 15:33:38 270,336 ----a-w C:\Windows\System32\DriverStore\FileRepository\cap_5d.inf_61c8c33c\rcParse.dll
- 2008-08-20 05:13:59 105,448 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-08-21 20:10:00 105,448 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-20 05:13:59 599,942 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-08-21 20:10:00 599,942 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-20 05:09:25 9,868 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2049230628-377949977-3238098125-1000_UserData.bin
+ 2008-08-21 20:05:32 9,916 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2049230628-377949977-3238098125-1000_UserData.bin
- 2008-08-20 05:09:17 57,548 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-21 20:05:32 57,720 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [10/18/2007 11:34 AM 5724184]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 02:21 PM 50528]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM 21718312]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM 1233920]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [04/01/2008 03:39 AM 486856]
"DisplayFusion"="C:\Program Files\DisplayFusion\DisplayFusion.exe" [04/27/2008 10:13 AM 548528]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/18/2008 11:33 PM 202240]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM 4670704]
"WindowsWelcomeCenter"="oobefldr.dll" [01/18/2008 11:36 PM 2153472 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe" [04/26/2007 02:54 PM 774168]
"Launch LGDCore"="C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" [04/26/2007 03:22 PM 1132056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM 132496]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 04:33 PM 563984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM 39792]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 09:52 PM 483328]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM 33648]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [01/21/2008 12:17 PM 61440]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM 266497]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM 76304 C:\Windows\KHALMNPR.Exe]
"CTHelper"="CTHELPER.EXE" [05/10/2007 02:51 PM 19456 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [05/10/2007 02:52 PM 19968 C:\Windows\System32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="C:\Windows\system32\READREG" [X]
"CtxfiReg"="CTXFIREG.exe" [05/10/2007 02:48 PM 43520 C:\Windows\System32\CTXFIREG.EXE]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\Windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [1/8/2008 2:28:31 AM 25214]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [7/21/2008 11:49:20 AM 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [08/17/2006 03:57 PM 86016]

[HKLM\~\startupfolder\C:^Users^Purple^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Purple\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 10/25/2007 04:37 PM 2178832 C:\Program Files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
--a------ 04/28/2008 08:27 PM 2285568 C:\Program Files\Mikogo\Mikogo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 05/27/2008 10:50 AM 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 03/31/2008 05:57 PM 1271032 c:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 11/19/2007 11:25 AM 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 10/24/2005 05:53 PM 307200 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C87F9CBC-1D8D-4F13-8952-45C873886CE4}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{AB03C224-8C5E-4E88-A1BB-25E89883F04A}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A94DE1D-C3CE-488B-8F95-47E5590D8D8D}"= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
"{F5D3A09C-0E0B-4752-9D9A-5D4C0B5CB147}"= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
"TCP Query User{085F0A64-BC94-4930-8D69-FA2429D4B8B6}C:\\program files\\steam\\steamapps\\purplelight\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\purplelight\day of defeat source\hl2.exe:hl2
"UDP Query User{A4465529-3993-4F4E-8BED-9ADB7746A445}C:\\program files\\steam\\steamapps\\purplelight\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\purplelight\day of defeat source\hl2.exe:hl2
"TCP Query User{6295CC0F-E75E-4868-9DC0-5677ED8A3F7D}C:\\users\\purple\\desktop\\acidmax2120\\mirc.exe"= UDP:C:\users\purple\desktop\acidmax2120\mirc.exe:mirc.exe
"UDP Query User{95530623-8E3C-4EB5-B8F3-3A7E42EE205D}C:\\users\\purple\\desktop\\acidmax2120\\mirc.exe"= TCP:C:\users\purple\desktop\acidmax2120\mirc.exe:mirc.exe
"TCP Query User{019CE703-E609-459C-BD73-50C997EAA3B7}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{DF021826-272F-451B-A627-26F1A5052A9E}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{95E32606-D5AC-40F3-9C4B-9FC2F9E2B4D9}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"UDP Query User{310CB42C-269F-444A-9D66-7EFEC97FBFA4}C:\\program files\\world of warcraft\\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.1.3.6898-to-2.2.0.7272-enus-downloader.exe:Blizzard Downloader
"TCP Query User{6F116502-36C4-419F-932E-B8B8AB868094}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"UDP Query User{EF2AFE4B-9F33-4E24-9C0C-7B0D86180A64}C:\\program files\\world of warcraft\\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.0.7272-to-2.2.2.7318-enus-downloader.exe:Blizzard Downloader
"{81D7A93B-2F3A-4038-BD1D-69435319AB76}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{19D1A13D-9E12-49EB-9F7F-C2F63CC05FBF}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1D3CA8EC-6F52-41BA-924E-FBBCAAF04D35}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D267949-16B5-42D5-8938-7709828BC887}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7DE46056-3D4D-45B7-A3F5-857A3A26D64F}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4853D0CA-5556-4CCD-A0A0-C422277EC2FA}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{E4D73A7F-FA0C-427A-BAB6-8153776074F9}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{964FB068-5950-42F4-A1ED-24E7813C60F9}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{234A334B-DCCD-4EA1-A1E8-8D68E0BBE557}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{B31D1526-28F2-4764-88E0-1FDC0ED44427}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{506B7391-3E7E-4097-819F-145F68A03F78}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{F7E0C036-7593-4B3A-B867-A0EA4D95258C}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{AA96580D-CA8A-4DBE-B7F8-7F70703C6900}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{69E764E4-ACC1-4FB3-B3B9-98C37C86591D}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{CC6F53D2-06BF-4874-A715-ABC5C5A5483E}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{942EA83F-9626-47B4-B950-802E731E9580}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3CE2E706-6404-48E0-A01B-A05B6663A497}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{322ADA22-AA98-4F85-85B3-7F56A43D9070}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{3BA54A16-085F-4746-B23C-5D361D05F26C}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{79D85419-7499-4452-9528-02F920C474C9}"= TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{66CFD9E9-10A3-495B-B527-8E3C23A0E7B6}"= inRosettaStoneLtdServices.exe:Rosetta Stone Online Component (inbound)
"{4D4E5009-0CDD-48E7-B729-E248AD1C5E13}"= RosettaStoneVersion3.exe:Rosetta Stone V3 Application (inbound)
"{228C9869-8BD0-45D3-84C8-AD3AF75C6463}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 pgsql-8.3;PostgreSQL Database Server 8.3;C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe runservice -w -N pgsql-8.3 -D C:\Program Files\PostgreSQL\8.3\data\ []
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [06/03/2008 12:22 AM]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [05/11/2007 09:28 AM]
S2 IcRecUsb;IC Recorder Driver;C:\Windows\system32\Drivers\IcRecUsb.sys [10/02/2001 01:37 AM]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [07/21/2008 11:45 AM]
S4 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [01/04/2007 03:38 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac09108a-d231-11dc-8a8b-001a4d4cab56}]
\shell\AutoRun\command - E:\SETUP.EXE
\shell\configure\command - E:\SETUP.EXE
\shell\install\command - E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d85f2446-4c9c-11dc-98c6-806e6f6e6963}]
\shell\AutoRun\command - E:\Run.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5bfbe9c-40dd-11dd-af78-001a4d4cab56}]
\shell\AutoRun\command - E:\SETUP.EXE
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Purple\AppData\Roaming\Mozilla\Firefox\Profiles\zzlnlsg9.default\
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-21 14:10:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 08/21/2008 14:12:55
ComboFix-quarantined-files.txt 2008-08-21 20:12:24
ComboFix2.txt 2008-08-20 05:19:56

Pre-Run: 8,845,889,536 bytes free
Post-Run: 8,863,899,648 bytes free

299 --- E O F --- 2008-08-15 09:04:13

Edited by purplepurple, 21 August 2008 - 03:17 PM.


#14 sUBs

sUBs

  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:05:52 AM

Posted 21 August 2008 - 03:28 PM

Ran it again when the computer came back up and it spammed that message 20-25 times

Can you recollect which stage those error messages started appearing?

#15 purplepurple

purplepurple
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:05:52 PM

Posted 21 August 2008 - 03:53 PM

Ran it again when the computer came back up and it spammed that message 20-25 times

Can you recollect which stage those error messages started appearing?


Yeah, it's as soon as it goes into the log compilation phase, after it finishes the multiple stages part.



