
Browser being redirected


  • This topic is locked
11 replies to this topic

#1 wizardatschool1

wizardatschool1

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 24 January 2010 - 05:17 AM

Hello. I've been browsing the internet for the past few weeks, and every so often I have a new window or tab coming up. This happens in both Firefox 3.6 and Internet Explorer 8. They all seem to have the same domain address, which then goes on to an advert, shopping, or pornography. This domain is directdr.com!

I have BullGuard and Avast Anti Virus installed on my computer, and I always run a scan every week or so. Nothing has come up saying I've been infected by anything on either of the two programs, so I'm wondering if there is any way of getting rid of the directdr popups?!

Please could you reply, if you have any idea of what to do ...


Thanks in advance

Edited by wizardatschool1, 24 January 2010 - 05:24 AM.




#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:02 AM

Posted 24 January 2010 - 07:28 AM

Greetings wizardatschool1 and Welcome to the Forums,

Please do the following:

Step 1
Please download the free utility DDS.

Disable any script blocker you may have running, then double click dds.scr to run the tool.
  • When it completes, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Step 2
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to your desktop
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please agree to do so
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that, by default, have already been checked. Please uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <--don't miss this one
  • Then click the Scan button & wait for it to finish
  • Once the scan completes, click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop
**Caution**

Rootkit scans often produce false positives.

Do NOT take any action on any of these "<--- ROOTKIT" entries without proper guidance from an expert user.

Please include the following logs in your next reply, Thanks!:
  • Contents of the DDS.txt log report
  • Attach.txt
  • GMER log (ark.txt)

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
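The DDS log requested in Step 1 is plain text with a fixed layout: each section opens with a line of '=' signs around a title. As an added triage helper, not part of this post and not code from the DDS author, the Python script below parses the "Running Processes" and "Pseudo HJT Report" sections of a constructed DDS excerpt and flags three things a responder reads first: a program launched from a user Temp folder, BHO/toolbar entries backed by no file, and UAC switched off (EnableLUA = 0). Function names and the sample lines are constructed for this example; a flagged line is a prompt for a second look, not a verdict.

```python
"""Triage helper for the text sections of a DDS log (added example; not the DDS
tool's own code). It splits the log on its '=== Title ===' section headers and
flags entries a malware responder usually checks first. All names are constructed.
"""
import re

# Constructed excerpt laid out the way DDS prints it (URLs are defanged as hxxp).
SAMPLE_DDS_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\adam\AppData\Local\Temp\RtkBtMnt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mPolicies-system: EnableLUA = 0 (0x0)
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe"

============= FINISH: 16:23:48.95 ===============
"""

# A section header is a run of '=' signs, a title, and another run of '=' signs.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Per-user temp folder on Vista/7: \Users\<name>\AppData\Local\Temp\
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def split_sections(text):
    """Return {section title: [non-empty lines]} for a DDS log."""
    sections, current = {}, None
    for line in text.splitlines():
        match = SECTION_RE.match(line.strip())
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return a list of (category, line) findings worth a second look."""
    sections = split_sections(text)
    findings = []
    for proc in sections.get("Running Processes", []):
        # The image path is everything before the first " -" argument separator.
        path = proc.split(" -", 1)[0]
        if TEMP_RE.search(path):
            findings.append(("process-from-temp", proc))
    for entry in sections.get("Pseudo HJT Report", []):
        # Orphaned shell extensions: a registered CLSID whose DLL no longer exists.
        if entry.startswith(("BHO:", "TB:")) and entry.endswith("- No File"):
            findings.append(("orphan-shell-entry", entry))
        # EnableLUA = 0 means User Account Control has been turned off.
        if "EnableLUA = 0" in entry:
            findings.append(("uac-disabled", entry))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS_LOG):
        print(f"{category:20} {line}")
```

The same parser runs unchanged over a full DDS.txt saved by the tool, since only the section titles and the per-line prefixes are assumed.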


#3 wizardatschool1

wizardatschool1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 24 January 2010 - 11:56 AM

I have saved all 3 of these logs as an attachment to this post, if needed.


Anyway here is the DDS.txt log report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by adam at 16:20:47.18 on 24/01/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.918 [GMT 0:00]

AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: BullGuard Antispyware *enabled* (Updated) {72CDBC85-9052-4B41-961E-B919FFE571AA}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\WLANExt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Users\adam\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Windows\System32\svchost.exe -k BullGuard
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\adam\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSEARCH PAGE =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar =
uWindow Title = Internet Explorer 8
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\BullGuard.exe"
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Desktop Coral] "c:\program files\desktopcoral\DesktopCoral.exe" /autorun
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [BullGuard] "c:\program files\bullguard ltd\bullguard\bullguard.exe" -boot
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoUserFolderInStartMenu = 0 (0x0)
uPolicies-explorer: NoStartMenuMyGames = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\bglsp.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\adam\appdata\roaming\mozilla\firefox\profiles\macwe75n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 afw;Agnitum Firewall Driver;c:\windows\system32\drivers\Afw.sys [2008-11-10 29208]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-4 114768]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2009-8-25 13560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-4 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-4 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-4 138680]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\system32\drivers\BdFileSpy.sys [2009-8-25 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\system32\svchost.exe -k BullGuard [2009-8-29 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\system32\svchost.exe -k BullGuard [2009-8-29 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\system32\svchost.exe -k BullGuard [2009-8-29 21504]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-12-17 1044808]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\system32\drivers\AfwCore.sys [2009-8-25 305688]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-4 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-4 352920]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-8-29 21504]

=============== Created Last 30 ================

2010-01-23 18:39:28 0 d-----w- c:\users\adam\appdata\roaming\MPEG Streamclip
2010-01-23 14:33:17 0 d-----w- c:\windows\system32\QuickTime
2010-01-23 14:32:14 0 d-----w- c:\programdata\TechSmith
2010-01-23 14:29:45 0 d-----w- c:\program files\common files\TechSmith Shared
2010-01-21 07:50:49 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-21 07:50:48 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 11:40:40 0 d-----w- c:\program files\AviSynth 2.5
2010-01-16 11:35:15 73728 ----a-w- c:\windows\system\vdremote.dll
2010-01-16 11:35:15 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-01-10 19:52:23 0 d-----w- c:\users\adam\appdata\roaming\VoipCheapCom
2010-01-04 10:31:24 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-30 23:38:52 0 d-----w- c:\programdata\Adobe
2009-12-28 12:01:31 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2009-12-28 12:01:31 21320 ----a-w- c:\windows\system32\authuitu.dll

==================== Find3M ====================

2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 19:47:25 86016 ----a-w- c:\windows\inf\infpub.dat
2009-12-18 19:47:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-18 19:47:25 143360 ----a-w- c:\windows\inf\infstor.dat
2009-12-17 23:14:46 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-06 17:17:57 676224 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-11-01 10:06:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-30 16:23:27 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-27 10:17:55 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 16:23:48.95 ===============




Here is the attach.txt file:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 25/08/2009 17:33:55
System Uptime: 24/01/2010 10:45:46 (6 hours ago)

Motherboard: Acer | | Poyang
Processor: Intel® Core™2 Duo CPU T5450 @ 1.66GHz | uPGA-478 | 1667/166mhz

==== Disk Partitions =========================

A: is FIXED (NTFS) - 41 GiB total, 40.427 GiB free.
C: is FIXED (NTFS) - 51 GiB total, 15.247 GiB free.
E: is CDROM ()
R: is FIXED (NTFS) - 10 GiB total, 5.654 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart C7200 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================

RP408: 12/12/2009 17:49:22 - Scheduled Checkpoint
RP409: 14/12/2009 18:12:50 - Installed Windows 7 Upgrade Advisor
RP410: 14/12/2009 18:31:52 - Removed Windows 7 Upgrade Advisor
RP411: 15/12/2009 07:49:29 - Windows Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer
Acer Arcade Deluxe
Acer Crystal Eye Webcam
Acer Crystal Eye Webcam Video Class Camera
Acer eAudio Management
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Acer Tour
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Download Manager
Adobe Dreamweaver CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 9.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
AIO_Scan
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Bonjour
BufferChm
BullGuard 8.5
C7200
C7200_Help
Camtasia Studio 6
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Connect
Copy
Desktop Coral 1.07.01
Destination Component
DeviceDiscovery
DeviceManagementQFolder
eSupportQFolder
Fax
GoToAssist Corporate
GPBaseService
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
Intel PROSet Wireless
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Intel® PROSet/Wireless WiFi Software
iTunes
Java™ 6 Update 17
Junk Mail filter update
kuler
Launch Manager
LightScribe 1.4.142.1
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetDeviceManager
OGA Notifier 2.0.0048.0
PanoStandAlone
Photoshop Camera Raw
PowerProducer 3.72
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
RocketDock 1.3.5
Scan
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Skype™ 4.1
Status
Suite Shared Configuration CS4
Toolbox
TrayApp
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb977839)
VideoToolkit01
WebReg
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver

==== Event Viewer Messages From Past Week ========

24/01/2010 10:48:25, Error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
24/01/2010 10:43:46, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
24/01/2010 10:43:45, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
24/01/2010 10:43:45, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
24/01/2010 10:01:01, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
23/01/2010 21:13:16, Error: Service Control Manager [7034] - The TuneUp Utilities Service service terminated unexpectedly. It has done this 3 time(s).
23/01/2010 21:13:10, Error: Service Control Manager [7034] - The TuneUp Utilities Service service terminated unexpectedly. It has done this 2 time(s).
23/01/2010 14:35:58, Error: Service Control Manager [7034] - The BullGuard Main Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:35:58, Error: Service Control Manager [7034] - The BullGuard Firewall Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:35:58, Error: Service Control Manager [7034] - The BullGuard File Scan Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:35:58, Error: Service Control Manager [7034] - The BullGuard Email Monitoring Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:35:10, Error: Service Control Manager [7034] - The BullGuard LiveUpdate service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:32:57, Error: Service Control Manager [7034] - The TuneUp Utilities Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 10:15:55, Error: EventLog [6008] - The previous system shutdown at 23:39:40 on 22/01/2010 was unexpected.
22/01/2010 18:55:14, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
22/01/2010 14:58:18, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
22/01/2010 07:49:36, Error: EventLog [6008] - The previous system shutdown at 22:14:32 on 21/01/2010 was unexpected.
21/01/2010 21:11:31, Error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
21/01/2010 21:11:31, Error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
21/01/2010 16:04:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TuneUp.UtilitiesSvc with arguments "" in order to run the server: {FCA02D56-BF9D-4591-AD41-E59AF763C64A}
21/01/2010 16:02:27, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
21/01/2010 15:26:42, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
21/01/2010 15:26:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP spldr Wanarpv6
21/01/2010 15:26:36, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
21/01/2010 15:26:30, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
21/01/2010 15:26:25, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
21/01/2010 15:26:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
21/01/2010 15:26:03, Error: EventLog [6008] - The previous system shutdown at 15:23:23 on 21/01/2010 was unexpected.
21/01/2010 14:53:56, Error: EventLog [6008] - The previous system shutdown at 08:25:24 on 21/01/2010 was unexpected.
20/01/2010 21:18:17, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD afw aswRdr aswSP aswTdi DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6 ws2ifsl
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The Security Center service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The eSettings Service service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
20/01/2010 21:18:17, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
20/01/2010 21:16:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
20/01/2010 21:16:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
20/01/2010 19:43:13, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
20/01/2010 17:52:55, Error: EventLog [6008] - The previous system shutdown at 17:24:56 on 20/01/2010 was unexpected.
20/01/2010 15:15:14, Error: EventLog [6008] - The previous system shutdown at 15:05:04 on 20/01/2010 was unexpected.
20/01/2010 07:46:04, Error: EventLog [6008] - The previous system shutdown at 22:13:28 on 19/01/2010 was unexpected.
19/01/2010 07:59:41, Error: Microsoft-Windows-PrintSpooler [6161] - The document Microsoft Word - Salem Witch Trials, owned by adam, failed to print on printer HP Photosmart C7200 series. Try to print the document again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool file in bytes: 27968. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\ADAMPELLING-PC. Win32 error code returned by the print processor: 6. The handle is invalid.
19/01/2010 07:40:52, Error: EventLog [6008] - The previous system shutdown at 22:15:18 on 18/01/2010 was unexpected.
18/01/2010 07:48:57, Error: EventLog [6008] - The previous system shutdown at 22:14:44 on 17/01/2010 was unexpected.
17/01/2010 20:22:44, Error: EventLog [6008] - The previous system shutdown at 20:20:48 on 17/01/2010 was unexpected.
17/01/2010 10:35:42, Error: EventLog [6008] - The previous system shutdown at 23:46:39 on 16/01/2010 was unexpected.

==== End Of File ===========================



Here is the ark.txt GMER file:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-24 16:52:32
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\adam\AppData\Local\Temp\kwryipod.sys


---- System - GMER 1.0.15 ----

INT 0x51 ? 9E851550
INT 0x61 ? 9E8517D0
INT 0x93 ? 9E83F550
INT 0xA1 ? 9E8512D0

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\nsiproxy \Device\Nsi AfwCore.sys

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85609618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BsFileScan\Statistics@UiTotalScans 82214

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by wizardatschool1, 24 January 2010 - 12:00 PM.
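The DDS event-log section above is long, and the lines that matter for an infection (security-product services dying, security drivers failing to load at boot, repeated unexpected shutdowns) are mixed in with ordinary noise. The following Python script is an added example, not from the thread, from DDS, or from any other tool named here: it parses lines in the format DDS uses (`DD/MM/YYYY HH:MM:SS, Error: Source [ID] - message`) and summarises those three patterns. The sample log is a constructed subset of lines in the same format as the one pasted above, and the hint lists used to recognise security products and their drivers are assumptions chosen from names that appear in this thread, not a vendor list.

```python
"""Triage helper for the event-log section of a DDS attach.txt report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# One DDS event-log line, e.g.
# 21/01/2010 15:26:36, Error: Service Control Manager [7026] - The following ... failed to load: aswSP spldr
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# Assumed hint lists (not a vendor list): substrings of service names and
# driver-name prefixes for security products seen in this thread.
SECURITY_SERVICE_HINTS = ("bullguard", "avast", "pc tools", "firewall", "security", "antivirus")
SECURITY_DRIVER_PREFIXES = ("asw", "afw", "bd")  # avast (asw*), Agnitum (afw*), BullGuard (bd*)

# Constructed sample in the DDS format; the last line is deliberately not an event.
SAMPLE_LOG = """\
23/01/2010 14:35:58, Error: Service Control Manager [7034] - The BullGuard Firewall Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 14:32:57, Error: Service Control Manager [7034] - The TuneUp Utilities Service service terminated unexpectedly. It has done this 1 time(s).
23/01/2010 10:15:55, Error: EventLog [6008] - The previous system shutdown at 23:39:40 on 22/01/2010 was unexpected.
22/01/2010 07:49:36, Error: EventLog [6008] - The previous system shutdown at 22:14:32 on 21/01/2010 was unexpected.
21/01/2010 21:11:31, Error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
21/01/2010 15:26:36, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSP spldr Wanarpv6
20/01/2010 21:18:17, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD afw aswRdr aswSP aswTdi DfsC spldr tdx Wanarpv6
this line is not an event and is skipped by the parser
"""


@dataclass
class Event:
    date: str
    time: str
    level: str
    source: str
    event_id: int
    msg: str


def parse_line(line):
    """Return an Event for a DDS event-log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["date"], m["time"], m["level"], m["source"].strip(), int(m["event_id"]), m["msg"])


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def triage(events):
    """Summarise the patterns worth a second look in a malware-removal thread."""
    summary = {
        "by_event": Counter((e.source, e.event_id) for e in events),
        "unexpected_shutdowns": [e.date for e in events if e.event_id == 6008],
        "security_service_crashes": [],   # 7034: security-product service terminated unexpectedly
        "failed_boot_drivers": Counter(),  # 7026: every driver named, with how often it failed
        "security_drivers_failed": set(),  # subset of the above matching the assumed prefixes
    }
    for e in events:
        if e.event_id == 7034:
            m = re.match(r"The (.+?) service terminated unexpectedly", e.msg)
            name = m.group(1) if m else e.msg
            if any(h in name.lower() for h in SECURITY_SERVICE_HINTS):
                summary["security_service_crashes"].append(name)
        elif e.event_id == 7026:
            _, _, drivers = e.msg.partition("failed to load:")
            for drv in drivers.split():
                summary["failed_boot_drivers"][drv] += 1
                if drv.lower().startswith(SECURITY_DRIVER_PREFIXES):
                    summary["security_drivers_failed"].add(drv)
    return summary


def report(summary):
    """Render the summary as plain text lines suitable for pasting into a reply."""
    lines = [f"{src} [{eid}]: {n} event(s)" for (src, eid), n in sorted(summary["by_event"].items())]
    lines.append(f"unexpected shutdowns: {len(summary['unexpected_shutdowns'])}")
    lines.append("security services terminated: " + ", ".join(summary["security_service_crashes"]))
    lines.append("security drivers failed at boot: " + ", ".join(sorted(summary["security_drivers_failed"])))
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Run it against the full event-log section of a real attach.txt (read the file and pass its contents to `parse_log`) to get a count per event id, the dates of unexpected shutdowns, and the names of security services and drivers that failed; the hint lists are the part to adapt for other products.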


#4 wizardatschool1

wizardatschool1
  • Topic Starter

  • Members
  • 6 posts

Posted 24 January 2010 - 12:00 PM

Don't know why it posted twice :P

The same log files from the post before are attached to this post, thanks :)


Edited by wizardatschool1, 24 January 2010 - 12:03 PM.


#5 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 12:24 PM

You have both Avast and BullGuard installed. You should decide which of those to keep and uninstall the other.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouse-click ComboFix's window while it's running...that may cause the scan to stall.


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#6 wizardatschool1

wizardatschool1
  • Topic Starter

  • Members
  • 6 posts

Posted 24 January 2010 - 01:35 PM

Here is the ComboFix log for you.


ComboFix 10-01-23.06 - adam 24/01/2010 18:13:52.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1120 [GMT 0:00]
Running from: c:\users\adam\Desktop\ComboFix.exe
AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
SP: BullGuard Antispyware *enabled* (Updated) {72CDBC85-9052-4B41-961E-B919FFE571AA}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\users\adam\AppData\Roaming\EurekaLog
c:\users\adam\AppData\Roaming\inst.exe
c:\windows\struct~.ini
c:\windows\system32\twain_32.dll
c:\windows\system32\winio.vxd

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msdvdDrv


((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 18:39 . 2010-01-23 18:39 -------- d-----w- c:\users\adam\AppData\Roaming\MPEG Streamclip
2010-01-23 14:36 . 2010-01-23 14:36 -------- d-----w- c:\users\adam\AppData\Local\TechSmith
2010-01-23 14:33 . 2010-01-23 14:33 -------- d-----w- c:\windows\system32\QuickTime
2010-01-23 14:32 . 2010-01-23 14:32 -------- d-----w- c:\programdata\TechSmith
2010-01-23 14:29 . 2010-01-23 14:29 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2010-01-23 14:29 . 2010-01-23 14:29 -------- d-----w- c:\program files\TechSmith
2010-01-21 07:50 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-21 07:50 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 11:40 . 2010-01-24 10:13 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-16 11:35 . 2009-12-24 19:57 73728 ----a-w- c:\windows\system\vdremote.dll
2010-01-16 11:35 . 2009-12-24 19:56 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-01-10 19:52 . 2010-01-10 19:53 -------- d-----w- c:\users\adam\AppData\Roaming\VoipCheapCom
2010-01-04 10:31 . 2010-01-04 10:31 -------- d-----w- c:\program files\Alwil Software
2009-12-30 23:38 . 2010-01-02 16:55 -------- d-----w- c:\users\adam\AppData\Local\Adobe
2009-12-28 12:01 . 2009-12-17 23:09 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-12-28 12:01 . 2009-12-17 23:08 30024 ----a-w- c:\windows\system32\uxtuneup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 18:07 . 2009-08-25 09:33 -------- d-----w- c:\programdata\BullGuard
2010-01-22 07:57 . 2009-12-22 18:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 16:50 . 2009-08-26 08:58 6648 ----a-w- c:\users\adam\AppData\Local\d3d9caps.dat
2010-01-21 08:03 . 2009-08-26 13:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 07:56 . 2007-08-08 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-01-21 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-20 07:46 . 2009-08-25 08:45 111592 ----a-w- c:\users\adam\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-18 16:26 . 2009-08-26 21:05 -------- d-----w- c:\users\adam\AppData\Roaming\Skype
2010-01-18 16:07 . 2009-08-26 21:05 -------- d-----w- c:\users\adam\AppData\Roaming\skypePM
2010-01-14 11:12 . 2009-10-03 09:23 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 10:05 . 2009-11-07 13:42 -------- d-----w- c:\users\adam\AppData\Roaming\HpUpdate
2010-01-02 06:38 . 2010-01-22 15:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 15:10 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 15:10 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 15:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-31 11:41 . 2009-09-26 09:15 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-28 12:01 . 2009-11-03 21:51 -------- d-----w- c:\program files\TuneUp Utilities 2010
2009-12-23 13:06 . 2009-09-16 14:27 -------- d-----w- c:\users\adam\AppData\Roaming\CyberLink
2009-12-22 18:40 . 2009-12-22 18:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-22 18:12 . 2009-08-25 09:33 -------- d-----w- c:\users\adam\AppData\Roaming\BullGuard
2009-12-21 10:29 . 2009-09-07 11:45 -------- d-----w- c:\programdata\HP
2009-12-18 19:47 . 2009-12-18 19:47 -------- d-----w- c:\program files\Common Files\snp2uvc
2009-12-18 19:47 . 2007-08-08 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 19:43 . 2009-12-18 19:43 -------- d-----w- c:\users\adam\AppData\Roaming\InstallShield
2009-12-18 19:12 . 2009-12-18 19:12 -------- d-----w- c:\programdata\InstallShield
2009-12-18 19:12 . 2007-08-08 22:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-18 18:50 . 2010-01-11 18:38 237568 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Aurora.tla.dll
2009-12-18 18:50 . 2009-12-18 18:30 237568 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Aurora.tla.dll
2009-12-18 18:49 . 2010-01-11 18:38 3465216 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora.tls.dll
2009-12-18 18:49 . 2009-12-18 18:32 3465216 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora.tls.dll
2009-12-18 18:48 . 2010-01-11 18:38 3465216 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora-1.tls.dll
2009-12-18 18:48 . 2009-12-18 18:48 3465216 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora-1.tls.dll
2009-12-17 23:14 . 2009-11-03 21:53 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-10 20:05 . 2009-12-10 20:05 72704 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\RemoteControl.dll
2009-12-10 20:05 . 2009-12-10 20:05 613888 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\WMASoundPlugin.dll
2009-12-10 20:05 . 2009-12-10 20:05 53760 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\zlib.dll
2009-12-10 20:05 . 2009-12-10 20:05 444928 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\SystemMP3SoundPlugin.dll
2009-12-10 20:05 . 2009-12-10 20:05 1603072 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\VorbisOGGSoundPlugin.dll
2009-12-10 20:05 . 2009-12-03 21:10 5439488 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
2009-12-10 20:05 . 2009-12-10 20:05 630272 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\CrashRpt.dll
2009-12-10 20:05 . 2009-12-10 20:05 489984 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\dbghelp.dll
2009-12-10 20:05 . 2009-12-10 20:05 1495040 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\lng.dll
2009-12-10 20:05 . 2009-12-10 20:05 1138688 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\libeay32.dll
2009-12-08 20:49 . 2009-12-08 20:49 -------- d-----w- c:\program files\QuickTime
2009-12-05 12:23 . 2009-12-05 12:21 -------- d-----w- c:\programdata\PrettyMay
2009-11-29 15:16 . 2009-11-29 15:16 -------- d-----w- c:\users\adam\AppData\Roaming\Publish Providers
2009-11-29 15:16 . 2009-11-29 15:05 -------- d-----w- c:\users\adam\AppData\Roaming\Sony
2009-11-29 15:01 . 2009-11-29 15:01 -------- d-----w- c:\programdata\Sony
2009-11-26 19:01 . 2009-11-26 19:01 252416 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\mcr_lib.dll
2009-11-26 19:01 . 2009-11-26 19:01 1907056 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\setup.exe
2009-11-26 19:01 . 2009-11-26 19:01 110080 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\supertintin_skype_extra_wrapper.exe
2009-11-25 15:03 . 2009-12-18 18:19 3805184 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Acacia.tls.dll
2009-11-25 15:03 . 2009-11-24 15:47 3805184 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Acacia.tls.dll
2009-11-25 15:03 . 2009-10-13 15:13 2052096 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Blue_streak.tls.dll
2009-11-24 15:45 . 2009-12-18 18:19 77824 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Digits.tla.dll
2009-11-24 15:45 . 2009-11-24 15:45 77824 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Digits.tla.dll
2009-11-22 21:33 . 2009-09-26 09:12 38784 ----a-w- c:\users\adam\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 21:33 . 2009-09-26 09:12 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-09 12:31 . 2009-12-10 15:55 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 15:55 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 15:55 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-06 17:17 . 2009-08-03 14:07 676224 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-11-06 16:57 . 2009-09-10 18:59 1990656 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\StarryNight[1].tls.dll
2009-11-03 20:08 . 2009-11-03 22:02 2342912 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\DNA Digital.tls.dll
2009-11-03 20:08 . 2009-11-03 20:07 2342912 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\DNA Digital.tls.dll
2009-11-03 20:06 . 2009-11-03 22:02 65536 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Circle.tla.dll
2009-11-03 20:06 . 2009-10-13 15:14 65536 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Circle.tla.dll
2009-11-01 10:06 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 11:16 . 2009-10-31 11:16 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 15:27 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2009-09-14 304464]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Desktop Coral"="c:\program files\DesktopCoral\DesktopCoral.exe" [2009-09-06 2123776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-09-14 304464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 0 (0x0)
"NoUserFolderInStartMenu"= 0 (0x0)
"NoStartMenuMyGames"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2009-12-21 21:27 1803064 ----a-w- c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
2007-06-11 21:54 1286144 ----a-w- c:\acer\Empowering Technology\eAudio\eAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 15:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-06-27 09:15 752136 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"Desktop Coral"="c:\program files\DesktopCoral\DesktopCoral.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Acer Tour Reminder"=c:\acer\AcerTour\Reminder.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"WarReg_PopUp"=c:\acer\WR_PopUp\WarReg_PopUp.exe
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):12,2d,ef,1e,77,2d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1672788790-2932324031-3460723521-1000]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\Afw.sys [10/11/2008 13:51 29208]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [25/08/2009 08:48 13560]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [25/08/2009 09:42 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [17/12/2009 23:12 1044808]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\System32\drivers\AfwCore.sys [25/08/2009 09:32 305688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [08/08/2007 21:23 179712]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [08/08/2007 21:23 32256]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 06:40 3668480]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 07:24 10064]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [29/08/2009 16:13 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-24 c:\windows\Tasks\User_Feed_Synchronization-{F0B8AB99-3380-4FF7-949A-120AB71AA95A}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\bglsp.dll
FF - ProfilePath - c:\users\adam\AppData\Roaming\Mozilla\Firefox\Profiles\macwe75n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2984)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\windows\RtHDVCpl.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\users\adam\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-01-24 18:30:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 18:30

Pre-Run: 16,158,642,176 bytes free
Post-Run: 16,112,861,184 bytes free

- - End Of File - - 61E145BFC0E0E481EC12645DA4F11043


#7 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.

Posted 24 January 2010 - 04:57 PM

If the program TuneUp WinStyler compiles backups for you then I would restore everything that you removed using that program, then uninstall it.

Please open a blank Notepad by clicking start-->run
Then, in the run box type Notepad.exe and click "OK".
Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated and let us know how it's running for you. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
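As an added illustration of what the CFScript above does (example code written for this page, not code from the thread, from 1972vet or from ComboFix's authors), the Python below parses the LOCKED REGISTRY KEYS section of a ComboFix log, records which of the listed keys actually carry an @Denied entry, and emits a KILLALL:: / Reglock:: script in the same shape as the one posted. The sample log text is copied from the earlier log in this thread and embedded so the code runs offline. The layout it relies on (a dashed header line naming the section, a lone "." terminator, bracketed key paths, "@Denied: (rights) (principal)" lines) is inferred from that log rather than from any ComboFix documentation, and the CRLF line endings are my choice.

```python
import re

# Constructed sample input: the LOCKED REGISTRY KEYS section copied from the
# ComboFix log posted in this thread, embedded here so the parser runs
# offline. It is an excerpt for illustration, not a live log capture.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Layout assumptions taken from the log above: a dashed header line names a
# section, a lone "." ends it, keys appear in [brackets], and ACL lines read
# "@Denied: (rights) (principal)". None of this is documented ComboFix format.
SECTION_HEADER = re.compile(r"^-{5,}\s*(.+?)\s*-{5,}$")
KEY_LINE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")
ACL_LINE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\(([^)]*)\)$")


def section_lines(log_text: str, title: str) -> list[str]:
    """Return the body lines of the ComboFix section called `title`."""
    out: list[str] = []
    inside = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        header = SECTION_HEADER.match(line)
        if header:
            if inside:
                break                      # ran into the next section
            inside = header.group(1).upper() == title.upper()
            continue
        if inside:
            if line == ".":
                break                      # ComboFix's section terminator
            out.append(line)
    return out


def locked_keys(log_text: str) -> dict[str, list[str]]:
    """Map every key under LOCKED REGISTRY KEYS to the principals it denies.
    Subkeys ComboFix lists for context, without an @Denied line of their own,
    map to an empty list, so a reviewer can see which keys carry a deny ACE."""
    keys: dict[str, list[str]] = {}
    current = None
    for line in section_lines(log_text, "LOCKED REGISTRY KEYS"):
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            keys[current] = []
            continue
        acl = ACL_LINE.match(line)
        if acl and current is not None and acl.group(1) == "Denied":
            keys[current].append(acl.group(3))
    return keys


def build_cfscript(keys) -> str:
    """Emit a CFScript in the shape the helper posted: KILLALL:: then a
    Reglock:: block listing each key. CRLF endings are used so Notepad on
    Vista shows one key per line (my choice, not taken from the thread)."""
    lines = ["KILLALL::", "", "Reglock::"]
    lines.extend(f"[{k}]" for k in keys)
    return "\r\n".join(lines) + "\r\n"
```

Calling locked_keys(SAMPLE_LOG) returns the eight keys in the order the log lists them, and only three of them (the CLSID root, the Interface root and AllUserSettings) carry a deny entry; the other five are subkeys ComboFix prints alongside their parent. That split is worth reading before resetting permissions: the log's own values name the first two as the FlashBroker COM registration for FlashUtil10e.exe, so check what a locked key belongs to before you unlock it. build_cfscript(locked_keys(SAMPLE_LOG)) then yields the text to save as CFScript.txt, the same eight Reglock:: lines that appear in the post above.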


#8 wizardatschool1
  • Topic Starter
  • Members
  • 6 posts

Posted 25 January 2010 - 10:41 AM

Before I even ran the CFScript.txt file in ComboFix, I had no issues with the directdr.com popups. It all seemed well. Anyway, I ran the CFScript, but I didn't understand what you meant about restoring the removed files from WinStyler, so I haven't uninstalled it either. I hope this isn't a problem!


Here's the log created from the CFScript for you:


ComboFix 10-01-24.03 - adam 25/01/2010 8:02.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1167 [GMT 0:00]
Running from: c:\users\adam\Desktop\ComboFix.exe
Command switches used :: c:\users\adam\Desktop\CFScript.txt
AV: BullGuard Antivirus *On-access scanning enabled* (Updated) {7A9BB333-8EDF-4FDC-A2A5-1A30FA021913}
FW: BullGuard Firewall *enabled* {2AEF4CB6-61B5-4E60-AF22-D95E75B63FA1}
SP: BullGuard Antispyware *enabled* (Updated) {72CDBC85-9052-4B41-961E-B919FFE571AA}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-25 08:08 . 2010-01-25 08:10 -------- d-----w- c:\users\adam\AppData\Local\temp
2010-01-25 08:08 . 2010-01-25 08:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-25 08:08 . 2010-01-25 08:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-24 22:15 . 2010-01-24 22:15 -------- d-----w- c:\users\adam\AppData\Roaming\Subversion
2010-01-24 22:15 . 2010-01-24 22:15 -------- d-----w- c:\program files\SEPY ActionScript Editor
2010-01-24 21:58 . 2010-01-24 21:58 -------- d-----w- c:\program files\Eltima Software
2010-01-24 21:24 . 2010-01-24 21:24 -------- d-----w- c:\users\adam\Library
2010-01-24 21:24 . 2010-01-24 21:24 -------- d-----w- c:\users\adam\AppData\Roaming\com.adobe.ExMan
2010-01-23 18:39 . 2010-01-23 18:39 -------- d-----w- c:\users\adam\AppData\Roaming\MPEG Streamclip
2010-01-23 14:36 . 2010-01-23 14:36 -------- d-----w- c:\users\adam\AppData\Local\TechSmith
2010-01-23 14:33 . 2010-01-23 14:33 -------- d-----w- c:\windows\system32\QuickTime
2010-01-23 14:32 . 2010-01-23 14:32 -------- d-----w- c:\programdata\TechSmith
2010-01-23 14:29 . 2010-01-23 14:29 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2010-01-23 14:29 . 2010-01-23 14:29 -------- d-----w- c:\program files\TechSmith
2010-01-21 07:50 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-21 07:50 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-16 11:40 . 2010-01-24 10:13 -------- d-----w- c:\program files\AviSynth 2.5
2010-01-16 11:35 . 2009-12-24 19:57 73728 ----a-w- c:\windows\system\vdremote.dll
2010-01-16 11:35 . 2009-12-24 19:56 65536 ----a-w- c:\windows\system\vdsvrlnk.dll
2010-01-10 19:52 . 2010-01-10 19:53 -------- d-----w- c:\users\adam\AppData\Roaming\VoipCheapCom
2010-01-04 10:31 . 2010-01-04 10:31 -------- d-----w- c:\program files\Alwil Software
2009-12-30 23:38 . 2010-01-02 16:55 -------- d-----w- c:\users\adam\AppData\Local\Adobe
2009-12-28 12:01 . 2009-12-17 23:09 21320 ----a-w- c:\windows\system32\authuitu.dll
2009-12-28 12:01 . 2009-12-17 23:08 30024 ----a-w- c:\windows\system32\uxtuneup.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 07:54 . 2009-08-25 09:33 -------- d-----w- c:\programdata\BullGuard
2010-01-24 21:21 . 2009-09-26 09:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 07:57 . 2009-12-22 18:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-21 16:50 . 2009-08-26 08:58 6648 ----a-w- c:\users\adam\AppData\Local\d3d9caps.dat
2010-01-21 08:03 . 2009-08-26 13:08 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 07:56 . 2007-08-08 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-01-21 07:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-20 07:46 . 2009-08-25 08:45 111592 ----a-w- c:\users\adam\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-18 16:26 . 2009-08-26 21:05 -------- d-----w- c:\users\adam\AppData\Roaming\Skype
2010-01-18 16:07 . 2009-08-26 21:05 -------- d-----w- c:\users\adam\AppData\Roaming\skypePM
2010-01-14 11:12 . 2009-10-03 09:23 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-04 10:05 . 2009-11-07 13:42 -------- d-----w- c:\users\adam\AppData\Roaming\HpUpdate
2010-01-02 06:38 . 2010-01-22 15:10 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-22 15:10 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-01-22 15:10 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-01-22 15:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:01 . 2009-11-03 21:51 -------- d-----w- c:\program files\TuneUp Utilities 2010
2009-12-23 13:06 . 2009-09-16 14:27 -------- d-----w- c:\users\adam\AppData\Roaming\CyberLink
2009-12-22 18:40 . 2009-12-22 18:40 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-22 18:12 . 2009-08-25 09:33 -------- d-----w- c:\users\adam\AppData\Roaming\BullGuard
2009-12-21 10:29 . 2009-09-07 11:45 -------- d-----w- c:\programdata\HP
2009-12-18 19:47 . 2009-12-18 19:47 -------- d-----w- c:\program files\Common Files\snp2uvc
2009-12-18 19:47 . 2007-08-08 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 19:43 . 2009-12-18 19:43 -------- d-----w- c:\users\adam\AppData\Roaming\InstallShield
2009-12-18 19:12 . 2009-12-18 19:12 -------- d-----w- c:\programdata\InstallShield
2009-12-18 19:12 . 2007-08-08 22:06 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-18 18:50 . 2010-01-11 18:38 237568 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Aurora.tla.dll
2009-12-18 18:50 . 2009-12-18 18:30 237568 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Aurora.tla.dll
2009-12-18 18:49 . 2010-01-11 18:38 3465216 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora.tls.dll
2009-12-18 18:49 . 2009-12-18 18:32 3465216 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora.tls.dll
2009-12-18 18:48 . 2010-01-11 18:38 3465216 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora-1.tls.dll
2009-12-18 18:48 . 2009-12-18 18:48 3465216 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Borabora-1.tls.dll
2009-12-17 23:14 . 2009-11-03 21:53 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2009-12-10 20:05 . 2009-12-10 20:05 72704 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\RemoteControl.dll
2009-12-10 20:05 . 2009-12-10 20:05 613888 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\WMASoundPlugin.dll
2009-12-10 20:05 . 2009-12-10 20:05 53760 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\zlib.dll
2009-12-10 20:05 . 2009-12-10 20:05 444928 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\SystemMP3SoundPlugin.dll
2009-12-10 20:05 . 2009-12-10 20:05 1603072 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\sound\VorbisOGGSoundPlugin.dll
2009-12-10 20:05 . 2009-12-03 21:10 5439488 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
2009-12-10 20:05 . 2009-12-10 20:05 630272 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\CrashRpt.dll
2009-12-10 20:05 . 2009-12-10 20:05 489984 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\dbghelp.dll
2009-12-10 20:05 . 2009-12-10 20:05 1495040 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\lng.dll
2009-12-10 20:05 . 2009-12-10 20:05 1138688 ----a-w- c:\programdata\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\libeay32.dll
2009-12-08 20:49 . 2009-12-08 20:49 -------- d-----w- c:\program files\QuickTime
2009-12-05 12:23 . 2009-12-05 12:21 -------- d-----w- c:\programdata\PrettyMay
2009-11-29 15:16 . 2009-11-29 15:16 -------- d-----w- c:\users\adam\AppData\Roaming\Publish Providers
2009-11-29 15:16 . 2009-11-29 15:05 -------- d-----w- c:\users\adam\AppData\Roaming\Sony
2009-11-29 15:01 . 2009-11-29 15:01 -------- d-----w- c:\programdata\Sony
2009-11-26 19:01 . 2009-11-26 19:01 252416 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\mcr_lib.dll
2009-11-26 19:01 . 2009-11-26 19:01 1907056 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\setup.exe
2009-11-26 19:01 . 2009-11-26 19:01 110080 ----a-w- c:\programdata\Skype\Plugins\Plugins\D3987B641C134048B815DB578D607F42\supertintin_skype_extra_wrapper.exe
2009-11-25 15:03 . 2009-12-18 18:19 3805184 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Acacia.tls.dll
2009-11-25 15:03 . 2009-11-24 15:47 3805184 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Acacia.tls.dll
2009-11-25 15:03 . 2009-10-13 15:13 2052096 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\Blue_streak.tls.dll
2009-11-24 15:45 . 2009-12-18 18:19 77824 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Digits.tla.dll
2009-11-24 15:45 . 2009-11-24 15:45 77824 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Digits.tla.dll
2009-11-22 21:33 . 2009-09-26 09:12 38784 ----a-w- c:\users\adam\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-22 21:33 . 2009-09-26 09:12 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-09 12:31 . 2009-12-10 15:55 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 15:55 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 15:55 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-06 17:17 . 2009-08-03 14:07 676224 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-11-06 16:57 . 2009-09-10 18:59 1990656 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\StarryNight[1].tls.dll
2009-11-03 20:08 . 2009-11-03 22:02 2342912 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\DNA Digital.tls.dll
2009-11-03 20:08 . 2009-11-03 20:07 2342912 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogonScreens\DNA Digital.tls.dll
2009-11-03 20:06 . 2009-11-03 22:02 65536 ----a-w- c:\users\adam\AppData\Roaming\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Circle.tla.dll
2009-11-03 20:06 . 2009-10-13 15:14 65536 ----a-w- c:\programdata\TuneUp Software\TuneUp Utilities\WinStyler\LogoAnimations\Circle.tla.dll
2009-11-01 10:06 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 11:16 . 2009-10-31 11:16 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 15:27 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\BullGuard.exe" [2009-09-14 304464]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"Desktop Coral"="c:\program files\DesktopCoral\DesktopCoral.exe" [2009-09-06 2123776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2009-09-14 304464]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMyMusic"= 0 (0x0)
"NoUserFolderInStartMenu"= 0 (0x0)
"NoStartMenuMyGames"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2009-12-21 21:27 1803064 ----a-w- c:\program files\CCleaner\CCleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eAudio]
2007-06-11 21:54 1286144 ----a-w- c:\acer\Empowering Technology\eAudio\eAudio.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 15:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-06-27 09:15 752136 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"Desktop Coral"="c:\program files\DesktopCoral\DesktopCoral.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"Acer Tour Reminder"=c:\acer\AcerTour\Reminder.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"WarReg_PopUp"=c:\acer\WR_PopUp\WarReg_PopUp.exe
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):12,2d,ef,1e,77,2d,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1672788790-2932324031-3460723521-1000]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\Afw.sys [10/11/2008 13:51 29208]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [25/08/2009 08:48 13560]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [25/08/2009 09:42 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [29/08/2009 16:13 21504]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [17/12/2009 23:12 1044808]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\System32\drivers\AfwCore.sys [25/08/2009 09:32 305688]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [08/08/2007 21:23 179712]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [08/08/2007 21:23 32256]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 06:40 3668480]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 07:24 10064]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [29/08/2009 16:13 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\User_Feed_Synchronization-{F0B8AB99-3380-4FF7-949A-120AB71AA95A}.job
- c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\bglsp.dll
FF - ProfilePath - c:\users\adam\AppData\Roaming\Mozilla\Firefox\Profiles\macwe75n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-25 08:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4892)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\users\adam\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-01-25 08:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-25 08:17

Pre-Run: 15,990,104,064 bytes free
Post-Run: 15,889,719,296 bytes free

- - End Of File - - B6FE0289D4128C47B105EAC1BCBB8E84

#9 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:02 AM

Posted 25 January 2010 - 11:38 AM

OK, the log looks fine.

QUOTE
I didn't understand what you meant about restoring the removed files from WinStyler, so I haven't uninstalled it either ?! I hope this isn't a problem!

What I may have done was to confuse the two programs from GmbH, TuneUpSoftware, and WinStyler since both are called "TuneUp Software". Your log shows that you have some tuneup program running and what I was referring to is the fact that you should restore anything you may have removed using that tuneup program.

Being unfamiliar with it myself, you would know better than I if it makes backup copies of things that it may present to you during a scan that it tells you are "safe to remove".

I have grown accustomed to seeing this type of software being the culprit behind issues that users eventually have from using them.

The reason for that is because a novice user will just blindly follow such a program's recommendations, and happily click away until their system has been turned into an expensive brick.

If either of those programs is used to scan and delete things that it says are not necessary, then you should navigate the program's software and look for a backup feature where those removed items would be stored. Using that feature, you should be able to restore those items. Once you have finished that, you should uninstall that program...unless you consider yourself something above the level of a novice. If that is the case, then you are fully aware that any such program's findings should be thoroughly investigated before you consider removing anything that it tells you "should be safe to remove".

Other than that, your log looks fine now. How's things on your end?

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#10 wizardatschool1

wizardatschool1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:02 PM

Posted 25 January 2010 - 02:23 PM

"My end" seems great, thanks.

Very kind of you to help out 1972vet, and thanks for your time.

If I ever have any sort of problems with my laptop again, I know where to turn.

Thank you to both bleepingcomputer and 1972vet


What do I do with the log files, the ComboFix and the quarantined items on my PC ?!

#11 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:02 AM

Posted 25 January 2010 - 03:34 PM

You did excellent work wizardatschool1...glad we could help!

Now you can delete these:
DDS
GMER
Ark.txt
Attach.txt

Next, please click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /Uninstall

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust (WOT) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

Install the WinPatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and its ease of use. Need help understanding something about WinPatrol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall
Zone Alarm
Outpost Free
Comodo. This download includes the HopSurf toolbar.
Beware

By installing this toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. If you DON'T WANT IT, be sure to remove the check from the box when presented during the installation. Don't be too alarmed by this caveat...I highly recommend this firewall, but it may just be best suited for advanced users.

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup:
("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!



#12 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:08:02 AM

Posted 25 January 2010 - 03:37 PM

This issue appears resolved and the thread is closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
