Browsers being hijacked


This topic is locked
9 replies to this topic

#1 Devlish

Posted 06 August 2009 - 12:44 PM

Hi,

I have cleaned the computer with Spybot, Ad-Aware and am running ZoneAlarm Internet Security Suite.

Every time I try to search with Google it goes to various search engines like clicked.cn and sometimes will not behave when I hit the back button.

Spybot found and reports cleaning a trojan/malware. It has removed Win32.Zbot more than once.

I think my son was looking for music and installed uTorrent. I have removed this and all downloaded files that I can find, as well as my son's computer access.

I am posting my HijackThis log, then my dds.txt file, and last but not least my Attach.txt file.

Thank you in advance for any help you can give me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:15 AM, on 8/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Internet\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Internet\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Internet\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Internet\ICQ6.5\ICQ.exe
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Internet\xmarks\foxmarksdll.dll (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Internet\xmarks\foxmarksdll.dll (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Graphics\Photoshop\PhotoshopElementsFileAgent.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdpCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdpserv.exe
O23 - Service: lxdp_device - - C:\Windows\system32\lxdpcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Internet\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 5749 bytes
DDS (Ver_09-07-30.01) - NTFSx86
Run by Angel at 10:14:25.29 on Thu 08/06/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2143 [GMT -7:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
SP: ZoneAlarm Security Suite Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Internet\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxdpcoms.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Internet\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Angel\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/search?q=google&rls=com.microsoft:*&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SpybotSnD] "c:\internet\spybot - search & destroy\SpybotSD.exe" /autocheck
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\internet\icq6.5\ICQ.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\angel\appdata\roaming\mozilla\firefox\profiles\75zp333h.default\
FF - plugin: c:\users\angel\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\internet\firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\internet\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\internet\firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\internet\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\internet\firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\internet\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\internet\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\internet\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\internet\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\internet\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\internet\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\internet\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\internet\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\internet\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\internet\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\internet\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\internet\firefox\greprefs\all.js - pref("geo.enabled", true);
c:\internet\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\internet\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\internet\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\internet\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\internet\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\internet\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\internet\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\internet\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\internet\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-2 64160]
R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-7-22 151592]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\internet\spybot - search & destroy\SDWinSec.exe [2009-7-2 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R3 L1E;NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\L1E60x86.sys [2009-6-28 48128]
S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\graphics\photoshop\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2008-2-27 98984]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S4 AGCoreService;AG Core Services;c:\program files\agi\core\3.1\AGCoreService.exe [2009-7-4 20480]

=============== Created Last 30 ================

2009-08-06 09:57 <DIR> --d----- c:\program files\Trend Micro
2009-08-05 22:52 <DIR> --d----- c:\program files\LightScribe Diagnostic Utility
2009-08-05 22:24 828,416 a------- c:\windows\system32\wininet.dll
2009-08-05 22:24 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-05 20:02 238,731,435 a------- c:\windows\MEMORY.DMP
2009-08-05 09:59 <DIR> --d----- c:\program files\LightScribe
2009-08-05 09:31 <DIR> --d----- c:\users\angel\appdata\roaming\Pogo Games
2009-08-04 23:11 <DIR> --d----- c:\users\angel\appdata\roaming\DVDFab
2009-08-04 21:25 <DIR> --d----- c:\programdata\vsosdk
2009-08-04 21:25 <DIR> --d----- c:\progra~2\vsosdk
2009-08-04 20:52 87,608 a------- c:\users\angel\appdata\roaming\inst.exe
2009-08-04 20:52 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-08-04 20:52 47,360 a------- c:\users\angel\appdata\roaming\pcouffin.sys
2009-08-04 18:45 <DIR> --d----- c:\users\angel\appdata\roaming\RipIt4Me
2009-08-04 16:15 <DIR> --d----- c:\users\angel\appdata\roaming\RenPy
2009-08-03 14:56 <DIR> --d----- c:\programdata\Bilbo
2009-08-03 14:56 <DIR> --d----- c:\progra~2\Bilbo
2009-08-01 20:14 <DIR> a-d-h--- c:\programdata\GTek
2009-08-01 20:14 <DIR> --d----- c:\program files\Linksys EasyLink Advisor
2009-08-01 11:49 55,296 -------- c:\windows\system32\BrNetSti.dll
2009-08-01 11:49 37,376 -------- c:\windows\system32\Brnsplg.dll
2009-08-01 11:49 34,816 -------- c:\windows\system32\BrWiaNCp.dll
2009-08-01 11:49 <DIR> --d----- C:\Brother
2009-07-31 09:21 <DIR> --d----- c:\programdata\WindowsSearch
2009-07-31 09:07 <DIR> --d----- c:\users\angel\appdata\roaming\SanDisk
2009-07-30 16:49 <DIR> --d----- c:\users\angel\appdata\roaming\BNeReader
2009-07-30 16:35 <DIR> --d----- c:\windows\system32\Temp
2009-07-30 16:35 <DIR> --d----- c:\program files\Barnes & Noble eReader
2009-07-30 11:04 <DIR> --d----- c:\program files\Audacity
2009-07-28 19:01 <DIR> --d----- c:\users\angel\appdata\roaming\uTorrent
2009-07-26 11:41 32,879 a------- c:\programdata\nvModes.dat
2009-07-26 11:41 32,879 a------- c:\progra~2\nvModes.dat
2009-07-26 11:38 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-07-26 11:37 485,920 a------- c:\windows\system32\nvudisp.exe
2009-07-26 11:37 10,854,400 a------- c:\windows\system32\nvoglv32.dll
2009-07-26 11:37 9,557,216 a------- c:\windows\system32\drivers\nvlddmkm.sys
2009-07-26 11:37 3,287,040 a------- c:\windows\system32\nvwgf2um.dll
2009-07-26 11:37 10,161 a------- c:\windows\system32\nvdisp.nvu
2009-07-26 11:37 4,224 a------- c:\windows\system32\drivers\nvBridge.kmd
2009-07-26 11:37 7,565,824 a------- c:\windows\system32\nvd3dum.dll
2009-07-26 11:37 2,169,376 a------- c:\windows\system32\nvcuvid.dll
2009-07-26 11:37 1,983,488 a------- c:\windows\system32\nvcuda.dll
2009-07-26 11:37 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-07-26 11:37 151,552 a------- c:\windows\system32\nvcod157.dll
2009-07-26 11:37 151,552 a------- c:\windows\system32\nvcod.dll
2009-07-26 11:36 <DIR> --d----- C:\NVIDIA
2009-07-26 11:32 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-07-24 08:15 <DIR> --d----- c:\users\angel\appdata\roaming\Auslogics
2009-07-24 08:15 <DIR> --d----- c:\program files\Auslogics
2009-07-23 21:38 <DIR> --d----- c:\programdata\ZULJAFFBXG
2009-07-23 21:38 <DIR> --d----- c:\progra~2\ZULJAFFBXG
2009-07-23 21:37 <DIR> --d----- c:\programdata\SRLJAFFBXG
2009-07-23 21:37 <DIR> --d----- c:\progra~2\SRLJAFFBXG
2009-07-23 21:36 <DIR> --d----- c:\programdata\RQLJAFFBXG
2009-07-23 21:36 <DIR> --d----- c:\progra~2\RQLJAFFBXG
2009-07-23 21:36 <DIR> --d----- c:\programdata\FAOJAFFBXG
2009-07-23 21:36 <DIR> --d----- c:\progra~2\FAOJAFFBXG
2009-07-23 21:34 <DIR> --d----- c:\programdata\JJLJAFFBXG
2009-07-23 21:34 <DIR> --d----- c:\progra~2\JJLJAFFBXG
2009-07-23 21:26 <DIR> --d----- c:\programdata\PILJAFFBXG
2009-07-23 21:26 <DIR> --d----- c:\progra~2\PILJAFFBXG
2009-07-23 21:26 <DIR> --d----- c:\program files\BadgeHelp
2009-07-23 21:21 <DIR> --d----- c:\users\angel\appdata\roaming\AweSEM
2009-07-23 14:13 <DIR> --d----- c:\users\angel\appdata\roaming\deskPDF
2009-07-22 19:44 <DIR> --d----- c:\users\angel\appdata\roaming\PC-FAX TX
2009-07-22 19:32 301 a------- c:\windows\Brpfx04a.ini
2009-07-22 19:32 154 a------- c:\windows\brpcfx.ini
2009-07-22 19:32 50 a------- c:\windows\system32\BRIDF04A.dat
2009-07-22 19:31 53,760 a------- c:\windows\system32\brinsstr.dll
2009-07-22 19:30 258,048 a------- c:\windows\system32\bsplmf01.dll
2009-07-22 19:30 139,264 a------- c:\windows\system32\bsplmf01.exe
2009-07-22 19:30 66 a------- c:\windows\Brfaxrx.ini
2009-07-22 19:30 0 a------- c:\windows\brdfxspd.dat
2009-07-22 19:30 126,976 -------- c:\windows\system32\BrfxD05a.dll
2009-07-22 19:30 6,224 -------- c:\windows\CVRPAGE.BMP
2009-07-22 19:30 <DIR> --d----- c:\program files\Brother
2009-07-22 19:30 163,840 -------- c:\windows\system32\NSSearch.dll
2009-07-22 19:30 147,456 -------- c:\windows\brunin03.dll
2009-07-22 19:30 106,496 -------- c:\windows\system32\BrMuSNMP.dll
2009-07-22 19:30 61,440 -------- c:\windows\system32\BrMfNt.dll
2009-07-22 19:30 <DIR> --d----- c:\programdata\Brother
2009-07-22 19:30 <DIR> --d----- c:\progra~2\Brother
2009-07-22 19:07 <DIR> --d--r-- c:\users\angel\appdata\roaming\Brother
2009-07-22 19:05 464 a------- c:\windows\BRWMARK.INI
2009-07-22 19:05 184 a------- c:\windows\system32\brsvc01a.bsi
2009-07-22 19:05 30 a------- c:\windows\system32\brss01a.ini
2009-07-22 19:05 27 a------- c:\windows\BRPP2KA.INI
2009-07-22 18:58 57,344 a------- c:\windows\system32\brsvc01a.exe
2009-07-22 18:58 45,056 a------- c:\windows\system32\brss01a.exe
2009-07-22 16:36 <DIR> --d----- c:\users\angel\appdata\roaming\Babylonia
2009-07-22 14:36 <DIR> --d----- c:\programdata\CupcakeCafe
2009-07-22 14:36 <DIR> --d----- c:\progra~2\CupcakeCafe
2009-07-21 16:12 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-07-19 13:05 30,976 a------- c:\windows\rascntrl.dll
2009-07-18 10:01 <DIR> --d----- c:\users\angel\appdata\roaming\Reflexive JanesZOO
2009-07-17 16:42 <DIR> --d----- c:\users\angel\appdata\roaming\Aisle 5 Games, Inc
2009-07-17 15:50 <DIR> --d----- c:\users\angel\appdata\roaming\Gamers Digital
2009-07-17 15:50 <DIR> --d----- c:\programdata\Gamers Digital
2009-07-17 15:50 <DIR> --d----- c:\progra~2\Gamers Digital
2009-07-15 18:47 150 a------- c:\windows\wininit.ini
2009-07-15 08:46 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-15 08:46 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-15 08:46 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-15 08:46 23,552 a------- c:\windows\system32\lpk.dll
2009-07-15 08:46 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-14 21:36 23 a------- c:\windows\system32\sysmwwod.dll
2009-07-14 21:33 209,608 a------- c:\windows\system32\Tabctl32.ocx
2009-07-14 21:33 1,703,936 a------- c:\windows\system32\NCTAudioFile.dll
2009-07-14 21:33 1,388,544 a------- c:\windows\system32\temp.001
2009-07-14 21:33 360,448 a------- c:\windows\system32\NCTWMAFile.dll
2009-07-14 21:33 233,472 a------- c:\windows\system32\lame_enc.dll
2009-07-14 21:33 140,288 a------- c:\windows\system32\Comdlg32.ocx
2009-07-14 21:33 73,785 a------- c:\windows\system32\temp.000
2009-07-14 21:33 40,960 a------- c:\windows\system32\DGPNorm.ocx
2009-07-11 17:47 0 a------- c:\windows\ae_mini.INI
2009-07-10 17:57 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-07-08 00:01 <DIR> --d----- c:\programdata\Nero
2009-07-08 00:01 <DIR> --d----- c:\progra~2\Nero
2009-07-07 22:43 15,867 a------- c:\windows\Blank.ico
2009-07-07 12:46 15,688 a------- c:\windows\system32\lsdelete.exe

==================== Find3M ====================

2009-08-06 09:25 395,034 a------- c:\windows\system32\perfh012.dat
2009-08-06 09:25 100,912 a------- c:\windows\system32\perfc012.dat
2009-08-06 09:20 72,454,176 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-06 09:19 415,148 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-08-06 09:18 971,108 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-06 00:24 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-06 00:24 51,200 a------- c:\windows\inf\infpub.dat
2009-08-04 20:52 86,016 a------- c:\windows\inf\infstor.dat
2009-08-02 08:58 23,104 a------- c:\windows\system32\svcprmpt.dll
2009-07-14 11:54 1,044,992 a------- c:\windows\system32\nvapi.dll
2009-07-10 07:01 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-07-07 09:49 4,096 a------- c:\windows\d3dx.dat
2009-07-04 19:27 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-07-04 18:38 319,456 a------- c:\windows\DIFxAPI.dll
2009-07-03 09:00 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-02 16:23 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-02 14:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-02 11:50 155,890 a------- c:\windows\system32\perfi012.dat
2009-07-02 11:50 155,890 a------- c:\windows\inf\perflib\0412\perfi.dat
2009-07-02 11:50 155,890 a------- c:\windows\inf\perflib\0412\perfh.dat
2009-07-02 11:50 30,674 a------- c:\windows\system32\perfd012.dat
2009-07-02 11:50 30,674 a------- c:\windows\inf\perflib\0412\perfd.dat
2009-07-02 11:50 30,674 a------- c:\windows\inf\perflib\0412\perfc.dat
2009-06-29 15:24 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-06-29 15:24 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-28 09:32 319,488 a------- c:\windows\HideWin.exe
2009-06-03 16:56 675,152 a------- c:\windows\system32\gpprefcl.dll
2009-05-28 20:25 72,584 a------- c:\windows\zllsputility.exe
2009-05-28 20:25 1,221,512 a------- c:\windows\system32\zpeng25.dll
2008-01-20 19:41 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:16:02.22 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 6/28/2009 8:09:11 AM
System Uptime: 8/6/2009 9:19:28 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5Q-PRO
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | LGA 775 | 2400/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 247.767 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_04F9&PID_016E&MI_03\6&11F97EA1&3&0003
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_04F9&PID_016E&MI_03\6&11F97EA1&3&0003
Service: USBSTOR

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 6.0
Adobe Reader 9.1.2
Age of Empires III
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Audacity 1.2.6
Auslogics Disk Defrag
Babylonia
Bilbo The Four Corners of the World
BN eReader
Brother MFL-Pro Suite
Comcast High-Speed Internet Install Wizard
deskPDF 2.5 Professional Edition
deskUNPDF 2
Docudesk GPL Ghostscript 8.15
Drivers Install For Linksys Easylink Advisor
DVD Decrypter (Remove Only)
DVDFab 6.0.4.0 (28/07/2009)
Exact Audio Copy 0.99pb5
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICQ6.5
Java™ 6 Update 14
Lexmark Z2300 Series
LightScribe Applications
LightScribe Diagnostic Utility
LightScribe System Software
Linksys EasyLink Advisor 1.6 (0044)
marvell 61xx
Microangelo Toolset 6
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Move Media Player
Mozilla Firefox (3.5.2)
Mozilla Thunderbird (2.0.0.4)
MSXML 4.0 SP2 (KB954430)
Nero 7 Premium
neroxml
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
Realtek High Definition Audio Driver
Registry Mechanic 8.0
Sansa Updater
SmartFTP Client
Spybot - Search & Destroy
SpywareBlaster 4.2
System Requirements Lab
Three Cards to Midnight
TweakVI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Webshots Desktop
Winamp
WinZip 11.2
Xmarks for IE
Yahoo! Messenger
ZoneAlarm Security Suite

==== Event Viewer Messages From Past Week ========

8/6/2009 9:24:00 AM, Error: Service Control Manager [7034] - The Adobe Active File Monitor V6 service terminated unexpectedly. It has done this 1 time(s).
8/6/2009 9:23:48 AM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
8/6/2009 9:20:38 AM, Error: Microsoft-Windows-LanguagePackSetup [1001] - Application initialization failed. Last error: 0x80070032
8/6/2009 9:20:12 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxdpCATSCustConnectService service to connect.
8/6/2009 9:20:12 AM, Error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
8/6/2009 9:20:12 AM, Error: Service Control Manager [7000] - The lxdpCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/6/2009 5:19:04 AM, Error: Service Control Manager [7016] - The NVIDIA Display Driver Service service has reported an invalid current state 32.
8/6/2009 5:08:34 AM, Error: Service Control Manager [7023] - The Secure Socket Tunneling Protocol Service service terminated with the following error: The RPC server is unavailable.
8/6/2009 5:08:34 AM, Error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Secure Socket Tunneling Protocol Service service which failed to start because of the following error: The RPC server is unavailable.
8/6/2009 10:14:28 AM, Error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Telephony service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The KtmRm for Distributed Transaction Coordinator service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================
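When triaging the Event Viewer section of an Attach.txt like the one above, the useful first step is to group unexpected-termination events by exact timestamp: several services dying in the same second is a strong hint that they shared one host process that crashed, so it is one incident rather than six. The Python below is an added example (not part of the post or of the DDS tool) that parses lines in that format and reports such clusters; the sample lines are constructed, modelled on the entries above.

```python
import re
from collections import defaultdict

# Constructed sample in the DDS Attach.txt "Event Viewer Messages" format, modelled on
# the entries quoted in the post above (assumed shape; not a capture from any live system).
SAMPLE_EVENTS = """\
8/6/2009 9:24:00 AM, Error: Service Control Manager [7034] - The Adobe Active File Monitor V6 service terminated unexpectedly. It has done this 1 time(s).
8/6/2009 9:20:12 AM, Error: Service Control Manager [7000] - The Nero Registry InCD Service service failed to start due to the following error: The system cannot find the file specified.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
8/5/2009 11:14:34 PM, Error: Service Control Manager [7031] - The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# One DDS event line: "<date> <time>, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Service name from the SCM message text ("The <name> service terminated ...")
SERVICE_RE = re.compile(
    r"^The (?P<service>.+?) service (terminated|failed to start|has reported|depends on)"
)

# SCM event ids that mean a running service process went away on its own
TERMINATION_IDS = {7031, 7034}


def parse_events(text):
    """Parse DDS event lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["event_id"] = int(rec["event_id"])
        sm = SERVICE_RE.match(rec["message"])
        rec["service"] = sm.group("service") if sm else None
        events.append(rec)
    return events


def cluster_terminations(events, min_services=2):
    """Group unexpected-termination events by exact timestamp.

    Returns {(date, time): [service, ...]} for every second in which at least
    min_services distinct services died. Several services dying in the same
    second is a strong hint that they shared one host process (an svchost.exe
    group) that crashed or was killed, so the cluster is one incident, not N.
    """
    by_ts = defaultdict(set)
    for e in events:
        if (e["source"] == "Service Control Manager"
                and e["event_id"] in TERMINATION_IDS and e["service"]):
            by_ts[(e["date"], e["time"])].add(e["service"])
    return {ts: sorted(s) for ts, s in by_ts.items() if len(s) >= min_services}


if __name__ == "__main__":
    clusters = cluster_terminations(parse_events(SAMPLE_EVENTS))
    for (date, time), services in clusters.items():
        print(f"{date} {time}: {len(services)} services terminated together: "
              f"{', '.join(services)}")
```

Feed it the whole "Event Viewer Messages" block of a DDS Attach.txt to see which timestamps are worth reading first.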

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 06 August 2009 - 04:41 PM

Hello Devlish,

I have removed this and all files downloaded that I can find as well as my sons computer access.

Good on you the parental unit! :thumbup2:

My very first suggestion would be to make the son go through the cleanup process with you, because make no mistake, this is frustrating and it does take time and work.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Devlish
  • Topic Starter

  • Members
  • 4 posts

Posted 07 August 2009 - 02:25 AM

First of all, thank you very much for getting back to me so quickly!!!

I had trouble getting onto this site. Standard connection error. Sorry, I've seen it so many times I don't read what it says any more.

I tried to use both download links with firefox, opera, and IE7.
IE7: 403 error The website declined to show this webpage
Opera and Firefox: This object has been blocked.

I need to use the laptop and an uninfected browser. Will do that in the morning. Will post then.

Now for my son, I hit him where it hurts. No car until the computer is fixed and he has to put up with my mood.

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 August 2009 - 02:00 PM

Post when you're ready. :thumbup2:

tea

#5 Devlish
  • Topic Starter

  • Members
  • 4 posts

Posted 07 August 2009 - 05:33 PM

I have tried several times to run ComboFix. Every time it runs it says the real-time scanners for Zone Alarm are running. There is no scanningprocess in the process list. vsmon is off and I can't find anything else. Is it safe to run ComboFix despite the warning? Tech support at Zone Alarm suggested safe mode and says the real-time scanners use scanningprocess.exe.

Should I boot in safe mode to run ComboFix, or ignore the message once I check processes? I set Zone Alarm to not run at startup and still get the warning.

Plus I should note that one of the processes I identified while trying to turn off Zone Alarm all the way is NirCmd.cfexe, and one of the people at this forum identified it as Virut and suggested a reformat.

Where do I go from here?

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 August 2009 - 06:11 PM

Ugh... the people at Zone Alarm are not at all familiar with ComboFix. If you would rather get help from them, then please do let me know and delete ComboFix from your system. I won't be responsible, nor will sUBs, if you ruin your computer because you got help somewhere else from people that don't know the difference between Virut and an executable that belongs to a security tool. :thumbup2:

#7 Devlish
  • Topic Starter

  • Members
  • 4 posts

Posted 07 August 2009 - 08:42 PM

I think there is a misunderstanding. I apologize if I am unclear; I find that what is clear as a bell to me is confusing to others and comes across wrong. I did not mean the last post as it seems to have been taken.

I am not looking for help with the virus/malware problem from Zone Alarm. I spoke with Zone Alarm tech support about how to turn off their product in order to run ComboFix, not to get advice about ComboFix.

I was asking you if I should follow their advice. Or if I should just ignore the warnings on combofix since I had turned everything off. Or so I thought.

I looked up processes on Google in an attempt to fully turn off Zone Alarm after the lack of good advice from Zone Alarm tech support, and found a thread on BleepingComputer that said NirCmd.cfexe is a form of Virut, or I misunderstood the thread to say that.

If I do indeed have a virus that makes reformatting necessary I thought it might save time and your effort for you to know about it right away. It looks like you must be very busy from the number of posts about the google redirect problem.

I did finally find a way to turn off the real-time scanners, and ComboFix ran after that.

Can my thumb drive get infected? And if it can how do I keep my thumb drive from being infected while transferring files from the PC to the laptop? I am not getting to this forum from my PC. It still says the site declined the connection or site is blocked.

Just in case it means something, after rebooting and running ComboFix, Spybot set itself to run on boot. Plus several icons and the wallpaper are changed. The screen saver also seems disabled, as it has not run.

Hopefully I got everything in one post and made sense. Here are the logs.

ComboFix 09-08-06.01 - Angel 08/07/2009 15:57.1.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2668 [GMT -7:00]
Running from: c:\users\Angel\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Security Suite Anti-Spyware *disabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-343818398-1214440339-839522115-1003
c:\recycler\S-1-5-21-789336058-492894223-839522115-1003
c:\users\Angel\AppData\Roaming\inst.exe
c:\windows\system32\sysmwwod.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-07 23:06 . 2009-08-07 23:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-06 16:57 . 2009-08-06 16:57 -------- d-----w- c:\program files\Trend Micro
2009-08-06 05:52 . 2009-08-06 05:52 -------- d-----w- c:\program files\LightScribe Diagnostic Utility
2009-08-06 05:24 . 2009-07-18 16:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-06 05:24 . 2009-07-18 11:35 828416 ----a-w- c:\windows\system32\wininet.dll
2009-08-05 16:59 . 2009-08-05 16:59 -------- d-----w- c:\program files\LightScribe
2009-08-05 16:31 . 2009-08-05 16:31 -------- d-----w- c:\users\Angel\AppData\Roaming\Pogo Games
2009-08-05 06:11 . 2009-08-05 06:11 -------- d-----w- c:\users\Angel\AppData\Roaming\DVDFab
2009-08-05 04:25 . 2009-08-05 04:25 -------- d-----w- c:\progra~2\vsosdk
2009-08-05 03:52 . 2009-08-06 07:24 -------- d-----w- c:\users\Angel\AppData\Roaming\Vso
2009-08-05 03:52 . 2009-08-06 07:24 47360 ----a-w- c:\users\Angel\AppData\Roaming\pcouffin.sys
2009-08-05 03:52 . 2009-08-05 03:52 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-08-05 01:45 . 2009-08-05 01:45 643072 ----a-w- c:\users\Angel\AppData\Roaming\RipIt4Me\updater\ri4mupdater.exe
2009-08-05 01:45 . 2009-08-05 01:45 -------- d-----w- c:\users\Angel\AppData\Roaming\RipIt4Me
2009-08-04 23:15 . 2009-08-04 23:15 -------- d-----w- c:\users\Angel\AppData\Roaming\RenPy
2009-08-03 21:56 . 2009-08-03 21:56 -------- d-----w- c:\progra~2\Bilbo
2009-08-02 03:15 . 2009-08-02 03:15 -------- d-----w- c:\users\Default\AppData\Roaming\Gtek
2009-08-02 03:15 . 2009-08-02 03:15 -------- d--h--w- c:\users\Angel\AppData\Roaming\GTek
2009-08-02 03:14 . 2009-08-02 03:18 -------- d--ha-w- c:\progra~2\GTek
2009-08-02 03:14 . 2009-08-02 03:15 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2009-08-01 18:49 . 2006-10-10 23:19 37376 ------w- c:\windows\system32\Brnsplg.dll
2009-08-01 18:49 . 2006-08-09 21:08 55296 ------w- c:\windows\system32\BrNetSti.dll
2009-08-01 18:49 . 2006-07-05 21:22 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2009-08-01 18:49 . 2009-08-01 18:49 -------- d-----w- C:\Brother
2009-07-31 16:21 . 2009-07-31 16:21 -------- d-----w- c:\progra~2\WindowsSearch
2009-07-31 16:08 . 2009-07-31 16:08 79872 ----a-w- c:\users\Angel\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
2009-07-31 16:08 . 2009-07-31 16:08 541696 ----a-w- c:\users\Angel\AppData\Roaming\SanDisk\Sansa Updater\SansaUpdater.exe
2009-07-31 16:08 . 2009-07-31 16:08 354744 ----a-w- c:\users\Angel\AppData\Roaming\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2009-07-31 16:07 . 2009-07-31 16:07 -------- d-----w- c:\users\Angel\AppData\Roaming\SanDisk
2009-07-30 23:49 . 2009-07-30 23:49 -------- d-----w- c:\users\Angel\AppData\Roaming\BNeReader
2009-07-30 23:35 . 2009-07-30 23:35 -------- d-----w- c:\windows\system32\Temp
2009-07-30 23:35 . 2009-07-30 23:35 -------- d-----w- c:\program files\Barnes & Noble eReader
2009-07-30 18:04 . 2009-07-30 18:04 -------- d-----w- c:\program files\Audacity
2009-07-29 02:01 . 2009-08-06 01:24 -------- d-----w- c:\users\Angel\AppData\Roaming\uTorrent
2009-07-27 15:01 . 2009-08-01 18:35 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 18:38 . 2009-07-26 18:38 -------- d-----w- c:\program files\NVIDIA Corporation
2009-07-26 18:37 . 2009-07-14 18:54 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-07-26 18:37 . 2009-07-14 18:54 9557216 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2009-07-26 18:37 . 2009-07-14 18:54 3287040 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-07-26 18:37 . 2009-07-14 18:54 10854400 ----a-w- c:\windows\system32\nvoglv32.dll
2009-07-26 18:37 . 2009-07-14 18:54 7565824 ----a-w- c:\windows\system32\nvd3dum.dll
2009-07-26 18:37 . 2009-07-14 18:54 2169376 ----a-w- c:\windows\system32\nvcuvid.dll
2009-07-26 18:37 . 2009-07-14 18:54 1983488 ----a-w- c:\windows\system32\nvcuda.dll
2009-07-26 18:37 . 2009-07-14 18:54 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-07-26 18:37 . 2009-07-14 18:54 151552 ----a-w- c:\windows\system32\nvcod157.dll
2009-07-26 18:37 . 2009-07-14 18:54 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-07-26 18:36 . 2009-07-26 18:36 -------- d-----w- C:\NVIDIA
2009-07-26 18:32 . 2009-07-26 18:32 -------- d-----w- c:\program files\SystemRequirementsLab
2009-07-26 18:32 . 2009-07-26 18:32 -------- d-----w- c:\users\Angel\AppData\Roaming\SystemRequirementsLab
2009-07-26 18:32 . 2009-07-26 18:32 290816 ----a-w- c:\users\Angel\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-07-26 18:32 . 2009-07-26 18:32 290816 ----a-w- c:\users\Angel\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-07-26 18:32 . 2009-07-26 18:32 290816 ----a-w- c:\users\Angel\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-07-26 18:32 . 2009-07-26 18:32 290816 ----a-w- c:\users\Angel\AppData\Roaming\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-07-24 15:15 . 2009-07-24 15:15 -------- d-----w- c:\users\Angel\AppData\Roaming\Auslogics
2009-07-24 15:15 . 2009-07-24 15:15 -------- d-----w- c:\program files\Auslogics
2009-07-24 04:38 . 2009-07-27 17:05 -------- d-----w- c:\progra~2\ZULJAFFBXG
2009-07-24 04:37 . 2009-08-03 03:49 -------- d-----w- c:\progra~2\SRLJAFFBXG
2009-07-24 04:36 . 2009-07-24 04:36 -------- d-----w- c:\progra~2\RQLJAFFBXG
2009-07-24 04:36 . 2009-07-27 14:33 -------- d-----w- c:\progra~2\FAOJAFFBXG
2009-07-24 04:34 . 2009-07-24 04:34 -------- d-----w- c:\progra~2\JJLJAFFBXG
2009-07-24 04:26 . 2009-08-03 03:49 -------- d-----w- c:\progra~2\PILJAFFBXG
2009-07-24 04:26 . 2009-08-05 17:19 -------- d-----w- c:\program files\BadgeHelp
2009-07-24 04:21 . 2009-07-24 04:23 -------- d-----w- c:\users\Angel\AppData\Roaming\AweSEM
2009-07-23 21:13 . 2009-07-23 21:13 -------- d-----w- c:\users\Angel\AppData\Roaming\deskPDF
2009-07-23 02:44 . 2009-07-23 02:44 -------- d-----w- c:\users\Angel\AppData\Roaming\PC-FAX TX
2009-07-23 02:32 . 2009-08-01 18:50 50 ----a-w- c:\windows\system32\BRIDF04A.dat
2009-07-23 02:31 . 2006-12-15 20:47 53760 ----a-w- c:\windows\system32\brinsstr.dll
2009-07-23 02:30 . 2006-10-31 07:00 139264 ----a-w- c:\windows\system32\bsplmf01.exe
2009-07-23 02:30 . 2001-02-05 18:16 258048 ----a-w- c:\windows\system32\bsplmf01.dll
2009-07-23 02:30 . 2006-01-17 08:03 126976 ------w- c:\windows\system32\BrfxD05a.dll
2009-07-23 02:30 . 2003-11-29 01:57 0 ----a-w- c:\windows\brdfxspd.dat
2009-07-23 02:30 . 2009-07-23 02:31 -------- d-----w- c:\program files\Brother
2009-07-23 02:30 . 2006-08-21 13:19 61440 ------w- c:\windows\system32\BrMfNt.dll
2009-07-23 02:30 . 2006-04-14 00:12 163840 ------w- c:\windows\system32\NSSearch.dll
2009-07-23 02:30 . 2004-12-10 23:35 147456 ------w- c:\windows\brunin03.dll
2009-07-23 02:30 . 2002-11-26 20:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2009-07-23 02:30 . 2009-07-23 02:30 -------- d-----w- c:\progra~2\Brother
2009-07-23 02:30 . 2009-07-23 02:30 -------- d-----w- c:\users\Angel\AppData\Roaming\InstallShield
2009-07-23 02:07 . 2009-07-23 02:07 -------- d-----r- c:\users\Angel\AppData\Roaming\Brother
2009-07-23 01:58 . 2006-09-12 15:00 45056 ----a-w- c:\windows\system32\brss01a.exe
2009-07-23 01:58 . 2002-04-11 15:00 57344 ----a-w- c:\windows\system32\brsvc01a.exe
2009-07-22 23:36 . 2009-08-03 19:27 -------- d-----w- c:\users\Angel\AppData\Roaming\Babylonia
2009-07-22 21:36 . 2009-07-22 21:36 -------- d-----w- c:\progra~2\CupcakeCafe
2009-07-21 23:12 . 2009-07-21 23:12 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-07-21 23:12 . 2009-08-06 06:54 -------- d-----w- c:\program files\Winamp
2009-07-21 23:12 . 2009-07-21 23:16 -------- d-----w- c:\users\Angel\AppData\Roaming\Winamp
2009-07-20 22:33 . 2009-07-20 22:33 -------- d-----w- c:\users\Angel\AppData\Local\Artist Colony
2009-07-19 20:05 . 2009-08-02 15:58 30976 ----a-w- c:\windows\rascntrl.dll
2009-07-19 07:49 . 2009-07-19 07:49 127872 ----a-w- c:\users\Angel\AppData\Roaming\Move Networks\uninstall.exe
2009-07-19 07:49 . 2009-07-20 14:41 -------- d-----w- c:\users\Angel\AppData\Roaming\Move Networks
2009-07-18 17:01 . 2009-07-18 17:01 -------- d-----w- c:\users\Angel\AppData\Roaming\Reflexive JanesZOO
2009-07-17 23:42 . 2009-07-17 23:42 -------- d-----w- c:\users\Angel\AppData\Roaming\Aisle 5 Games, Inc
2009-07-17 22:50 . 2009-07-17 22:50 -------- d-----w- c:\users\Angel\AppData\Roaming\Gamers Digital
2009-07-17 22:50 . 2009-07-17 22:50 -------- d-----w- c:\progra~2\Gamers Digital
2009-07-15 15:46 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 15:46 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 15:46 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-15 15:46 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-15 15:46 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 04:33 . 2002-11-13 18:14 1703936 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-07-15 04:33 . 2002-11-06 22:12 360448 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-07-15 04:33 . 2002-09-06 18:36 233472 ----a-w- c:\windows\system32\lame_enc.dll
2009-07-14 21:21 . 2009-07-14 21:21 -------- d-----w- c:\users\Angel\AppData\Local\Thunderbird
2009-07-14 21:21 . 2009-07-14 21:21 -------- d-----w- c:\users\Angel\AppData\Roaming\Thunderbird
2009-07-12 00:21 . 2009-07-12 03:37 26200 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\qwadjb.dll
2009-07-12 00:21 . 2009-07-12 03:37 18724 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\bass.dll
2009-07-12 00:21 . 2009-07-12 03:37 16952 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\1eaadjc.dll
2009-07-12 00:21 . 2009-07-12 03:37 15416 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\rsaadjd.dll
2009-07-12 00:21 . 2009-07-12 03:37 14392 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\kfgresk.dll
2009-07-12 00:21 . 2009-07-12 03:37 13984 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\mjcriu.dll
2009-07-12 00:21 . 2009-07-12 03:37 10808 ----atw- c:\users\Angel\AppData\Roaming\Microsoft\peaadje.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 23:05 . 2009-07-02 22:07 74875168 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-07 22:48 . 2009-07-02 19:39 395034 ----a-w- c:\windows\system32\perfh012.dat
2009-08-07 22:48 . 2009-07-02 19:39 100912 ----a-w- c:\windows\system32\perfc012.dat
2009-08-07 22:43 . 2009-06-28 17:03 -------- d-----w- c:\progra~2\NVIDIA
2009-08-07 22:42 . 2009-07-02 22:07 999212 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-07 22:38 . 2009-07-02 22:03 415148 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-08-07 22:06 . 2009-07-26 18:41 32879 ----a-w- c:\progra~2\nvModes.dat
2009-08-05 16:39 . 2009-07-04 00:06 -------- d-----w- c:\program files\Common Files\LightScribe
2009-08-03 20:17 . 2009-08-03 20:17 2883678 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-02 15:58 . 2009-07-05 23:08 23104 ----a-w- c:\windows\system32\svcprmpt.dll
2009-08-01 23:59 . 2009-06-28 15:46 108376 ----a-w- c:\users\Angel\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-30 06:38 . 2009-07-04 03:48 -------- d-----w- c:\users\Angel\AppData\Roaming\AccurateRip
2009-07-30 01:37 . 2009-07-30 01:39 3305984 ----a-w- c:\windows\Internet Logs\xDBAEF5.tmp
2009-07-29 20:19 . 2009-06-29 10:15 -------- d-----w- c:\users\Angel\AppData\Roaming\Ahead
2009-07-26 18:38 . 2009-06-28 16:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-23 21:55 . 2009-06-29 11:10 -------- d-----w- c:\progra~2\Lx_cats
2009-07-23 02:30 . 2009-06-28 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 05:50 . 2009-06-02 22:45 -------- d-----w- c:\program files\Oberon Media
2009-07-19 07:49 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Angel\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-07-15 23:06 . 2009-06-29 22:52 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-14 18:54 . 2009-07-26 18:37 4224 ----a-w- c:\windows\system32\drivers\nvBridge.kmd
2009-07-14 18:54 . 2008-11-12 06:54 1044992 ----a-w- c:\windows\system32\nvapi.dll
2009-07-11 00:57 . 2009-07-11 00:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-07-10 14:01 . 2009-06-28 16:52 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-08 07:03 . 2009-07-08 07:01 -------- d-----w- c:\program files\Common Files\Ahead
2009-07-08 07:01 . 2009-07-08 07:01 -------- d-----w- c:\progra~2\Nero
2009-07-08 03:50 . 2009-06-28 17:24 -------- d-----w- c:\progra~2\WinZip
2009-07-08 03:44 . 2009-06-29 10:14 -------- d-----w- c:\progra~2\Ahead
2009-07-07 17:04 . 2009-07-07 17:04 -------- d-----w- c:\users\Angel\AppData\Roaming\URSE Games
2009-07-07 16:49 . 2009-07-07 16:49 4096 ----a-w- c:\windows\d3dx.dat
2009-07-06 23:45 . 2009-07-06 23:45 -------- d-----w- c:\progra~2\IronCode
2009-07-06 23:45 . 2009-07-06 23:45 -------- d-----w- c:\users\Angel\AppData\Roaming\IronCode
2009-07-06 21:12 . 2009-07-03 20:26 -------- d-----w- c:\users\Angel\AppData\Roaming\deskUNPDF
2009-07-06 21:05 . 2009-06-29 10:48 -------- d-----w- c:\program files\Docudesk
2009-07-06 18:56 . 2009-07-06 18:49 -------- d-----w- c:\program files\Microangelo Toolset 6
2009-07-06 16:27 . 2009-07-06 01:30 -------- d-----w- c:\progra~2\NOS
2009-07-06 06:05 . 2009-07-06 05:52 -------- d-----w- c:\users\Angel\AppData\Roaming\ICQ
2009-07-06 01:32 . 2009-07-06 01:32 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-06 01:31 . 2009-06-29 09:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-05 05:03 . 2009-06-02 22:44 -------- d-----w- c:\program files\Webshots
2009-07-05 05:03 . 2009-07-05 05:03 -------- d-----w- c:\users\Angel\AppData\Roaming\AGI
2009-07-05 05:03 . 2009-07-05 05:03 -------- d-----w- c:\program files\AGI
2009-07-05 05:03 . 2009-07-05 04:59 -------- d-----w- c:\progra~2\agi
2009-07-05 02:27 . 2009-07-05 02:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-07-05 01:38 . 2009-06-28 16:32 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-07-05 01:38 . 2009-07-05 01:38 -------- d-----w- c:\program files\Realtek
2009-07-05 01:38 . 2009-06-28 16:32 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-04 21:43 . 2009-07-04 21:43 -------- d-----w- c:\program files\Exact Audio Copy
2009-07-04 20:52 . 2009-07-04 20:52 -------- d-----w- c:\program files\Nero
2009-07-03 22:50 . 2009-07-03 22:50 -------- d-----w- c:\users\Angel\AppData\Roaming\SmartFTP
2009-07-03 22:39 . 2009-07-03 20:10 -------- d-----w- c:\progra~2\Yahoo!
2009-07-03 16:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-07-03 16:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-07-03 16:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-03 16:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-03 16:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-07-03 16:01 . 2006-11-02 12:35 -------- d-----w- c:\program files\Microsoft Games
2009-07-03 16:00 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-07-03 15:56 . 2006-11-02 12:35 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-07-03 05:15 . 2009-07-03 05:15 -------- d-----w- c:\users\Angel\AppData\Roaming\UClick
2009-07-03 05:15 . 2009-07-03 05:15 -------- d-----w- c:\progra~2\UClick
2009-07-03 05:07 . 2009-07-03 05:07 -------- d-----w- c:\program files\ReflexiveArcade
2009-07-03 04:56 . 2009-07-02 22:41 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-02 23:23 . 2009-07-02 23:16 -------- d-----w- c:\progra~2\Lavasoft
2009-07-02 23:23 . 2009-07-07 19:46 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-02 23:23 . 2009-07-02 23:23 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-02 23:16 . 2009-07-02 23:16 -------- dc-h--w- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-02 23:16 . 2009-07-02 23:16 -------- d-----w- c:\program files\Lavasoft
2009-07-02 22:35 . 2009-07-02 22:35 -------- d-----w- c:\users\Angel\AppData\Roaming\MailFrontier
2009-07-02 22:08 . 2009-07-02 22:08 -------- d-----w- c:\progra~2\Kaspersky SDK
2009-07-02 22:04 . 2009-07-02 22:02 -------- d-----w- c:\program files\Zone Labs
2009-07-02 22:01 . 2009-07-02 22:01 -------- d-----w- c:\progra~2\CheckPoint
2009-07-02 21:57 . 2009-07-02 21:57 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-02 21:57 . 2009-07-02 21:57 -------- d-----w- c:\program files\Java
2009-07-02 20:34 . 2009-07-02 20:34 -------- d-----w- c:\program files\TweakVI
2009-07-02 19:46 . 2009-07-02 19:46 0 ----a-w- c:\windows\nsreg.dat
2009-07-02 18:50 . 2009-07-02 19:39 30674 ----a-w- c:\windows\system32\perfd012.dat
2009-07-02 18:50 . 2009-07-02 19:39 155890 ----a-w- c:\windows\system32\perfi012.dat
2009-07-02 18:50 . 2009-07-02 19:36 30674 ----a-w- c:\windows\inf\PERFLIB\0412\perfd.dat
2009-07-02 18:50 . 2009-07-02 19:36 30674 ----a-w- c:\windows\inf\PERFLIB\0412\perfc.dat
2009-07-02 18:50 . 2009-07-02 19:36 155890 ----a-w- c:\windows\inf\PERFLIB\0412\perfi.dat
2009-07-02 18:50 . 2009-07-02 19:36 155890 ----a-w- c:\windows\inf\PERFLIB\0412\perfh.dat
2009-07-02 18:29 . 2009-06-29 22:53 -------- d-----w- c:\program files\Microsoft Works
2009-07-02 17:58 . 2009-07-02 17:58 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-02 17:47 . 2009-07-02 17:47 -------- d-----w- c:\program files\MSXML 4.0
2009-07-02 16:53 . 2009-07-02 16:53 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-06-29 22:53 . 2009-06-29 22:53 -------- d-----w- c:\program files\Microsoft.NET
2009-06-29 22:34 . 2009-06-29 22:34 -------- d-----w- c:\progra~2\FLEXnet
2009-06-29 22:27 . 2009-06-29 22:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-29 22:24 . 2009-06-29 22:24 116472 ------w- c:\windows\system32\pxcpyi64.exe
2009-06-29 22:24 . 2009-06-29 22:24 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-06-29 11:08 . 2009-06-29 11:08 -------- d-----w- c:\progra~2\Ezprint
2009-06-29 11:08 . 2009-06-29 11:08 -------- d-----w- c:\program files\Lexmark Z2300 Series
2009-06-29 10:50 . 2009-06-29 10:50 -------- d-----w- c:\users\Angel\AppData\Roaming\Webshots
2009-06-29 10:33 . 2009-06-29 10:33 -------- d-----w- c:\progra~2\LightScribe
2009-06-28 17:30 . 2009-06-28 17:20 -------- d-----w- c:\program files\Support.com
2009-06-28 17:25 . 2009-06-28 17:25 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-28 17:05 . 2009-06-28 16:38 -------- d-----w- c:\program files\ASUS
2009-06-28 16:53 . 2009-06-28 16:53 -------- d-----w- c:\program files\AGEIA Technologies
2009-06-28 16:40 . 2009-06-28 15:46 680 ----a-w- c:\users\Angel\AppData\Local\d3d9caps.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSnD"="c:\internet\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-08-30 6281760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuSubFolders"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"Xmarks"=c:\internet\xmarks\xmarkssync.exe -q
"SpybotSD TeaTimer"=c:\internet\Spybot - Search & Destroy\TeaTimer.exe
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
"SansaDispatch"=c:\users\Angel\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\graphics\Photoshop\apdproxy.exe"
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe"
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"ControlCenter3"=c:\program files\Brother\ControlCenter3\brctrcen.exe /autorun
"BrMfcWnd"=c:\program files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ff,48,17,12,f8,fb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3865282674-2063231267-3724878655-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{51BE2422-1CC9-44C6-AF76-85823B949C76}"= UDP:c:\windows\System32\lxdpcoms.exe:Lexmark Communications System
"{5623597C-C361-40E7-8627-BC9F82E4862C}"= TCP:c:\windows\System32\lxdpcoms.exe:Lexmark Communications System
"{E1D1F1CC-9585-48BB-82D1-2111AACCE77F}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdppswx.exe:Printer Status Window Interface
"{7A92500C-9CD7-4891-8C04-07B627A104BA}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdppswx.exe:Printer Status Window Interface
"{38679E6B-6D9E-49CA-B10D-491139ABA892}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdptime.exe:Lexmark Connect Time Executable
"{22B51F3C-8FF0-4561-A280-0CCEF05D089A}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdptime.exe:Lexmark Connect Time Executable
"{1AAC8927-479A-41D8-BD9C-F2E04AF17DC0}"= UDP:c:\program files\Lexmark Z2300 Series\lxdpmon.exe:Printer Device Monitor
"{F1C7317D-2543-479C-94A7-DCC95656101D}"= TCP:c:\program files\Lexmark Z2300 Series\lxdpmon.exe:Printer Device Monitor
"{C6771E4D-5191-4F55-BFA4-9E251198CA2D}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdpjswx.exe:Job Status Window Interface
"{204619D0-73E7-485C-8ECD-D6CAAE598BBD}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdpjswx.exe:Job Status Window Interface
"{12186306-E2ED-4DC8-8D97-A4A78F05CEBD}"= Disabled:UDP:c:\graphics\Photoshop\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{3A55770A-685A-4E6E-BB89-519407431269}"= Disabled:TCP:c:\graphics\Photoshop\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{E919A841-0002-40DD-B9BF-978369E22521}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{054A4B60-6A49-4749-80E2-774B5CE0A133}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [7/2/2009 4:23 PM 64160]
R0 mv61xx;mv61xx;c:\windows\System32\drivers\mv61xx.sys [7/22/2008 1:01 AM 151592]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\graphics\Photoshop\PhotoshopElementsFileAgent.exe [9/11/2007 12:45 AM 124832]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\internet\Spybot - Search & Destroy\SDWinSec.exe [7/2/2009 3:41 PM 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [7/14/2009 12:28 PM 239648]
R3 L1E;NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\System32\drivers\L1E60x86.sys [6/28/2009 9:36 AM 48128]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdpserv.exe [2/27/2008 4:06 PM 98984]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 12:06 PM 1029456]
S4 AGCoreService;AG Core Services;c:\program files\AGI\core\3.1\AGCoreService.exe [7/4/2009 10:03 PM 20480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\Angel\AppData\Roaming\Mozilla\Firefox\Profiles\75zp333h.default\
FF - plugin: c:\users\Angel\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\internet\Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\internet\Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\internet\Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\internet\Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\internet\Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\internet\Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\internet\Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\internet\Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\internet\Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\internet\Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\internet\Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\internet\Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\internet\Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\internet\Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\internet\Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\internet\Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\internet\Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\internet\Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\internet\Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\internet\Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\internet\Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\internet\Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\internet\Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\internet\Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\internet\Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 16:06
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-08-07 16:09
ComboFix-quarantined-files.txt 2009-08-07 23:09

Pre-Run: 266,104,242,176 bytes free
Post-Run: 266,551,758,848 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5,11
388 --- E O F --- 2009-08-06 05:25

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:19 PM, on 8/7/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Internet\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Internet\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Internet\ICQ6.5\ICQ.exe
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Internet\xmarks\foxmarksdll.dll (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Internet\xmarks\foxmarksdll.dll (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Graphics\Photoshop\PhotoshopElementsFileAgent.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdpCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdpserv.exe
O23 - Service: lxdp_device - - C:\Windows\system32\lxdpcoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Internet\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 5002 bytes
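The ComboFix log above dumps registry blocks that are worth reading before anything is "fixed": both Windows Firewall profiles show "EnableFirewall"= 0, Security Center has "DisableMonitoring"=1 for ZoneLabsFirewall, and the UAC values "PromptOnSecureDesktop" and "EnableSecureUIAPaths" are 0. The script below is an added example, not part of this thread and not ComboFix's own code: it parses ComboFix's "[KEY]" / "Name"=value format and flags those settings so they can be attributed to a product or to the infection. The sample input is copied from the posted log; the one assumption is that the three UAC values sit under the standard ...\policies\system key, whose header is above the excerpt shown here. The rule table and the wording of each finding are mine.

```python
"""Triage a ComboFix-style registry dump for host-weakening settings.

Added example for this thread; it is not part of the original post and is
not ComboFix's own code. It parses the "[KEY]" / "Name"=value blocks that
ComboFix prints and flags values a responder would want to account for:
a Windows Firewall profile switched off, Security Center told to stop
monitoring a product, and UAC prompts moved off the secure desktop.
The rule table and the wording of each finding are my own choices.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
# Assumption: the three UAC values sit under the standard
# ...\policies\system key, whose header precedes the excerpt on the page.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
_DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{8})$")
_DEC_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: object
    why: str


def parse_value(raw):
    """Turn ComboFix's value spellings into Python values.

    'dword:00000001' -> 1, '0 (0x0)' -> 0, a double-quoted path -> the
    bare path; anything else is returned as the raw string.
    """
    raw = raw.strip()
    m = _DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = _DEC_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return raw


def parse_dump(text):
    """Return {key: {name: value}} for every [key] block in the dump."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            blocks.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = parse_value(m.group(2))
    return blocks


# (lower-cased key fragment, value name, predicate on the value, why it matters)
RULES = [
    ("firewallpolicy\\", "EnableFirewall", lambda v: v == 0,
     "Windows Firewall profile is switched off"),
    ("security center\\monitoring\\", "DisableMonitoring", lambda v: v == 1,
     "Security Center is told not to monitor this product"),
    ("policies\\system", "PromptOnSecureDesktop", lambda v: v == 0,
     "UAC prompts are not shown on the secure desktop"),
    ("policies\\system", "EnableSecureUIAPaths", lambda v: v == 0,
     "UIAccess applications may run from non-secure paths"),
]


def triage(text):
    """Apply RULES to a dump and return the matching findings in log order."""
    findings = []
    for key, values in parse_dump(text).items():
        low = key.lower()
        for fragment, name, is_bad, why in RULES:
            if fragment in low and name in values and is_bad(values[name]):
                findings.append(Finding(key, name, values[name], why))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}={f.value!r}  [{f.key}]\n    {f.why}")
```

Run against the sample it reports five findings. Two of them have an innocent explanation on this machine: a third-party firewall such as ZoneAlarm turns the Windows Firewall profiles off and sets DisableMonitoring for its own Security Center entry, so those lines match the installed product rather than the Zbot infection. The UAC values are the ones to ask the poster about, since nothing else in the log accounts for the secure-desktop prompt being disabled.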

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 21 August 2009 - 04:24 PM

Hello.

Teacup is currently unavailable so I will continue to help you here.

I need to see an update of the condition of your system so please do the following:

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black message-box window will then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Posted Image tab at the bottom.
  • Now press the Posted Image button.
  • A box will pop up, check the boxes beside All Seven options/scan area
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.
Post those logs back in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 24 August 2009 - 02:56 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:53 PM

Posted 27 August 2009 - 03:44 PM

Hello.

Due to Lack of feedback, this topic is now Closed

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
