
Google Hijack (Firefox/IE)


17 replies to this topic

#1 BarbarianSteve (Members, 20 posts)
Posted 13 February 2009 - 04:08 AM

I've spent all night trying to get rid of this particular problem, and have been through half a dozen virus/malware scanning programs, a ComboFix cycle, multiple HJTs, and an attempt at a Kaspersky online scan (which failed to update), and still the problem persists. I've tried following other users' threads with the same problem, but I'm at the end of my rope with this particular issue and am finally asking for outside help.

DDS log and attach.txt are below.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 3:02:21.09 on Fri 02/13/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1431 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CachemanXP\CachemanXP.exe
e:\installed\utilities\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
E:\Installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\installed\DAEMON Tools Lite\daemon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
E:\Installed\utilities\Logitech\SetPoint\SetPoint.exe
E:\Utilities\ipmsg206\ipmsg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Installed\utils\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://forums.somethingawful.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [SkinClock] e:\installed\utils\atomic alarm clock\AtomicAlarmClock.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Google Update] "c:\documents and settings\owner.steve-5b99b5dca\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DAEMON Tools Lite] "e:\installed\daemon tools lite\daemon.exe" -autorun
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "e:\installed\utilities\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\owner~1.ste\startm~1\programs\startup\shortc~1.lnk - e:\utilities\ipmsg206\ipmsg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - e:\installed\utilities\logitech\setpoint\SetPoint.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Trusted Zone: hotmail.com
Trusted Zone: trendmicro.com
Trusted Zone: whilst.org
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.ste\applic~1\mozilla\firefox\profiles\03lm59w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\owner.steve-5b99b5dca\application data\mozilla\firefox\profiles\03lm59w5.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: e:\installed\utils\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\owner.steve-5b99b5dca\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: e:\installed\download manager\npfpdlm.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\installed\utilities\quicktime\plugins\npqtplugin7.dll
FF - plugin: e:\installed\utils\acrobat reader 8.0\reader\browser\nppdf32.dll
FF - plugin: e:\installed\utils\mozilla firefox\plugins\npWebLaunch.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-13 64160]
R2 CachemanXPService;CachemanXP;c:\program files\cachemanxp\CachemanXP.exe [2007-9-9 208384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
S1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\sshdrv85.sys --> c:\windows\system32\drivers\SSHDRV85.sys [?]
S3 jatmlano;jatmlano;\??\c:\docume~1\owner~1.ste\locals~1\temp\jatmlano.sys --> c:\docume~1\owner~1.ste\locals~1\temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2007-5-10 166720]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]

=============== Created Last 30 ================

2009-02-13 02:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 02:26 161,792 a------- c:\windows\SWREG.exe
2009-02-13 02:26 98,816 a------- c:\windows\sed.exe
2009-02-13 02:19 <DIR> --d----- c:\program files\Trend Micro
2009-02-13 01:31 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-13 01:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-13 01:19 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-23 22:17 <DIR> --d----- c:\program files\AM Std
2009-01-20 06:07 604 -------- c:\windows\Sof2.INI
2009-01-18 08:53 <DIR> --d----- C:\Google
2009-01-17 12:39 <DIR> --d----- c:\docume~1\owner~1.ste\applic~1\Unity
2009-01-17 12:38 <DIR> --d----- c:\program files\Unity
2009-01-16 11:40 <DIR> --d----- c:\docume~1\owner~1.ste\applic~1\Command & Conquer 3 Kane's Wrath

==================== Find3M ====================

2009-02-08 13:29 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-02-08 13:29 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-01-10 22:14 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-01 17:48 279,712 a------- c:\windows\system32\drivers\atksgt.sys
2008-12-12 01:48 12,067 a------t c:\windows\system32\SIntf16.dll
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-11-25 17:00 51,472 a------- c:\windows\system32\imagecfg.exe
2008-10-22 11:09 22,328 a------- c:\docume~1\owner~1.ste\applic~1\PnkBstrK.sys
2003-12-18 10:33 20,102 a------- c:\program files\Readme.txt
2003-09-03 06:46 10,960 a------- c:\program files\EULA.txt

============= FINISH: 3:02:41.89 ===============

Edited by BarbarianSteve, 13 February 2009 - 04:13 AM.


#2 teacup61, "Bleepin' Texan!" (Malware Response Team, 17,075 posts; Wills Point, Texas)
Posted 13 February 2009 - 05:09 PM

Hello BarbarianSteve,


Could you please post the original ComboFix report? :thumbup2: I'd like to see what was removed already. If not, then please have another run with it and post the report.

Thanks,
tea

#3 BarbarianSteve, Topic Starter (Members, 20 posts)
Posted 13 February 2009 - 11:16 PM

I will post a combofix log post haste the moment I'm able to break away from real life. Thank you for being here to help. :thumbup2:

#4 BarbarianSteve, Topic Starter (Members, 20 posts)
Posted 14 February 2009 - 09:54 AM

Current ComboFix log.txt
Also, going to bed now, I shall be back later





ComboFix 09-02-12.03 - Owner 2009-02-14 8:48:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1752 [GMT -6:00]
Running from: c:\documents and settings\Owner.STEVE-5B99B5DCA\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxdxcbadeo.sys
c:\windows\system32\drivers\gaopdxpuyxwjpu.sys
c:\windows\system32\gaopdxeiuympfd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-13 04:01 . 2009-02-13 04:01 <DIR> d-------- c:\program files\jv16 PowerTools 2009
2009-02-13 04:01 . 2009-02-13 04:01 23 --ahs---- c:\windows\system32\edacded0_x.dat
2009-02-13 04:01 . 2009-02-13 04:01 23 --a------ c:\windows\system32\bcdadac7_x.xml
2009-02-13 03:52 . 2009-02-13 03:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 03:52 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 03:52 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 02:19 . 2009-02-13 02:19 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 01:31 . 2009-01-18 15:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-13 01:20 . 2009-01-18 15:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-13 01:19 . 2009-02-13 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-13 01:19 . 2009-02-13 01:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-13 01:05 . 2009-02-13 08:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-27 18:51 . 2009-01-27 19:52 <DIR> d-------- c:\program files\Trillian
2009-01-23 22:17 . 2009-01-23 22:17 <DIR> d-------- c:\program files\AM Std
2009-01-23 19:55 . 2009-01-23 19:55 <DIR> d-------- c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\teamspeak2
2009-01-20 06:07 . 2009-01-21 06:22 604 --------- c:\windows\Sof2.INI
2009-01-18 08:53 . 2009-01-18 08:53 <DIR> d-------- C:\Google
2009-01-17 12:39 . 2009-01-17 12:39 <DIR> d-------- c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Unity
2009-01-17 12:38 . 2009-01-17 12:38 <DIR> d-------- c:\program files\Unity
2009-01-16 11:40 . 2009-01-16 11:40 <DIR> d-------- c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Command & Conquer 3 Kane's Wrath

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-13 21:52 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Azureus
2009-02-13 07:19 --------- d-----w c:\program files\Lavasoft
2009-02-08 19:29 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-08 19:29 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-08 16:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-08 16:07 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\OpenOffice.org2
2009-02-02 04:14 --------- d-----w c:\program files\Postal2
2009-02-02 04:12 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-01-29 22:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-29 22:49 --------- d-----w c:\program files\AGEIA Technologies
2009-01-24 05:53 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\IGN_DLM
2009-01-24 01:55 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-18 14:52 --------- d-----w c:\program files\Google
2009-01-11 04:18 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools Lite
2009-01-11 04:17 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools Pro
2009-01-11 04:17 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools
2009-01-11 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-11 04:14 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-10 20:35 --------- d-----w c:\program files\MSN Messenger
2009-01-10 20:34 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-10 20:34 --------- d-----w c:\program files\Microsoft
2009-01-10 20:33 --------- d-----w c:\program files\Windows Live
2009-01-10 20:29 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-09 07:15 --------- d-----w c:\documents and settings\All Users\Application Data\Media Center Programs
2009-01-05 20:58 --------- d-----w c:\program files\TSO
2009-01-01 23:48 279,712 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-12-12 07:48 12,067 ----atw c:\windows\system32\SIntf16.dll
2008-12-03 04:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-11-25 23:00 51,472 ----a-w c:\windows\system32\imagecfg.exe
2008-10-22 17:09 22,328 ----a-w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\PnkBstrK.sys
2003-12-18 16:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 12:46 10,960 ----a-w c:\program files\EULA.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="e:\installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-06-11 1737216]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Google Update"="c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"DAEMON Tools Lite"="e:\installed\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="e:\installed\utilities\QuickTime\qttask.exe" [2006-09-01 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2006-01-01 159744]

c:\documents and settings\Owner.STEVE-5B99B5DCA\Start Menu\Programs\Startup\
Shortcut to ipmsg.lnk - e:\utilities\ipmsg206\ipmsg.exe [2004-09-08 159744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - e:\installed\utilities\Logitech\SetPoint\SetPoint.exe [2008-11-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 e:\installed\utils\Acrobat Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-04 04:16 133104 c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-08-01 12:36 1103216 c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-10 21:56 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 12:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 e:\installed\utilities\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 02:01 32768 e:\installed\utilities\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 23:24 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
--a------ 2007-09-26 17:05 734264 c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2005-01-07 19:07 61952 c:\windows\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 12:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\installed\utilities\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Utilities\\ipmsg206\\ipmsg.exe"=
"e:\\Installed\\utils\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Installed\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Installed\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Installed\\ArmA\\arma.exe"=
"e:\\Installed\\STALKER\\bin\\XR_3DA.exe"=
"e:\\Installed\\STALKER\\bin\\dedicated\\XR_3DA.exe"=
"e:\\Installed\\Hellgate London\\Launcher.exe"=
"e:\\Installed\\STALKER CLEAR SKY\\bin\\xrEngine.exe"=
"e:\\Installed\\STALKER CLEAR SKY\\bin\\dedicated\\xrEngine.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FC2Editor.exe"=
"e:\\Installed\\Star Wars Empire at war\\swfoc.exe"=
"e:\\Installed\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"e:\\Installed\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"e:\\Installed\\SWAT 4\\Content\\System\\Swat4.exe"=
"e:\\Installed\\steam\\steamapps\\lljkdeadweight\\synergy\\hl2.exe"=
"e:\\Installed\\steam\\steamapps\\lljkdeadweight\\zombie panic! source\\hl2.exe"=
"e:\\Installed\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"e:\\Games\\Images & Install\\Left 4 Dead\\left4dead.exe"=
"e:\\Installed\\Tribes2\\GameData\\Tribes2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Installed\\Tribes Vengeance\\Program\\Bin\\TV_CD_DVD.exe"=
"e:\\Installed\\Boiling Point\\Xenus.exe"=
"e:\\Installed\\Soldier of Fortune Payback\\sof3.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-13 64160]
R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-09-09 208384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\SSHDRV85.sys --> c:\windows\system32\drivers\SSHDRV85.sys [?]
S3 jatmlano;jatmlano;\??\c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2007-05-10 166720]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3bbcfd6-2a59-11dc-962f-0018f3f0a45a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-02-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 15:34]

2009-02-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-682003330-455379687-1003.job
- c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:16]

2007-07-21 c:\windows\Tasks\Super Fast Reboot.job
- c:\progra~1\SUPERF~1\restart.exe [2004-05-05 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.somethingawful.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: hotmail.com
Trusted Zone: trendmicro.com
Trusted Zone: whilst.org
FF - ProfilePath - c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Mozilla\Firefox\Profiles\03lm59w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Mozilla\Firefox\Profiles\03lm59w5.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: e:\installed\utils\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: e:\installed\Download Manager\npfpdlm.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: e:\installed\utils\Acrobat Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\installed\utils\Mozilla Firefox\plugins\npWebLaunch.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 08:51:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19CA61FA-71F7-DC99-4F3D-FF6698238E11}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,e8,cc,d2,44,a4,4d,e0,5f,86,84,17,f4,2d,5c,ab,5f,c1,eb,7e,f6,d0,74,
6a,18,4d,c4,f9,83,c4,1b,b2,56,c3,9c,44,f2,c1,87,5a,35,3d,af,d2,0c,c0,5f,13,\
"??"=hex:71,87,e1,30,9d,f8,f3,0f,02,01,6d,23,81,92,d0,f9

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\SecuROM\License information*]
"datasecu"=hex:53,17,6a,22,ef,b7,51,a0,eb,52,35,83,14,8d,d9,b2,58,8b,65,39,0d,
e3,56,8d,0c,89,61,ac,af,a6,2c,7a,7f,f7,a5,68,cc,10,2b,f5,15,c3,ae,8b,34,53,\
"rkeysecu"=hex:ef,f8,9c,65,19,43,a2,df,4a,12,51,be,2c,38,c1,0a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-02-14 8:53:06
ComboFix-quarantined-files.txt 2009-02-14 14:53:04
ComboFix2.txt 2009-02-13 08:37:38

Pre-Run: 10,069,463,040 bytes free
Post-Run: 10,064,150,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /3GB /Userva=2900 /usepmtimer

278 --- E O F --- 2008-07-09 20:00:00

Edited by BarbarianSteve, 14 February 2009 - 10:14 AM.
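The DDS services list in post #1 and the ComboFix log in post #4 carry the indicators a responder keys on: a driver registered from the user's Temp directory (jatmlano.sys), a driver whose image is a .tmp file in system32 (MEMSWEEP2), system-start drivers the tool could not stat (the `[?]` entries), Security Center overrides set and the firewall off in the standard profile, and, in the "Other Deletions" block, a gaopdx-prefixed driver/DLL set, a naming pattern widely associated with the TDSS rootkit family, which fits the search redirection and blocked updates the poster describes. The script below is an added example, not part of the thread and not from the DDS or ComboFix tools: it parses lines in the shape those tools print and returns a triage list. The sample input is constructed from a subset of the entries posted above (not the full log), and the rule set and finding strings are my own choices, not anything the tools emit.

```python
import re
import sys

# Constructed sample input. The line shapes are those of the DDS
# "SERVICES / DRIVERS" section and the ComboFix "Reg Loading Points"
# dump posted in this thread; a subset of the real entries is used,
# so this is illustrative data, not the full log.
SAMPLE_LOG = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-13 64160]
R2 CachemanXPService;CachemanXP;c:\program files\cachemanxp\CachemanXP.exe [2007-9-9 208384]
S1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\sshdrv85.sys --> c:\windows\system32\drivers\SSHDRV85.sys [?]
S3 jatmlano;jatmlano;\??\c:\docume~1\owner~1.ste\locals~1\temp\jatmlano.sys --> c:\docume~1\owner~1.ste\locals~1\temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2007-5-10 166720]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "R0 Name;Display;image [date size]"  or  "S3 Name;Display;registered --> resolved [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
TEMP_DIRS = ("\\temp\\", "\\tmp\\")
EARLY_START = ("R0", "S0", "R1", "S1")  # boot- and system-start drivers


def parse_service_line(line):
    """Return start type, name, image path and trailing metadata for one
    service line, or None if the line is not a service entry."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest, meta = m.group("rest"), ""
    mm = META_RE.search(rest)
    if mm:
        meta, rest = mm.group("meta"), rest[: mm.start()]
    # When the tool could not stat the file it prints "registered --> resolved [?]";
    # the resolved path on the right is the one to inspect.
    path = rest.split("-->")[-1].strip()
    if path.startswith("\\??\\"):  # strip the NT object-manager prefix
        path = path[4:]
    return {"start": m.group("start"), "name": m.group("name").strip(),
            "path": path, "meta": meta}


def assess_service(svc):
    """Heuristics a responder applies by eye to a service line (my rule set)."""
    reasons = []
    low = svc["path"].lower()
    if any(d in low for d in TEMP_DIRS):
        reasons.append("driver image lives in a temp directory")
    if low.endswith(".tmp"):
        reasons.append("driver image has a .tmp extension")
    if svc["meta"] == "?":
        reasons.append("file could not be stat'ed (missing or hidden)")
        if svc["start"] in EARLY_START:
            reasons.append("boot/system-start driver with no on-disk metadata")
    return reasons


def assess_registry(lines):
    """Flag Security Center overrides and a disabled firewall in the
    REGEDIT-style dump; both are routine tampering by malware."""
    findings, key = [], ""
    for line in lines:
        km = REG_KEY_RE.match(line.strip())
        if km:
            key = km.group("key").lower()
            continue
        vm = REG_VAL_RE.match(line.strip())
        if not vm:
            continue
        name, value = vm.group("name"), vm.group("value").strip().lower()
        if ("security center" in key and name in ("AntiVirusOverride", "FirewallOverride")
                and value == "dword:00000001"):
            findings.append((name, "Security Center alerting suppressed"))
        if "firewallpolicy" in key and name == "EnableFirewall" and value.startswith("0"):
            findings.append((name, "Windows Firewall disabled in this profile"))
    return findings


def triage(text):
    """Return (item, reason) pairs for every suspicious line in the log text."""
    lines = text.splitlines()
    findings = []
    for line in lines:
        svc = parse_service_line(line)
        if svc:
            findings.extend((svc["name"], r) for r in assess_service(svc))
    findings.extend(assess_registry(lines))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py [dds_or_combofix_log.txt]; with no argument the
    # constructed sample above is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for item, reason in triage(text):
        print(f"{item:20} {reason}")
```

Every hit is a lead, not a verdict: anti-rootkit scanners and game copy-protection schemes install drivers that trip the same rules (a .tmp image in system32, a system-start driver with no file on disk), so each flagged image should be hashed and its signer checked before it goes into a ComboFix File:: block for removal. A clean Lbd.sys or s3m.sys entry with a real date and size produces nothing, which is the point of carrying the `[?]` marker through the parser rather than discarding it.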


#5 teacup61, "Bleepin' Texan!" (Malware Response Team, 17,075 posts; Wills Point, Texas)
Posted 16 February 2009 - 03:41 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\edacded0_x.dat
c:\windows\system32\bcdadac7_x.xml
c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Please also let me know how it's running now. :thumbup2:

Thanks,
tea

#6 BarbarianSteve, Topic Starter (Members, 20 posts)
Posted 16 February 2009 - 07:17 PM

It's still hijacking my search results and preventing AV/antimalware programs from updating.


Here's my ComboFix log:

ComboFix 09-02-15.01 - Owner 2009-02-16 18:10:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1534 [GMT -6:00]
Running from: c:\documents and settings\Owner.STEVE-5B99B5DCA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.STEVE-5B99B5DCA\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys
c:\windows\system32\bcdadac7_x.xml
c:\windows\system32\edacded0_x.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bcdadac7_x.xml
c:\windows\system32\edacded0_x.dat

.
((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-13 04:01 . 2009-02-13 04:01 <DIR> d-------- c:\program files\jv16 PowerTools 2009
2009-02-13 03:52 . 2009-02-13 03:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 03:52 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 03:52 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-13 02:19 . 2009-02-13 02:19 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 01:31 . 2009-01-18 15:35 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-13 01:20 . 2009-01-18 15:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-13 01:19 . 2009-02-13 01:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-13 01:19 . 2009-02-13 01:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-13 01:05 . 2009-02-15 21:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-27 18:51 . 2009-01-27 19:52 <DIR> d-------- c:\program files\Trillian
2009-01-23 22:17 . 2009-01-23 22:17 <DIR> d-------- c:\program files\AM Std
2009-01-23 19:55 . 2009-01-23 19:55 <DIR> d-------- c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\teamspeak2
2009-01-20 06:07 . 2009-01-21 06:22 604 --------- c:\windows\Sof2.INI
2009-01-18 08:53 . 2009-01-18 08:53 <DIR> d-------- C:\Google
2009-01-17 12:39 . 2009-01-17 12:39 <DIR> d-------- c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Unity
2009-01-17 12:38 . 2009-01-17 12:38 <DIR> d-------- c:\program files\Unity

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 21:04 138,784 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-02-16 21:04 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2009-02-16 21:01 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-16 17:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-16 16:12 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Azureus
2009-02-16 03:44 22,328 ----a-w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\PnkBstrK.sys
2009-02-15 09:54 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools Pro
2009-02-15 08:33 --------- d-----w c:\documents and settings\All Users\Application Data\Ubisoft
2009-02-13 07:19 --------- d-----w c:\program files\Lavasoft
2009-02-08 19:29 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-08 19:29 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-08 16:07 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\OpenOffice.org2
2009-02-02 04:14 --------- d-----w c:\program files\Postal2
2009-02-02 04:12 --------- d-----w c:\program files\TuneUp Utilities 2007
2009-01-29 22:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-29 22:49 --------- d-----w c:\program files\AGEIA Technologies
2009-01-24 05:53 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\IGN_DLM
2009-01-24 01:55 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-18 14:52 --------- d-----w c:\program files\Google
2009-01-16 17:40 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Command & Conquer 3 Kane's Wrath
2009-01-11 04:18 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools Lite
2009-01-11 04:17 --------- d-----w c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\DAEMON Tools
2009-01-11 04:16 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-11 04:14 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-10 20:35 --------- d-----w c:\program files\MSN Messenger
2009-01-10 20:34 --------- d-----w c:\program files\Windows Live SkyDrive
2009-01-10 20:34 --------- d-----w c:\program files\Microsoft
2009-01-10 20:33 --------- d-----w c:\program files\Windows Live
2009-01-10 20:29 --------- d-----w c:\program files\Common Files\Windows Live
2009-01-09 07:15 --------- d-----w c:\documents and settings\All Users\Application Data\Media Center Programs
2009-01-05 20:58 --------- d-----w c:\program files\TSO
2009-01-01 23:48 279,712 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-12-12 07:48 12,067 ----atw c:\windows\system32\SIntf16.dll
2008-12-03 04:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
2008-11-25 23:00 51,472 ----a-w c:\windows\system32\imagecfg.exe
2003-12-18 16:33 20,102 ----a-w c:\program files\Readme.txt
2003-09-03 12:46 10,960 ----a-w c:\program files\EULA.txt
.

((((((((((((((((((((((((((((( SnapShot@2009-02-14_ 8.51.56.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-08 19:29:27 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-02-15 10:11:30 53,248 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2009-02-08 19:29:28 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2009-02-15 10:11:30 12,800 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2009-02-08 19:29:28 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-02-15 10:11:30 473,600 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2009-02-08 19:29:22 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:21 2,676,224 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:23 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:23 2,846,720 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:23 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:24 563,712 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:24 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:25 567,296 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:24 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:25 576,000 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:25 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:26 577,024 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:25 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:27 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:26 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:28 577,536 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:26 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:28 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:28 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2009-02-15 10:11:30 578,560 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2009-02-08 19:29:28 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2009-02-15 10:11:31 145,920 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2009-02-08 19:29:28 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2009-02-15 10:11:31 159,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2009-02-08 19:29:28 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2009-02-15 10:11:31 364,544 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2009-02-08 19:29:28 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2009-02-15 10:11:31 178,176 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2009-02-08 19:29:27 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-02-15 10:11:29 223,232 ----a-w c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2009-02-15 10:20:30 295,606 ----a-r c:\windows\Installer\{9A996B6A-846E-4A89-B9C4-17546B7BE49F}\Burnout.exe
+ 2009-02-16 03:27:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_138.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkinClock"="e:\installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-06-11 1737216]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Google Update"="c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"DAEMON Tools Lite"="e:\installed\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"QuickTime Task"="e:\installed\utilities\QuickTime\qttask.exe" [2006-09-01 282624]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
IPMSG for Win32.lnk - c:\program files\IPMsg\ipmsg.exe [2006-01-01 159744]

c:\documents and settings\Owner.STEVE-5B99B5DCA\Start Menu\Programs\Startup\
Shortcut to ipmsg.lnk - e:\utilities\ipmsg206\ipmsg.exe [2004-09-08 159744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - e:\installed\utilities\Logitech\SetPoint\SetPoint.exe [2008-11-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 02:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 e:\installed\utils\Acrobat Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-04 04:16 133104 c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2008-08-01 12:36 1103216 c:\program files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-10 21:56 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-10-07 12:33 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 e:\installed\utilities\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 02:01 32768 e:\installed\utilities\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-13 23:24 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
--a------ 2007-09-26 17:05 734264 c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a--c--- 2005-01-07 19:07 61952 c:\windows\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 12:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="e:\installed\utilities\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Utilities\\ipmsg206\\ipmsg.exe"=
"e:\\Installed\\utils\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\Installed\\Crysis\\Bin32\\Crysis.exe"=
"e:\\Installed\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"e:\\Installed\\ArmA\\arma.exe"=
"e:\\Installed\\STALKER\\bin\\XR_3DA.exe"=
"e:\\Installed\\STALKER\\bin\\dedicated\\XR_3DA.exe"=
"e:\\Installed\\Hellgate London\\Launcher.exe"=
"e:\\Installed\\STALKER CLEAR SKY\\bin\\xrEngine.exe"=
"e:\\Installed\\STALKER CLEAR SKY\\bin\\dedicated\\xrEngine.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FarCry2.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FC2Launcher.exe"=
"e:\\Installed\\Far Cry 2\\bin\\FC2Editor.exe"=
"e:\\Installed\\Star Wars Empire at war\\swfoc.exe"=
"e:\\Installed\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"e:\\Installed\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"e:\\Installed\\SWAT 4\\Content\\System\\Swat4.exe"=
"e:\\Installed\\steam\\steamapps\\lljkdeadweight\\synergy\\hl2.exe"=
"e:\\Installed\\steam\\steamapps\\lljkdeadweight\\zombie panic! source\\hl2.exe"=
"e:\\Installed\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"e:\\Games\\Images & Install\\Left 4 Dead\\left4dead.exe"=
"e:\\Installed\\Tribes2\\GameData\\Tribes2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Installed\\Tribes Vengeance\\Program\\Bin\\TV_CD_DVD.exe"=
"e:\\Installed\\Boiling Point\\Xenus.exe"=
"e:\\Installed\\Soldier of Fortune Payback\\sof3.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"e:\\Installed\\Burnout™ Paradise Ultimate\\BurnoutLauncher.exe"=
"e:\\Installed\\Burnout™ Paradise Ultimate\\BurnoutConfigTool.exe"=
"e:\\Installed\\Burnout™ Paradise Ultimate\\BurnoutParadise.exe"=
"e:\\Installed\\etqw\\etqwded.exe"=
"e:\\Installed\\etqw\\etqw.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-13 64160]
R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-09-09 208384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\SSHDRV85.sys --> c:\windows\system32\drivers\SSHDRV85.sys [?]
S3 jatmlano;jatmlano;\??\c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2007-05-10 166720]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PNKBSTRA
*NewlyCreated* - PNKBSTRK
*Deregistered* - PnkBstrK

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3bbcfd6-2a59-11dc-962f-0018f3f0a45a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-14 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2009-02-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 15:34]

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-682003330-455379687-1003.job
- c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 04:16]

2007-07-21 c:\windows\Tasks\Super Fast Reboot.job
- c:\progra~1\SUPERF~1\restart.exe [2004-05-05 07:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.somethingawful.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: hotmail.com
Trusted Zone: trendmicro.com
Trusted Zone: whilst.org
FF - ProfilePath - c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Mozilla\Firefox\Profiles\03lm59w5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Owner.STEVE-5B99B5DCA\Application Data\Mozilla\Firefox\Profiles\03lm59w5.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: e:\installed\utils\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: e:\installed\Download Manager\npfpdlm.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: e:\installed\utilities\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: e:\installed\utils\Acrobat Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: e:\installed\utils\Mozilla Firefox\plugins\npWebLaunch.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 18:12:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19CA61FA-71F7-DC99-4F3D-FF6698238E11}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:76,e8,cc,d2,44,a4,4d,e0,5f,86,84,17,f4,2d,5c,ab,5f,c1,eb,7e,f6,d0,74,
6a,18,4d,c4,f9,83,c4,1b,b2,56,c3,9c,44,f2,c1,87,5a,35,3d,af,d2,0c,c0,5f,13,\
"??"=hex:71,87,e1,30,9d,f8,f3,0f,02,01,6d,23,81,92,d0,f9

[HKEY_USERS\S-1-5-21-57989841-682003330-455379687-1003\Software\SecuROM\License information*]
"datasecu"=hex:35,55,92,d8,e9,85,57,95,54,0b,22,64,4e,61,22,64,bb,1a,f3,cc,8f,
eb,40,04,99,1d,c4,69,27,9a,a7,c8,b9,c2,81,4f,8f,41,ac,41,fa,7c,33,b2,f6,ce,\
"rkeysecu"=hex:03,ce,b6,d6,e0,b3,d0,67,c8,67,b8,e8,e4,78,91,77
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
Completion time: 2009-02-16 18:14:22
ComboFix-quarantined-files.txt 2009-02-17 00:14:20
ComboFix2.txt 2009-02-14 14:53:07
ComboFix3.txt 2009-02-13 08:37:38

Pre-Run: 11,673,161,728 bytes free
Post-Run: 11,662,913,536 bytes free

330 --- E O F --- 2008-07-09 20:00:00


=====================================================
Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:07 PM, on 2/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CachemanXP\CachemanXP.exe
e:\installed\utilities\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\installed\DAEMON Tools Lite\daemon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
E:\Installed\utilities\Logitech\SetPoint\SetPoint.exe
E:\Utilities\ipmsg206\ipmsg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
E:\Installed\utils\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "E:\installed\utilities\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [SkinClock] E:\Installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\installed\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Shortcut to ipmsg.lnk = E:\Utilities\ipmsg206\ipmsg.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Installed\utilities\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - Trusted Zone: *.hotmail.com
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.whilst.org
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMSAccessU - Unknown owner - e:\installed\utilities\CDBurnerXP\NMSAccessU.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6151 bytes
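As an added triage example (not part of this thread, and not code from ComboFix or any other tool named here), the following Python walks an excerpt of the ComboFix report above and flags what a responder reads first: the S3 entries jatmlano and MEMSWEEP2, whose driver images sit in a Temp folder or a `.tmp` file and could not be verified (`[?]`), the Security Center override values, the disabled firewall profile, and the removable-media AutoRun handler. The sample text is constructed from the posted log; the heuristics are illustrative assumptions, not ComboFix's own logic.

```python
"""Triage of a ComboFix report excerpt: flag the entries a malware responder
reads first. Added example; the heuristics are illustrative assumptions, not
ComboFix's own logic."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix output posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-13 64160]
R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-09-09 208384]
S1 SSHDRV85;SSHDRV85;\??\c:\windows\system32\drivers\SSHDRV85.sys --> c:\windows\system32\drivers\SSHDRV85.sys [?]
S3 jatmlano;jatmlano;\??\c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys --> c:\docume~1\OWNER~1.STE\LOCALS~1\Temp\jatmlano.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 s3m;s3m;c:\windows\system32\drivers\s3m.sys [2007-05-10 166720]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3bbcfd6-2a59-11dc-962f-0018f3f0a45a}]
\Shell\AutoRun\command - G:\LaunchU3.exe
"""


@dataclass
class Finding:
    category: str            # "service", "security_center", "firewall" or "autorun"
    subject: str             # service name, registry value name or AutoRun target
    reasons: list = field(default_factory=list)


# "<start type> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')


def parse_service(line):
    """Split a ComboFix service/driver line into start type, name, image path
    and whether ComboFix could verify the file (trailing "[?]")."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    unverified = rest.endswith("[?]")
    # Unverifiable entries read "<ImagePath> --> <resolved path> [?]";
    # verified ones read "<path> [<date> <size>]". Keep the resolved path.
    path = rest.split(" --> ")[-1]
    path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return {"start": m.group("start"), "name": m.group("name").strip(),
            "path": path, "unverified": unverified}


def check_service(svc):
    """Heuristics (assumptions for illustration) for a suspicious driver/service."""
    reasons = []
    low = svc["path"].lower()
    if "\\temp\\" in low or "\\tmp\\" in low:
        reasons.append("image loaded from a temp directory")
    if low.endswith(".tmp"):
        reasons.append("image is a .tmp file")
    if svc["unverified"]:
        reasons.append("file missing or could not be verified ([?])")
    return reasons


def triage(text):
    """Return a list of Finding objects for the log excerpt."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:                      # remember which registry key we are under
            current_key = km.group("key").lower()
            continue
        svc = parse_service(line)
        if svc:
            reasons = check_service(svc)
            if reasons:
                findings.append(Finding("service", svc["name"], reasons))
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key.endswith("security center"):
            # dword:00000001 hides the "no antivirus/firewall" alerts from the user
            if vm.group("name") in ("AntiVirusOverride", "FirewallOverride") \
                    and vm.group("value").endswith("1"):
                findings.append(Finding("security_center", vm.group("name"),
                                        ["Security Center alerting suppressed"]))
        elif vm and "firewallpolicy" in current_key:
            if vm.group("name") == "EnableFirewall" and vm.group("value").startswith("0"):
                findings.append(Finding("firewall", vm.group("name"),
                                        ["Windows Firewall disabled for this profile"]))
        elif "mountpoints2" in current_key and "autorun\\command" in line.lower():
            findings.append(Finding("autorun", line.split(" - ", 1)[-1],
                                    ["removable-media AutoRun handler present"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:16} {f.subject:22} {'; '.join(f.reasons)}")
```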

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 February 2009 - 07:21 PM

Hello,

Do you have a router?

Please download GooredFix and save it to your Desktop.
Double-click Goored.exe to run it.
Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open; please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.

Thanks,
tea

#8 BarbarianSteve
  • Topic Starter
  • Members
  • 20 posts

Posted 16 February 2009 - 08:37 PM

Yes, it's a D-Link router provided by the DSL/Telecoms company we use.


GooredFix v1.91 by jpshortstuff
Log created at 19:36 on 16/02/2009 running Option #1 (Owner)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="E:\Installed\utils\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="E:\Installed\utils\Mozilla Firefox\components"

#9 teacup61 (Malware Response Team)

Posted 16 February 2009 - 08:54 PM

You can delete GooredFix. :thumbup2:

Disconnect your computer from the router. Reset the router and put a password on it. Have a run with MBAM, then reconnect to your computer and see if it's better. :)

tea

#10 BarbarianSteve (Topic Starter)

Posted 16 February 2009 - 11:27 PM

MBAM found 2 instances of a DNSChanger trojan and claims it fixed them but I'm still getting the same problem.

#11 teacup61 (Malware Response Team)

Posted 16 February 2009 - 11:35 PM

Can I see the report please? Did you reset the router?

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Thanks,
tea

#12 BarbarianSteve (Topic Starter)

Posted 16 February 2009 - 11:49 PM

Completely like a total moron, I forgot to save the MBAM log (unless it auto-saves it somewhere), but here's the SmitfraudFix log:



SmitFraudFix v2.396

Scan done at 22:46:20.39, Mon 02/16/2009
Run from C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CachemanXP\CachemanXP.exe
e:\installed\utilities\CDBurnerXP\NMSAccessU.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Installed\utils\Atomic Alarm Clock\AtomicAlarmClock.exe
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\installed\DAEMON Tools Lite\daemon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
E:\Installed\utilities\Logitech\SetPoint\SetPoint.exe
E:\Utilities\ipmsg206\ipmsg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
E:\Installed\utils\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner.STEVE-5B99B5DCA


C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp


C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Application Data


Start Menu


C:\DOCUME~1\OWNER~1.STE\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=66.82.4.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.82.4.8
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


Scanning for wininet.dll infection


End
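
The "DNS" section of that log is the part worth reading closely for a search-hijack complaint: it lists the DhcpNameServer value for the live control set (CCS) and for the saved ones (CS1..CS3), per interface and under Tcpip\Parameters. Here the live resolver is the router (192.168.0.1) while CS1 still carries a public address. The log does not say whether that address is malicious (it may simply be the ISP resolver from before the router was installed), but it is exactly the kind of difference a responder wants surfaced. The script below is an added example, not part of the original post or of SmitfraudFix; it parses the eight registry lines exactly as they appear above (the line format is assumed from that excerpt) and flags resolvers outside private address space that are not on a caller-supplied trusted list, plus any saved control set whose resolver differs from the live one.

```python
import ipaddress
import re

# Constructed sample: the eight registry lines from the "DNS" section of the
# SmitfraudFix log posted above, copied verbatim. The line format is assumed
# from that excerpt, not from SmitfraudFix documentation.
SAMPLE_DNS_SECTION = r"""
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=66.82.4.8
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2CFCF67C-F1E7-4C2B-B3C5-FE8E7E904AF4}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=66.82.4.8
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
"""

# One registry line: control set, scope (interface GUID or Parameters), value name, value.
LINE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<scope>[^:]+):\s*"
    r"(?P<name>\w*NameServer)=(?P<value>.*)$"
)


def parse_dns_section(text):
    """Return one dict per HKLM line: cs, scope, name, servers (list of strings)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # NameServer values may hold several addresses separated by spaces or commas.
        servers = [s for s in re.split(r"[ ,]+", m.group("value").strip()) if s]
        entries.append({
            "cs": m.group("cs"),
            "scope": m.group("scope").lstrip(".\\"),  # "..\{GUID}" -> "{GUID}"
            "name": m.group("name"),
            "servers": servers,
        })
    return entries


def review_dns(entries, trusted_prefixes=()):
    """Flag (control set, scope, server, reason) tuples worth a second look.

    Two checks: a resolver outside RFC 1918 space that is not on the caller's
    trusted list (the router or the ISP resolver is expected; an unknown public
    one is how DNSChanger-type malware redirects searches), and a saved control
    set (CS1..CSn) whose resolver differs from the live one (CCS), which would
    come back if the machine were booted Last Known Good.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
    live = {(e["scope"], e["name"]): set(e["servers"]) for e in entries if e["cs"] == "CCS"}
    findings = []
    for e in entries:
        for s in e["servers"]:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((e["cs"], e["scope"], s, "not an IP address"))
                continue
            if not ip.is_private and not any(ip in net for net in trusted):
                findings.append((e["cs"], e["scope"], s, "public resolver not on the trusted list"))
        current = live.get((e["scope"], e["name"]))
        if e["cs"] != "CCS" and current is not None and set(e["servers"]) != current:
            findings.append((e["cs"], e["scope"], ",".join(e["servers"]),
                             "differs from CCS (" + ",".join(sorted(current)) + ")"))
    return findings


if __name__ == "__main__":
    for f in review_dns(parse_dns_section(SAMPLE_DNS_SECTION)):
        print("%-4s %-40s %-16s %s" % f)
```

Run against the lines above it reports four findings, all in CS1: the public resolver on the interface key and on Tcpip\Parameters, and the fact that both differ from CCS. Passing the ISP's prefix as `trusted_prefixes` silences the first pair and leaves only the control-set mismatch, which is the part that matters if the box is ever booted into Last Known Good Configuration.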

#13 teacup61 (Malware Response Team)

Posted 16 February 2009 - 11:58 PM

It's all right. You're not a moron, and the report might be there still. Just click on the "logs" tab and the latest one should be there. Did the entries delete from MBAM? I don't see anything in the SmitfraudFix report. You can delete SmitfraudFix. Also, you never mentioned anything about the router?

#14 BarbarianSteve (Topic Starter)

Posted 17 February 2009 - 12:43 AM

The router is a D-Link, provided by our ISP/phone company. I passworded it per your suggestion. Here's the last MBAM log, and yes I told it to delete the dnschanger entries. I need to get up rather early tomorrow so I'm heading to bed now, I will post the results of your next suggestions tomorrow.



Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 2

9/26/2008 10:19:45 PM
mbam-log-2008-09-26 (22-19-45).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 483599
Time elapsed: 1 hour(s), 41 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 53

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Temporary Internet Files\Content.IE5\BAR8KM0V\Uninstaller[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\4.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\7.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E0ECEE70-BC54-4D83-BE61-4BD18D15AD04}\RP106\A0024489.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\eldm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MicroAV.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR974.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR975.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR976.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YUR977.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Application Data\Adobe\Player.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\rwlfsdmk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\peltodgx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\onfwbsak.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\fbxrqtwn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\dfmlxbpkqma.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Application Data\TmpRecentIcons\Micro Antivirus 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\QUALITY PORN.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Local Settings\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.STEVE-5B99B5DCA\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

#15 teacup61 (Malware Response Team)

Posted 17 February 2009 - 11:04 AM

Well, there it is... you had a nasty rootkit on top of everything else. :thumbup2:

Download the HostsXpert Here
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

* Click Start > Run, type in (or copy and paste) ipconfig /flushdns and hit Enter.
* Click Start > Control Panel, then select the Network and Internet Connections category or double-click Network Connections, depending on which View you are using.
* Right-click your default connection (usually Local Area Connection for cable and DSL) and left-click Properties.
* Double-click the Internet Protocol (TCP/IP) item. Write down the settings in case you should need to change them back.
* Select the radio dial that says Obtain DNS servers automatically.
* Press OK twice to get out of the properties screen and reboot if it asks. If it does not prompt you to reboot, go ahead and reboot manually.

As always, let me know how you come out. :)

Thanks,
tea
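
The hosts file step above is a belt-and-braces measure: the SmitfraudFix report earlier in the thread showed an empty "hosts" section, so on this machine the file was already clean, but a hijacker that cannot win at the DNS layer will often win there instead. The script below is an added example, not code from the original post or from HostsXpert; the sample file is constructed (the header and localhost line match the stock Windows XP file, the three mappings after the marker are made-up hijack-style entries using the 203.0.113.10 TEST-NET address). It flags the two patterns that matter for a "Google hijack" complaint, a real site pinned to a fixed address and a security vendor blackholed to loopback, and rebuilds the file with only the stock mapping, which is what "Restore MS Hosts File" achieves.

```python
import ipaddress
import os

# Constructed sample: the comment header and localhost line match what the
# Windows XP default hosts file contains; the mappings after the marker are
# made-up hijack-style entries (TEST-NET address 203.0.113.10) added for the
# example, not lines taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# --- constructed hijack-style entries below this line ---
203.0.113.10    www.google.com google.com
127.0.0.1       www.malwarebytes.org
"""

# Mappings the stock file is allowed to contain.
ALLOWED = {("127.0.0.1", "localhost")}


def hosts_path():
    """Location of the live hosts file on Windows (not read by this example)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "system32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            pairs.append((parts[0], name.lower()))
    return pairs


def suspicious_entries(pairs):
    """Flag every mapping that is not an allowed one.

    Two patterns matter for a search-hijack complaint: a real site pinned to a
    foreign address (DNS is bypassed and the browser lands on the attacker's
    page), and a security vendor's host blackholed to loopback so updates and
    removal tools cannot be downloaded.
    """
    findings = []
    for addr, name in pairs:
        if (addr, name) in ALLOWED:
            continue
        if ipaddress.ip_address(addr).is_loopback:
            findings.append((addr, name, "blackholed to loopback"))
        else:
            findings.append((addr, name, "pinned to a fixed address, bypassing DNS"))
    return findings


def clean_hosts(text):
    """Rebuild the file keeping comments, blank lines and allowed mappings only.

    Same effect as HostsXpert's "Restore MS Hosts File" for a file that held
    the stock content plus injected entries.
    """
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)           # comment or blank line
            continue
        parts = body.split()
        if len(parts) >= 2 and all((parts[0], n.lower()) in ALLOWED for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print("%-16s %-24s %s" % f)
    print(clean_hosts(SAMPLE_HOSTS))
```

On a live machine the file lives at the path `hosts_path()` returns and is normally read-only, which is why the tool asks you to make it writable first; after writing the cleaned file, `ipconfig /flushdns` is still needed, because the resolver cache keeps the old answers until it is flushed or the box is rebooted.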
