Redirected Search Results (Malwarebytes' didn't fix)


  • This topic is locked
5 replies to this topic

#1 mdgoblue

  • Members
  • 4 posts

Posted 05 October 2009 - 01:15 PM

Hey guys, hoping I might get a little help. I know this is a common problem and I have attempted to do a lot of things on my own, but I finally have to give up. Nothing seems to be working. If you can look at this HJT log, I would appreciate it.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:06 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1249527335273
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1250219302651
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 10808 bytes
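Every R/O line in the HijackThis log above has the same shape (`Rn` or `On`, then ` - `, then a body), which is what makes a log like this worth triaging mechanically before reading it entry by entry. As an added example, not part of the original thread and not Trend Micro's code, here is a small Python parser that groups the entries by section, pulls out CLSIDs, executable paths and the hosts named in the start-page/search-page values, and lists the items an analyst would verify first: autoruns with no absolute path, startup shortcuts whose target is `?`, early-load DLL hooks (O20/O21/O22), and services with no vendor string. The sample input is a constructed excerpt in the log's format, and the triage rules and function names are this example's own assumptions, not HijackThis features.

```python
import re
from collections import Counter

# Constructed excerpt in the HijackThis v2 log format (a few lines copied in
# shape from the thread's log, plus header lines that the parser must skip).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# First drive-letter path ending in a binary extension (quoted or not, spaces allowed).
EXE_PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cpl))", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://([^/\s]+)")
O4_NAME_RE = re.compile(r"\[([^\]]+)\]")


def parse_hjt(text):
    """Turn each 'Rn - ...' / 'On - ...' line into a dict; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, 'End of file', blank lines
        kind, body = m.groups()
        path = EXE_PATH_RE.search(body)
        clsid = CLSID_RE.search(body)
        host = HOST_RE.search(body)
        name = O4_NAME_RE.search(body) if kind == "O4" else None
        entries.append({
            "kind": kind,
            "body": body,
            "name": name.group(1) if name else None,
            "path": path.group(1) if path else None,
            "clsid": clsid.group(0) if clsid else None,
            "host": host.group(1).lower() if host else None,
        })
    return entries


def summarize(entries):
    """Count entries per HijackThis section (R0, O2, O4, ...)."""
    return Counter(e["kind"] for e in entries)


def search_hosts(entries):
    """Hosts referenced by the R0/R1 start-page and search-page values, sorted."""
    return sorted({e["host"] for e in entries if e["kind"].startswith("R") and e["host"]})


def triage(entries):
    """(reason, body) pairs for entries an analyst should verify first.

    These are review prompts (this example's own heuristics), not verdicts:
    a flagged item still has to be resolved against the file on disk
    (publisher, hash, location) before anything is removed.
    """
    findings = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        if kind == "O4" and body.endswith("= ?"):
            findings.append(("startup shortcut with unresolved target", body))
        elif kind == "O4" and e["path"] is None:
            findings.append(("autorun without an absolute path (resolved via PATH search)", body))
        if kind in ("O20", "O21", "O22"):
            findings.append(("early-load DLL hook (O20/O21/O22): verify the DLL's publisher", body))
        if kind == "O23" and "Unknown owner" in body:
            findings.append(("service with no vendor string", body))
    return findings


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for kind, n in sorted(summarize(ents).items()):
        print(f"{kind:>4}: {n}")
    print("search/start-page hosts:", ", ".join(search_hosts(ents)))
    for why, body in triage(ents):
        print(f"[review] {why}: {body}")
```

A flag from `triage()` is a prompt to check, not a verdict. In this very thread the `TP4EX` autorun is resolved later by ComboFix to `c:\windows\system32\TP4EX.exe`, and the `Digital Line Detect.lnk` target resolves to `c:\program files\Digital Line Detect\DLG.exe`; both are ThinkPad/OEM components, which is exactly why the output points at what to verify rather than what to delete.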


#2 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 05 October 2009 - 02:09 PM

Hi, mdgoblue :(

Welcome.

Please read and follow all these instructions very carefully.

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mdgoblue

  • Topic Starter

  • Members
  • 4 posts

Posted 05 October 2009 - 07:57 PM

First of all...thanks a ton for taking a look at this for me. I am attaching the first log here. I will reply with the Combofix log in a few minutes.

GooredFix by jpshortstuff (24.09.09.1)
Log created at 20:54 on 05/10/2009 (Chris)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:11 06/08/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [23:26 12/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [01:57 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [23:26 12/08/2009]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [02:31 17/08/2009]

-=E.O.F=-

#4 mdgoblue

  • Topic Starter

  • Members
  • 4 posts

Posted 05 October 2009 - 08:27 PM

Here is the Combofix log... I also attached it.

ComboFix 09-10-04.01 - Chris 10/05/2009 21:14.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.211 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Installer\eb4a287.msp

----- BITS: Possible infected sites -----

hxxp://knowledgeadventure.cachefly.net
Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-05 17:50 . 2009-10-05 17:56 -------- d-----w- C:\fixwareout
2009-10-05 16:24 . 2009-10-05 16:24 -------- d-----w- c:\program files\CCleaner
2009-10-05 13:01 . 2009-10-05 13:01 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-05 02:52 . 2009-10-05 02:52 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2009-10-05 02:52 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 02:52 . 2009-10-05 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-05 02:52 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-05 02:52 . 2009-10-05 02:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 01:56 . 2009-10-05 01:56 -------- d-----w- c:\program files\Trend Micro
2009-10-05 01:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-05 01:47 . 2009-10-05 01:47 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-05 01:34 . 2009-10-05 01:34 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-05 01:33 . 2009-10-05 01:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-10-05 01:33 . 2009-10-05 01:33 -------- d-----w- c:\program files\Lavasoft
2009-10-04 03:46 . 2009-10-04 03:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-27 17:50 . 2000-06-20 18:42 6736 ----a-w- c:\windows\system32\WINGDIB.DRV
2009-09-27 17:50 . 2000-06-20 18:42 188960 ----a-w- c:\windows\system32\WINGDE.DLL
2009-09-27 17:50 . 2000-06-20 18:42 92208 ----a-w- c:\windows\system32\WING.DLL
2009-09-27 17:50 . 2000-06-20 18:42 12800 ----a-w- c:\windows\system32\WING32.DLL
2009-09-24 03:05 . 2009-09-24 03:06 -------- d-----w- c:\documents and settings\Chris\Application Data\Trillian
2009-09-24 02:58 . 2009-09-24 03:05 -------- d-----w- c:\program files\Trillian
2009-09-16 00:45 . 2009-09-16 00:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Apple Computer
2009-09-12 17:51 . 2009-09-12 17:51 -------- d-----w- c:\documents and settings\Blake\Local Settings\Application Data\Mozilla
2009-09-12 16:05 . 2009-09-12 16:05 -------- d-sh--w- c:\documents and settings\Blake\PrivacIE
2009-09-12 16:05 . 2009-09-27 17:47 -------- d-----w- c:\program files\LEGO Media
2009-09-12 16:05 . 1996-11-05 20:13 299008 ----a-w- c:\windows\uninst.exe
2009-09-12 16:04 . 2009-09-12 16:04 -------- d-----w- c:\documents and settings\Blake\WINDOWS
2009-09-12 15:48 . 2009-09-12 15:48 -------- d-----w- c:\documents and settings\Blake\Local Settings\Application Data\HP
2009-09-12 15:48 . 2009-09-12 15:48 88800 ----a-w- c:\documents and settings\Blake\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-12 15:47 . 2009-09-12 15:47 -------- d-----w- c:\documents and settings\Blake\Application Data\InstallShield
2009-09-12 15:47 . 2009-09-12 15:47 -------- d-sh--w- c:\documents and settings\Blake\IETldCache
2009-09-11 23:38 . 2009-09-11 23:38 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-09-11 23:38 . 2009-09-11 23:39 -------- d-----w- c:\program files\Roxio
2009-09-11 03:02 . 2009-09-11 03:02 -------- d-sh--w- c:\documents and settings\Chris\IECompatCache
2009-09-11 02:58 . 2009-09-11 03:06 -------- d-----w- c:\documents and settings\Chris\Application Data\CamfrogWEB
2009-09-11 02:57 . 2009-09-11 02:57 -------- d-----w- c:\program files\CFWebAdvancedU
2009-09-09 03:16 . 2009-09-09 03:16 -------- d-----w- c:\program files\DVD Decrypter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 04:28 . 2009-08-06 05:17 -------- d-----w- c:\program files\ThinkVantage
2009-10-04 04:28 . 2009-08-06 05:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-01 11:26 . 2009-08-14 03:42 89184 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 21:22 . 2009-08-16 21:52 89184 ----a-w- c:\documents and settings\Cheryl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 02:46 . 2009-08-14 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-12 15:48 . 2009-08-08 23:08 128 ----a-w- c:\documents and settings\Blake\Local Settings\Application Data\fusioncache.dat
2009-09-12 11:54 . 2009-08-30 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-09-12 05:50 . 2009-08-15 01:05 256 ----a-w- c:\windows\system32\pool.bin
2009-09-11 23:41 . 2009-08-14 23:23 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-11 23:38 . 2009-08-14 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-11 23:20 . 2009-08-14 23:15 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-08-30 12:06 . 2009-08-30 12:05 -------- d-----w- c:\program files\QuickTime
2009-08-30 12:04 . 2009-08-30 12:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-30 11:56 . 2009-08-30 11:53 -------- d-----w- c:\program files\JumpStart World
2009-08-30 11:53 . 2009-08-30 11:53 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2009-08-25 00:51 . 2009-08-25 00:51 -------- d-----w- c:\documents and settings\Chris\Application Data\InterVideo
2009-08-18 23:22 . 2009-08-15 04:20 68999 ----a-w- c:\windows\hpoins05.dat
2009-08-18 23:21 . 2009-08-18 23:21 -------- d-----w- c:\documents and settings\Chris\Application Data\AdobeUM
2009-08-17 02:32 . 2009-08-17 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 02:32 . 2009-08-17 02:32 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-17 02:32 . 2009-08-17 02:32 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 02:32 . 2009-08-17 02:32 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 02:31 . 2009-08-17 02:31 -------- d-----w- c:\program files\AVG
2009-08-17 02:31 . 2009-08-17 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-17 01:38 . 2009-08-17 01:38 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG8
2009-08-17 01:36 . 2009-08-06 05:05 -------- d-----w- c:\program files\ThinkPad
2009-08-16 23:44 . 2009-08-06 05:21 -------- d-----w- c:\program files\IBM ThinkVantage
2009-08-16 23:15 . 2009-08-12 23:27 -------- d-----w- c:\program files\OpenOffice.org 3
2009-08-16 23:04 . 2009-08-16 23:04 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-16 21:51 . 2009-08-06 23:47 129 ----a-w- c:\documents and settings\Cheryl\Local Settings\Application Data\fusioncache.dat
2009-08-16 21:51 . 2009-08-16 21:51 -------- d-----w- c:\documents and settings\Cheryl\Application Data\InstallShield
2009-08-16 07:02 . 2009-08-16 07:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-15 04:28 . 2009-08-15 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-08-15 04:27 . 2009-08-15 04:26 -------- d-----w- c:\program files\Common Files\HP
2009-08-15 04:25 . 2009-08-15 04:22 -------- d-----w- c:\program files\HP
2009-08-15 04:25 . 2009-08-15 04:25 -------- d-----w- c:\program files\Hewlett-Packard
2009-08-15 04:24 . 2009-08-15 04:24 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-08-15 01:04 . 2009-08-15 01:04 -------- d-----w- c:\documents and settings\Chris\Application Data\Research In Motion
2009-08-15 01:04 . 2009-08-15 01:04 256 ----a-w- c:\documents and settings\Chris\pool.bin
2009-08-14 23:25 . 2009-08-14 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-08-14 23:23 . 2009-08-06 05:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-14 23:15 . 2009-08-14 23:15 -------- d-----w- c:\program files\Research In Motion
2009-08-14 02:56 . 2009-08-14 02:56 -------- d-----w- c:\program files\Microsoft Works
2009-08-14 02:53 . 2009-08-14 02:53 -------- d-----w- c:\program files\Microsoft.NET
2009-08-12 23:32 . 2009-08-12 23:32 -------- d-----w- c:\documents and settings\Chris\Application Data\OpenOffice.org
2009-08-12 23:26 . 2009-08-12 23:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-12 23:26 . 2009-08-12 23:26 -------- d-----w- c:\program files\Java
2009-08-12 03:34 . 2009-08-08 01:44 -------- d-----w- c:\program files\Windows Desktop Search
2009-08-12 03:31 . 2009-08-06 05:20 -------- d-----w- c:\program files\PC-Doctor for Windows
2009-08-12 03:29 . 2009-08-06 05:26 -------- d-----w- c:\program files\Multimedia Center for Think Offerings
2009-08-11 00:02 . 2009-08-11 00:02 -------- d-----w- c:\program files\Citrix
2009-08-10 23:53 . 2009-08-10 23:53 -------- d-----w- c:\documents and settings\Cheryl\Application Data\AdobeUM
2009-08-10 23:49 . 2009-08-10 23:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-10 00:58 . 2009-08-08 17:29 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Smart-Shopper
2009-08-08 23:22 . 2009-08-08 23:21 -------- d-----w- c:\documents and settings\Blake\Application Data\Smart-Shopper
2009-08-08 23:09 . 2009-08-08 23:09 -------- d-----w- c:\documents and settings\Blake\Application Data\Windows Desktop Search
2009-08-08 17:30 . 2009-08-08 17:30 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Windows Desktop Search
2009-08-08 14:23 . 2009-08-08 14:21 -------- d-----w- c:\program files\jZip
2009-08-08 02:25 . 2009-08-08 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-08 02:23 . 2009-08-08 02:23 -------- d-----w- c:\program files\Yahoo!
2009-08-08 01:55 . 2009-08-08 01:55 -------- d-----w- c:\program files\MSBuild
2009-08-08 01:55 . 2009-08-08 01:55 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 01:43 . 2009-08-08 01:43 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-08 01:39 . 2009-08-06 05:15 -------- d-----w- c:\program files\Windows Media Connect
2009-08-08 01:39 . 2009-08-06 05:43 128 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
2009-08-07 18:57 . 2009-08-07 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-07 18:56 . 2009-08-07 00:03 -------- d-----w- c:\program files\NOS
2009-08-06 05:15 . 2009-08-06 05:15 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-08-06 05:09 . 2009-08-06 05:09 17119 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-08-06 04:11 . 2009-08-06 04:11 0 ----a-w- c:\windows\nsreg.dat
2009-08-06 02:51 . 2009-08-06 05:29 40 ----a-w- c:\windows\system32\profile.dat
2009-08-05 09:01 . 1980-01-01 07:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 1980-01-01 07:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 1980-01-01 07:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-14 133104]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"amsg"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-08-02 475136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2008-07-04 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-04 1323008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-09-09 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-09-09 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-09-09 114688]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-08-10 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-08-02 475136]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-08-12 864256]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-17 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-08-30 282624]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-08-02 40960]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-8-6 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 02:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 05:23 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LEGO Media\\Games\\LEGO Chess\\Lego Chess.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/4/2009 9:47 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2009 10:32 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2009 10:32 PM 108552]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [8/6/2009 1:32 AM 4442]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2009 10:31 PM 297752]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 10:49 AM 1028432]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 01:46]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3613155644-3150293659-1215151773-1005Core.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-14 03:53]

2009-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3613155644-3150293659-1215151773-1005UA.job
- c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-14 03:53]

2009-10-05 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-08-06 08:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\7yimmcp8.default\
FF - prefs.js: browser.startup.homepage - hxxp://michigan.rivals.com/default.asp?SID=883&ReturnTo=michigan%2Erivals%2Ecom&LIN=1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\7yimmcp8.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Chris\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\windows\system32\tphklock.dll
.
Completion time: 2009-10-06 21:23
ComboFix-quarantined-files.txt 2009-10-06 01:23

Pre-Run: 21,199,233,024 bytes free
Post-Run: 21,791,719,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

285 --- E O F --- 2009-09-02 15:18


#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:43 AM

Posted 06 October 2009 - 11:12 PM

Hi, mdgoblue :(

Sorry for the delay. There was a 24-hour blackout in the area.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Let's check for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Make sure the C:\Program Files\JAVA folder is removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:43 AM

Posted 24 October 2009 - 01:40 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
