
Google Search Results redirect to unknown websites - IE & Firefox


  • This topic is locked
31 replies to this topic

#1 LionKingAlways

  • Members
  • 16 posts

Posted 20 December 2009 - 06:55 PM

Hello to BleepingComputer.

I think my browser has been hijacked by some spyware/malware. For the last few days, when I do a Google search in either IE or Firefox, I see that my search results redirect to unknown and unwanted websites every time. This is sort of scary.

I have McAfee antivirus but that did not help. I also ran AdAware but that did not help either. I am running a Windows XP SP3 OS.

Can someone help me please? I would greatly appreciate it.

After reading some other similar topics in this forum, I downloaded HijackThis and ran a scan. Please find below the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:18 PM, on 12/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6060920
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Iomega Home Storage Manager] C:\Program Files\Iomega\Home Storage Manager\Iomega Discovery.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...0000082.00000020.0000004c&b=00000082.00000021.0000004d&c=00000082.00000096.000001d8
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://dimplendhaval.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202870052000
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://home.am.mercer.com/dana-cached/setu...uniperSetup.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--
End of file - 9967 bytes


Thanks in advance.
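Editor's added example (not part of the original thread, and not code from HijackThis or BleepingComputer): a small Python parser for HijackThis v2 log lines that flags the three entries in the log above that a helper would look at first. It checks that the Winlogon Shell value reported in the F2 line is exactly Explorer.exe (here it carries an extra logon.exe, which Winlogon will start at every logon alongside Explorer), that no O2 BHO points at "(no file)", and that no O4 Run/RunOnce value has an empty name. The sample lines are copied verbatim from the log in post #1; the category names, the regular expressions and the "empty RunOnce name is unusual" heuristic are this example's own assumptions, not HijackThis terminology.

```python
"""Flag suspicious HijackThis v2 entries.

Added example for this thread; not code from HijackThis or BleepingComputer.
Sample lines are copied from the log in post #1. Category names, regexes and
heuristics are this example's own choices, not HijackThis terminology.
"""
import re

# Subset of the HijackThis log posted above (verbatim, including the "..." the
# forum software used to shorten a long URL).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...0000082.0000002
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
"""

# F2 lines report the Winlogon Shell/UserInit values (the Win9x system.ini equivalents).
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 registry lines: "O4 - HKLM\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def shell_extras(value):
    """Return every token of the Shell value other than Explorer.exe.

    On Windows XP the Winlogon Shell value is exactly "Explorer.exe"; Winlogon
    starts every program listed there, so an extra token is a second program
    launched at every logon, which is how a hijacker persists.
    """
    return [tok for tok in value.split() if tok.lower() != "explorer.exe"]


def analyze(log_text):
    """Return (category, detail) findings for the HijackThis lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            extras = shell_extras(m.group("value"))
            if extras:
                findings.append(("winlogon-shell", "extra shell token(s): " + ", ".join(extras)))
            continue
        m = BHO_RE.match(line)
        if m:
            # A CLSID still registered as a BHO whose DLL is gone: an orphan left
            # behind by a removed (or half-removed) component; clean it up.
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("orphaned-bho", m.group("clsid")))
            continue
        m = RUN_RE.match(line)
        if m and m.group("name") == "":
            # Heuristic (assumption): installers name their Run/RunOnce values,
            # so an empty name is worth a look, not a verdict.
            findings.append(("unnamed-" + m.group("key").lower(), m.group("cmd")))
    return findings


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```

Run it against a full HijackThis log by passing the file contents to `analyze()`; legitimate O2/O4 entries such as the McAfee BHO and the igfxtray Run value produce no finding, and only the F2 Shell line, the orphaned BHO and the unnamed RunOnce entry are reported.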


#2 thewall

  • Malware Response Team
  • 6,425 posts

Posted 22 December 2009 - 01:54 PM

Hello LionKingAlways :( Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right-hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





I need for you to perform the following:


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.




Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.











Thanks,



thewall

#3 LionKingAlways (Topic Starter)

  • Members
  • 16 posts

Posted 24 December 2009 - 05:17 PM

Hello thewall,

Thank you for the response. I was able to download and run dds.scr which generated 2 logs. I have attached both the logs to this post. Please let me know if you prefer that I post the entire log here and not as an attachment.

I had problems in running GMER though. When I run GMER, I see all the options. Then when I click Scan, my PC crashes and I see the ugly Windows blue screen which says "The Application failed to initialize.......". I had to switch off my PC and restart it. I tried this 3 times and every time I had the same experience.

Attached Files



#4 thewall

  • Malware Response Team
  • 6,425 posts

Posted 24 December 2009 - 05:48 PM

Try disabling your McAfee and try GMER once again. You don't have to keep on trying it if it won't run just let me know.

How to disable your AV

#5 LionKingAlways (Topic Starter)

  • Members
  • 16 posts

Posted 24 December 2009 - 10:29 PM

I tried that. And the same result this time. Is there anything else we can do?

#6 thewall

  • Malware Response Team
  • 6,425 posts

Posted 25 December 2009 - 06:34 AM

Try this:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#7 LionKingAlways (Topic Starter)

  • Members
  • 16 posts

Posted 26 December 2009 - 12:10 AM

I ran the command as per the instructions. A command window opened and there was a message at the top: "Start log failed". It did some scans and then asked to reboot. I did that and after the reboot, I did not see any "TDSSKiller.txt" log file.

So I ran the command again, but no log file this time either. Here is what I see now in the command window when I run the command.

TDSS rootkit removing tool, Kaspersky Lab 2009
version 2.1.1 Dec 20 2009 02:40:02
Start log failed

Scanning Registry ...

Scanning Kernel memory ...

Completed

Results:
Infected objects in memory: 0
Cured objects in memory: 0
Infected objects on disk: 0
Objects on disk cured on reboot: 0
Objects on disk deleted on reboot: 0
Registry nodes deleted on reboot: 0

Press any key to continue . . .



Please note that, prior to reboot, I saw the message that it had fixed 2 problems and another 1 will be fixed after reboot.

#8 thewall

  • Malware Response Team
  • 6,425 posts

Posted 26 December 2009 - 09:43 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 LionKingAlways (Topic Starter)

  • Members
  • 16 posts

Posted 27 December 2009 - 09:56 PM

I have not run ComboFix yet but noticed that the Firefox and IE Google search results are working fine now. Is it possible that TDSSKiller fixed this? Do you think I still need to run ComboFix?

#10 thewall

  • Malware Response Team
  • 6,425 posts

Posted 27 December 2009 - 10:24 PM

Highly possible that it did. TDL3 is a rootkit. I would still like for you to run CF though; we want to make sure you are clean, as some of this stuff can regenerate if you don't get it all cleaned off.
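Editor's added example (not part of the thread and not ComboFix's own code). thewall names TDL3 above; that rootkit family was known for patching a system driver body in place, most commonly atapi.sys, so the file keeps its size and its slot in the boot chain but no longer matches the copy Windows keeps in dllcache. That is exactly what the Sigcheck section of the ComboFix log in post #11 shows for c:\windows\system32\drivers\atapi.sys. The Python below parses those five Sigcheck lines (copied from that log) plus a constructed "clean" variant, groups copies of each file by name, and flags a live file whose same-size backup copies all carry a different hash; the different-size 2004 copies are just the pre-SP3 build and are not compared. The line layout, the list of backup directories, the field names and the choice of dllcache as restore source are this example's assumptions; it does not interpret ComboFix's bracketed markers.

```python
"""Cross-check a ComboFix Sigcheck block for in-place driver patches.

Added example for this thread; not ComboFix's own code. SAMPLE is the five
Sigcheck lines from the ComboFix log in post #11; CLEAN is a constructed
variant of it. The field layout and BACKUP_DIRS are assumptions inferred
from those lines.
"""
import hashlib
import re

# One Sigcheck line: "[flag] date[ time] . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d\d-\d\d(?:\s+\d\d:\d\d)?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Places where Windows XP keeps reference copies of system files (assumed list).
BACKUP_DIRS = ("\\dllcache\\", "\\servicepackfiles\\", "$ntservicepackuninstall$", "\\reinstallbackups\\")

SAMPLE = r"""
[-] 2009-12-25 21:32 . 9C56643F12539A38A1333B3E665FEC74 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-23 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
"""

# Constructed: the same block as it would look with an intact live driver.
CLEAN = SAMPLE.replace(
    "[-] 2009-12-25 21:32 . 9C56643F12539A38A1333B3E665FEC74 . 96512 . . [------]",
    "[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512]",
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        low = e["path"].lower()
        e["name"] = low.rsplit("\\", 1)[-1]
        e["is_backup"] = any(d in low for d in BACKUP_DIRS)
        entries.append(e)
    return entries


def analyze_sigcheck(text):
    """Flag live files whose same-size reference copies all carry a different hash.

    Same size plus different content is the fingerprint of an in-place patch of
    the driver body (what TDL3 did to atapi.sys). A different size usually just
    means a different build, e.g. the pre-SP3 copies here, so those are ignored.
    """
    groups = {}
    for e in parse_sigcheck(text):
        groups.setdefault(e["name"], []).append(e)
    findings = []
    for name, entries in groups.items():
        backups = [e for e in entries if e["is_backup"]]
        for live in (e for e in entries if not e["is_backup"]):
            same_size = [b for b in backups if b["size"] == live["size"]]
            if not same_size or any(b["md5"] == live["md5"] for b in same_size):
                continue
            # Prefer the dllcache copy as restore source (it is what SFC uses).
            ref = sorted(same_size, key=lambda b: "\\dllcache\\" not in b["path"].lower())[0]
            findings.append({
                "name": name, "live_path": live["path"], "live_md5": live["md5"],
                "size": live["size"], "reference_path": ref["path"],
                "reference_md5": ref["md5"], "reference_version": ref["version"],
            })
    return findings


def md5_of_file(path):
    """MD5 of a file on disk, to compare a live copy against the log's reference hash."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for f in analyze_sigcheck(SAMPLE):
        print(f"{f['name']}: live {f['live_md5']} != {f['reference_md5']} "
              f"({f['reference_version']}) at identical size {f['size']}; "
              f"restore from {f['reference_path']}")
```

On the log from post #11 this reports one finding, atapi.sys, with the dllcache copy as the restore source; on the constructed clean block it reports nothing. `md5_of_file()` is there so the same comparison can be made against the real driver on a machine, not just against the log.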

#11 LionKingAlways (Topic Starter)

  • Members
  • 16 posts

Posted 30 December 2009 - 11:42 PM

Here is the ComboFix.txt log

ComboFix 09-12-30.01 - Dhaval 12/30/2009 23:18:58.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1555 [GMT -5:00]
Running from: c:\documents and settings\Dhaval\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\documents and settings\Dhaval\Application Data\inst.exe
c:\recycler\NPROTECT
c:\windows\BM93459cc5.txt
c:\windows\cookies.ini
c:\windows\EventSystem.log
c:\windows\pskt.ini
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\apgebwnv.ini
c:\windows\system32\bhyaftej.ini
c:\windows\system32\cwdqieoq.ini
c:\windows\system32\dpaxetdm.ini
c:\windows\system32\dsclswit.ini
c:\windows\system32\emhgwdrs.ini
c:\windows\system32\faidpgot.ini
c:\windows\system32\gehcwfis.ini
c:\windows\system32\ghkmp.ini
c:\windows\system32\ghkmp.ini2
c:\windows\system32\jpceunij.ini
c:\windows\system32\kifhwlwq.ini
c:\windows\system32\kteygfff.ini
c:\windows\system32\mxonwrjr.ini
c:\windows\system32\nevhawwa.ini
c:\windows\system32\oixsrgim.ini
c:\windows\system32\qbymjwof.ini
c:\windows\system32\rmuhlkfs.ini
c:\windows\system32\rtqikrtw.ini
c:\windows\system32\rxmdawbu.ini
c:\windows\system32\tmp55.tmp
c:\windows\system32\tpenikda.ini
c:\windows\system32\vvxkepfy.ini
c:\windows\system32\xcudrhvk.ini
c:\windows\system32\xeyuexxj.ini
c:\windows\system32\xxtccwlx.ini
c:\windows\system32\yabrptwb.ini
c:\windows\system32\ybxbppfd.ini
c:\windows\system32\yderggqk.ini
c:\windows\system32\ytjvofbw.ini
c:\windows\system32\yvcrymoc.ini
c:\windows\system32\yvtqwmjv.ini

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-27 22:15 . 2009-12-27 22:17 -------- d-----w- C:\To-Backup-And-Move
2009-12-27 21:53 . 2009-12-27 21:53 -------- d-----w- C:\To-Be-Deleted
2009-12-26 17:15 . 2009-12-26 17:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-26 17:15 . 2009-12-26 17:15 -------- d-----w- c:\documents and settings\Dhaval\Application Data\skypePM
2009-12-26 17:04 . 2009-12-26 17:04 -------- d-----w- c:\program files\Common Files\Skype
2009-12-20 22:26 . 2009-12-20 22:26 -------- d-----w- c:\program files\Trend Micro
2009-12-07 22:22 . 2009-12-07 22:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-12-06 00:19 . 2009-12-05 16:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-05 16:14 . 2009-12-05 16:14 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-05 16:14 . 2009-12-05 16:14 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-05 16:14 . 2009-12-05 16:14 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-05 16:14 . 2009-12-05 16:14 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-05 16:14 . 2009-12-05 16:14 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-05 16:14 . 2009-12-05 16:14 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-05 16:14 . 2009-12-05 16:14 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-05 16:14 . 2009-12-05 16:14 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-05 16:13 . 2009-12-05 16:13 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-05 16:13 . 2009-12-05 16:13 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-05 16:13 . 2009-12-05 16:13 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-05 16:13 . 2009-12-05 16:13 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-05 16:13 . 2009-12-05 16:13 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-05 16:13 . 2009-12-05 16:13 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-05 16:13 . 2009-12-05 16:13 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-05 16:13 . 2009-12-05 16:13 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-05 16:13 . 2009-12-05 16:13 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-05 16:13 . 2009-12-05 16:13 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-05 15:28 . 2009-12-05 15:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-05 15:28 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-05 15:26 . 2009-12-05 16:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-05 15:26 . 2009-12-05 15:26 -------- d-----w- c:\program files\Lavasoft
2009-12-05 05:45 . 2009-12-05 05:45 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-12-05 05:39 . 2009-12-05 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-12-05 05:33 . 2009-11-04 21:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-05 05:33 . 2009-11-04 21:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-05 05:33 . 2009-11-04 21:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-05 05:33 . 2009-07-16 17:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-05 05:31 . 2009-12-05 05:33 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-05 05:31 . 2009-12-05 05:31 -------- d-----w- c:\program files\McAfee.com
2009-12-05 05:30 . 2009-12-19 16:39 -------- d-----w- c:\program files\McAfee
2009-12-05 05:25 . 2009-11-04 21:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-05 04:43 . 2009-12-14 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-04 05:03 . 2009-12-04 05:03 -------- d-----w- c:\program files\Radialpoint
2009-12-04 05:01 . 2009-12-04 05:01 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Verizon
2009-12-04 05:01 . 2009-12-04 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon
2009-12-03 02:42 . 2009-09-02 22:41 626688 ----a-w- c:\windows\system32\vp7vfw.dll
2009-12-03 02:42 . 2009-09-02 22:41 1184984 ----a-w- c:\windows\system32\wvc1dmod.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 22:53 . 2008-01-27 21:31 -------- d-----w- c:\documents and settings\Dhaval\Application Data\uTorrent
2009-12-26 19:31 . 2006-09-21 04:51 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Skype
2009-12-26 17:04 . 2006-09-21 04:51 -------- d-----r- c:\program files\Skype
2009-12-26 17:03 . 2007-03-22 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-25 21:32 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-25 21:28 . 2009-12-25 21:28 96512 ----a-w- c:\windows\system32\drivers\atapi.tsk
2009-12-05 04:30 . 2007-03-20 22:58 -------- d-----w- c:\program files\Dl_cats
2009-12-04 23:39 . 2007-10-26 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-04 23:39 . 2006-09-22 04:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-04 23:39 . 2006-09-22 04:28 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Symantec
2009-12-04 05:02 . 2009-01-19 15:45 -------- d-----w- c:\program files\Verizon
2009-12-03 06:22 . 2009-01-31 19:00 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Vso
2009-12-03 02:43 . 2009-01-31 19:00 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-12-03 02:43 . 2009-01-31 19:00 47360 ----a-w- c:\documents and settings\Dhaval\Application Data\pcouffin.sys
2009-12-03 02:43 . 2009-01-31 19:00 47360 ----a-w- c:\documents and settings\Dhaval\Application Data\pcouffin.sys
2009-12-03 02:42 . 2009-01-31 18:59 -------- d-----w- c:\program files\VSO
2009-11-27 21:50 . 2009-11-27 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-11-27 21:39 . 2009-11-27 21:38 -------- d-----w- c:\program files\Winamp Remote
2009-11-11 15:09 . 2006-09-21 04:12 -------- d-----w- c:\program files\MSN Messenger
2009-11-08 21:20 . 2006-09-20 23:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 21:14 . 2006-09-21 01:26 -------- d-----w- c:\program files\WildTangent
2009-11-08 21:13 . 2006-09-21 01:25 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2009-11-08 21:12 . 2006-09-21 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-11-08 21:09 . 2007-08-27 12:53 -------- d--h--w- c:\documents and settings\Guest\Application Data\Gtek
2009-11-08 21:09 . 2006-10-17 01:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2009-11-08 21:09 . 2006-09-21 04:31 -------- d--h--w- c:\documents and settings\Dhaval\Application Data\Gtek
2009-11-08 19:44 . 2006-09-21 00:03 -------- d-----w- c:\program files\Dell
2009-11-08 19:43 . 2007-06-27 22:53 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Juniper Networks
2009-11-08 19:36 . 2006-09-21 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-08 19:36 . 2006-09-21 04:05 -------- d-----w- c:\program files\Yahoo!
2009-11-08 19:36 . 2006-12-01 23:02 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Yahoo!
2009-11-08 19:34 . 2006-09-21 01:31 -------- d-----w- c:\program files\Roxio
2009-11-08 19:29 . 2006-11-19 03:16 -------- d-----w- c:\documents and settings\Dhaval\Application Data\Lavasoft
2009-11-07 05:15 . 2009-11-07 05:14 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-11-04 21:54 . 2009-11-04 21:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 07:45 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 01:52 . 2006-09-22 04:54 24112 ----a-w- c:\documents and settings\Dhaval\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2004-08-10 17:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 17:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 20:50 . 2009-11-11 14:39 2520888 ----a-w- c:\documents and settings\Dhaval\Application Data\Mozilla\Firefox\Profiles\r6ds4j4k.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
2009-10-16 01:50 . 2009-10-16 01:50 40960 ----a-r- c:\documents and settings\Dhaval\Application Data\Microsoft\Installer\{90FF23FE-0E1B-40DF-A22E-B4C0372E5936}\ARPPRODUCTICON.exe
2009-10-13 10:30 . 2004-08-10 17:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 17:51 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 19:57 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2004-08-10 17:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2004-08-10 17:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2008-04-27 18:00 . 2008-04-27 17:36 48 --sh--w- c:\windows\S1A87F430.tmp
.

------- Sigcheck -------

[-] 2009-12-25 21:32 . 9C56643F12539A38A1333B3E665FEC74 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2009-12-23 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Mozilla Firefox\firefox.exe" [2009-12-19 908248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"DLCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 73728]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Iomega Home Storage Manager"="c:\program files\Iomega\Home Storage Manager\Iomega Discovery.exe" [2009-05-18 147456]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-9-25 44384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 20:25 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-06-29 17:13 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2006-06-26 13:46 497200 ----a-w- c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2006-06-26 14:34 614960 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2006-06-26 14:33 243248 ----a-w- c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2009-10-29 11:54 1218008 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2009-10-29 11:54 562928 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2008-05-06 08:42 202088 ----a-w- c:\program files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LogMeIn"=3 (0x3)
"gusvc"=3 (0x3)
"EvtEng"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Labs Licensing Service"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"dlcf_device"=3 (0x3)
"comHost"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"YahooAUService"=2 (0x2)
"Radialpoint Security Services"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlcfpswx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/5/2009 12:38 AM 93320]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1184912]
S3 MRVW225;Zonet 802.11g USB Drive for Windows XP;c:\windows\system32\drivers\MRVW225.sys [4/25/2008 11:18 AM 299904]
S4 Radialpoint Security Services;Verizon PC Security Checkup Service;c:\program files\Verizon\PC Security Checkup\RpsSecurityAwareR.exe [12/4/2009 12:02 AM 170736]
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-12-05 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-05 17:22]

2009-12-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-12-05 17:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &WordWeb... - c:\windows\system32\wweb32.dll/lookup.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} - hxxp://dimplendhaval.myphotoalbum.com/EasyUploadTool.cab
FF - ProfilePath - c:\documents and settings\Dhaval\Application Data\Mozilla\Firefox\Profiles\r6ds4j4k.default\
FF - plugin: c:\documents and settings\Dhaval\Application Data\Mozilla\Firefox\Profiles\r6ds4j4k.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CheckNetworkConnection - c:\program files\Support.com\providerComcast\desktopdoctor.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-EasyLinkAdvisor - c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe
MSConfigStartUp-IntelWireless - c:\program files\Intel\Wireless\Bin\ifrmewrk.exe
MSConfigStartUp-IntelZeroConfig - c:\program files\Intel\Wireless\bin\ZCfgSvc.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\LogMeInSystray.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
MSConfigStartUp-QuickPhrase - c:\games\TypingMaster\quickphrase\quickphrase.exe
MSConfigStartUp-runner1 - c:\windows\mrofinu572.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-VoiceCenter - c:\program files\Creative\VoiceCenter\AndreaVC.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 23:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3820645928-1382856650-627463062-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:32,90,31,c3,b1,a7,40,a7,e3,88,8b,74,0b,93,5b,64,e7,74,36,98,5c,1c,4b,
53,37,28,5f,ef,20,ce,68,4d,51,75,bc,de,2c,0b,04,a0,c7,70,8f,39,24,ca,b2,48,\
"??"=hex:f3,4c,74,96,d3,e4,45,92,d0,58,e7,fa,f3,21,36,43
.
Completion time: 2009-12-30 23:36:18
ComboFix-quarantined-files.txt 2009-12-31 04:36

Pre-Run: 77,331,206,144 bytes free
Post-Run: 77,820,055,552 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5B5E92E6367B195A29C29C1CBF274355

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 31 December 2009 - 12:02 PM

Need to check a couple of files:

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:

c:\windows\system32\vp7vfw.dll

Click Send.
Please post the results of this scan to this thread.

Do the same for the following:

c:\windows\system32\wvc1dmod.dll
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#13 LionKingAlways

LionKingAlways
  • Topic Starter
  • Members
  • 16 posts

Posted 31 December 2009 - 10:42 PM

Here are the results for both the scans.

https://www.virustotal.com/analisis/4623975...0a60-1258831908

https://www.virustotal.com/analisis/ca35eba...98eb-1260804062

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 31 December 2009 - 11:13 PM

Sorry, I missed this one. Probably OK but let's make sure:

c:\windows\system32\ezsidmv.dat

#15 LionKingAlways

LionKingAlways
  • Topic Starter
  • Members
  • 16 posts

Posted 01 January 2010 - 01:16 AM

https://www.virustotal.com/analisis/86c37ea...e496-1262326457



