
Another Google Redirect Victim: Oh the Horror!


  • This topic is locked
18 replies to this topic

#1 agoodlysize

agoodlysize

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 10 July 2009 - 09:12 PM

Hello folks,

Had AVG installed, somehow contracted this little bugger, and after firing salvos of Avast, Avira (currently installed), AdAware, Malwarebytes, Spybot S&D, Eset, etc., he stands in the clearing haze, untouched.

So, I throw myself upon your mercy.

I have a firewall installed (ZoneAlarm), HJT ready to go, and ComboFix Downloaded if we need it.

Any and all help would be GREATLY appreciated, as well as what I need to do to prevent infections like this one in the future.

And now, my log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jesse Coleman at 21:42:37.10 on Fri 07/10/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.496 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jesse Coleman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240534924484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240534916750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessec~1\applic~1\mozilla\firefox\profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-1-22 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2009-1-22 25216]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-1-22 38400]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]

=============== Created Last 30 ================

2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:22 244 a---h--- C:\sqmnoopt00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 17:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 17:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 17:24 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 17:24 <DIR> --d----- c:\program files\Lavasoft
2009-07-10 16:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-10 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-10 13:48 <DIR> --d----- c:\program files\AskBarDis
2009-07-10 13:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-10 13:47 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-10 13:47 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-07-10 13:47 <DIR> --d----- c:\program files\Zone Labs
2009-07-10 13:47 350,192 a------- c:\windows\system32\vsconfig.xml
2009-07-10 13:46 <DIR> --d----- c:\windows\Internet Logs
2009-07-10 13:32 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 13:32 <DIR> --d----- c:\program files\Avira
2009-07-10 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-10 04:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-10 04:12 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-10 04:12 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-09 08:29 <DIR> --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-07-09 08:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 08:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 08:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 08:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 00:37 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-22 00:37 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-22 00:36 <DIR> --d----- c:\program files\iPod
2009-06-22 00:36 <DIR> --d----- c:\program files\iTunes
2009-06-22 00:21 <DIR> --d----- c:\docume~1\jessec~1\applic~1\GlarySoft
2009-06-22 00:12 <DIR> --d----- c:\program files\Glary Utilities

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 20:24 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-24 14:36 176,496 a------- c:\windows\hpwins19.dat
2009-04-23 22:21 561,152 a------- c:\windows\AJScreensaver.scr
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 21:44:40.46 ===============

Thank you!


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:07:54 PM

Posted 19 July 2009 - 10:03 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 agoodlysize

agoodlysize
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 20 July 2009 - 08:01 PM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jesse Coleman at 20:57:07.50 on Mon 07/20/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.486 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jesse Coleman\My Documents\Dark Room 0.8b\DarkRoom.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jesse Coleman\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [12612654] c:\documents and settings\all users\application data\12612654\12612654.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240534924484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240534916750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessec~1\applic~1\mozilla\firefox\profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-1-22 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2009-1-22 25216]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-1-22 38400]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]

=============== Created Last 30 ================

2009-07-18 20:08 268 a---h--- C:\sqmdata03.sqm
2009-07-18 20:08 244 a---h--- C:\sqmnoopt03.sqm
2009-07-18 18:28 268 a---h--- C:\sqmdata02.sqm
2009-07-18 18:28 244 a---h--- C:\sqmnoopt02.sqm
2009-07-15 01:25 118 a------- c:\windows\system32\MRT.INI
2009-07-14 10:56 268 a---h--- C:\sqmdata01.sqm
2009-07-14 10:56 244 a---h--- C:\sqmnoopt01.sqm
2009-07-13 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12612654
2009-07-12 11:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:22 244 a---h--- C:\sqmnoopt00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 17:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 17:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 17:24 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 17:24 <DIR> --d----- c:\program files\Lavasoft
2009-07-10 16:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-10 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-10 13:48 <DIR> --d----- c:\program files\AskBarDis
2009-07-10 13:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-10 13:47 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-10 13:47 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-07-10 13:47 <DIR> --d----- c:\program files\Zone Labs
2009-07-10 13:47 350,192 a------- c:\windows\system32\vsconfig.xml
2009-07-10 13:46 <DIR> --d----- c:\windows\Internet Logs
2009-07-10 13:32 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 13:32 <DIR> --d----- c:\program files\Avira
2009-07-10 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-10 04:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-10 04:12 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-10 04:12 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-09 08:29 <DIR> --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-07-09 08:29 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 08:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-09 08:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 08:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 03:00 91 a------- c:\windows\system32\hjgruiwdjuktel.dat
2009-07-08 02:59 18,944 a------- c:\windows\system32\hjgruikcolewmy.dll
2009-07-08 02:58 113,522 a------- c:\windows\system32\hjgruiqbrfqmja.dat
2009-07-08 02:58 43,008 a------- c:\windows\system32\hjgruiijpiqqow.dll
2009-07-08 02:58 67,072 -------- c:\windows\system32\drivers\hjgruixwkkdaxt.sys
2009-06-22 00:37 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-22 00:37 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-22 00:36 <DIR> --d----- c:\program files\iPod
2009-06-22 00:36 <DIR> --d----- c:\program files\iTunes
2009-06-22 00:21 <DIR> --d----- c:\docume~1\jessec~1\applic~1\GlarySoft
2009-06-22 00:12 <DIR> --d----- c:\program files\Glary Utilities

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 20:24 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-24 14:36 176,496 a------- c:\windows\hpwins19.dat
2009-04-23 22:21 561,152 a------- c:\windows\AJScreensaver.scr
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 20:58:06.56 ===============
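The two DDS logs in this thread come from the same machine ten days apart, and the difference between them is what a log reader looks for first. As an added example (not code from this thread or from the DDS tool), the script below parses the autorun lines and the "Created Last 30" section of two DDS logs and lists what is present only in the newer one; the sample excerpts are constructed from the logs above, and the function names and the prefix-clustering hint are this example's own.

```python
"""Diff two DDS logs to show what appeared between two scans.

Added example, not code from this thread or from the DDS tool. The
sample excerpts below are constructed from the two logs posted above;
the section names and line formats are the ones DDS prints there.
"""
import re

AUTORUN_PREFIXES = ("uRun:", "mRun:", "StartupFolder:", "BHO:", "TB:")
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Matches e.g. "2009-07-08 02:59 18,944 a------- c:\windows\system32\x.dll"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_dds(text):
    """Collect autorun lines and 'Created Last 30' entries from one DDS log."""
    autoruns, created, section = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # "=== Section name ===" header switches section
            section = m.group(1).lower()
            continue
        if section == "pseudo hjt report" and line.startswith(AUTORUN_PREFIXES):
            autoruns.add(line)
        elif section == "created last 30":
            m = CREATED_RE.match(line)
            if m:
                date, size, _attrs, path = m.groups()
                created[path.lower()] = (date, size)   # paths are case-insensitive
    return {"autoruns": autoruns, "created": created}


def diff_dds(old_text, new_text):
    """Return autorun lines and created paths that exist only in the newer log."""
    old, new = parse_dds(old_text), parse_dds(new_text)
    return {
        "new_autoruns": sorted(new["autoruns"] - old["autoruns"]),
        "new_files": sorted(p for p in new["created"] if p not in old["created"]),
    }


def flag_user_writable(autoruns):
    """Autorun lines that reference a profile or application-data directory."""
    markers = ("\\application data\\", "\\applic~1\\", "\\docume~1\\",
               "\\documents and settings\\")
    return [a for a in autoruns if any(mk in a.lower() for mk in markers)]


def name_clusters(paths, prefix_len=6, min_size=2):
    """Group new files under system32 by a shared leading prefix of the name.
    Several names sharing one prefix (hjgrui* in the second log) is a triage
    hint for the log reader, not a verdict."""
    groups = {}
    for p in paths:
        if "\\windows\\system32\\" not in p:
            continue
        name = p.rsplit("\\", 1)[-1]
        groups.setdefault(name[:prefix_len], []).append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


# Constructed excerpt of the first log (10 July).
OLD_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE

=============== Created Last 30 ================

2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-09 08:29 19,096 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================
"""

# Constructed excerpt of the second log (20 July).
NEW_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [12612654] c:\documents and settings\all users\application data\12612654\12612654.exe

=============== Created Last 30 ================

2009-07-18 20:08 268 a---h--- C:\sqmdata03.sqm
2009-07-13 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12612654
2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-09 08:29 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 03:00 91 a------- c:\windows\system32\hjgruiwdjuktel.dat
2009-07-08 02:59 18,944 a------- c:\windows\system32\hjgruikcolewmy.dll
2009-07-08 02:58 67,072 -------- c:\windows\system32\drivers\hjgruixwkkdaxt.sys

==================== Find3M ====================
"""


def report(old_text=OLD_LOG, new_text=NEW_LOG):
    """Full comparison: new items plus the two triage hints."""
    d = diff_dds(old_text, new_text)
    d["user_writable_autoruns"] = flag_user_writable(d["new_autoruns"])
    d["name_clusters"] = name_clusters(d["new_files"])
    return d


if __name__ == "__main__":
    for key, value in report().items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```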


#4 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:54 PM

Posted 21 July 2009 - 11:16 AM

Hello agoodlysize, and welcome to BleepingComputer.com! I will be handling your log to help you get cleaned up. :thumbup2:

Please take note of the following:
  • I will start working on your malware issues, this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clean. Just because a symptom disappears does not mean your system is clean.
  • Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
  • Please don't run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
  • If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
    NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
  • Please reply to this thread. Do not start a new topic.
Now please give me a bit of time to review your logs, I will get back to you as soon as possible. Note that reviewing your log(s) requires an amount of research, so please be patient. Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:54 PM

Posted 21 July 2009 - 07:18 PM

Hello there, agoodlysize!



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


:cool: Uninstall a program using Add or Remove Programs:
  • Go to Start -> Control Panel -> Add or Remove Programs.
    • A list of programs installed will be "populated"; this may take a bit of time.
  • Uninstall Ask Toolbar if it is listed by clicking the entry, selecting the Remove (or Change/Remove) button, and follow the on-screen uninstallation instructions.
    The Ask Toolbar Add or Remove Programs entry corresponds to a program that is not recommended. For more info, see this reference: Current Practices of IAC/Ask Toolbars.
:) Temporarily disable Spybot - Search and Destroy's TeaTimer as it will interfere with the changes you will make on your system:
  • Launch Spybot - Search & Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • Go to the Mode menu and make sure Advanced mode is selected.
  • You may be presented with a warning dialog. If so, press Yes.
  • On the left hand side, click on Tools, then click on the Resident icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of over-all system settings) active" box.
  • Click on the System Startup icon in the list.
  • Uncheck the "TeaTimer" box and OK any prompts.
  • If Teatimer gives you a warning that changes were made, click the Allow change box when prompted.
  • Exit/Close Spybot - S&D and reboot your computer.
    (You can re-enable Spybot's TeaTimer once your system is clean by reversing these steps.)
  • Download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and prevent it from restoring them upon reactivation.
:thumbup2: Download and run sUBs' ComboFix:
  • Please download ComboFix from any of the links below and save it to your Desktop.
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double-click ComboFix.exe and follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once installed, you should see a screen prompt that says: "The Recovery Console was successfully installed.".
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you (located at C:\ComboFix.txt). Post the entire contents of that report in your next reply for further review, and so we may continue cleansing the system.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your Operating System such as preventing it from ever starting again.


:) Scan for rootkits with GMER:
  • Download GMER from one of the following locations and save it to your Desktop:
  • Disconnect from the Internet and close all running programs and open windows (so that you have nothing open and are at the Desktop).
  • VERY IMPORTANT: Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER exe file (i.e., n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    NOTE: If you downloaded the zipped version, extract the file to its own folder (such as C:\gmer) first prior to double-clicking on gmer.exe:
    GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. IMPORTANT: Do NOT use the computer while the scan is in progress!
  • If you receive a WARNING about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

    NOTES:
    * If you encounter any problems, try running GMER in Safe Mode.
    * Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries!


So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the GMER log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#6 agoodlysize

agoodlysize
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 22 July 2009 - 04:12 PM

COMBOFIX LOG:

ComboFix 09-07-22.01 - Jesse Coleman 07/22/2009 16:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.583 [GMT -4:00]
Running from: c:\documents and settings\Jesse Coleman\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jesse Coleman\XP Deluxe Protector
c:\documents and settings\Jesse Coleman\XP Deluxe Protector\xpdeluxe.exe
c:\recycler\S-1-5-21-2057533861-2189527281-249409757-1003
c:\windows\system32\drivers\hjgruixwkkdaxt.sys
c:\windows\system32\gdi32lib.dll
c:\windows\system32\hjgruiijpiqqow.dll
c:\windows\system32\hjgruikcolewmy.dll
c:\windows\system32\hjgruiqbrfqmja.dat
c:\windows\system32\hjgruiwdjuktel.dat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{AC907EA6-59BC-4576-8A6B-DAC903AB0DE6}\RP15\A0002612.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruixlypruml


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 20:07 . 2008-04-14 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-22 20:07 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-13 15:32 . 2009-07-13 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\12612654
2009-07-12 15:39 . 2009-07-12 15:39 -------- d-----w- c:\windows\system32\LogFiles
2009-07-11 01:05 . 2009-07-11 01:05 -------- d-----w- c:\program files\Trend Micro
2009-07-10 21:56 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-10 21:31 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-10 21:24 . 2009-07-10 21:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 21:24 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-10 21:24 . 2009-07-10 21:24 -------- d-----w- c:\program files\Lavasoft
2009-07-10 21:24 . 2009-07-10 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 20:02 . 2009-07-10 20:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-10 20:02 . 2009-07-10 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 17:48 . 2009-07-10 17:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-10 17:47 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-07-10 17:47 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-07-10 17:47 . 2009-07-10 17:48 -------- d-----w- c:\windows\system32\ZoneLabs
2009-07-10 17:47 . 2009-07-10 17:47 -------- d-----w- c:\program files\Zone Labs
2009-07-10 17:47 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-07-10 17:46 . 2009-07-22 20:09 -------- d-----w- c:\windows\Internet Logs
2009-07-10 17:32 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-10 17:32 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 17:32 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-10 17:32 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-10 17:32 . 2009-07-10 17:32 -------- d-----w- c:\program files\Avira
2009-07-10 17:32 . 2009-07-10 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-10 08:12 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-10 08:12 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-10 08:12 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-10 08:12 . 2009-07-10 08:12 -------- d-----w- c:\program files\Alwil Software
2009-07-09 12:29 . 2009-07-09 12:29 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\Malwarebytes
2009-07-09 12:29 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 12:29 . 2009-07-09 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-09 12:29 . 2009-07-09 12:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 12:29 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 19:53 . 2009-07-14 14:55 2138857 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-17 04:44 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\OpenOffice.org2
2009-07-14 15:01 . 2009-04-24 18:11 1 ----a-w- c:\documents and settings\Jesse Coleman\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-06-30 19:33 . 2009-05-12 18:12 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\Apple Computer
2009-06-22 04:37 . 2009-06-22 04:36 -------- d-----w- c:\program files\iTunes
2009-06-22 04:36 . 2009-06-22 04:36 -------- d-----w- c:\program files\iPod
2009-06-22 04:36 . 2009-05-12 18:09 -------- d-----w- c:\program files\Common Files\Apple
2009-06-22 04:21 . 2009-06-22 04:21 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\GlarySoft
2009-06-22 04:13 . 2009-06-22 04:12 -------- d-----w- c:\program files\Glary Utilities
2009-06-19 17:45 . 2009-01-23 00:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-16 14:36 . 2009-01-22 22:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2009-01-22 22:36 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 18:17 . 2009-06-04 18:17 -------- d-----w- c:\program files\QuickTime
2009-06-04 18:11 . 2009-06-04 18:11 -------- d-----w- c:\program files\Safari
2009-06-03 19:09 . 2009-01-22 22:36 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2009-01-22 22:36 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2009-01-22 22:36 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2009-01-22 22:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-29 00:24 . 2009-01-22 23:51 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-24 22:46 . 2009-04-24 12:45 36592 ----a-w- c:\documents and settings\Jesse Coleman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-24 18:36 . 2009-04-24 18:31 176496 ----a-w- c:\windows\hpwins19.dat
2009-04-24 02:21 . 2009-04-24 02:21 561152 ----a-w- c:\windows\AJScreensaver.scr
2009-04-23 23:59 . 2009-04-23 23:59 0 ----a-w- c:\windows\nsreg.dat
2008-05-07 08:34 . 2009-01-23 00:35 15523560 ----a-w- c:\program files\U1 Setup.exe
2009-07-22 19:46 . 2009-04-23 23:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-11-24 329728]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 132760]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-18 16855040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-1-22 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/10/2009 5:31 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/10/2009 1:32 PM 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [1/22/2009 8:27 PM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [1/22/2009 1:27 AM 25216]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [1/22/2009 1:27 AM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-22 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-07-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-06-22 15:39]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-12612654 - c:\documents and settings\All Users\Application Data\12612654\12612654.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Jesse Coleman\Application Data\Mozilla\Firefox\Profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 16:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-07-22 16:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 20:14

Pre-Run: 90,437,640,192 bytes free
Post-Run: 90,455,646,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

212 --- E O F --- 2009-07-15 05:25


GMER:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-22 17:07:57
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA0C7FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA0C4C80]
SSDT F7B95296 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAA0C8580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAA0DC900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAA0DCB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAA0E0B10]
SSDT F7B9528C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAA0C8670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAA0C5210]
SSDT F7B9529B ZwDeleteKey
SSDT F7B952A5 ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAA0DC280]
SSDT F7B952AA ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAA0DFF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAA0C5070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAA0DE180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAA0DDF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAA0E06F0]
SSDT F7B952B4 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAA0C7BE0]
SSDT F7B952AF ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAA0C8190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAA0C5440]
SSDT F7B952A0 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAA0DD200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAA0DD080]

Code \??\C:\DOCUME~1\JESSEC~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [80, 85, 0C, AA, 00, C9, 0D, ...]
? Combo-Fix.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
? C:\DOCUME~1\JESSEC~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AA0CAE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AA0CAE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AA0CAE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AA0CAE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AA0CCB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AA0CAE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AA0CD260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA0CC930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A8DDAD20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:54 PM

Posted 23 July 2009 - 05:48 AM

Hello again, agoodlysize. Good job! ComboFix did a good job so far. :)



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


! WARNING: registry tool/cleaner !
  • The following is referring to Glary Utilities 2.13.0.689. Please be aware that BleepingComputer.com staff do NOT recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side. You should only use registry tools if you have a basic knowledge about the registry and know whether a certain key/value is safe to be removed or not. However, cleaning the registry won't really improve system performance, even though there are a lot of orphaned keys. IMHO, if registry cleaning was required, then Microsoft would have added this option. So you use registry tools at your own risk. After all, a corrupted registry is a corrupted Windows.
:) Your log shows remnants of Norton/Symantec that appear to have been previously installed. Download and run the Norton Removal Tool in order to completely get rid of Norton/Symantec. Please visit this site and use the Norton Removal Tool, following the instructions on the site.

:) Manual folders deletion
Please set your system to show all hidden files:
  • Close all programs so that you are at your Desktop.
  • Go to Start > My Computer.
  • Select the Tools menu and then click on the Folder Options menu option.
  • After the new window appears select the View tab.
  • Check the "Display the contents of system folders" checkbox.
  • Under the Hidden files and folders heading, select the "Show hidden files and folders" radio button.
  • Uncheck the "Hide extensions for known file types" checkbox.
  • Uncheck the "Hide protected operating system files (Recommended)" checkbox; you will get a message warning you about showing protected operating system files, click Yes.
  • Press the Apply button, then press the OK button and close My Computer.
Using My Computer or Windows Explorer (Windows key+E), navigate to the following folders and delete them if present:
c:\documents and settings\All Users\Application Data\12612654 <-- this folder
c:\program files\AskBarDis <-- this folder
As you have uninstalled the avast! antivirus software, navigate to this folder and delete it as well if it is present:
c:\program files\Alwil Software <-- this folder
If you experience some problems during this process, please let me know afterwards.

:thumbup2: Clean out some temporary data with ATF Cleaner:
  • Download ATF Cleaner by Atribune and save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program (XP), or right-click and select Run as administrator (Vista).
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

    If you use the Mozilla Firefox browser:
  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:
  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click the Exit button on the Main menu to close the program.

    For technical support, double-click the e-mail address located at the bottom of each menu.
:cool: Run a scan with Malwarebytes' Anti-Malware (MbAM):
  • Download Malwarebytes' Anti-Malware (MbAM) from one of the download links below and save it to your Desktop. If you have a previous version of MbAM, remove it via Add or Remove Programs and download a fresh copy.
    IMPORTANT: MbAM may "make changes to the registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    NOTE: If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the "Perform quick scan" option is selected; then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    The scan will begin and "Scan in progress (Scan type: Quick Scan)" will show at the top. It may take some time to complete, so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
    When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MbAM when done.

    NOTE: If MbAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MbAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into Safe Mode) will prevent MbAM from removing all the malware.
:) We need to determine if some files are malware or not by performing online file scans:
  • Make sure that you can view all hidden files. Instructions on how to do this can be found here: How to see hidden files in Windows.
  • Go to VirSCAN.org: http://virscan.org/.
  • When the VirSCAN.org page has finished loading, click the Browse... button at the top and navigate to each of the following files if they are present and click Submit:
    • c:\program files\U1 Setup.exe
    • c:\windows\hpwins19.dat
    NOTE: You will only be able to have one file scanned at a time.
  • Be patient as each file will be scanned.
  • Post back the results of each file scan in your next post.

    NOTE: In case VirSCAN.org is busy, try the same at Jotti's malware scan (http://virusscan.jotti.org/) or VirusTotal.com (http://www.virustotal.com/).
:) Rescan with DDS and post its resultant fresh DDS.txt log file here for further review, please.



So in your next reply, please post the entire contents of:
  • the MbAM report
  • the VirSCAN.org results of the files scanned
  • a new DDS.txt log file
NOTE: Use several posts if necessary to include everything in the requested logs.

Edited by htv8, 23 July 2009 - 05:51 AM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.


#8 agoodlysize (Topic Starter)

Posted 23 July 2009 - 05:53 PM

Malwarebytes' Anti-Malware 1.39
Database version: 2490
Windows 5.1.2600 Service Pack 3

7/23/2009 5:29:31 PM
mbam-log-2009-07-23 (17-29-30).txt

Scan type: Quick Scan
Objects scanned: 81603
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\jesse coleman\desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.

VirScan:

File information

File Name : hpwins19.dat
File Size : 176496 byte
File Type : Non-ISO extended-ASCII English text, with very long lines, w
MD5 : d97fbf114a1bfd295e1dd11a557c004a
SHA1 : 7d2e5f71da63191f87298ddd524efa3ec143baa8

Scanner results

Scanner     | Engine Ver      | Sig Ver          | Sig Date   | Scan result | Time
------------|-----------------|------------------|------------|-------------|-------
a-squared   | 4.5.0.3         | 20090723202354   | 2009-07-23 | -           | 0.589
AhnLab V3   | 2009.07.24.00   | 2009.07.24       | 2009-07-24 | -           | 1.036
AntiVir     | 8.2.0.228       | 7.1.5.23         | 2009-07-23 | -           | 1.153
Antiy       | 2.0.18          | 20090722.2632680 | 2009-07-22 | -           | 0.017
Arcavir     | 2009            | 200907231922     | 2009-07-23 | -           | 0.022
Authentium  | 5.1.1           | 200907231902     | 2009-07-23 | -           | 1.174
AVAST!      | 4.7.4           | 090723-0         | 2009-07-23 | -           | 0.021
AVG         | 8.5.288         | 270.13.26/2257   | 2009-07-24 | -           | 0.354
BitDefender | 7.81008.3842316 | 7.26768          | 2009-07-24 | -           | 3.322
CA (VET)    | 9.0.0.143       | 31.6.6634        | 2009-07-23 | -           | 7.251
ClamAV      | 0.95.2          | 9608             | 2009-07-23 | -           | 0.033
Comodo      | 3.10            | 1747             | 2009-07-23 | -           | 0.681
CP Secure   | 1.1.0.715       | 2009.07.24       | 2009-07-24 | -           | 11.228
Dr.Web      | 4.44.0.9170     | 2009.07.23       | 2009-07-23 | -           | 5.359
F-Prot      | 4.4.4.56        | 20090723         | 2009-07-23 | -           | 1.158
F-Secure    | 5.51.6100       | 2009.07.23.12    | 2009-07-23 | -           | 0.071
Fortinet    | 2.81-3.120      | 10.637           | 2009-07-23 | -           | 0.181
GData       | 19.6651/19.409  | 20090723         | 2009-07-23 | -           | 4.507
Ikarus      | T3.1.01.64      | 2009.07.23.73089 | 2009-07-23 | -           | 3.687
JiangMin    | 11.0.800        | 2009.07.23       | 2009-07-23 | -           | 3.730
Kaspersky   | 5.5.10          | 2009.07.23       | 2009-07-23 | -           | 0.031
KingSoft    | 2009.2.5.15     | 2009.7.23.21     | 2009-07-23 | -           | 0.452
McAfee      | 5.3.00          | 5686             | 2009-07-23 | -           | 2.936
Microsoft   | 1.4903          | 2009.07.23       | 2009-07-23 | -           | 4.870
mks_vir     | 2.01            | 2009.07.15       | 2009-07-15 | -           | 3.132
Norman      | 6.01.09         | 6.01.00          | 2009-07-22 | -           | 4.007
nProtect    | 20090721.02     | 4887961          | 2009-07-21 | -           | 6.167
Panda       | 9.05.01         | 2009.07.23       | 2009-07-23 | -           | 1.720
Quick Heal  | 10.00           | 2009.07.23       | 2009-07-23 | -           | 1.115
Rising      | 20.0            | 21.39.34.00      | 2009-07-23 | -           | 0.240
Sophos      | 2.88.0          | 4.43             | 2009-07-24 | -           | 2.929
Sunbelt     | 5277            | 5277             | 2009-07-22 | -           | 0.928
Symantec    | 1.3.0.24        | 20090723.003     | 2009-07-23 | -           | 0.048
The Hacker  | 6.3.4.3         | v00372           | 2009-07-22 | -           | 0.750
Trend Micro | 8.700-1004      | 6.308.03         | 2009-07-23 | -           | 0.023
VBA32       | 3.12.10.9       | 20090722.1357    | 2009-07-22 | -           | 1.766
ViRobot     | 20090721        | 2009.07.21       | 2009-07-21 | -           | 0.441
VirusBuster | 4.5.11.10       | 10.109.8/1824482 | 2009-07-23 | -           | 2.197

File information

File Name : U1 Setup.exe
File Size : 15523560 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 952eb63f4b60635edf7bd3da25d0bf5e
SHA1 : e9cd3768dccdefa6bc59641a084b72f1832b8928

Scanner results

Scanner results : All Scanners reported not find malware!
Time : 2009/07/23 17:50:39 (EDT)

Scanner     | Engine Ver      | Sig Ver          | Sig Date   | Scan result | Time
------------|-----------------|------------------|------------|-------------|-------
a-squared   | 4.5.0.3         | 20090723202354   | 2009-07-23 | -           | 0.591
AhnLab V3   | 2009.07.24.00   | 2009.07.24       | 2009-07-24 | -           | 0.795
AntiVir     | 8.2.0.228       | 7.1.5.23         | 2009-07-23 | -           | 0.063
Antiy       | 2.0.18          | 20090722.2632680 | 2009-07-22 | -           | 0.017
Arcavir     | 2009            | 200907231922     | 2009-07-23 | -           | 0.136
Authentium  | 5.1.1           | 200907231902     | 2009-07-23 | -           | 2.212
AVAST!      | 4.7.4           | 090723-0         | 2009-07-23 | -           | 0.550
AVG         | 8.5.288         | 270.13.26/2257   | 2009-07-24 | -           | 0.833
BitDefender | 7.81008.3842316 | 7.26768          | 2009-07-24 | -           | 3.333
CA (VET)    | 9.0.0.143       | 31.6.6634        | 2009-07-23 | -           | 5.714
ClamAV      | 0.95.2          | 9608             | 2009-07-23 | -           | 2.056
Comodo      | 3.10            | 1747             | 2009-07-23 | -           | 0.705
CP Secure   | 1.1.0.715       | 2009.07.24       | 2009-07-24 | -           | 11.892
Dr.Web      | 4.44.0.9170     | 2009.07.23       | 2009-07-23 | -           | 5.104
F-Prot      | 4.4.4.56        | 20090723         | 2009-07-23 | -           | 2.145
F-Secure    | 5.51.6100       | 2009.07.23.12    | 2009-07-23 | -           | 0.155
Fortinet    | 2.81-3.120      | 10.637           | 2009-07-23 | -           | 0.644
GData       | 19.6651/19.409  | 20090723         | 2009-07-23 | -           | 4.516
Ikarus      | T3.1.01.64      | 2009.07.23.73089 | 2009-07-23 | -           | 4.042
JiangMin    | 11.0.800        | 2009.07.23       | 2009-07-23 | -           | 3.735
Kaspersky   | 5.5.10          | 2009.07.23       | 2009-07-23 | -           | 0.090
KingSoft    | 2009.2.5.15     | 2009.7.23.21     | 2009-07-23 | -           | 0.464
McAfee      | 5.3.00          | 5686             | 2009-07-23 | -           | 2.986
Microsoft   | 1.4903          | 2009.07.23       | 2009-07-23 | -           | 4.937
mks_vir     | 2.01            | 2009.07.15       | 2009-07-15 | -           | 3.286
Norman      | 6.01.09         | 6.01.00          | 2009-07-22 | -           | 4.005
nProtect    | 20090721.02     | 4887961          | 2009-07-21 | -           | 6.097
Panda       | 9.05.01         | 2009.07.23       | 2009-07-23 | -           | 1.631
Quick Heal  | 10.00           | 2009.07.23       | 2009-07-23 | -           | 5.146
Rising      | 20.0            | 21.39.34.00      | 2009-07-23 | -           | 0.943
Sophos      | 2.88.0          | 4.43             | 2009-07-24 | -           | 3.008
Sunbelt     | 5277            | 5277             | 2009-07-22 | -           | 2.600
Symantec    | 1.3.0.24        | 20090723.003     | 2009-07-23 | -           | 0.621
The Hacker  | 6.3.4.3         | v00372           | 2009-07-22 | -           | 0.692
Trend Micro | 8.700-1004      | 6.308.03         | 2009-07-23 | -           | 0.038
VBA32       | 3.12.10.9       | 20090722.1357    | 2009-07-22 | -           | 1.886
ViRobot     | 20090721        | 2009.07.21       | 2009-07-21 | -           | 0.411
VirusBuster | 4.5.11.10       | 10.109.8/1824482 | 2009-07-23 | -           | 7.082

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Jesse Coleman at 18:46:02.85 on Thu 07/23/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.500 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Documents and Settings\Jesse Coleman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240534924484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240534916750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessec~1\applic~1\mozilla\firefox\profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-1-22 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2009-1-22 25216]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-1-22 38400]

=============== Created Last 30 ================

2009-07-23 17:33 268 a---h--- C:\sqmdata06.sqm
2009-07-23 17:33 244 a---h--- C:\sqmnoopt06.sqm
2009-07-23 17:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 17:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 17:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 16:12 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-22 16:10 268 a---h--- C:\sqmdata05.sqm
2009-07-22 16:10 244 a---h--- C:\sqmnoopt05.sqm
2009-07-22 16:07 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-07-22 16:07 50,176 a------- c:\windows\system32\proquota.exe
2009-07-22 16:02 <DIR> a-dshr-- C:\cmdcons
2009-07-22 16:01 219,648 a------- c:\windows\PEV.exe
2009-07-22 16:01 161,792 a------- c:\windows\SWREG.exe
2009-07-22 16:01 98,816 a------- c:\windows\sed.exe
2009-07-22 15:59 268 a---h--- C:\sqmdata04.sqm
2009-07-22 15:59 244 a---h--- C:\sqmnoopt04.sqm
2009-07-18 20:08 268 a---h--- C:\sqmdata03.sqm
2009-07-18 20:08 244 a---h--- C:\sqmnoopt03.sqm
2009-07-18 18:28 268 a---h--- C:\sqmdata02.sqm
2009-07-18 18:28 244 a---h--- C:\sqmnoopt02.sqm
2009-07-15 01:25 118 a------- c:\windows\system32\MRT.INI
2009-07-14 10:56 268 a---h--- C:\sqmdata01.sqm
2009-07-14 10:56 244 a---h--- C:\sqmnoopt01.sqm
2009-07-12 11:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:22 244 a---h--- C:\sqmnoopt00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 17:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 17:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 17:24 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 17:24 <DIR> --d----- c:\program files\Lavasoft
2009-07-10 16:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-10 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-10 13:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-10 13:47 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-10 13:47 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-07-10 13:47 <DIR> --d----- c:\program files\Zone Labs
2009-07-10 13:47 350,192 a------- c:\windows\system32\vsconfig.xml
2009-07-10 13:46 <DIR> --d----- c:\windows\Internet Logs
2009-07-10 13:32 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 13:32 <DIR> --d----- c:\program files\Avira
2009-07-10 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-10 04:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-10 04:12 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-10 04:12 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-09 08:29 <DIR> --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-07-09 08:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-28 20:24 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 18:46:56.70 ===============
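
The MBAM report above is the kind of log a helper reads by eye: summary counts, then one section per category with the items found and what was done with them. The script below is an added example (not MBAM's own code) that parses such a log, cross-checks the summary counts against the items actually listed, and flags any item whose action is not "Quarantined and deleted successfully." (the case in which MBAM asks for a reboot to finish). The sample log is a constructed excerpt modelled on the report posted above, with the user's profile path shortened; the regexes and the CLEAN_ACTION string are my own assumptions about the log format.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) log and sanity-check it.
Added example for this thread; not part of MBAM."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the MBAM log posted in this thread (user path shortened).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2490
Windows 5.1.2600 Service Pack 3

7/23/2009 5:29:31 PM
mbam-log-2009-07-23 (17-29-30).txt

Scan type: Quick Scan
Objects scanned: 81603
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\user\desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.
"""

# Assumed log grammar: "<Section> Infected: <n>" summary lines, "<Section> Infected:" section
# headers, and "<item> (<detection name>) -> ... -> <action>" detail lines.
SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
NO_ITEMS = "(No malicious items detected)"
CLEAN_ACTION = "Quarantined and deleted successfully."  # anything else needs follow-up


@dataclass
class Detection:
    section: str   # category the item was listed under
    item: str      # file path or registry key/value
    name: str      # MBAM detection name, e.g. Trojan.Agnet
    action: str    # last "->" segment: what MBAM did with the item


@dataclass
class MbamReport:
    version: str = ""
    database_version: int = 0
    scan_type: str = ""
    objects_scanned: int = 0
    counts: Dict[str, int] = field(default_factory=dict)
    detections: Dict[str, List[Detection]] = field(default_factory=dict)

    def total_detections(self) -> int:
        return sum(len(items) for items in self.detections.values())


def parse_mbam_log(text: str) -> MbamReport:
    """Read header fields, summary counts and per-section detection lines."""
    report = MbamReport()
    section = None  # name of the detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends a detail section
            continue
        if section is not None:
            if line != NO_ITEMS:
                m = DETECTION_RE.match(line)
                if not m:
                    raise ValueError(f"unrecognised detection line: {line}")
                action = m.group("rest").split(" -> ")[-1]
                report.detections[section].append(
                    Detection(section, m.group("item"), m.group("name"), action))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report.detections.setdefault(section, [])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.counts[m.group("section")] = int(m.group("count"))
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            report.database_version = int(line.split(": ", 1)[1])
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
    return report


def check_consistency(report: MbamReport) -> List[str]:
    """Return a list of problems: summary/detail count mismatches and items not cleanly removed."""
    problems = []
    for section, count in report.counts.items():
        listed = len(report.detections.get(section, []))
        if listed != count:
            problems.append(f"{section}: summary says {count}, {listed} listed")
    for items in report.detections.values():
        for d in items:
            if d.action != CLEAN_ACTION:
                problems.append(f"{d.section}: {d.item} -> {d.action}")
    return problems


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {rep.version}, database {rep.database_version}, "
          f"{rep.scan_type}, {rep.total_detections()} item(s) found")
    for items in rep.detections.values():
        for d in items:
            print(f"  [{d.name}] {d.item} -> {d.action}")
    print("problems:", check_consistency(rep) or "none")
```

When the summary and detail counts disagree, or an item's action is anything other than the clean-removal text, the log was either truncated when it was pasted or the removal did not complete, which is exactly when the helper asks for the full log or a reboot.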

#9 htv8 (Location: The Netherlands)

Posted 24 July 2009 - 06:38 AM

Hello again, agoodlysize.



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


:) Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your Desktop:
    • Go to http://java.sun.com/javase/downloads/index.jsp.
    • Scroll down to where it says "Java SE Runtime Environment (JRE) JRE 6 Update 14".
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6u14 with JavaFX1 License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download the Windows Offline Installation and save the file to your Desktop.
  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start -> Control Panel, double-click Add or Remove Programs and remove all older version Java components by clicking the Remove or Change/Remove button next to each of the following entries and follow the on-screen instructions for the Java uninstaller:
    • Java™ 6 Update 2
  • Reboot your computer once all Java components are removed.
  • From your Desktop, double-click the jre-6u14-windows-i586-p.exe file.
  • Follow the on-screen instructions to install the latest Java version.
:) Re-run ComboFix with some additional directives:
  • Close any open browsers/windows so that you have nothing open and are at your Desktop.
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Go to Start -> Run... and in the "Open:" box that opens type Notepad and press Enter.
  • Copy the entire contents inside the CODE box below into Notepad (do NOT copy the word "CODE"!) - don't use any other text editor than Notepad or the script will fail.
    DDS::
    mURLSearchHooks: H - No File
    BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: 1 (0x1) - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Go to File -> Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Referring to the picture below, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    Posted Image
    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt. Please post the entire contents of that report in your next reply for further review.
:thumbup2: Please do an online scan with the Kaspersky Online Scanner:
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files. NOTE: The downloading takes a while, so please be patient and let it finish.
  • After the files have been downloaded, on the left side of the page click the Settings button and make sure all checkboxes are checked.
  • On the left side of the page under the "Scan" section select My Computer.
    The program will start and scan your system. NOTE: The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View Scan Report.
  • Now, click on the Save Report As... button.
  • Change the "Files of Type" dropdown box to Text Files (.txt) in order to save the scan results as a text file.
  • Enter a memorable filename.
  • Save the file to your Desktop.
  • Copy and paste the entire information within this file in your next post.


So in your next reply, please post the entire contents of:
  • C:\ComboFix.txt
  • the Kaspersky Online Scanner report
NOTE: Use several posts if necessary to include everything in your reply.

Also please let me know how your computer is running now. :cool: Still signs/symptoms of infection? Any redirections?
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

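
The DDS:: part of the CFScript in post #9 is built from the entries in the DDS "Pseudo HJT Report" that end in "- No File": registry hooks (BHOs, toolbars, URL search hooks) whose target DLL is gone, which is the debris a cleanup leaves behind. The script below is an added example, not part of DDS or ComboFix, that automates that triage: it keeps only the Pseudo HJT Report section of a DDS log, lists the orphaned entries, and renders them in the DDS:: form the script above uses. The excerpt it parses is constructed from the DDS log posted earlier in this thread; ORPHAN_KINDS and the line regexes are my own assumptions about the DDS format.

```python
"""List orphaned ("No File") browser-hook entries in a DDS Pseudo HJT Report.
Added example for this thread; not part of DDS or ComboFix."""
import re
from typing import Iterator, List, NamedTuple

# Constructed excerpt, modelled on the DDS log posted earlier in the thread.
SAMPLE_DDS = r"""============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

# Assumed DDS layout: "=== Section ===" banners, then "<kind>: <body>" lines per entry.
HEADER_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<body>.+)$")
NO_FILE = " - No File"
# Entry kinds whose "No File" form is a dangling registry reference (my choice, not DDS's).
ORPHAN_KINDS = {"BHO", "TB", "mURLSearchHooks", "uURLSearchHooks"}


class Entry(NamedTuple):
    kind: str   # DDS line prefix, e.g. BHO, TB, mURLSearchHooks
    body: str   # everything after "<kind>: "
    line: str   # the original line, as it would be pasted into a CFScript


def pseudo_hjt_lines(text: str) -> Iterator[str]:
    """Yield the non-blank lines that sit under the Pseudo HJT Report banner."""
    in_section = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            in_section = m.group("name") == "Pseudo HJT Report"
            continue
        if in_section and line:
            yield line


def find_orphans(text: str) -> List[Entry]:
    """Return hook entries whose target file is reported missing, in log order."""
    orphans: List[Entry] = []
    for line in pseudo_hjt_lines(text):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # settings lines such as "uStart Page = ..." are not hook entries
        kind, body = m.group("kind"), m.group("body")
        if kind in ORPHAN_KINDS and body.endswith(NO_FILE):
            orphans.append(Entry(kind, body, line))
    return orphans


def build_dds_section(entries: List[Entry]) -> str:
    """Render the entries in the "DDS::" block form used by the CFScript above."""
    return "DDS::\n" + "".join(e.line + "\n" for e in entries)


if __name__ == "__main__":
    found = find_orphans(SAMPLE_DDS)
    print(f"{len(found)} orphaned entr{'y' if len(found) == 1 else 'ies'} found")
    print(build_dds_section(found), end="")
```

Orphaned entries are leftovers rather than proof of an active infection; the value of listing them mechanically is that nothing is missed and that the lines are copied exactly, since a CFScript line that differs from the log line will not match. Entries that still point at an existing file are deliberately left alone: deciding whether those are legitimate is the helper's judgement, not a string match.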

#10 agoodlysize (Topic Starter)

Posted 24 July 2009 - 01:28 PM

Everything seems to be running great so far. No more redirects, ZoneAlarm has stopped popping up every time I run a program, and there are no other apparent symptoms. Thanks for all your help so far!

ComboFix 09-07-23.04 - Jesse Coleman 07/24/2009 10:57.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.631 [GMT -4:00]
Running from: c:\documents and settings\Jesse Coleman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jesse Coleman\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2009-07-24 14:48 . 2009-07-24 14:48 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 02:15 . 2009-07-24 02:15 -------- d-----w- c:\program files\iPod
2009-07-24 02:15 . 2009-07-24 02:16 -------- d-----w- c:\program files\iTunes
2009-07-24 02:10 . 2009-07-24 02:10 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-23 21:22 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 21:22 . 2009-07-23 21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-23 21:22 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-22 20:07 . 2008-04-14 12:00 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-22 20:07 . 2008-04-14 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-12 15:39 . 2009-07-12 15:39 -------- d-----w- c:\windows\system32\LogFiles
2009-07-11 01:05 . 2009-07-11 01:05 -------- d-----w- c:\program files\Trend Micro
2009-07-10 21:56 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-10 21:31 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-10 21:24 . 2009-07-10 21:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 21:24 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-10 21:24 . 2009-07-10 21:24 -------- d-----w- c:\program files\Lavasoft
2009-07-10 21:24 . 2009-07-10 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-10 20:02 . 2009-07-10 20:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-10 20:02 . 2009-07-10 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 17:48 . 2009-07-10 17:48 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-07-10 17:47 . 2009-02-16 04:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-07-10 17:47 . 2009-02-16 04:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-07-10 17:47 . 2009-07-10 17:48 -------- d-----w- c:\windows\system32\ZoneLabs
2009-07-10 17:47 . 2009-07-10 17:47 -------- d-----w- c:\program files\Zone Labs
2009-07-10 17:47 . 2009-02-16 04:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-07-10 17:46 . 2009-07-24 14:52 -------- d-----w- c:\windows\Internet Logs
2009-07-10 17:32 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-10 17:32 . 2009-03-24 20:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 17:32 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-10 17:32 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-10 17:32 . 2009-07-10 17:32 -------- d-----w- c:\program files\Avira
2009-07-10 17:32 . 2009-07-10 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-10 08:12 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-10 08:12 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-10 08:12 . 2003-02-21 02:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-09 12:29 . 2009-07-09 12:29 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\Malwarebytes
2009-07-09 12:29 . 2009-07-09 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 14:48 . 2009-04-24 16:40 -------- d-----w- c:\program files\Java
2009-07-24 02:15 . 2009-05-12 18:09 -------- d-----w- c:\program files\Common Files\Apple
2009-07-24 02:04 . 2009-04-24 18:11 1 ----a-w- c:\documents and settings\Jesse Coleman\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-24 02:04 . 2009-04-24 18:09 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\OpenOffice.org2
2009-07-23 21:09 . 2009-01-23 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-22 19:53 . 2009-07-14 14:55 2138857 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-06-30 19:33 . 2009-05-12 18:12 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\Apple Computer
2009-06-22 04:21 . 2009-06-22 04:21 -------- d-----w- c:\documents and settings\Jesse Coleman\Application Data\GlarySoft
2009-06-22 04:13 . 2009-06-22 04:12 -------- d-----w- c:\program files\Glary Utilities
2009-06-19 17:45 . 2009-01-23 00:32 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-16 14:36 . 2009-01-22 22:36 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2009-01-22 22:36 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-04 18:17 . 2009-06-04 18:17 -------- d-----w- c:\program files\QuickTime
2009-06-04 18:11 . 2009-06-04 18:11 -------- d-----w- c:\program files\Safari
2009-06-03 19:09 . 2009-01-22 22:36 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-07 15:32 . 2009-01-22 22:36 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2009-01-22 22:36 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2009-01-22 22:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-29 00:24 . 2009-01-22 23:51 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2008-05-07 08:34 . 2009-01-23 00:35 15523560 ----a-w- c:\program files\U1 Setup.exe
2009-07-22 19:46 . 2009-04-23 23:59 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-22_20.10.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-24 14:48 . 2009-07-24 14:48 16384 c:\windows\temp\Perflib_Perfdata_578.dat
+ 2009-07-24 14:48 . 2009-07-24 14:48 148888 c:\windows\system32\javaws.exe
+ 2009-07-24 14:48 . 2009-07-24 14:48 144792 c:\windows\system32\javaw.exe
+ 2009-07-24 14:48 . 2009-07-24 14:48 144792 c:\windows\system32\java.exe
+ 2009-07-24 02:17 . 2009-07-24 02:17 102400 c:\windows\Installer\{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}\iTunesIco.exe
+ 2009-07-24 14:48 . 2009-07-24 14:48 1563648 c:\windows\Installer\24203.msi
+ 2009-07-24 02:17 . 2009-07-24 02:17 4945408 c:\windows\Installer\1007a19.msi
+ 2009-07-24 02:12 . 2009-07-24 02:12 3295232 c:\windows\Installer\10076cd.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-11-24 329728]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-12-04 114688]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-12-18 622592]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-18 16855040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-1-22 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/10/2009 5:31 PM 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/10/2009 1:32 PM 108289]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [1/22/2009 8:27 PM 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [1/22/2009 1:27 AM 25216]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1029456]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [1/22/2009 1:27 AM 38400]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-07-24 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-06-22 15:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Jesse Coleman\Application Data\Mozilla\Firefox\Profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 11:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-24 11:03
ComboFix-quarantined-files.txt 2009-07-24 15:03
ComboFix2.txt 2009-07-22 20:14

Pre-Run: 89,973,026,816 bytes free
Post-Run: 90,040,209,408 bytes free

175 --- E O F --- 2009-07-15 05:25

Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 24, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 24, 2009 15:59:03
Records in database: 2526216
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Files scanned: 51715
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:47:40


File name / Threat name / Threats count
C:\Documents and Settings\Jesse Coleman\Application Data\Sun\Java\Deployment\cache\6.0\45\473eff2d-198356dc Infected: Trojan-Downloader.Win32.FraudLoad.wkob 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruikcolewmy.dll.vir Infected: Trojan.Win32.Monder.cqbi 1
C:\System Volume Information\_restore{AC907EA6-59BC-4576-8A6B-DAC903AB0DE6}\RP58\A0013452.dll Infected: Trojan.Win32.Monder.cqbi 1

The selected area was scanned.

#11 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 July 2009 - 03:18 PM

Hello again.

Everything seems to be running great so far. No more redirects, ZoneAlarm has stopped popping up every time I run a program, and there are no other apparent symptoms. Thanks for all your help so far!

[..]

Great to hear that! :thumbup2:



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


:) Clear the Java cache:
  • Go to Start -> Control Panel.
  • In the Control Panel, double-click the Java icon.
    • The Java Control Panel appears.
  • Click Settings... under "Temporary Internet Files". The Temporary Files Settings dialog box appears.
  • Click Delete Files... The Delete Temporary Files dialog box appears.
  • Click OK on the Delete Temporary Files window.
    NOTE: This deletes all the Downloaded Applications and Applets from the cache!
  • Click OK on the Temporary Files Settings window.
  • Close the Java Control Panel.

    You can also view these instructions along with screenshots here.
Certain Microsoft Windows applications appear to be out of date. We need to update them now.
  • Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC. Without these patches, you will just be re-infected all over again. That is why updating Windows applications is very important.
  • Please go to the Windows Update site to check for & install updates to Microsoft applications.
    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Please reboot and repeat the update process until there are no more updates to install!
Once the installation is all complete, please let me know of any problems you may have encountered.
:) Rescan with DDS and post its resultant DDS.txt log file here for a final review, please.



Everything still running OK?

If the DDS log looks OK, I will give you final instructions to uninstall ComboFix (will also delete its backups and will flush old restore points from System Restore to prevent possible reinfection from an old one (IMPORTANT!)). Then, finally, I will give you some tips to prevent reinfection in the future. :cool:
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

#12 agoodlysize

  • Topic Starter

  • Members
  • 9 posts

Posted 26 July 2009 - 12:37 AM

I've been working quite a bit the last two days, as soon as I have a chunk of time (most likely tomorrow night) I'll take care of the last post.

#13 htv8

  • Members
  • 1,694 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 July 2009 - 04:24 AM

OK! :thumbup2: I'll keep the thread open. Will get a notification when you reply back. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

#14 agoodlysize

  • Topic Starter

  • Members
  • 9 posts

Posted 27 July 2009 - 12:18 AM

Worked late tonight, will do without fail tomorrow. Thanks for your patience!

#15 agoodlysize

  • Topic Starter

  • Members
  • 9 posts

Posted 29 July 2009 - 01:24 PM

The last DDS (I hope I hope I hope).

DDS (Ver_09-06-26.01) - NTFSx86
Run by Jesse Coleman at 14:13:58.43 on Wed 07/29/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.643 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jesse Coleman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240534924484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240534916750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessec~1\applic~1\mozilla\firefox\profiles\vdfh8n79.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-10 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-10 353672]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-10 55640]
R3 AsusACPI;ASUS ACPI Driver;c:\windows\system32\drivers\ASUSACPI.SYS [2009-1-22 10752]
R3 Ktp;Elantech Smart-Pad;c:\windows\system32\drivers\ETD.sys [2009-1-22 25216]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-1-22 38400]

=============== Created Last 30 ================

2009-07-29 09:26 268 a---h--- C:\sqmdata12.sqm
2009-07-29 09:26 244 a---h--- C:\sqmnoopt12.sqm
2009-07-29 01:43 268 a---h--- C:\sqmdata11.sqm
2009-07-29 01:43 244 a---h--- C:\sqmnoopt11.sqm
2009-07-29 01:06 268 a---h--- C:\sqmdata10.sqm
2009-07-29 01:06 244 a---h--- C:\sqmnoopt10.sqm
2009-07-27 17:28 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-27 17:25 268 a---h--- C:\sqmdata09.sqm
2009-07-27 17:25 244 a---h--- C:\sqmnoopt09.sqm
2009-07-27 17:20 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-07-27 17:20 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-27 17:20 117,760 -------- c:\windows\system32\prntvpt.dll
2009-07-27 17:20 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-07-27 17:20 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-27 17:20 <DIR> --d----- C:\3c35d19396c9295618e4770943
2009-07-27 17:20 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-07-27 17:20 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-07-27 17:10 <DIR> --d----- C:\d16796bc5b04ebc81bd0
2009-07-27 17:10 <DIR> --d----- C:\7118c1bdea8f54c85db3
2009-07-27 07:07 268 a---h--- C:\sqmdata08.sqm
2009-07-27 07:07 244 a---h--- C:\sqmnoopt08.sqm
2009-07-24 10:48 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-24 10:48 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-24 10:46 268 a---h--- C:\sqmdata07.sqm
2009-07-24 10:46 244 a---h--- C:\sqmnoopt07.sqm
2009-07-23 22:15 <DIR> --d----- c:\program files\iPod
2009-07-23 22:15 <DIR> --d----- c:\program files\iTunes
2009-07-23 17:33 268 a---h--- C:\sqmdata06.sqm
2009-07-23 17:33 244 a---h--- C:\sqmnoopt06.sqm
2009-07-23 17:22 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-23 17:22 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-23 17:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 16:12 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-22 16:10 268 a---h--- C:\sqmdata05.sqm
2009-07-22 16:10 244 a---h--- C:\sqmnoopt05.sqm
2009-07-22 16:07 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-07-22 16:07 50,176 a------- c:\windows\system32\proquota.exe
2009-07-22 16:02 <DIR> a-dshr-- C:\cmdcons
2009-07-22 16:01 219,648 a------- c:\windows\PEV.exe
2009-07-22 16:01 161,792 a------- c:\windows\SWREG.exe
2009-07-22 16:01 98,816 a------- c:\windows\sed.exe
2009-07-22 15:59 268 a---h--- C:\sqmdata04.sqm
2009-07-22 15:59 244 a---h--- C:\sqmnoopt04.sqm
2009-07-18 20:08 268 a---h--- C:\sqmdata03.sqm
2009-07-18 20:08 244 a---h--- C:\sqmnoopt03.sqm
2009-07-18 18:28 268 a---h--- C:\sqmdata02.sqm
2009-07-18 18:28 244 a---h--- C:\sqmnoopt02.sqm
2009-07-15 01:25 118 a------- c:\windows\system32\MRT.INI
2009-07-14 10:56 268 a---h--- C:\sqmdata01.sqm
2009-07-14 10:56 244 a---h--- C:\sqmnoopt01.sqm
2009-07-12 11:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-07-10 21:22 268 a---h--- C:\sqmdata00.sqm
2009-07-10 21:22 244 a---h--- C:\sqmnoopt00.sqm
2009-07-10 21:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-10 17:56 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 17:31 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 17:24 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-10 17:24 <DIR> --d----- c:\program files\Lavasoft
2009-07-10 16:02 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-10 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-10 13:48 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-10 13:47 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-07-10 13:47 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-07-10 13:47 <DIR> --d----- c:\program files\Zone Labs
2009-07-10 13:47 350,192 a------- c:\windows\system32\vsconfig.xml
2009-07-10 13:46 <DIR> --d----- c:\windows\Internet Logs
2009-07-10 13:32 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-10 13:32 <DIR> --d----- c:\program files\Avira
2009-07-10 13:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-10 04:12 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-10 04:12 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-10 04:12 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-09 08:29 <DIR> --d----- c:\docume~1\jessec~1\applic~1\Malwarebytes
2009-07-09 08:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2008-05-07 04:34 15,523,560 a------- c:\program files\U1 Setup.exe

============= FINISH: 14:15:00.35 ===============
