
Random Google Redirects to SearchThisSite


  • This topic is locked
12 replies to this topic

#1 Rook0316

  • Members
  • 29 posts

Posted 09 February 2010 - 05:30 PM

Recently I got an infection from visiting a website. I think it was due to either my Adobe Reader or Java being out of date. I have since updated both programs. When visiting the website now I do not get an infection.

I used a combination of Spybot and MBAM to remove the infections. When visiting Google sometimes my search results will be redirected to search results from SearchThisSite. From what I have been reading this is due to a possible rootkit infection.

GMER 1.0.15 had to be used in safe mode, as it would cause my computer to crash. DDS.scr was run under regular Windows.

Thank you in advance for any help you may provide.



DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Owner at 17:19:51.62 on Tue 02/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2551.1674 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Zune\ZuneLauncher.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech Touch Mouse Server\iTouch-Server-Win.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.slickdeals.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [OpenDNS Updater] "c:\program files\opendns updater\OpenDNSUpdater.exe" /autostart
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [OpenDNS Update] "c:\program files\opendns updater\OpenDNS Updater.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech touch mouse server\iTouch-Server-Win.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: microsoft.com
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {fe6fb53a-5553-4ed1-bc4f-66b634449c14} -
Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\avczhyo3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.slickdeals.net
FF - component: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\avczhyo3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\avczhyo3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {4B5C49C7-A320-487E-86F0-7A6F9957DC72} - c:\documents and settings\megan\local settings\application data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}
FF - HiddenExtension: XULRunner: {1B620418-8215-4CDD-8F7C-80D9B7928678} - c:\documents and settings\hp_owner\local settings\application data\{1B620418-8215-4CDD-8F7C-80D9B7928678}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-18 285392]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2010-1-12 3584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-9-7 10384]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-9-4 1589704]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-12-13 30152]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2008-1-28 384896]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [2009-9-7 2048]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1558000]
S2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-12-24 815104]
S4 21uoVK;21uoVK;c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s --> c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 ONS;ONS;c:\docume~1\hp_owner\locals~1\temp\ons.exe --> c:\docume~1\hp_owner\locals~1\temp\ONS.exe [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 wIAbIf;wIAbIf;c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s --> c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s [?]
S4 zemDfz;zemDfz;c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s --> c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s [?]

=============== Created Last 30 ================

2010-02-06 17:09:35 190 ----a-w- c:\documents and settings\hp_owner\defogger_reenable
2010-02-06 14:20:44 0 d-----w- c:\program files\TrendMicro
2010-02-03 13:41:30 90 ----a-w- c:\windows\wininit.ini
2010-02-03 03:06:54 0 ----a-w- c:\windows\system32\18467.exe
2010-02-03 01:06:16 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-02-03 01:06:16 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-02-03 01:06:15 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-02-03 01:06:15 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-02-03 01:05:06 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-02-03 01:05:06 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2010-02-03 01:05:05 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-02-03 01:05:04 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-02-03 01:04:55 0 d-----w- c:\windows\Logs
2010-02-03 01:02:13 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-02-03 01:02:13 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-02-03 01:02:11 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-02-03 01:01:02 0 d-----w- c:\windows\system32\xlive
2010-02-03 01:00:48 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-03 00:56:53 0 d-----w- c:\program files\Microsoft XNA
2010-02-03 00:48:17 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2010-02-03 00:47:59 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2010-02-03 00:47:04 0 d-----w- c:\windows\system32\RsFx
2010-02-03 00:33:54 0 d-----w- c:\program files\Microsoft SQL Server
2010-02-03 00:33:41 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-02-03 00:33:41 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-02 13:04:32 0 d-----w- c:\program files\Logitech Touch Mouse Server
2010-01-24 01:11:03 0 d-----w- c:\program files\common files\DirectX
2010-01-23 19:08:15 19160 ------w- c:\windows\system32\drivers\mbam.sys
2010-01-16 13:59:27 0 d-----w- c:\docume~1\hp_owner\applic~1\OpenDNS Updater
2010-01-13 07:50:44 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 01:17:59 34816 ----a-w- c:\windows\system32\DLPORTIO.dll
2010-01-13 01:17:58 722192 ----a-w- c:\windows\system32\VB40032.DLL
2010-01-13 01:17:58 3584 ----a-w- c:\windows\system32\drivers\DLPORTIO.sys
2010-01-13 01:17:58 27136 ----a-w- c:\windows\system32\drivers\Ctl3d32.dll
2010-01-13 01:17:58 0 d-----w- c:\program files\DLPortIO
2010-01-13 01:17:43 299520 ----a-w- c:\windows\uninst.exe

==================== Find3M ====================

2010-02-05 14:14:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 21:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys.bak
2010-01-07 19:38:18 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 19:38:10 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 19:22:02 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-01-03 17:34:10 55604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-28 22:28:29 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-12-28 22:28:29 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-14 23:29:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2005-03-22 17:10:14 0 --sha-w- c:\windows\sminst\HPCD.SYS
2008-12-24 12:30:32 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122420081225\index.dat

============= FINISH: 17:20:31.03 ===============
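The DDS log above already contains the entries a malware-removal helper would look at first: registered components whose file is gone ("No File"), Trusted Zone entries for domains other than Microsoft's, Firefox hidden extensions installed under a user's Local Settings\Application Data\{GUID} folder (the two XULRunner entries), and S4 services that start from the user's temp directory. As an added example that is not part of this thread and not code from the DDS or ComboFix tools, the following Python script applies those four checks to an excerpt of the posted log. The allowlist, the path heuristics and the category names are this script's own assumptions, not DDS semantics.

```python
"""Triage of DDS log lines for the indicators a malware-removal helper checks first.

Added example for this thread; it is not part of the original posts and not DDS or
ComboFix code. SAMPLE_LOG is excerpted from the DDS log posted above; the rules,
the allowlist and the path heuristics are this script's own assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the posted "Pseudo HJT Report", FIREFOX and SERVICES / DRIVERS sections.
SAMPLE_LOG = r"""
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
mRun: [KBD] c:\hp\kbd\KBD.EXE
Trusted Zone: microsoft.com
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-soft-download.com
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: XULRunner: {1B620418-8215-4CDD-8F7C-80D9B7928678} - c:\documents and settings\hp_owner\local settings\application data\{1B620418-8215-4CDD-8F7C-80D9B7928678}
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-9-4 1589704]
S4 ONS;ONS;c:\docume~1\hp_owner\locals~1\temp\ons.exe --> c:\docume~1\hp_owner\locals~1\temp\ONS.exe [?]
S4 21uoVK;21uoVK;c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s --> c:\docume~1\hp_owner\locals~1\temp\pcwizard\data\pcwizntl.exe -s [?]
"""

# Domains allowed in the IE Trusted Zone without a flag (an assumed policy for this
# example; the Trusted sites zone runs with reduced security settings).
TRUSTED_ZONE_ALLOWLIST = {"microsoft.com"}

# A user's temp directory; DDS prints both the long and the 8.3 (docume~1) form.
TEMP_PATH_RE = re.compile(r"\\(locals~1|local settings)\\temp\\", re.IGNORECASE)
# A Firefox extension living in Local Settings\Application Data\{GUID} instead of
# the Firefox profile or program directory.
LOCAL_APPDATA_EXT_RE = re.compile(
    r"\\local settings\\application data\\\{[0-9a-f-]{36}\}", re.IGNORECASE)
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.IGNORECASE)
# DDS service line: "<R|S><start type> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);([^;]*);(.+)$")
AUTORUN_RE = re.compile(r"^[um]Run:", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # short category used for counting
    reason: str  # why a human should look at this line
    line: str    # the log line as printed by DDS


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a review rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("No File"):
            findings.append(Finding("missing-file",
                                    "registered component whose file is gone", line))
            continue
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            domain = m.group(1).lower()
            if domain not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(Finding("trusted-zone",
                                        f"{domain} is in the IE Trusted Zone", line))
            continue
        if line.startswith("FF - HiddenExtension:") and LOCAL_APPDATA_EXT_RE.search(line):
            findings.append(Finding("hidden-extension",
                                    "Firefox extension loaded from Local Settings\\Application Data",
                                    line))
            continue
        m = SERVICE_RE.match(line)
        if m and TEMP_PATH_RE.search(m.group(3)):
            findings.append(Finding("temp-service",
                                    f"service {m.group(1)} starts from a temp directory", line))
            continue
        if AUTORUN_RE.match(line) and TEMP_PATH_RE.search(line):
            findings.append(Finding("temp-autorun",
                                    "autorun entry starts from a temp directory", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick overview of a long log."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run against the excerpt, the script flags seven lines: the two "No File" entries, the two non-Microsoft Trusted Zone domains, the XULRunner extension under Local Settings\Application Data, and the two S4 services launched from the temp folder. The Java Console hidden extension under Program Files and the UltraVNC service are left alone, which is the point of anchoring the rules on location rather than on the word "hidden". The categories only say where to look; whether a flagged file is malicious still has to be decided per file, as m0le does in the thread.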



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 February 2010 - 07:53 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Rook0316
  • Topic Starter

  • Members
  • 29 posts

Posted 15 February 2010 - 11:15 PM

m0le,

I am hanging tight. I have not made any changes to my system.

I thank you for your time.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 February 2010 - 07:31 AM

No rootkit showing on Gmer but the redirecting tells me different.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks
m0le is a proud member of UNITE

#5 Rook0316
  • Topic Starter

  • Members
  • 29 posts

Posted 16 February 2010 - 12:48 PM

m0le,

Thanks again for taking the time with this. I used to think I knew what I was doing to remove viruses and such from my computer.

You guys are awesome.

I was not sure if you wanted me to paste the log or attach it. So, I attached it.

The redirects only happen every few searches. It only happens on my desktop computer. I have a laptop and an iTouch that never get redirected. But I thought it may be worth mentioning I have a Netgear router with DD-WRT on it. I heard a while back there was some type of infection or security concern with DD-WRT. I do have the latest firmware on it and I do use OpenDNS at the router level.

As I said, not sure if that matters but thought it would be good info because of the redirecting.


#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 February 2010 - 04:59 PM

The router may need resetting but let's complete the clean-up so that we can see if that's needed.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\Rfecacuqewofehoc.bin
c:\windows\Sciwaken.dat


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks
m0le is a proud member of UNITE

#7 Rook0316
  • Topic Starter

  • Members
  • 29 posts

Posted 17 February 2010 - 08:59 AM

m0le,

Attached are the ComboFix and MBAM logs you requested.

Thanks again.


ComboFix 10-02-16.01 - HP_Owner 02/16/2010 20:07:33.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2551.1809 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Rfecacuqewofehoc.bin"
"c:\windows\Sciwaken.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Owner\Local Settings\Application Data\{1B620418-8215-4CDD-8F7C-80D9B7928678}
c:\documents and settings\HP_Owner\Local Settings\Application Data\{1B620418-8215-4CDD-8F7C-80D9B7928678}\chrome.manifest
c:\documents and settings\HP_Owner\Local Settings\Application Data\{1B620418-8215-4CDD-8F7C-80D9B7928678}\chrome\content\_cfg.js
c:\documents and settings\HP_Owner\Local Settings\Application Data\{1B620418-8215-4CDD-8F7C-80D9B7928678}\chrome\content\overlay.xul
c:\documents and settings\HP_Owner\Local Settings\Application Data\{1B620418-8215-4CDD-8F7C-80D9B7928678}\install.rdf
c:\documents and settings\Megan\Local Settings\Application Data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}
c:\documents and settings\Megan\Local Settings\Application Data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}\chrome.manifest
c:\documents and settings\Megan\Local Settings\Application Data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}\chrome\content\_cfg.js
c:\documents and settings\Megan\Local Settings\Application Data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}\chrome\content\overlay.xul
c:\documents and settings\Megan\Local Settings\Application Data\{4B5C49C7-A320-487E-86F0-7A6F9957DC72}\install.rdf
c:\windows\Rfecacuqewofehoc.bin
c:\windows\Sciwaken.dat

.
((((((((((((((((((((((((( Files Created from 2010-01-17 to 2010-02-17 )))))))))))))))))))))))))))))))
.

2010-02-16 17:25 . 2010-02-16 17:36 -------- d-----w- C:\Combo-Fix
2010-02-10 17:35 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-02-10 17:35 . 2009-09-04 22:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-02-10 17:35 . 2009-09-04 22:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2010-02-10 17:35 . 2009-09-04 22:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2010-02-10 17:35 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-02-10 17:35 . 2009-09-04 22:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2010-02-10 17:35 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-02-10 17:35 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2010-02-10 17:35 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2010-02-10 17:24 . 2010-02-10 17:25 -------- d-----w- c:\program files\Microsoft Xbox 360 SDK
2010-02-10 17:22 . 2010-02-10 17:22 73728 ----a-w- c:\windows\xuninst.exe
2010-02-10 00:14 . 2010-02-10 00:15 -------- d-----w- c:\program files\LiveUSB Creator
2010-02-06 14:20 . 2010-02-06 14:20 388096 ----a-r- c:\documents and settings\HP_Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-06 14:20 . 2010-02-06 14:20 -------- d-----w- c:\program files\TrendMicro
2010-02-06 01:38 . 2010-02-06 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-06 01:32 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\HP_Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-02-05 14:14 . 2010-02-05 14:14 503808 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a6e909f-n\msvcp71.dll
2010-02-05 14:14 . 2010-02-05 14:14 499712 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a6e909f-n\jmc.dll
2010-02-05 14:14 . 2010-02-05 14:14 348160 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5a6e909f-n\msvcr71.dll
2010-02-05 14:14 . 2010-02-05 14:14 61440 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-538b0bdd-n\decora-sse.dll
2010-02-05 14:14 . 2010-02-05 14:14 12800 ----a-w- c:\documents and settings\HP_Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-538b0bdd-n\decora-d3d.dll
2010-02-04 22:09 . 2010-02-04 22:09 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\IsolatedStorage
2010-02-03 01:39 . 2010-02-03 01:39 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\assembly
2010-02-03 01:06 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-02-03 01:06 . 2009-03-16 19:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-02-03 01:06 . 2009-03-16 19:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-02-03 01:06 . 2009-03-16 19:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-02-03 01:05 . 2008-05-30 19:19 507400 ----a-w- c:\windows\system32\XAudio2_1.dll
2010-02-03 01:05 . 2008-05-30 19:17 65032 ----a-w- c:\windows\system32\XAPOFX1_0.dll
2010-02-03 01:05 . 2008-05-30 19:17 25608 ----a-w- c:\windows\system32\X3DAudio1_4.dll
2010-02-03 01:05 . 2007-07-20 05:57 267112 ----a-w- c:\windows\system32\xactengine2_9.dll
2010-02-03 01:04 . 2010-02-03 01:04 -------- d-----w- c:\windows\Logs
2010-02-03 01:02 . 2008-03-05 20:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2010-02-03 01:02 . 2008-02-06 04:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2010-02-03 01:02 . 2008-03-05 20:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2010-02-03 01:01 . 2010-02-03 01:01 -------- d-----w- c:\windows\system32\xlive
2010-02-03 01:00 . 2010-02-03 01:00 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-03 00:56 . 2010-02-03 00:56 -------- d-----w- c:\program files\Microsoft XNA
2010-02-03 00:48 . 2008-07-11 00:28 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2010-02-03 00:47 . 2008-07-11 00:28 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2010-02-03 00:47 . 2010-02-03 00:47 -------- d-----w- c:\windows\system32\RsFx
2010-02-03 00:33 . 2010-02-03 00:47 -------- d-----w- c:\program files\Microsoft SQL Server
2010-02-03 00:33 . 2010-02-03 00:33 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-03 00:33 . 2010-02-03 00:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-03 00:32 . 2010-02-03 02:42 187328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
2010-02-03 00:32 . 2010-02-03 00:32 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2010-02-03 00:28 . 2010-02-03 00:30 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-03 00:28 . 2010-02-03 00:28 -------- d-----w- c:\program files\Microsoft SDKs
2010-02-02 13:04 . 2010-02-02 13:04 -------- d-----w- c:\program files\Logitech Touch Mouse Server
2010-01-31 15:42 . 2010-02-14 21:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\FileZilla
2010-01-31 15:41 . 2010-01-31 15:42 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-30 12:32 . 2010-01-30 12:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-27 13:31 . 2010-01-18 14:45 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-27 13:31 . 2010-01-18 14:45 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-24 01:11 . 2010-01-24 01:11 -------- d-----w- c:\program files\Common Files\DirectX
2010-01-23 19:08 . 2010-01-07 21:07 19160 ------w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-16 18:24 . 2009-10-27 13:05 0 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\prvlcl.dat
2010-02-16 01:20 . 2009-04-12 13:53 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-13 22:14 . 2009-09-04 19:10 -------- d-----w- c:\program files\Mozilla Thunderbird 3.0 Beta 3
2010-02-12 22:33 . 2009-09-06 15:33 1732608 ----a-w- c:\documents and settings\HP_Owner\Application Data\Xbins\xbinsftp.exe
2010-02-10 22:15 . 2008-12-24 20:54 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\uTorrent
2010-02-10 08:01 . 2007-08-01 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-06 02:27 . 2007-08-01 15:47 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\U3
2010-02-05 14:19 . 2004-10-22 00:27 -------- d-----w- c:\program files\Common Files\Java
2010-02-05 14:14 . 2008-12-24 11:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-05 14:10 . 2009-09-04 19:05 -------- d-----w- c:\program files\uTorrent
2010-02-05 13:52 . 2006-04-09 15:46 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-03 01:19 . 2006-01-22 18:26 73840 ----a-w- c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-03 00:45 . 2007-08-01 20:43 -------- d-----w- c:\program files\Microsoft.NET
2010-01-31 23:37 . 2009-04-12 15:17 -------- d-----w- c:\documents and settings\Madison\Application Data\Apple Computer
2010-01-31 23:37 . 2009-09-05 16:17 71416 ----a-w- c:\documents and settings\Madison\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-31 15:15 . 2007-11-25 16:38 -------- d-----w- c:\program files\Zune
2010-01-30 12:28 . 2008-12-24 20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 00:12 . 2008-12-26 20:22 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 22:44 . 2009-11-12 12:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\abgx360
2010-01-16 14:43 . 2009-04-12 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-16 14:43 . 2008-12-24 19:25 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\ZoomBrowser EX
2010-01-16 14:00 . 2010-01-16 13:59 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\OpenDNS Updater
2010-01-16 13:59 . 2008-12-26 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\OpenDNS Updater
2010-01-16 13:59 . 2008-12-26 19:44 -------- d-----w- c:\program files\OpenDNS Updater
2010-01-13 01:17 . 2010-01-13 01:17 -------- d-----w- c:\program files\DLPortIO
2010-01-11 21:07 . 2008-12-24 20:58 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-09 16:32 . 2010-01-09 16:32 -------- d-----w- c:\program files\Microsoft Games
2010-01-07 21:07 . 2008-12-24 20:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-12-24 20:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys.bak
2010-01-07 19:38 . 2010-01-07 19:38 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
2010-01-07 19:38 . 2010-01-07 19:38 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
2010-01-07 19:22 . 2009-09-02 04:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
2010-01-07 00:49 . 2009-12-28 02:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-04 23:00 . 2009-09-23 23:17 -------- d-----w- c:\program files\TagScanner
2010-01-03 17:34 . 2010-01-03 17:34 55604 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50 . 2006-01-22 18:55 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 22:28 . 2009-12-28 22:28 6656 ----a-w- c:\windows\system32\haspvdd.dll
2009-12-28 22:28 . 2009-12-28 22:28 47616 ----a-w- c:\windows\system32\drivers\Haspnt.sys
2009-12-28 22:28 . 2009-12-28 22:28 383 ----a-w- c:\windows\system32\haspdos.sys
2009-12-28 22:28 . 2009-12-28 22:28 -------- d-----w- c:\program files\Common Files\ALLDATA Shared
2009-12-28 22:27 . 2004-10-22 01:46 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-26 16:37 . 2006-01-22 20:07 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Apple Computer
2009-12-26 16:35 . 2009-10-25 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-24 19:07 . 2009-12-22 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-23 01:47 . 2009-12-23 01:46 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\SteelBytes
2009-12-22 01:05 . 2009-12-22 01:05 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-12-22 01:02 . 2009-12-22 01:02 -------- d-----w- c:\program files\LightScribe Diagnostic Utility
2009-12-21 21:50 . 2006-01-22 20:03 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-12-21 19:14 . 2006-01-22 18:55 916480 ------w- c:\windows\system32\wininet.dll
2009-12-20 05:39 . 2009-12-20 05:39 1025 ----a-w- c:\windows\system32\sysprs7.dll
2009-12-20 05:39 . 2009-12-20 05:39 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-12-20 05:39 . 2009-12-20 05:39 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-12-20 05:39 . 2009-12-20 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2009-12-19 18:31 . 2009-12-19 12:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-19 13:05 . 2009-12-19 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-16 18:43 . 2006-01-22 18:54 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-01-22 18:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2006-01-22 18:54 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 05:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-01-22 18:54 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 23:39 . 2009-04-12 15:02 1 ----a-w- c:\documents and settings\HP_Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-27 17:11 . 2006-01-22 18:55 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 07:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-01-22 18:54 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 05:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-01-22 18:54 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2006-01-22 18:42 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 07:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-25 18:45 . 2009-11-25 18:45 593920 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv305hw-0910190-0-main.dll
2009-11-25 18:45 . 2009-11-25 18:45 319488 ----a-w- c:\documents and settings\HP_Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-11-21 15:51 . 2006-01-22 18:42 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-22 17:10 . 2006-01-22 19:42 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2009-11-16 839168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Logitech Touch Mouse Server.lnk - c:\program files\Logitech Touch Mouse Server\iTouch-Server-Win.exe [2009-10-23 228352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-7 813584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:05 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
2008-05-07 22:13 2245984 ----a-w- c:\program files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\Mozilla Thunderbird 3.0 Beta 3\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\HP_Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2008 9:30 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/23/2008 9:30 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/18/2009 12:05 PM 285392]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [1/12/2010 8:17 PM 3584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/7/2009 8:32 PM 10384]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [9/4/2009 6:26 AM 1589704]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/13/2009 11:27 AM 30152]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [1/28/2008 10:44 PM 384896]
R3 portio32;portio32;c:\windows\system32\drivers\portio32.sys [9/7/2009 11:49 AM 2048]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1558000]
S2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run --> c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run [?]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [12/24/2008 2:52 PM 815104]
S4 21uoVK;21uoVK;c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s --> c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 ONS;ONS;c:\docume~1\HP_Owner\LOCALS~1\Temp\ONS.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\ONS.exe [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2007 2:40 PM 685816]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
S4 wIAbIf;wIAbIf;c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s --> c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s [?]
S4 zemDfz;zemDfz;c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s --> c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SR

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 19:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-02-14 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2009-12-02 17:37]

2010-02-17 c:\windows\Tasks\User_Feed_Synchronization-{3F11B035-9E4D-4A35-BE51-B6168E0F8192}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.slickdeals.net/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: is-soft-download.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: microsoft.com
Trusted Zone: buy-internet-security10.com
Trusted Zone: buy-internetsecurity10.com
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\avczhyo3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.slickdeals.net
FF - component: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\avczhyo3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\avczhyo3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:db,b2,02,1e,40,ed,12,60,be,91,7b,c2,0b,31,3f,c1,29,67,f6,d5,74,
fe,1c,f8,d5,d4,d8,28,87,05,11,8b,ce,5c,c5,3c,4e,ce,a4,83,db,76,0d,f8,7d,1a,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:db,b2,02,1e,40,ed,12,60,be,91,7b,c2,0b,31,3f,c1,29,67,f6,d5,74,
fe,1c,f8,d5,d4,d8,28,87,05,11,8b,ce,5c,c5,3c,4e,ce,a4,83,db,76,0d,f8,7d,1a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-02-16 20:13:31
ComboFix-quarantined-files.txt 2010-02-17 01:13
ComboFix2.txt 2010-02-16 17:36

Pre-Run: 62,156,906,496 bytes free
Post-Run: 62,137,675,776 bytes free

- - End Of File - - 2D4338F2AC5DC670074747C528386A6B




Malwarebytes' Anti-Malware 1.44
Database version: 3748
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/17/2010 8:51:09 AM
mbam-log-2010-02-17 (08-51-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 420455
Time elapsed: 1 hour(s), 32 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
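
An added triage helper, not part of the thread and not one of the tools used in it: a small Python script that applies three checks a responder typically makes by eye on a ComboFix log of the kind posted above. It flags Run values that give only a bare file name (resolved through the search path at logon; often legitimate OEM components, so this is a review list rather than a verdict), services whose image path sits in a user's Temp directory, and IE Trusted Zone domains the user is not known to have added (a Trusted Zone entry lowers IE's security settings for that site). The sample log is a constructed excerpt whose lines are copied in shape from the ComboFix output above, and the Trusted Zone allowlist is an assumption made for the example.

```python
"""Triage helpers for a ComboFix log (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed excerpt: lines copied in shape from the ComboFix log posted
# above, trimmed to the three record types the helpers look at.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-30 88363]

R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [9/4/2009 6:26 AM 1589704]
S4 21uoVK;21uoVK;c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s --> c:\docume~1\HP_Owner\LOCALS~1\Temp\PCWizard\Data\pcwizntl.exe -s [?]
S4 ONS;ONS;c:\docume~1\HP_Owner\LOCALS~1\Temp\ONS.exe --> c:\docume~1\HP_Owner\LOCALS~1\Temp\ONS.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/1/2007 2:40 PM 685816]

uStart Page = hxxp://www.slickdeals.net/
Trusted Zone: buy-internet-security10.com
Trusted Zone: is-software-download25.com
Trusted Zone: microsoft.com
Trusted Zone: buy-internet-security10.com
"""

# Assumption: domains the analyst has confirmed the user added on purpose.
TRUSTED_ZONE_ALLOWLIST = {"microsoft.com"}

# Per-user Temp directory in both the 8.3 and the long form ComboFix prints.
TEMP_DIR_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)")


def run_entries_without_path(log: str) -> List[str]:
    """Names of Run values whose command is a bare file name (no directory)."""
    names, in_run_key = [], False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.lower().endswith("\\run]"):
            in_run_key = True          # entering a ...\CurrentVersion\Run key
            continue
        if not stripped:
            in_run_key = False         # ComboFix ends each key with a blank line
            continue
        if not in_run_key:
            continue
        m = RUN_VALUE_RE.match(stripped)
        if m and "\\" not in m.group(2):
            names.append(m.group(1))
    return names


def services_from_temp(log: str) -> List[str]:
    """Service names whose image path lies in a user's Temp directory."""
    names = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        # Some entries repeat the command after ' --> '; the first copy is enough.
        image_path = m.group(4).split(" --> ")[0]
        if TEMP_DIR_RE.search(image_path):
            names.append(m.group(2))
    return names


def suspect_trusted_zones(log: str) -> List[str]:
    """Unique Trusted Zone domains not on the allowlist, in order of first appearance."""
    seen, suspects = set(), []
    for line in log.splitlines():
        m = TRUSTED_ZONE_RE.match(line.strip())
        if not m:
            continue
        domain = m.group(1).lower()
        if domain in seen or domain in TRUSTED_ZONE_ALLOWLIST:
            continue
        seen.add(domain)
        suspects.append(domain)
    return suspects


def triage(log: str) -> Dict[str, List[str]]:
    """Run the three checks and return their findings keyed by check name."""
    return {
        "run_no_path": run_entries_without_path(log),
        "services_in_temp": services_from_temp(log),
        "trusted_zones": suspect_trusted_zones(log),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

Run against a full log, the output is a starting list for the responder, not a removal script: a bare-name Run entry is confirmed or cleared by locating the file and checking its publisher, a Temp-resident service by looking at the file itself, and an unexpected Trusted Zone domain by asking the user whether they added it.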



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:57 AM

Posted 17 February 2010 - 02:24 PM

Okay, that's looking very good. Let's just check for remnants with ESET.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

m0le is a proud member of UNITE

#9 Rook0316

Rook0316
  • Topic Starter

  • Members
  • 29 posts
  • Local time:10:57 PM

Posted 18 February 2010 - 07:25 AM

m0le,

Here are the contents of the ESET Online Scan logs. I had to interrupt the first scan. I did however run a scan to completion afterwards. I included both scan logs.

Thanks again.

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:57 AM

Posted 18 February 2010 - 07:30 AM

Quite a few entries, but most in system restore or the Java cache (in other words, in a dormant folder). However, ESET removed them anyway which means...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Rook0316, happy surfing!

Cheers.

m0le
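The thread above traces the infection to an out-of-date Adobe Reader or Java, and the advice is to keep such applications patched. As an added example, not part of the thread and not a tool m0le recommends, the following PowerShell snippet lists the installed versions of a watch list of applications by reading the Windows Uninstall registry keys, so they can be compared against the vendors' current releases. The watch list names (Java, Adobe Reader and a few other commonly exploited plug-ins) and the function name are assumptions chosen for this thread.

```powershell
# Added example, not from the BleepingComputer thread or any tool it names.
# Lists installed applications whose names match a watch list, with the version
# recorded in the Windows Uninstall registry keys, so each version can be checked
# against the vendor's current release. Run from a PowerShell prompt.

# Uninstall keys: native installs, 32-bit installs on 64-bit Windows
# (Wow6432Node), and per-user installs under HKCU.
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed watch list: the two products the poster suspected (Java, Adobe Reader)
# plus other browser plug-ins that were common drive-by targets. Adjust as needed.
$WatchList = @('Java', 'Adobe Reader', 'Adobe Acrobat', 'Flash Player', 'Shockwave')

function Get-WatchedApplication {
    param([string[]]$Pattern)

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            # Keep the entry if any watch-list pattern appears in its display name.
            $name = $_.DisplayName
            @($Pattern | Where-Object { $name -like "*$_*" }).Count -gt 0
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName, DisplayVersion
}

# Print one row per matching product, oldest version first within each name.
Get-WatchedApplication -Pattern $WatchList | Format-Table -AutoSize
```

Two things to look for in the output: a version older than the vendor's current release, which is the gap the thread's advice is about, and several Java entries side by side, which usually means earlier Java updates were left installed alongside the current one and should be uninstalled, since an exploit can target the old runtime as long as it is still present.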

#11 Rook0316

  • Topic Starter
  • Members
  • 29 posts

Posted 18 February 2010 - 08:28 AM

m0le,

Thanks once more for your help. This is awesome that you provide your time to do this.

In a couple of weeks I think I will take you guys up on the training program you offer so I can pay it forward.

Thanks again.

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 18 February 2010 - 08:38 AM

I would recommend that you try to apply now if you are looking to start in a few weeks. These are busy places at the moment.

Here is a list of "schools", all of which UNITE and I recommend for malware removal training.

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 22 February 2010 - 08:46 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
