
Adult Friend Finder


  • This topic is locked
26 replies to this topic

#1 MomOf1OfEach

MomOf1OfEach

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 12 April 2009 - 09:17 AM

Greetings! Yesterday I went to look up movie times on Fandango and noticed that the Adult Friend Finder ads (top banner ad and right panel ad) were all porn-type content. I actually sent a nasty e-mail to them until I realized that it was not them, it was ME! (Sorry Fandango - I didn't know.) I've run a BitDefender Deep Scan and a Malwarebytes Full Scan but neither removed this problem. I can't pinpoint what I did to get this infection, but I had problems in the recent past with "Antivirus 2009" and just got that cleaned about 2 weeks ago. I'm running BitDefender as part of my startup. Hope someone can help. Thanks in advance!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Chrysie at 7:57:08.50 on Sun 04/12/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1211 [GMT -6:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
FW: BitDefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Chrysie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {4CEE92E5-739F-4CEA-959A-C0D8855E27D7} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {91EEBF35-BBA9-41FA-BC5C-1BEFC3ACA9BF} - No File
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [S3Trayp] S3trayp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\system32\dcsws2.dll
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1221018618234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221018764265
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {20B17AB5-B234-44C9-A1A0-DF364936255B} = 218.93.202.110,218.93.202.111
TCP: {4C3735FB-2BB5-4686-B358-9FFF71647914} = 218.93.202.110,218.93.202.111
Filter: text/html - {eaf4c28b-4a06-4a23-948f-6bc763e50b87} -
AppInit_DLLs: jeayit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrysie\applic~1\mozilla\firefox\profiles\fqplvl9n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2009\BDVEDISK.sys [2008-10-6 82696]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6 216032]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-2-3 104328]
R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2007-7-11 714240]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-3-15 21656]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2008-7-17 118784]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-9-10 33752]

=============== Created Last 30 ================

2009-04-12 06:57 <DIR> --d----- c:\program files\Trend Micro
2009-04-01 16:44 <DIR> --d----- c:\program files\Datel
2009-04-01 16:43 19,805 a----r-- c:\windows\system32\drivers\usbio.sys
2009-03-24 19:50 375 a------- c:\windows\system32\BDUpdateV1.xml
2009-03-15 21:55 <DIR> --d----- c:\docume~1\chrysie\applic~1\Windows Search
2009-03-15 16:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Macrium
2009-03-15 16:50 <DIR> --d----- c:\program files\Macrium
2009-03-15 11:53 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-03-15 11:52 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-03-15 11:52 <DIR> --d----- c:\windows\system32\Lang
2009-03-15 11:47 <DIR> --d----- c:\program files\VIA
2009-03-15 11:46 21,656 a------- c:\windows\system32\drivers\xfilt.sys
2009-03-15 11:46 12,952 a------- c:\windows\system32\drivers\videX32.sys
2009-03-15 11:45 69,632 a------- c:\windows\system32\vuins32.dll
2009-03-15 11:45 42,496 a------- c:\windows\system32\drivers\fetnd5bv.sys
2009-03-15 11:45 337,320 -------- c:\windows\system32\difxapi.dll
2009-03-15 11:45 <DIR> --d----- c:\windows\vnDrvBas
2009-03-15 11:44 <DIR> --d----- c:\program files\S3
2009-03-15 11:44 553 a------- c:\windows\USetup.iss
2009-03-15 11:43 <DIR> --d----- c:\program files\Realtek
2009-03-15 10:46 606,684 ac------ c:\windows\system32\dllcache\ltmdmnt.sys
2009-03-15 10:46 606,684 a------- c:\windows\system32\drivers\ltmdmnt.sys
2009-03-15 10:45 27,165 ac------ c:\windows\system32\dllcache\fetnd5.sys
2009-03-15 10:45 27,165 a------- c:\windows\system32\drivers\fetnd5.sys
2009-03-15 10:45 5,376 ac------ c:\windows\system32\dllcache\viaide.sys
2009-03-15 10:45 5,376 a------- c:\windows\system32\drivers\viaide.sys
2009-03-15 10:21 3,328 ac------ c:\windows\system32\dllcache\pciide.sys
2009-03-15 10:21 3,328 a------- c:\windows\system32\drivers\pciide.sys
2009-03-14 19:29 16 a------- c:\temp\asdict.dat
2009-03-14 16:41 <DIR> --d----- c:\program files\Microsoft
2009-03-14 16:40 <DIR> --d----- c:\docume~1\chrysie\applic~1\Windows Desktop Search
2009-03-14 16:38 <DIR> --d----- c:\program files\Windows Desktop Search
2009-03-14 16:36 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-03-14 16:36 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-03-14 16:36 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-03-14 16:33 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-14 16:10 81,984 a------- c:\windows\system32\bdod.bin
2009-03-14 16:06 850 a------- c:\windows\system32\ProductTweaks.xml
2009-03-14 16:06 385 a------- c:\windows\system32\user_gensett.xml
2009-03-14 16:03 <DIR> --d----- c:\docume~1\chrysie\applic~1\BitDefender
2009-03-14 16:02 <DIR> --d----- c:\program files\BitDefender
2009-03-14 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-03-14 16:00 <DIR> --d----- c:\program files\common files\BitDefender

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 09:54 104,328 a------- c:\windows\system32\drivers\bdfndisf.sys
2009-03-30 08:15 142,248 a------- c:\docume~1\chrysie\applic~1\GDIPFONTCACHEV1.DAT
2009-03-04 14:30 117,088 a------- c:\windows\hpoins11.dat
2009-03-03 12:02 1,744 a------- c:\windows\system32\d3d9caps.dat
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 7:57:49.82 ===============

#2 maranatha

maranatha

    What's That!


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:03 PM

Posted 12 April 2009 - 01:02 PM

Hi MomOf1OfEach
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

Please respond to this if you still require help.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, but I do accept donations.
Donate Here


#3 MomOf1OfEach

MomOf1OfEach
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 12 April 2009 - 01:06 PM

Hi Maranatha,

Thanks for reaching out. I absolutely still need help.

Regards,
MomOf1OfEach

#4 maranatha

maranatha

    What's That!


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:03 PM

Posted 12 April 2009 - 07:03 PM

Hi,
OK, I'll be back with you ASAP.

maranatha



#5 maranatha

maranatha

    What's That!


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:03 PM

Posted 14 April 2009 - 12:20 AM

Hi MomOf1OfEach,
Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable real-time protection applications, as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows.
  • Double-click combofix.exe and follow the prompts.
  • Vista users: right-click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the ComboFix log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Thanks
maranatha



#6 MomOf1OfEach

MomOf1OfEach
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:10:03 PM

Posted 14 April 2009 - 08:43 AM

I disabled BitDefender but it continued to pop up during the ComboFix operation warning me that I was at risk because the Virus Scan was disabled. I hope it did not mess this process up.

Here is the log:

ComboFix 09-04-14.08 - Chrysie 04/14/2009 7:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1234 [GMT -6:00]
Running from: c:\documents and settings\Chrysie\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\TDSSbndv.dat
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.

2009-04-14 12:57 . 2009-04-14 13:30 121 ----a-w c:\windows\bdagent.INI
2009-04-13 16:50 . 2009-04-13 16:50 -------- d-----w c:\program files\Mob Wars Toolbar
2009-04-12 12:57 . 2009-04-12 12:57 -------- d-----w c:\program files\Trend Micro
2009-04-01 22:44 . 2009-04-01 22:44 -------- d-----w c:\program files\Datel
2009-04-01 22:43 . 2001-05-07 10:56 19805 ----a-r c:\windows\system32\drivers\usbio.sys
2009-03-25 01:50 . 2009-04-14 12:45 754 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-03-16 03:55 . 2009-03-16 03:55 -------- d-----w c:\documents and settings\Chrysie\Application Data\Windows Search
2009-03-15 22:51 . 2009-03-15 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\Macrium
2009-03-15 22:50 . 2009-03-15 22:50 -------- d-----w c:\program files\Macrium
2009-03-15 17:53 . 2009-03-15 17:53 146650 ----a-w c:\windows\system32\BuzzingBee.wav
2009-03-15 17:52 . 2009-03-15 17:53 940794 ----a-w c:\windows\system32\LoopyMusic.wav
2009-03-15 17:52 . 2009-03-15 17:52 -------- d-----w c:\windows\system32\Lang
2009-03-15 17:47 . 2009-03-15 17:47 -------- d-----w c:\program files\VIA
2009-03-15 17:46 . 2008-09-25 23:58 21656 ----a-w c:\windows\system32\drivers\xfilt.sys
2009-03-15 17:46 . 2008-09-25 23:57 12952 ----a-w c:\windows\system32\drivers\videX32.sys
2009-03-15 17:45 . 2007-02-27 22:14 42496 ----a-w c:\windows\system32\drivers\fetnd5bv.sys
2009-03-15 17:45 . 2006-10-27 22:26 69632 ----a-w c:\windows\system32\vuins32.dll
2009-03-15 17:45 . 2005-11-17 21:46 337320 ------w c:\windows\system32\difxapi.dll
2009-03-15 17:45 . 2009-03-15 17:45 -------- d-----w c:\windows\vnDrvBas
2009-03-15 17:44 . 2009-03-15 17:44 -------- d-----w c:\program files\S3
2009-03-15 17:44 . 2007-11-14 21:18 553 ----a-w c:\windows\USetup.iss
2009-03-15 16:46 . 2004-08-04 04:41 606684 -c--a-w c:\windows\system32\dllcache\ltmdmnt.sys
2009-03-15 16:46 . 2004-08-04 04:41 606684 ----a-w c:\windows\system32\drivers\ltmdmnt.sys
2009-03-15 16:45 . 2001-08-17 18:13 27165 -c--a-w c:\windows\system32\dllcache\fetnd5.sys
2009-03-15 16:45 . 2001-08-17 18:13 27165 ----a-w c:\windows\system32\drivers\fetnd5.sys
2009-03-15 16:45 . 2008-04-13 18:40 5376 -c--a-w c:\windows\system32\dllcache\viaide.sys
2009-03-15 16:45 . 2008-04-13 18:40 5376 ----a-w c:\windows\system32\drivers\viaide.sys
2009-03-15 16:21 . 2001-08-17 19:51 3328 -c--a-w c:\windows\system32\dllcache\pciide.sys
2009-03-15 16:21 . 2001-08-17 19:51 3328 ----a-w c:\windows\system32\drivers\pciide.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 13:19 . 2009-03-14 22:10 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-13 20:42 . 2008-09-11 05:03 142648 ----a-w c:\documents and settings\Chrysie\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 21:47 . 2008-09-29 18:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 21:56 . 2008-10-09 22:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-10 05:27 . 2008-09-10 03:49 142648 ----a-w c:\documents and settings\Chrysie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 22:05 . 2008-11-14 18:52 -------- d-----w c:\documents and settings\Chrysie\Application Data\FileZilla
2009-04-06 21:32 . 2008-10-09 22:37 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2008-10-09 22:37 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 13:58 . 2008-11-27 16:14 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-01 15:54 . 2009-02-03 23:03 104328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2009-03-15 17:44 . 2008-10-08 16:30 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 17:44 . 2009-03-15 17:43 1659 ----a-w C:\RHDSetup.log
2009-03-15 17:43 . 2009-03-15 17:43 -------- d-----w c:\program files\Realtek
2009-03-14 22:42 . 2009-03-14 22:42 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-14 22:41 . 2009-03-14 22:41 -------- d-----w c:\program files\Microsoft
2009-03-14 22:40 . 2009-03-14 22:40 -------- d-----w c:\documents and settings\Chrysie\Application Data\Windows Desktop Search
2009-03-14 22:38 . 2009-03-14 22:38 -------- d-----w c:\program files\Windows Desktop Search
2009-03-14 22:34 . 2009-03-14 22:33 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-14 22:05 . 2009-03-14 22:02 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-03-14 22:03 . 2009-03-14 22:03 -------- d-----w c:\documents and settings\Chrysie\Application Data\BitDefender
2009-03-14 22:03 . 2009-03-14 22:00 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-14 22:02 . 2009-03-14 22:02 -------- d-----w c:\program files\BitDefender
2009-03-14 21:56 . 2008-09-10 04:52 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-04 20:30 . 2009-03-04 19:47 117088 ----a-w c:\windows\hpoins11.dat
2009-03-04 20:30 . 2009-03-01 16:17 -------- d-----w c:\documents and settings\Chrysie\Application Data\HP
2009-03-04 20:29 . 2009-02-26 02:34 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-04 20:03 . 2009-03-04 20:03 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-04 20:02 . 2009-03-04 20:00 -------- d-----w c:\program files\Common Files\HP
2009-03-04 19:58 . 2008-09-23 15:19 -------- d-----w c:\program files\Hewlett-Packard
2009-03-03 18:02 . 2008-09-17 02:28 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-03 17:55 . 2009-03-03 17:55 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-03 17:45 . 2008-09-10 22:18 -------- d-----w c:\program files\Common Files\Adobe
2009-03-03 17:41 . 2009-03-03 17:41 -------- d-----w c:\program files\Adobe Media Player
2009-03-03 17:21 . 2009-03-03 17:21 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-03 16:08 . 2009-03-03 15:50 -------- d-----w c:\program files\Adobe Photoshop CS4 Trial
2009-02-28 15:42 . 2009-02-28 15:41 510 ----a-w C:\updatedatfix.log
2009-02-28 15:42 . 2009-02-26 02:08 -------- d-----w c:\program files\HP
2009-02-27 22:58 . 2009-02-27 17:00 -------- d-----w c:\documents and settings\Chrysie\Application Data\Download Manager
2009-02-27 14:24 . 2009-02-27 14:24 130 ----a-w c:\documents and settings\Chrysie\Local Settings\Application Data\fusioncache.dat
2009-02-27 10:01 . 2009-02-27 10:01 -------- d-----w c:\program files\MSXML 4.0
2009-02-26 02:28 . 2009-02-26 02:28 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-26 02:14 . 2009-02-26 02:14 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-24 15:40 . 2009-02-24 15:40 -------- d-----w c:\program files\7-Zip
2009-02-18 17:21 . 2009-02-18 17:21 -------- d-----w c:\program files\MSBuild
2009-02-18 17:21 . 2009-02-18 17:21 -------- d-----w c:\program files\Reference Assemblies
2009-02-11 21:54 . 2009-02-11 21:41 180 ----a-w C:\split.log
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-04-01 15:2008-10-30 23:34 54:10 . c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0adb501b-f9c4-4c02-a9ed-2f605a0586e0}"= "c:\program files\Mob Wars Toolbar\Helper.dll" [2009-04-13 219648]

[HKEY_CLASSES_ROOT\clsid\{0adb501b-f9c4-4c02-a9ed-2f605a0586e0}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{D18FE26B-D137-491C-98FB-175D79F04CB6}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28A27F58-704F-40E1-8053-28E909FBF604}]
2009-04-13 16:50 1266688 ----a-w c:\program files\Mob Wars Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-01 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-06-11 176128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jeayit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-09-25 21656]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-10-06 82696]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-04-01 104328]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-01 c:\windows\Tasks\Chrysie_Full xml.job
- c:\program files\Macrium\Reflect\reflect.exe [2009-01-10 20:08]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4CEE92E5-739F-4CEA-959A-C0D8855E27D7} - (no file)
BHO-{91EEBF35-BBA9-41FA-BC5C-1BEFC3ACA9BF} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-AdobeBridge - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\dcsws2.dll
TCP: {20B17AB5-B234-44C9-A1A0-DF364936255B} = 218.93.202.110,218.93.202.111
TCP: {4C3735FB-2BB5-4686-B358-9FFF71647914} = 218.93.202.110,218.93.202.111
FF - ProfilePath - c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\extensions\{18b8f08d-62fe-4dfc-ad6c-9ce46515d5ec}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 07:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="020940E-7876-4C02-055F-6F53"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\dcsws2.dll

- - - - - - - > 'explorer.exe'(2184)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\searchindexer.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-14 13:37

Pre-Run: 39,884,783,616 bytes free
Post-Run: 40,825,880,576 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

282 --- E O F --- 2009-03-15 09:07

#7 MomOf1OfEach (Topic Starter, Members, 14 posts)

Posted 15 April 2009 - 07:13 PM

Well, it's been 35 hours and so far no porn. I've rebooted at least 3 times since I ran ComboFix.exe. Do I need to do anything else?

Edited by MomOf1OfEach, 15 April 2009 - 07:19 PM.


#8 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 15 April 2009 - 08:47 PM

Hi
That's good to hear, yes there are a few things left to do, sorry for the wait. I had a storm move through where I live and lost my Internet.

I'll be back to you ASAP.

Thanks
maranatha

Windows7 Professional 64 Bit

I'm going in the wrong direction to be in a hurry!

My help is always free, But I do accept donations.
Donate Here


#9 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 17 April 2009 - 07:52 PM

Hi

Please do the following.

Please backup your registry using ERUNT before proceeding to any of the steps.

Download ERUNT from Derfisch or Aumha and save it to your desktop.

Use the setup program to install ERUNT on your computer.
Click ERUNT.Setup.exe to install ERUNT and back up your registry.
Uncheck the "Create NTREGOPT desktop icon" box.
In the window that comes up to create an ERUNT entry in the Start up folder, select No.

By default the backup location is C:\windows\erunt\ (current date).
Click OK to continue with the registry backup.
If the folder does not exist, let ERUNT create the folder for you by clicking Yes.
You should see a progress bar while ERUNT is backing up the Windows Registry.
After ERUNT has completed the Windows Registry backup, click OK to exit ERUNT.

Now do this.

Open "Notepad" and copy the contents of the code box below into the blank Notepad.
Click "File" > "Save as"
In the "Save In" box at the top click the down arrow and select Desktop.

In the "File name" box type in: fix.reg
In the "Save As Type" box select: All Files
Once saved, go to your desktop, double click the "fix.reg" file and let it merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Now do this.

Download RootRepeal.zip to your Desktop.
  • Extract the compressed file to its own folder.
  • Open the folder and doubleclick on RootRepeal.exe to run it.
  • Click on the Report tab, and then click on: Scan
  • A window opens asking what to include in the scan.
  • Check the following boxes then click OK:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C)
  • Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.

When the scan finishes, click on: Save Report
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

Post the contents of the report in a reply here

Let me know that the fix.reg merged successfully.

Thanks
maranatha


#10 MomOf1OfEach (Topic Starter, Members, 14 posts)

Posted 18 April 2009 - 08:48 AM

Well, RootRepeal did not complete. I received this RootRepeal_crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00b81004

I ran it 2x to be sure. Same exact message.

Later...

OK - after shutting this IE window RootRepeal ran successfully. As did the registry merge. Here is the RootRepeal log:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/18 07:50
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 4c7788b3.sys
Image Path: C:\WINDOWS\System32\Drivers\4c7788b3.sys
Address: 0xAD2D8000 Size: 143744 File Visible: No
Status: -

Name: c2627640.sys
Image Path: C:\WINDOWS\System32\Drivers\c2627640.sys
Address: 0xAD24B000 Size: 574976 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7C37000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA618000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADDB8000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{39EEEC89-98EB-421E-89EE-416DD7513383}\RP287\change.log
Status: Size mismatch (API: 86866, Raw: 86502)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bc90

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bd7e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bbf4

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bec4

Edited by MomOf1OfEach, 18 April 2009 - 09:22 AM.
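As an added example, not code from the thread or from RootRepeal's author: a Python parser for the Drivers and SSDT sections in the report format shown above. It flags drivers that are loaded but whose file is hidden from the Windows API, setting aside the crash-dump (dump_*) and scanner-own-driver entries that normally show that way, and groups SSDT hooks by the module that placed them so a security product's self-protection hooks can be vetted as one item. The allowlist and the random-name heuristic are assumptions of this example, and the sample report is constructed from the entries posted above.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample in RootRepeal's report format; the entries are copied
# from the log posted above (two hidden drivers, a crash-dump driver, the
# scanner's own driver, and two of BitDefender's SSDT hooks).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: 4c7788b3.sys
Image Path: C:\WINDOWS\System32\Drivers\4c7788b3.sys
Address: 0xAD2D8000 Size: 143744 File Visible: No
Status: -

Name: c2627640.sys
Image Path: C:\WINDOWS\System32\Drivers\c2627640.sys
Address: 0xAD24B000 Size: 574976 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7C37000 Size: 98304 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADDB8000 Size: 45056 File Visible: No
Status: -

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bc90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xae23bbf4
"""

# A section is a title line followed by a line of dashes.
SECTION_RE = re.compile(r"^(?P<title>[A-Za-z/ ]+)\n-{5,}\n", re.M)
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) File Visible: (?P<vis>Yes|No)\n"
    r"Status: (?P<status>.*)"
)
HOOK_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\n"
    r'Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9a-f]+)', re.I
)
# Assumed allowlist: dump_* drivers are the crash-dump copies of the boot disk
# driver and rootrepeal.sys is the scanner's own driver; both are normally
# reported as "File Visible: No" without anything hiding them.
BENIGN_HIDDEN_PREFIXES = ("dump_",)
TOOL_DRIVERS = {"rootrepeal.sys"}
# Eight hex digits plus .sys, as in 4c7788b3.sys: a name with no vendor meaning.
RANDOM_HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.I)


def split_sections(report: str) -> Dict[str, str]:
    """Map each section title ('Drivers', 'SSDT', ...) to its body text."""
    matches = list(SECTION_RE.finditer(report))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(report)
        sections[m.group("title").strip()] = report[m.end():end]
    return sections


def parse_drivers(report: str) -> List[Dict[str, object]]:
    """Parse every entry under the Drivers heading into one dict per driver."""
    body = split_sections(report).get("Drivers", "")
    return [
        {"name": m["name"], "path": m["path"], "address": m["addr"],
         "size": int(m["size"]), "visible": m["vis"] == "Yes",
         "status": m["status"].strip()}
        for m in DRIVER_RE.finditer(body)
    ]


def suspicious_drivers(drivers: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(name, reason) for loaded drivers hidden from the API and not allowlisted."""
    findings = []
    for d in drivers:
        if d["visible"]:
            continue
        lname = str(d["name"]).lower()
        if lname in TOOL_DRIVERS or lname.startswith(BENIGN_HIDDEN_PREFIXES):
            continue
        reason = "loaded, but file hidden from the Windows API"
        if RANDOM_HEX_NAME_RE.match(lname):
            reason += "; random-looking 8-hex-digit name"
        findings.append((str(d["name"]), reason))
    return findings


def ssdt_hooks_by_module(report: str) -> Dict[str, List[str]]:
    """Group hooked SSDT entries by the module that placed the hook."""
    hooks: Dict[str, List[str]] = {}
    for m in HOOK_RE.finditer(split_sections(report).get("SSDT", "")):
        hooks.setdefault(ntpath.basename(m["mod"]).lower(), []).append(m["fn"])
    return hooks
```

Run against a real RootRepeal.txt, the two hex-named hidden drivers come out as findings while the hooks attribute to a single named module that can then be checked against the installed security product.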


#11 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 19 April 2009 - 01:03 AM

Hi
OK, we need to have a couple of files checked, please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
http://www.bleepingcomputer.com/forums/t/218799/adult-friend-finder/?p=1228363
suspect:: 
C:\WINDOWS\System32\Drivers\4c7788b3.sys
C:\WINDOWS\System32\Drivers\c2627640.sys

Please post the Combofix log.

Thanks
maranatha



#12 MomOf1OfEach (Topic Starter, Members, 14 posts)

Posted 19 April 2009 - 10:57 AM

Here's the log:

ComboFix 09-04-19.05 - Chrysie 04/19/2009 8:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1202 [GMT -6:00]
Running from: c:\documents and settings\Chrysie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chrysie\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-18 13:34 . 2009-04-18 13:34 -------- d-----w c:\program files\ERUNT
2009-04-16 18:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 18:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 18:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 18:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 18:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 18:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 18:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 18:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 18:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 18:46 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 18:46 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 18:46 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 12:57 . 2009-04-14 14:50 121 ----a-w c:\windows\bdagent.INI
2009-04-13 16:50 . 2009-04-13 16:50 -------- d-----w c:\program files\Mob Wars Toolbar
2009-04-12 12:57 . 2009-04-12 12:57 -------- d-----w c:\program files\Trend Micro
2009-04-01 22:44 . 2009-04-01 22:44 -------- d-----w c:\program files\Datel
2009-04-01 22:43 . 2001-05-07 10:56 19805 ----a-r c:\windows\system32\drivers\usbio.sys
2009-03-25 01:50 . 2009-04-19 14:25 450 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 13:19 . 2008-09-10 03:49 143040 ----a-w c:\documents and settings\Chrysie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-17 09:11 . 2009-03-14 22:10 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-13 20:42 . 2008-09-11 05:03 142648 ----a-w c:\documents and settings\Chrysie\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 21:47 . 2008-09-29 18:58 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 21:56 . 2008-10-09 22:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-07 22:05 . 2008-11-14 18:52 -------- d-----w c:\documents and settings\Chrysie\Application Data\FileZilla
2009-04-06 21:32 . 2008-10-09 22:37 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2008-10-09 22:37 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 13:58 . 2008-11-27 16:14 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-01 15:54 . 2009-02-03 23:03 104328 ----a-w c:\windows\system32\drivers\bdfndisf.sys
2009-03-16 03:55 . 2009-03-16 03:55 -------- d-----w c:\documents and settings\Chrysie\Application Data\Windows Search
2009-03-15 22:51 . 2009-03-15 22:51 -------- d-----w c:\documents and settings\All Users\Application Data\Macrium
2009-03-15 22:50 . 2009-03-15 22:50 -------- d-----w c:\program files\Macrium
2009-03-15 17:47 . 2009-03-15 17:47 -------- d-----w c:\program files\VIA
2009-03-15 17:44 . 2009-03-15 17:44 -------- d-----w c:\program files\S3
2009-03-15 17:44 . 2008-10-08 16:30 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-15 17:44 . 2009-03-15 17:43 1659 ----a-w C:\RHDSetup.log
2009-03-15 17:43 . 2009-03-15 17:43 -------- d-----w c:\program files\Realtek
2009-03-14 22:42 . 2009-03-14 22:42 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-14 22:41 . 2009-03-14 22:41 -------- d-----w c:\program files\Microsoft
2009-03-14 22:40 . 2009-03-14 22:40 -------- d-----w c:\documents and settings\Chrysie\Application Data\Windows Desktop Search
2009-03-14 22:38 . 2009-03-14 22:38 -------- d-----w c:\program files\Windows Desktop Search
2009-03-14 22:34 . 2009-03-14 22:33 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-14 22:05 . 2009-03-14 22:02 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-03-14 22:03 . 2009-03-14 22:03 -------- d-----w c:\documents and settings\Chrysie\Application Data\BitDefender
2009-03-14 22:03 . 2009-03-14 22:00 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-14 22:02 . 2009-03-14 22:02 -------- d-----w c:\program files\BitDefender
2009-03-14 21:56 . 2008-09-10 04:52 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 20:30 . 2009-03-04 19:47 117088 ----a-w c:\windows\hpoins11.dat
2009-03-04 20:30 . 2009-03-01 16:17 -------- d-----w c:\documents and settings\Chrysie\Application Data\HP
2009-03-04 20:29 . 2009-02-26 02:34 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-03-04 20:03 . 2009-03-04 20:03 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-03-04 20:02 . 2009-03-04 20:00 -------- d-----w c:\program files\Common Files\HP
2009-03-04 19:58 . 2008-09-23 15:19 -------- d-----w c:\program files\Hewlett-Packard
2009-03-03 18:02 . 2008-09-17 02:28 1744 ----a-w c:\windows\system32\d3d9caps.dat
2009-03-03 17:55 . 2009-03-03 17:55 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-03 17:45 . 2008-09-10 22:18 -------- d-----w c:\program files\Common Files\Adobe
2009-03-03 17:41 . 2009-03-03 17:41 -------- d-----w c:\program files\Adobe Media Player
2009-03-03 17:21 . 2009-03-03 17:21 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-03-03 16:08 . 2009-03-03 15:50 -------- d-----w c:\program files\Adobe Photoshop CS4 Trial
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 15:42 . 2009-02-28 15:41 510 ----a-w C:\updatedatfix.log
2009-02-28 15:42 . 2009-02-26 02:08 -------- d-----w c:\program files\HP
2009-02-27 22:58 . 2009-02-27 17:00 -------- d-----w c:\documents and settings\Chrysie\Application Data\Download Manager
2009-02-27 14:24 . 2009-02-27 14:24 130 ----a-w c:\documents and settings\Chrysie\Local Settings\Application Data\fusioncache.dat
2009-02-27 10:01 . 2009-02-27 10:01 -------- d-----w c:\program files\MSXML 4.0
2009-02-26 02:28 . 2009-02-26 02:28 -------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-26 02:14 . 2009-02-26 02:14 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-02-24 15:40 . 2009-02-24 15:40 -------- d-----w c:\program files\7-Zip
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 17:21 . 2009-02-18 17:21 -------- d-----w c:\program files\MSBuild
2009-02-18 17:21 . 2009-02-18 17:21 -------- d-----w c:\program files\Reference Assemblies
2009-02-11 21:54 . 2009-02-11 21:41 180 ----a-w C:\split.log
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-04-01 15:2008-10-30 23:34 54:10 . c:\program files\mozilla firefox\components\FFComm.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-14_13.30.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-14 00:35 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-14 00:39 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2007-08-14 00:39 . 2008-12-20 23:15 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-04 12:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
- 2004-08-04 12:00 . 2008-12-20 23:15 124928 c:\windows\system32\advpack.dll
- 2008-09-10 13:00 . 2009-03-16 03:28 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-09-10 13:00 . 2009-04-17 09:01 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2008-09-10 13:00 . 2009-04-17 09:01 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
- 2008-09-10 13:00 . 2009-03-16 03:28 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
+ 2009-04-17 09:04 . 2008-12-20 23:15 826368 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 233472 c:\windows\ie7updates\KB963027-IE7\webcheck.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 105984 c:\windows\ie7updates\KB963027-IE7\url.dll
+ 2009-04-17 09:04 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB963027-IE7\spuninst\updspapi.dll
+ 2009-04-17 09:04 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB963027-IE7\spuninst\spuninst.exe
+ 2009-04-17 09:04 . 2008-12-20 23:15 102912 c:\windows\ie7updates\KB963027-IE7\occache.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 671232 c:\windows\ie7updates\KB963027-IE7\mstime.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 193024 c:\windows\ie7updates\KB963027-IE7\msrating.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 477696 c:\windows\ie7updates\KB963027-IE7\mshtmled.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 459264 c:\windows\ie7updates\KB963027-IE7\msfeeds.dll
+ 2009-04-17 09:04 . 2008-12-19 05:25 634024 c:\windows\ie7updates\KB963027-IE7\iexplore.exe
+ 2009-04-17 09:04 . 2008-12-20 23:15 267776 c:\windows\ie7updates\KB963027-IE7\iertutil.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 384512 c:\windows\ie7updates\KB963027-IE7\iedkcs32.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 383488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dll
+ 2009-04-17 09:04 . 2008-12-19 05:23 161792 c:\windows\ie7updates\KB963027-IE7\ieakui.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 230400 c:\windows\ie7updates\KB963027-IE7\ieaksie.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 153088 c:\windows\ie7updates\KB963027-IE7\ieakeng.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 133120 c:\windows\ie7updates\KB963027-IE7\extmgr.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 214528 c:\windows\ie7updates\KB963027-IE7\dxtrans.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 347136 c:\windows\ie7updates\KB963027-IE7\dxtmsft.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 124928 c:\windows\ie7updates\KB963027-IE7\advpack.dll
+ 2009-04-18 13:35 . 2009-04-18 13:35 184320 c:\windows\ERDNT\4-18-2009\Users\00000002\UsrClass.dat
+ 2009-04-18 13:35 . 2005-10-20 18:02 163328 c:\windows\ERDNT\4-18-2009\ERDNT.EXE
- 2004-08-04 12:00 . 2008-12-20 23:15 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-02-20 18:09 1160192 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
- 2004-08-04 12:00 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2009-02-20 18:09 3595264 c:\windows\system32\mshtml.dll
+ 2007-08-14 00:54 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2007-02-12 22:10 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
- 2007-02-12 22:10 . 2007-04-17 09:32 2455488 c:\windows\system32\ieapfltr.dat
+ 2008-09-09 20:58 . 2009-04-17 09:12 2284504 c:\windows\system32\FNTCACHE.DAT
- 2008-06-26 08:15 . 2008-12-20 23:15 1160192 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-26 08:15 . 2009-02-20 18:09 1160192 c:\windows\system32\dllcache\urlmon.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 01:26 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-15 01:26 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 01:26 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 01:26 . 2008-08-14 09:33 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-15 01:26 . 2009-02-08 01:02 2066048 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2008-10-15 01:26 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-15 01:26 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-06-23 15:09 . 2009-02-20 18:09 3595264 c:\windows\system32\dllcache\mshtml.dll
+ 2008-09-10 20:50 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2008-09-10 20:50 . 2007-04-17 09:32 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2008-09-10 20:50 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-04-17 09:04 . 2008-12-20 23:15 1160192 c:\windows\ie7updates\KB963027-IE7\urlmon.dll
+ 2009-04-17 09:04 . 2009-01-17 04:35 3594752 c:\windows\ie7updates\KB963027-IE7\mshtml.dll
+ 2009-04-17 09:04 . 2008-12-20 23:15 6066688 c:\windows\ie7updates\KB963027-IE7\ieframe.dll
+ 2009-04-17 09:04 . 2007-04-17 09:32 2455488 c:\windows\ie7updates\KB963027-IE7\ieapfltr.dat
+ 2009-04-18 13:35 . 2009-04-18 13:35 5484544 c:\windows\ERDNT\4-18-2009\Users\00000001\NTUSER.DAT
+ 2008-10-15 01:26 . 2009-02-06 11:08 2189056 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 01:26 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 01:26 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 01:26 . 2008-08-14 09:33 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 01:26 . 2009-02-08 01:02 2066048 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-15 01:26 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 01:26 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-09-10 20:47 . 2009-04-06 14:57 24921544 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28A27F58-704F-40E1-8053-28E909FBF604}]
2009-04-13 16:50 1266688 ----a-w c:\program files\Mob Wars Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-15 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-06-11 176128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jeayit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-09-25 21656]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-10-06 82696]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-04-01 104328]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - 4C7788B3
*NewlyCreated* - C2627640
*Deregistered* - 4c7788b3
*Deregistered* - c2627640

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-01 c:\windows\Tasks\Chrysie_Full xml.job
- c:\program files\Macrium\Reflect\reflect.exe [2009-01-10 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\dcsws2.dll
TCP: {20B17AB5-B234-44C9-A1A0-DF364936255B} = 218.93.202.110,218.93.202.111
TCP: {4C3735FB-2BB5-4686-B358-9FFF71647914} = 218.93.202.110,218.93.202.111
FF - ProfilePath - c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\extensions\{18b8f08d-62fe-4dfc-ad6c-9ce46515d5ec}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 08:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="EXPIRED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\dcsws2.dll

- - - - - - - > 'explorer.exe'(2708)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-19 8:52
ComboFix-quarantined-files.txt 2009-04-19 14:52
ComboFix2.txt 2009-04-14 13:37

Pre-Run: 40,266,510,336 bytes free
Post-Run: 40,412,430,336 bytes free

476 --- E O F --- 2009-04-17 09:05

#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:03 PM

Posted 19 April 2009 - 07:59 PM

Hi
OK please do the following.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
Driver::
4C7788B3
C2627640
File::
C:\WINDOWS\System32\Drivers\4c7788b3.sys
C:\WINDOWS\System32\Drivers\c2627640.sys

Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, but I do accept donations.


#14 MomOf1OfEach

MomOf1OfEach
  • Topic Starter

  • Members
  • 14 posts
  • Local time:10:03 PM

Posted 20 April 2009 - 12:45 AM

OK Maranatha. Here is the log:

ComboFix 09-04-20.02 - Chrysie 04/19/2009 23:20.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1287 [GMT -6:00]
Running from: c:\documents and settings\Chrysie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chrysie\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
FW: BitDefender Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\System32\Drivers\4c7788b3.sys
c:\windows\System32\Drivers\c2627640.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_4C7788B3
-------\Legacy_C2627640



((((((((((((((((((((((((((((( SnapShot_2009-04-19_14.48.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-20 05:30 . 2009-04-20 05:30 16384 c:\windows\Temp\Perflib_Perfdata_d0.dat
+ 2009-03-14 22:10 . 2009-04-20 05:28 81984 c:\windows\system32\bdod.bin
- 2009-03-14 22:10 . 2009-04-17 09:11 81984 c:\windows\system32\bdod.bin
+ 2009-01-16 16:26 . 2009-04-20 05:30 224601 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28A27F58-704F-40E1-8053-28E909FBF604}]
2009-04-13 16:50 1266688 ----a-w c:\program files\Mob Wars Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6857857C-15D3-435D-AF19-E0217298B416}"= "c:\program files\Mob Wars Toolbar\Toolbar.dll" [2009-04-13 1266688]

[HKEY_CLASSES_ROOT\clsid\{6857857c-15d3-435d-af19-e0217298b416}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{AD0FF573-4DD1-4CF7-AA25-41280783CA54}]
[HKEY_CLASSES_ROOT\FCTB000058757.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-15 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-04-01 69632]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-11-07 17421824]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" - c:\windows\system32\S3Trayp.exe [2007-06-11 176128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-20 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jeayit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 118784]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\DRIVERS\xfilt.sys [2008-09-25 21656]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-20 98304]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-10-06 82696]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-20 118784]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
S3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys [2009-04-01 104328]
S3 S3GIGP;S3GIGP;c:\windows\system32\DRIVERS\S3gIGPm.sys [2007-07-11 714240]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-01 c:\windows\Tasks\Chrysie_Full xml.job
- c:\program files\Macrium\Reflect\reflect.exe [2009-01-10 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\dcsws2.dll
TCP: {20B17AB5-B234-44C9-A1A0-DF364936255B} = 218.93.202.110,218.93.202.111
TCP: {4C3735FB-2BB5-4686-B358-9FFF71647914} = 218.93.202.110,218.93.202.111
FF - ProfilePath - c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58757&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Chrysie\Application Data\Mozilla\Firefox\Profiles\fqplvl9n.default\extensions\{18b8f08d-62fe-4dfc-ad6c-9ce46515d5ec}\components\Engine.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 23:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="EXPIRED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\dcsws2.dll

- - - - - - - > 'explorer.exe'(4004)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\BitDefender\BitDefender 2009\seccenter.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-04-20 23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 05:41
ComboFix2.txt 2009-04-19 14:52
ComboFix3.txt 2009-04-14 13:37

Pre-Run: 40,343,474,176 bytes free
Post-Run: 40,371,617,792 bytes free

190 --- E O F --- 2009-04-17 09:05

#15 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:09:03 PM

Posted 20 April 2009 - 04:28 PM

Hi
OK, looks good.

Please run ERUNT to back up your registry.

This came back:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jeayit.dll

So I would like you to double-click on the fix.reg file that is on your desktop again and let me know that it merged successfully.

If you no longer have it, let me know and I'll post the instructions again.

If it merges, then please post a new DDS log.

Thanks
maranatha
