system32 trojan google links


  • This topic is locked
16 replies to this topic

#1 leenymary

leenymary

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:13 AM

Posted 11 September 2009 - 06:21 PM

My problem is pretty much only with google and facebook. I use Mozilla Firefox and Windows XP. On those two websites, links don't do anything. Nothing pops up and it doesn't redirect me to another site, it will just show the hourglass and never go anywhere. I'm able to copy link locations and get places on these sites (google search results title links are the one exception), but it is getting very old. I've run ComboFix, Ad-Aware, Malwarebytes, Symantec...Symantec says something like Trojan Win32 Backdoor and leaves it alone, but the rest of them don't find anything. My computer is also running very slow, but not sure if it has anything to do with it. Thank you!


DDS (Ver_09-07-30.01) - NTFSx86
Run by leen at 18:58:07.14 on Fri 09/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.75 [GMT -4:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PSIService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\leen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\leen\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leen\applic~1\mozilla\firefox\profiles\e4vopyxo.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-08 00:33 <DIR> --d----- c:\docume~1\leen\applic~1\Malwarebytes
2009-09-08 00:33 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 00:33 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-08 00:33 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 23:57 <DIR> --d----- C:\cmdcons
2009-09-07 23:55 230,912 a------- c:\windows\PEV.exe
2009-09-07 23:55 161,792 a------- c:\windows\SWREG.exe
2009-09-07 23:55 98,816 a------- c:\windows\sed.exe
2009-09-07 22:31 <DIR> --d----- c:\windows\Logs
2009-09-07 22:22 <DIR> --d----- c:\program files\Sony
2009-09-03 15:58 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-09-03 03:18 <DIR> --d----- c:\windows\system32\XPSViewer
2009-09-03 03:17 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-03 03:17 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-09-03 03:17 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-03 03:17 117,760 -------- c:\windows\system32\prntvpt.dll
2009-09-03 03:17 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-03 03:17 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-09-03 03:17 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-02 18:35 <DIR> --d----- c:\docume~1\leen\applic~1\MozillaControl
2009-09-02 18:34 <DIR> --d----- c:\program files\Mozilla ActiveX Control v1.7.12
2009-09-02 18:09 <DIR> --d----- c:\program files\Graboid
2009-08-31 23:17 <DIR> --d----- c:\program files\Snood
2009-08-24 19:24 921,624 a------- C:\img2-001.raw
2009-08-24 13:48 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-08-24 13:40 91,136 a------- c:\windows\system32\kswdmcap.ax
2009-08-24 13:40 91,136 a------- c:\windows\system32\dllcache\kswdmcap.ax
2009-08-24 13:40 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-08-24 13:40 53,760 a------- c:\windows\system32\dllcache\vfwwdm32.dll
2009-08-24 13:40 43,008 a------- c:\windows\system32\ksxbar.ax
2009-08-24 13:40 43,008 a------- c:\windows\system32\dllcache\ksxbar.ax
2009-08-24 13:40 61,952 a------- c:\windows\system32\kstvtune.ax
2009-08-24 13:40 61,952 a------- c:\windows\system32\dllcache\kstvtune.ax
2009-08-24 13:38 476,520 a------- c:\windows\vVX3000.dll
2009-08-24 13:38 185,704 a------- c:\windows\system32\cVX3000.dll
2009-08-24 13:38 111,976 a------- c:\windows\VX3000.dll
2009-08-24 13:38 15,498 a------- c:\windows\VX3000.ini
2009-08-24 13:38 13,023 a------- c:\windows\VX3000.src
2009-08-24 13:38 709,992 a------- c:\windows\vVX3000.exe
2009-08-24 13:38 202,088 a------- c:\windows\system32\LCCoin14.dll
2009-08-24 13:38 1,966,696 a------- c:\windows\system32\drivers\VX3000.sys
2009-08-24 13:34 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-08-24 13:29 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-08-24 12:51 <DIR> --d--r-- c:\program files\Skype
2009-08-13 07:23 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-13 07:23 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-13 11:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-18 12:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-21 17:44 153,088 a------- c:\windows\system32\dllcache\triedit.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-15 10:44 15,688 a------- c:\windows\system32\lsdelete.exe
2008-12-08 06:37 6,504 ac------ c:\docume~1\leen\applic~1\wklnhst.dat
2009-03-27 18:48 168 ---shr-- c:\windows\system32\232A7D1974.sys
2009-03-27 18:48 6,060 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:59:16.96 ===============



#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 11 September 2009 - 08:17 PM

Greetings leenymary and Welcome to the Forums,

It appears that you ran combofix just today. Did some experienced user give you instructions to do that? If so, you should follow the instructions from that experienced user in whatever thread you created and refrain from posting multiple requests for help...if not, I need to advise you just how much the combofix developer frowns on such use of the utility.

Running combofix willy-nilly is a very bad idea and should NEVER become a common practice. I'm in no way preaching to you alone, but for the benefit of any other member here (or web wide) who may peruse the forum and land on this thread. In fact, this information is expressed in BOLD face print in the second paragraph of the combofix download page on this forum...that said, I'll be glad to offer my assistance if you will oblige.

At present...with the logs you have posted so far, it appears to me that your slow performance issue is also related to a conflict of antivirus services still running from an old install of TrendMicro. Additionally, you have a couple of out-of-date and exploited versions of Java installed.

Since you have already run combofix just today, let's start by having a look at that log produced. Please navigate to:
C:\combofix.txt
...copy the entire contents of that log and paste it back here on your next reply. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

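The three points 1972vet raises above (an antivirus product registered with Windows but disabled and outdated, a second vendor's services still running alongside it, and older Java runtimes left registered as DPF entries) can be checked mechanically from the AV line, process list and pseudo-HJT section of a DDS log. The script below is an added example, not code from DDS, ComboFix or anyone in this thread; the helper names, the vendor keyword list and the sample excerpt are constructed for illustration, modelled on the log posted in the first reply.

```python
"""Triage helper for a DDS-style log excerpt (added example, not the DDS tool's code).

Assumptions (not from the thread): every function name, VENDOR_KEYWORDS and
SAMPLE_DDS are constructed for this illustration.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Constructed excerpt modelled on the DDS log posted above: the AV line, two
# running-process lines, one BHO entry and the Java DPF entries.
SAMPLE_DDS = """\
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe
C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
"""

# Constructed keyword list: substrings that identify a security vendor in a
# path, product name or Run/BHO entry. Extend it for your own environment;
# short keys such as "avg" can match unrelated text, so review hits by hand.
VENDOR_KEYWORDS = ("symantec", "trend micro", "avg", "mcafee", "kaspersky", "avast")

# A DPF line that points at a Sun Java installer cab carries the runtime
# version in the file name, e.g. jinstall-1_6_0_15 -> 1.6.0.15.
JAVA_DPF_RE = re.compile(
    r"^DPF:\s*\{([0-9A-Fa-f-]+)\}.*jinstall-(\d+)_(\d+)_(\d+)_(\d+)", re.M)


def parse_av_lines(text: str) -> List[Dict[str, object]]:
    """One record per 'AV:' line: product name plus the two DDS status markers."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.startswith("AV:"):
            continue
        body = line[3:].strip()
        # Drop the trailing WMI instance GUID, then read the status markers.
        body = re.sub(r"\s*\{[0-9A-Fa-f-]+\}\s*$", "", body)
        disabled = "On-access scanning disabled" in body
        outdated = "(Outdated)" in body
        name = re.sub(r"\*.*?\*|\(Outdated\)", "", body).strip()
        records.append({"product": name,
                        "on_access_disabled": disabled,
                        "outdated": outdated})
    return records


def parse_java_dpf(text: str) -> List[Tuple[str, Version]]:
    """(CLSID, version) for every DPF entry that references a Java jinstall cab."""
    return [(m.group(1).upper(), tuple(int(x) for x in m.groups()[1:]))
            for m in JAVA_DPF_RE.finditer(text)]


def stale_java_versions(entries: List[Tuple[str, Version]]) -> List[Version]:
    """Java versions older than the newest one registered; each is a runtime
    that was never removed when a newer one was installed."""
    versions = {v for _, v in entries}
    if not versions:
        return []
    newest = max(versions)
    return sorted(v for v in versions if v < newest)


def security_vendors(text: str) -> List[str]:
    """Vendors named anywhere in the log (process paths, BHO/Run lines, AV line)."""
    lowered = text.lower()
    return sorted(k for k in VENDOR_KEYWORDS if k in lowered)


def triage(text: str) -> List[str]:
    """Plain-text findings a helper would raise on the log, in review order."""
    findings: List[str] = []
    for av in parse_av_lines(text):
        flags = [label for label, on in (("on-access disabled", av["on_access_disabled"]),
                                         ("outdated", av["outdated"])) if on]
        if flags:
            findings.append(f"AV {av['product']}: {', '.join(flags)}")
    vendors = security_vendors(text)
    if len(vendors) > 1:
        findings.append("multiple security vendors present: " + ", ".join(vendors))
    for v in stale_java_versions(parse_java_dpf(text)):
        findings.append("stale Java runtime still registered: " + ".".join(map(str, v)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

Run against the constructed excerpt, `triage` reports the outdated, disabled Trend Micro registration, three vendors present at once (AVG, Symantec, Trend Micro), and the 1.5.0.6 runtime left behind next to 1.6.0.15. To use it on a real DDS log, pass the whole file's text in place of `SAMPLE_DDS`; the parsers only look at lines they recognise, so the rest of the log is ignored.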

#3 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:13 AM

Posted 12 September 2009 - 01:31 AM

I definitely didn't mean to produce any frowns. I didn't get the instructions to do so from any experienced user. It was just my inexperienced self not knowing how specific ComboFix is to each user. I just went off something that sounded similar to my problem. Thanks for letting me know. Won't do it again. I hope I didn't make my problem worse.



ComboFix 09-09-07.03 - leen 09/11/2009 3:28.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.213 [GMT -4:00]
Running from: c:\documents and settings\leen\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\leen\Desktop\cfscript.txt
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
* Created a new restore point

FILE ::
"c:\program files\AdvancedVirusRemover\PAVRM.exe"
"c:\windows\system32\AVR09.exe"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
.

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-08 04:33 . 2009-09-08 04:33 -------- d-----w- c:\documents and settings\leen\Application Data\Malwarebytes
2009-09-08 04:33 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 04:33 . 2009-09-08 04:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 04:33 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 04:33 . 2009-09-08 04:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 02:44 . 2009-09-08 02:51 -------- d-----w- c:\documents and settings\leen\Application Data\Sony Corporation
2009-09-08 02:31 . 2009-09-08 02:31 -------- d-----w- c:\windows\Logs
2009-09-08 02:22 . 2009-09-08 02:28 -------- d-----w- c:\program files\Sony
2009-09-03 07:18 . 2009-09-03 07:18 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-03 07:18 . 2009-09-03 07:18 -------- d-----w- c:\program files\MSBuild
2009-09-03 07:18 . 2009-09-03 07:18 -------- d-----w- c:\program files\Reference Assemblies
2009-09-03 07:17 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-03 07:17 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-03 07:17 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-03 07:17 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-03 07:17 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-03 07:17 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-03 07:17 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-02 22:47 . 2009-09-11 07:24 -------- d-----w- c:\documents and settings\leen\Application Data\vlc
2009-09-02 22:35 . 2009-09-02 22:35 -------- d-----w- c:\documents and settings\leen\Local Settings\Application Data\Graboid_Inc
2009-09-02 22:35 . 2009-09-02 22:41 -------- d-----w- c:\documents and settings\leen\Application Data\MozillaControl
2009-09-02 22:35 . 2009-09-02 22:48 -------- d-----w- c:\documents and settings\leen\Local Settings\Application Data\Graboid
2009-09-02 22:34 . 2009-09-02 22:34 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-09-02 22:09 . 2009-09-03 17:44 -------- d-----w- c:\program files\Graboid
2009-09-01 03:17 . 2009-09-01 03:26 -------- d-----w- c:\program files\Snood
2009-08-24 17:48 . 2009-08-24 17:48 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-24 17:48 . 2009-09-10 04:26 -------- d-----w- c:\documents and settings\leen\Application Data\skypePM
2009-08-24 17:45 . 2009-09-10 04:27 -------- d-----w- c:\documents and settings\leen\Application Data\Skype
2009-08-24 17:40 . 2008-04-13 23:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-24 17:40 . 2008-04-13 23:12 53760 ----a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-08-24 17:38 . 2007-04-10 21:46 111976 ----a-w- c:\windows\VX3000.dll
2009-08-24 17:38 . 2007-04-10 21:46 476520 ----a-w- c:\windows\vVX3000.dll
2009-08-24 17:38 . 2007-04-10 21:46 185704 ----a-w- c:\windows\system32\cVX3000.dll
2009-08-24 17:38 . 2007-04-10 21:46 709992 ----a-w- c:\windows\vVX3000.exe
2009-08-24 17:38 . 2007-04-10 21:46 202088 ----a-w- c:\windows\system32\LCCoin14.dll
2009-08-24 17:38 . 2007-04-10 21:46 1966696 ----a-w- c:\windows\system32\drivers\VX3000.sys
2009-08-24 17:34 . 2009-08-24 17:37 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-24 17:29 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-24 16:51 . 2009-08-24 16:51 -------- d-----w- c:\program files\Common Files\Skype
2009-08-24 16:51 . 2009-08-24 16:52 -------- d-----r- c:\program files\Skype
2009-08-24 16:50 . 2009-08-24 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-13 11:23 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 06:39 . 2006-10-11 00:34 -------- d-----w- c:\documents and settings\leen\Application Data\uTorrent
2009-09-09 15:18 . 2006-09-11 22:58 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-08 02:32 . 2006-09-05 06:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 15:02 . 2006-09-11 21:47 71112 -c--a-w- c:\documents and settings\leen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 06:50 . 2009-04-17 14:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-31 03:29 . 2007-01-30 20:58 -------- d-----w- c:\program files\WinAce
2009-08-31 03:29 . 2006-09-05 06:51 -------- d-----w- c:\program files\Dell
2009-08-31 03:24 . 2006-12-11 15:24 -------- d-----w- c:\program files\Cisco Systems
2009-08-31 03:22 . 2006-09-05 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-31 03:19 . 2006-09-05 06:58 -------- d-----w- c:\program files\Sonic
2009-08-31 03:05 . 2006-09-05 07:10 -------- d-----w- c:\program files\Microsoft Works
2009-08-31 00:08 . 2007-11-13 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-30 23:59 . 2006-09-11 22:15 -------- d-----w- c:\program files\iPod
2009-08-30 23:53 . 2006-09-05 07:07 -------- d-----w- c:\program files\Google
2009-08-30 23:47 . 2006-09-25 21:18 -------- d-----w- c:\program files\Apple Software Update
2009-08-30 23:44 . 2007-11-12 03:12 -------- d-----w- c:\program files\Common Files\Apple
2009-08-30 23:00 . 2007-01-25 04:50 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-30 22:14 . 2006-09-11 22:44 -------- d-----w- c:\program files\AIM
2009-08-30 22:13 . 2006-09-11 22:44 -------- d-----w- c:\documents and settings\leen\Application Data\Aim
2009-08-23 22:03 . 2006-09-05 06:47 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 09:23 . 2009-03-07 20:25 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:50 . 2005-08-16 09:18 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2005-08-16 09:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 09:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 09:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 09:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:44 . 2009-02-09 17:05 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-03-27 22:48 . 2006-10-07 19:17 168 --sh--r- c:\windows\system32\232A7D1974.sys
2009-03-27 22:48 . 2006-10-07 19:17 6060 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-08_04.13.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-17 02:06 . 2008-05-06 20:16 26488 c:\windows\system32\spupdsvc.exe
- 2005-08-17 02:06 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
+ 2009-08-27 16:31 . 2007-07-27 14:41 16760 c:\windows\system32\spmsg.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 77824 c:\windows\assembly\GAC\SonicMCEBurnEngine\0.9.0.0__17c52700e9a64fd0\SonicMCEBurnEngine.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 45056 c:\windows\assembly\GAC\Microsoft.MediaCenter\6.0.3100.0__31bf3856ad364e35\Microsoft.MediaCenter.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 53248 c:\windows\assembly\GAC\ehiWUapi\6.0.3000.0__31bf3856ad364e35\ehiWUapi.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 18944 c:\windows\assembly\GAC\ehiUserXp\6.0.3000.0__31bf3856ad364e35\ehiuserxp.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 73728 c:\windows\assembly\GAC\ehiExtens\6.0.3000.0__31bf3856ad364e35\ehiExtens.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 8192 c:\windows\assembly\GAC\ehiExtCOM\6.0.3000.0__31bf3856ad364e35\ehiExtCOM.dll
+ 2005-08-16 09:18 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
- 2005-08-16 09:18 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll
+ 2005-08-16 09:40 . 2009-06-21 21:44 153088 c:\windows\system32\dllcache\triedit.dll
- 2005-08-16 09:40 . 2008-04-14 00:12 153088 c:\windows\system32\dllcache\triedit.dll
+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll
+ 2005-08-16 09:37 . 2009-08-18 14:55 179712 c:\windows\ehome\ehkeyctl.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 389120 c:\windows\assembly\GAC\ehRecObj\6.0.3000.0__31bf3856ad364e35\ehRecObj.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 122880 c:\windows\assembly\GAC\ehiwmp\6.0.3000.0__31bf3856ad364e35\ehiwmp.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 278528 c:\windows\assembly\GAC\ehiVidCtl\6.0.3000.0__31bf3856ad364e35\ehiVidCtl.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 389120 c:\windows\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 204800 c:\windows\assembly\GAC\ehiPlay\6.0.3000.0__31bf3856ad364e35\ehiPlay.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 167936 c:\windows\assembly\GAC\ehiMsgr\6.0.3000.0__31bf3856ad364e35\ehiMsgr.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 110592 c:\windows\assembly\GAC\ehExtCOM\6.0.3000.0__31bf3856ad364e35\ehExtCOM.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 126976 c:\windows\assembly\GAC\ehepgdat\6.0.3000.0__31bf3856ad364e35\ehepgdat.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 868352 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 868352 c:\windows\assembly\GAC\ehepg\6.0.3000.0__31bf3856ad364e35\ehepg.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 192512 c:\windows\assembly\GAC\ehcommon\6.0.3000.0__31bf3856ad364e35\ehcommon.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 102400 c:\windows\assembly\GAC\ehCIR\6.0.3000.0__31bf3856ad364e35\ehCIR.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 117248 c:\windows\assembly\GAC\BDATunePIA\6.0.3000.0__31bf3856ad364e35\bdatunepia.dll
+ 2005-08-16 09:19 . 2009-05-20 08:56 2458112 c:\windows\system32\WMVCore.dll
- 2005-08-16 09:19 . 2008-06-18 10:03 2458112 c:\windows\system32\WMVCore.dll
- 2005-08-16 09:19 . 2008-06-18 10:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2005-08-16 09:19 . 2009-05-20 08:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2009-03-06 04:52 . 2009-03-06 04:52 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2009-09-09 15:12 . 2009-09-09 15:12 1863680 c:\windows\assembly\GAC\EhCM\6.0.3000.0__31bf3856ad364e35\EhCM.dll
+ 2006-09-12 18:32 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-14 180269]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\leen\Start Menu\Programs\Startup\
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-9-7 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-9-5 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\leen\\Desktop\\Unused Desktop Shortcuts\\utorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/9/2009 11:44 AM 64160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 8:14 PM 102448]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EHRECVR
*NewlyCreated* - EHSCHED
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 15:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\leen\Application Data\Mozilla\Firefox\Profiles\e4vopyxo.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 03:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(656)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-11 3:43
ComboFix-quarantined-files.txt 2009-09-11 07:43
ComboFix2.txt 2009-09-08 04:27

Pre-Run: 7,197,761,536 bytes free
Post-Run: 7,165,251,584 bytes free

254 --- E O F --- 2009-09-09 14:53
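As an added example (not from this thread, and not ComboFix's own code), a small Python triage parser for the "Reg Loading Points" section of a ComboFix log like the one above: it flags Run entries marked `[X]`, bare filenames that ComboFix had to resolve to a full path, and Security Center `DisableMonitoring` values. The sample lines are constructed in that format, and the code assumes ComboFix's `[X]` marks a referenced file it could not find on disk.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section (not the full log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"UserFaultCheck"="c:\\windows\\system32\\dumprep 0 -u" [X]
"ehTray"="c:\\windows\\ehome\\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" - c:\\windows\\stsystra.exe [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "Name"="command line"
    r'(?: - (?P<resolved>.+?))?'                # " - c:\full\path" when the value had no directory
    r' \[(?:(?P<missing>X)|(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+))\]$'
)
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


@dataclass
class Finding:
    key: str
    name: str
    detail: str


def parse_loading_points(text: str) -> List[Finding]:
    """Walk the section key by key and return the entries a reviewer should look at."""
    findings: List[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith("\\run"):
            if m.group("missing"):
                # Assumption: [X] means the file is not on disk, i.e. a dangling autostart entry.
                findings.append(Finding(key, m.group("name"), "file not found on disk"))
            elif m.group("resolved"):
                # Bare filename: which binary runs depends on the search path, so record
                # where ComboFix actually found it.
                findings.append(Finding(key, m.group("name"),
                                        f"bare filename resolved to {m.group('resolved')}"))
            continue
        m = DWORD_RE.match(line)
        if m and "security center\\monitoring" in key.lower():
            if m.group("name") == "DisableMonitoring" and int(m.group("hex"), 16) == 1:
                # Security Center told not to monitor this product: normal for many AV suites,
                # but confirm it matches an installed product rather than something else.
                findings.append(Finding(key, key.rsplit("\\", 1)[-1],
                                        "Security Center monitoring disabled"))
    return findings
```

Run it over the section pasted from a log and review each finding against the software you know is installed; a `[X]` entry under Run is usually just leftover clutter, while a bare filename is worth confirming against its resolved location.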

#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 12 September 2009 - 04:07 AM

That log indicates that it was produced from the second time you ran combofix...may I see the first log? It would be located here:
C:\Qoobox

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 12 September 2009 - 12:48 PM

The website I looked at said to delete Qoobox afterwards, so I no longer have it. Sorry. When I saw nothing had changed, I ran it again.

#6 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 12 September 2009 - 05:07 PM

The website I looked at said to delete Qoobox afterwards, so I no longer have it. Sorry. When I saw nothing had changed, I ran it again.

Hmmm...well, when you ran it a second time, Qoobox would have been recreated. Do you mean to say that you still have no Qoobox? I would have thought that your response would have been put differently. Such as:
"I checked Qoobox but there is no combofix.txt located there."
...So, not only was running combofix on your own a very bad idea, you can now see how it becomes very confusing for your help. Please confirm for me that you do indeed have a Qoobox folder now. It is very important before we continue. Thanks!


#7 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 13 September 2009 - 08:08 PM

I don't have a Qoobox folder anymore. I guess I deleted it after the second time. I have run like 1,000 things in the last week trying to get rid of this, so forgive me for not remembering correctly. I now know it was bad to run ComboFix. I get it. I didn't even hear about it from this website and there wasn't any warning of any kind. Obviously, I am no computer whiz or I wouldn't need your help. I appreciate it, so please just let me know what I can do. Thanks.

#8 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 13 September 2009 - 08:35 PM

I have run like 1,000 things in the last week trying to get rid of this, so forgive me for not remembering correctly. I now know it was bad to run ComboFix. I get it... I am no computer whiz or I wouldn't need your help. I appreciate it, so please just let me know what I can do.

It's not as if I was trying to hammer on you about the same thing over and over. I merely mentioned again about the Qoobox folder because it is important so I needed you to clarify your remarks and try to determine what happened to it. If we find later on that we need it, you will learn how important it is...if you insist on continuing without it, then please read on:

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.



KILLALL::


File::
c:\windows\system32\232A7D1974.sys


Folder::
c:\documents and settings\leen\Application Data\uTorrent
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\Viewpoint


Driver::
232A7D1974


#9 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 14 September 2009 - 12:46 AM

I attached it. Wouldn't post when I pasted it.

Attached Files

  • Attached File  log.txt   85.9KB   8 downloads


#10 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 14 September 2009 - 09:12 AM

That should have made a difference...you might have noticed some improvement. How's it running now?


#11 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 15 September 2009 - 11:54 AM

Seems a little faster, but links on google and facebook still aren't working. Thank you though.

#12 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 15 September 2009 - 04:04 PM

Seems a little faster, but links on google and facebook still aren't working. Thank you though.

Google is your start page. Does the browser open up ok to google.com? When you say the links on google and facebook aren't working, to me that indicates that nothing whatsoever results when you click on one of those links. Is that what happens?

I'm thinking, another thing you could mean is that when you click on one of those links, instead of taking you where you think it should, it takes you somewhere completely unrelated. Is this what happens?

You see that this is just guesswork for me. Can you be more specific, please? Thanks!


#13 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 15 September 2009 - 04:50 PM

While waiting for your answer I'm taking another look at your combofix log just to make certain I haven't missed anything, and I really don't find anything else there that would indicate a reason for your continued problems with web links on google or facebook.

The file below:
c:\windows\system32\ezsidmv.dat
...is the only other item that could possibly go but it's not malicious. It's just a data file that seems out of place and probably does nothing to either leave it or remove it.

This file however:
c:\windows\system32\d3dx9_26.dll
...could cause you problems with "games" functioning but would depend on where you downloaded it. You could upload the file Here for a free scan just to see if it turns up anything.

One other possible cause could be a windows update that is missing.

Otherwise, I will have to suggest that the usage of file sharing software is most assuredly behind most users' malicious software infections and likely the culprit here.

The other problem with troubleshooting with you is the fact that you have done some tinkering on your own and have run combofix previously. The reason the "Qoobox" question was emphasized is because that is where combofix would store any backup copies it made of items it removed. On your solo run of combofix, and subsequent removal of it, it's rare...but combofix might have removed something that should not have been removed...but, since you already deleted it, we will never know that.

You might also need to run your normal disk cleanmgr and defrag utilities after a chkdsk /f scan in order to correct any file issues there may be on the disk.

Post back the results from your free scan from the above and let us know when you ran your normal maintenance procedures as suggested above. Thanks!


#14 leenymary

leenymary
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:13 AM

Posted 15 September 2009 - 08:55 PM

It's still doing the same thing I described in my first post. It doesn't redirect me to another site or anything. It either acts like it's going to a new page and never does or sometimes on facebook it will go to a new page, but never load. Google is usually my homepage, so I've removed it and it hasn't changed anything. I ran disk clean-up and defrag about a week or two ago.

I scanned that file and it said no malware was found.

http://virscan.org/report/0ff1952665391b83...0a667ca251.html

#15 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:07:13 AM

Posted 15 September 2009 - 09:37 PM

Can you give me the link(s) that you are talking about? Also, have you uninstalled/removed any and all files and programs that you know you downloaded using the file sharing software? I don't just mean the file sharing software itself, I mean the "stuff" you downloaded using that software.
