
Antivirus Plus & Internet Connection Not Working



#1 IAmMonkeyManDan


Posted 17 February 2010 - 02:13 PM

Hi,

I'm trying to get my brother's laptop fixed. About 2 months ago his laptop was infected with Windows Antivirus 2009 and a Google redirect. I followed the guide on this site to remove Windows Antivirus 2009 with MalwareBytes Anti-Malware. This appeared to have taken care of the Antivirus 2009 and the Google redirect.

Since then, he claims he didn't download anything suspicious. Now when Windows loads, there are multiple popups from Antivirus Plus. It also appears that MalwareBytes has been removed or blocked by the virus, because it no longer shows up as being installed and the Program Files directory only contains a link. I can't test if the Google redirect problem came back because the laptop won't connect to the internet. I can get a wireless connection fine, but it times out when trying to load any webpage.

Thanks in advance for any help you can provide.
-Dan


DDS (Ver_09-12-01.01) - NTFSx86
Run by Tony at 11:29:27.78 on Wed 02/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.117 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Tony\Desktop\antivirus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: {aa41b620-d672-4a0d-925e-cd4e9d0f4566} - vehoyibe.dll
BHO: Antivirus Plus BHO: {c2b5aab8-2183-4be7-81a6-f11493c45872} - c:\documents and settings\tony\application data\antivirus plus\AntiVirus Plus.70367200.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\tony\application data\antivirus plus\AntiVirus Plus.70367200.dll", start 70367200
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Mfucawubi] rundll32.exe "c:\windows\okaleqay.dll",Startup
mRun: [feyizubij] Rundll32.exe "c:\windows\system32\bupodaze.dll",a
mRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\tony\application data\antivirus plus\AntiVirus Plus.70367200.dll", start 70367200
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\eo94p.exe
StartupFolder: c:\docume~1\tony\startm~1\programs\startup\antivi~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\antivi~1.lnk - c:\windows\system32\rundll32.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {666788D1-83BB-486E-905A-ED9DF4B3D150} = 193.104.110.38,4.2.2.1,68.87.72.134 68.87.77.134
TCP: {FEF7448C-EB2C-4493-B482-B95D49D2C481} = 193.104.110.38,4.2.2.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\kbdsock.dll vofomupo.dll c:\windows\system32\tukuhegu.dll tuhakese.dll c:\windows\system32\tutolute.dll c:\windows\system32\jejegefo.dll c:\windows\system32\bupodaze.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yukelekut - {488740b0-3e13-4180-a20d-0f8ade7cb5c8} - c:\windows\system32\tukuhegu.dll
SSODL: nuwaberab - {0ad0ad48-074a-4e8e-b364-3f202bbc9049} - c:\windows\system32\tutolute.dll
SSODL: wedegupiy - {85b3d194-7535-4034-b18c-57effb6f9783} - c:\windows\system32\jejegefo.dll
SSODL: nalevugiy - {56475628-a528-4081-a868-af8b25b13531} - c:\windows\system32\bupodaze.dll
STS: kupuhivus: {488740b0-3e13-4180-a20d-0f8ade7cb5c8} - c:\windows\system32\tukuhegu.dll
STS: kupuhivus: {0ad0ad48-074a-4e8e-b364-3f202bbc9049} - c:\windows\system32\tutolute.dll
STS: mujuzedij: {85b3d194-7535-4034-b18c-57effb6f9783} - c:\windows\system32\jejegefo.dll
STS: tokatiluy: {56475628-a528-4081-a868-af8b25b13531} - c:\windows\system32\bupodaze.dll
LSA: Notification Packages = scecli nokovuwi.dll watebebo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tony\applic~1\mozilla\firefox\profiles\cpfsu2t2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XULRunner: {8B7D8001-BA7E-4798-BAFA-308BB636E3C5} - c:\documents and settings\tony\local settings\application data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-27 64288]
S0 hflezxp;hflezxp; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]

=============== Created Last 30 ================

2010-02-17 17:27:45 0 ----a-w- c:\documents and settings\tony\defogger_reenable
2010-02-17 17:23:29 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-02-17 17:23:29 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-02-11 08:06:31 1057288 ----a-w- c:\program files\wpp.exe
2010-02-11 08:06:31 1 --sh--w- c:\windows\system32\gojimota.dll
2010-01-28 00:41:44 0 d-----w- c:\docume~1\tony\applic~1\MSNInstaller
2010-01-28 00:25:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 21:54:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 21:50:35 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 21:50:01 0 d-----w- c:\program files\Lavasoft

==================== Find3M ====================

2010-01-31 04:54:20 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-16 21:39:50 2713 --sh--w- c:\windows\system32\pihimage.exe
2010-01-16 21:39:50 2713 --sh--w- c:\windows\system32\fugafizu.dll
2010-01-15 15:44:51 238080 ----a-w- c:\windows\system32\nevorefa.exe
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\bupodaze.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\fifarovu.dll
1601-01-01 00:03:28 114176 --sha-w- c:\windows\system32\fowopehe.exe
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\layutasa.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\lewowesa.dll
1601-01-01 00:03:28 91136 --sha-w- c:\windows\system32\motatuwo.exe
1601-01-01 00:03:28 45056 --sha-w- c:\windows\system32\rodibuhi.dll
1601-01-01 00:03:28 45056 --sha-w- c:\windows\system32\rogavove.dll
1601-01-01 00:03:28 66560 --sha-w- c:\windows\system32\sisetobu.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\tuhakese.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\vekakuje.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\watebebo.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\yebukobe.dll
1601-01-01 00:03:28 44032 --sha-w- c:\windows\system32\yerofata.dll

============= FINISH: 11:32:28.04 ===============
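The DDS log above shows every persistence point this rogue AV used at once: Run keys that hand rundll32 a DLL with a generated name, a populated AppInit_DLLs value, SSODL/SharedTaskScheduler CLSIDs, extra LSA notification packages, Explorer/System policies that disable Task Manager and regedit, a per-interface NameServer list whose first entry (193.104.110.38) is not one of the ISP's resolvers (which explains the "connects but times out" symptom), and Find3M entries stamped 1601-01-01, which is FILETIME zero, i.e. a wiped timestamp. The Python script below is an added example, not part of the original post, of DDS or of any BleepingComputer tool; it runs those checks over a constructed excerpt of the log. The resolver allow-list, the lockdown-policy list and the consonant/vowel naming heuristic are assumptions made for the example, tuned to the names this family used.

```python
import re
from collections import defaultdict

# Constructed excerpt in DDS "Pseudo HJT Report" / Find3M format, copied from
# the log above (the Java BHO line is reworded to plain ASCII).
SAMPLE_DDS = r"""
BHO: {aa41b620-d672-4a0d-925e-cd4e9d0f4566} - vehoyibe.dll
BHO: Java(TM) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mfucawubi] rundll32.exe "c:\windows\okaleqay.dll",Startup
mRun: [feyizubij] Rundll32.exe "c:\windows\system32\bupodaze.dll",a
dRun: [ygua8e7yhuiesfha876yfauy8fe] c:\windows\temp\eo94p.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
TCP: {666788D1-83BB-486E-905A-ED9DF4B3D150} = 193.104.110.38,4.2.2.1,68.87.72.134 68.87.77.134
AppInit_DLLs: c:\windows\system32\kbdsock.dll vofomupo.dll c:\windows\system32\tukuhegu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yukelekut - {488740b0-3e13-4180-a20d-0f8ade7cb5c8} - c:\windows\system32\tukuhegu.dll
LSA: Notification Packages = scecli nokovuwi.dll watebebo.dll
2010-01-31 04:54:20 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\bupodaze.dll
1601-01-01 00:03:28 45056 --sha-w- c:\windows\system32\rogavove.dll
"""

# Assumption for the example: the resolvers this machine should be using.
# 4.2.2.1 is Level 3's public resolver; the 68.87.x pair are the Comcast
# resolvers that appear in the log.
KNOWN_RESOLVERS = {"4.2.2.1", "68.87.72.134", "68.87.77.134"}

# Policies a rogue AV sets to keep the user out of Task Manager and regedit.
LOCKDOWN_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}

# Heuristic (assumption): this family names its modules with 6-10 letters of
# strictly alternating consonant/vowel (bupodaze, okaleqay, ...). System
# binaries such as igfxpers.exe or ctfmon.exe do not fit the pattern.
CONS, VOW = "[b-df-hj-np-tv-z]", "[aeiou]"
RANDOM_STEM = re.compile(rf"^(?:{CONS}{VOW}){{3,5}}$|^(?:{VOW}{CONS}){{3,5}}$")

# A full Windows path (up to the next space, quote or comma) or a bare module name.
MODULE_RE = re.compile(r"[a-z]:\\[^\s\",]+|\b[a-z0-9_]+\.(?:dll|exe)\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def looks_random(name):
    stem, _, ext = name.rpartition(".")
    return ext in ("dll", "exe") and RANDOM_STEM.match(stem) is not None


def triage(dds_text):
    """Return (rule, evidence) pairs for every suspicious line of a DDS log."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()

        # 1. Any module with a generated-looking name, wherever it is referenced.
        for mod in MODULE_RE.findall(line):
            if looks_random(basename(mod)):
                findings.append(("random-name", mod))

        # 2. AppInit_DLLs is loaded into every process that maps user32.dll;
        #    on a clean XP install the value is empty.
        if key == "AppInit_DLLs" and rest:
            findings.append(("appinit", rest))
        # 3. LSA notification packages see the plaintext password on every
        #    change; scecli is the only default entry.
        elif key == "LSA":
            for pkg in rest.split("=", 1)[-1].split():
                if pkg.lower() != "scecli":
                    findings.append(("lsa-package", pkg))
        # 4. Explorer/System policies that lock the user out of their own tools.
        elif key.endswith("Policies-explorer") or key.endswith("Policies-system"):
            name = rest.split("=", 1)[0].strip()
            if name in LOCKDOWN_POLICIES:
                findings.append(("lockdown-policy", name))
        # 5. A per-interface NameServer list with a resolver we do not expect.
        elif key == "TCP":
            for ip in IPV4_RE.findall(rest):
                if ip not in KNOWN_RESOLVERS:
                    findings.append(("dns-hijack", ip))
        # 6. Run entries that start something out of a temp directory.
        elif key.endswith("Run") and re.search(r"\\temp\\", rest, re.I):
            findings.append(("temp-autorun", rest))

        # 7. 1601-01-01 is FILETIME zero: the file's timestamp was wiped.
        if line.startswith("1601-01-01"):
            path = re.search(r"[a-z]:\\.*", line, re.I)
            findings.append(("zero-timestamp", path.group(0) if path else line))
    return findings


def summarize(findings):
    """Group evidence by rule so the report reads like a checklist."""
    grouped = defaultdict(set)
    for rule, evidence in findings:
        grouped[rule].add(evidence)
    return {rule: sorted(items) for rule, items in grouped.items()}


if __name__ == "__main__":
    for rule, items in summarize(triage(SAMPLE_DDS)).items():
        print(f"{rule}:")
        for item in items:
            print(f"    {item}")
```

Two caveats a practitioner would add. A name or timestamp rule says nothing about a legitimate file patched in place, such as the atapi.sys in this log that ComboFix later reports as infected; that needs a hash comparison against a known-good copy from the service pack. And the NameServer check is only as good as the allow-list: on a machine that uses its router as the resolver, compare against the DHCP-assigned address, not a public one.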


#2 maranatha (Malware Response Team)

Posted 18 February 2010 - 11:08 PM

Hi MonkeyManDan
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Download ComboFix from Here

Before saving it, rename it to Mobofcix.exe, then download it to your Desktop.

Please run it this way.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.


You may need to download it on a clean computer and transfer it via a Flash Drive / USB Stick.

Thanks
maranatha


#3 IAmMonkeyManDan (Topic Starter)

Posted 19 February 2010 - 09:28 AM

I ran ComboFix and installed the Recovery Console when prompted (my internet connection decided to start working again luckily). None of the AntiVirus Plus popups come up anymore!

After rebooting, while ComboFix was preparing the log, 3 separate error messages popped up with the title "RUNDLL". However, I restarted the laptop myself after everything was finished and those errors don't pop up again.

RUNDLL errors:
Error loading c:\windows\system32\bupodaze.dll The specified module could not be found
Error loading c:\WINDOWS\okaleqay.dll The specified module could not be found
Error loading watebebo.dll The specified module could not be found

And here's the ComboFix log:

ComboFix 10-02-18.09 - Tony 02/19/2010 8:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.175 [GMT -6:00]
Running from: c:\documents and settings\Tony\Desktop\antivirus\Mobofcix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\All Users\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\documents and settings\Tony\Application Data\AntiVirus Plus
c:\documents and settings\Tony\Application Data\AntiVirus Plus\AntiVirus Plus.70367200.dll
c:\documents and settings\Tony\Application Data\avp.ico
c:\documents and settings\Tony\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk
c:\documents and settings\Tony\Desktop\AntiVirus Plus.lnk
c:\documents and settings\Tony\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\Tony\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\Tony\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\Tony\Start Menu\Programs\Startup\AntiVirus Plus.lnk
c:\windows\acapetiy.dll
c:\windows\okaleqay.dll
c:\windows\system32\18467.exe
c:\windows\system32\bupodaze.dll
c:\windows\system32\fifarovu.dll
c:\windows\system32\fowopehe.exe
c:\windows\system32\fugafizu.dll
c:\windows\system32\gojimota.dll
c:\windows\system32\layutasa.dll
c:\windows\system32\lewowesa.dll
c:\windows\system32\motatuwo.exe
c:\windows\system32\nevorefa.exe
c:\windows\system32\pihimage.exe
c:\windows\system32\rodibuhi.dll
c:\windows\system32\tuhakese.dll
c:\windows\system32\twain_32.dll
c:\windows\system32\vekakuje.dll
c:\windows\system32\watebebo.dll
c:\windows\system32\yebukobe.dll
c:\windows\system32\yerofata.dll
c:\windows\Tasks\xlkrcehi.job
c:\windows\Temp\tmp3.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
hxxp://85.12.18.120
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS


((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
.

2010-02-17 17:23 . 2008-04-14 06:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-02-17 17:23 . 2008-04-14 06:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-02-17 13:38 . 2010-02-17 13:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-02-11 08:06 . 2010-02-11 08:06 1057288 ----a-w- c:\program files\wpp.exe
2010-01-28 00:41 . 2010-01-28 00:41 -------- d-----w- c:\documents and settings\Tony\Application Data\MSNInstaller
2010-01-28 00:25 . 2010-01-27 21:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 21:54 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 21:53 . 2010-01-27 21:53 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 21:53 . 2010-01-27 21:53 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 21:53 . 2010-01-27 21:53 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 21:53 . 2010-01-27 21:53 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 21:53 . 2010-01-27 21:53 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 21:53 . 2010-01-27 21:53 389272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-27 21:53 . 2010-01-27 21:53 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 21:53 . 2010-01-27 21:53 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 21:52 . 2010-01-27 21:52 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 21:52 . 2010-01-27 21:52 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 21:52 . 2010-01-27 21:52 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 21:52 . 2010-01-27 21:52 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 21:51 . 2010-01-27 21:52 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-27 21:51 . 2010-01-27 21:51 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 21:51 . 2010-01-27 21:51 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-27 21:51 . 2010-01-27 21:51 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 21:51 . 2010-01-27 21:51 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-27 21:51 . 2010-01-27 21:51 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-27 21:50 . 2010-01-27 21:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 21:50 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-27 21:50 . 2010-01-27 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 21:50 . 2010-01-27 21:50 -------- d-----w- c:\program files\Lavasoft
2010-01-26 00:50 . 2010-01-26 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-26 00:49 . 2010-01-26 00:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 13:27 . 2009-12-29 06:59 0 ----a-w- c:\windows\Ffusulu.bin
2010-02-16 16:14 . 2009-12-29 06:59 120 ----a-w- c:\windows\Bpucuyosegefi.dat
2010-02-10 07:47 . 2009-10-20 08:26 -------- d-----w- c:\documents and settings\Tony\Application Data\vlc
2010-01-31 04:54 . 2008-04-13 23:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-28 01:33 . 2010-01-02 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 02:38 . 2009-10-24 00:46 -------- d-----w- c:\documents and settings\Tony\Application Data\dvdcss
2010-01-16 21:59 . 2009-04-29 00:23 -------- d-----w- c:\documents and settings\Tony\Application Data\uTorrent
2010-01-02 22:51 . 2009-12-31 18:00 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-01-02 22:51 . 2009-12-31 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 18:38 . 2009-12-31 18:38 -------- d-----w- c:\program files\Alwil Software
2009-12-31 18:00 . 2009-12-31 18:00 -------- d-----w- c:\program files\support.com
2009-12-27 08:53 . 2009-12-27 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-27 08:52 . 2009-04-28 18:31 46336 ----a-w- c:\documents and settings\Tony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 23:29 . 2009-05-01 01:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-26 23:18 . 2009-12-26 23:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-24 08:21 . 2009-05-01 00:52 -------- d-----w- c:\documents and settings\Tony\Application Data\U3
2009-12-11 08:28 . 2009-12-11 08:28 79488 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
1601-01-01 00:03 . 1601-01-01 00:03 45056 --sha-w- c:\windows\system32\rogavove.dll
1601-01-01 00:03 . 1601-01-01 00:03 66560 --sha-w- c:\windows\system32\sisetobu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-04-12 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 88358]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:54 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
S0 hflezxp;hflezxp; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:51]

2010-02-19 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:51]

2010-02-19 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:51]

2010-02-19 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:51]

2010-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 21:51]

2010-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {666788D1-83BB-486E-905A-ED9DF4B3D150} = 193.104.110.38,4.2.2.1,68.87.72.134 68.87.77.134
TCP: {FEF7448C-EB2C-4493-B482-B95D49D2C481} = 193.104.110.38,4.2.2.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\cpfsu2t2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XULRunner: {8B7D8001-BA7E-4798-BAFA-308BB636E3C5} - c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}
.
- - - - ORPHANS REMOVED - - - -

BHO-{aa41b620-d672-4a0d-925e-cd4e9d0f4566} - yebukobe.dll
BHO-{C2B5AAB8-2183-4be7-81A6-F11493C45872} - c:\documents and settings\Tony\Application Data\AntiVirus Plus\AntiVirus Plus.70367200.dll
HKLM-Run-Mfucawubi - c:\windows\okaleqay.dll
HKLM-Run-feyizubij - c:\windows\system32\bupodaze.dll
HKLM-Run-gowiluzowa - watebebo.dll
SharedTaskScheduler-{488740b0-3e13-4180-a20d-0f8ade7cb5c8} - c:\windows\system32\tukuhegu.dll
SharedTaskScheduler-{0ad0ad48-074a-4e8e-b364-3f202bbc9049} - c:\windows\system32\tutolute.dll
SharedTaskScheduler-{85b3d194-7535-4034-b18c-57effb6f9783} - c:\windows\system32\jejegefo.dll
SharedTaskScheduler-{56475628-a528-4081-a868-af8b25b13531} - c:\windows\system32\bupodaze.dll
SSODL-yukelekut-{488740b0-3e13-4180-a20d-0f8ade7cb5c8} - c:\windows\system32\tukuhegu.dll
SSODL-nuwaberab-{0ad0ad48-074a-4e8e-b364-3f202bbc9049} - c:\windows\system32\tutolute.dll
SSODL-wedegupiy-{85b3d194-7535-4034-b18c-57effb6f9783} - c:\windows\system32\jejegefo.dll
SSODL-nalevugiy-{56475628-a528-4081-a868-af8b25b13531} - c:\windows\system32\bupodaze.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-19 08:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-19 08:18:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-19 14:18

Pre-Run: 74,579,021,824 bytes free
Post-Run: 75,098,222,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6CC327D3CE716E6AAEE3BD46B4F68691


#4 maranatha (Malware Response Team)

Posted 19 February 2010 - 10:57 PM

Hi
OK please do the following in the order given.

I see you don't have an Anti-Virus program installed; this is a must have.
Please download and install, update, and run a full scan of your computer with one (1) of these free Anti-Virus programs.

AVGFree
Avast
Avira

Now do this.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
    • c:\program files\wpp.exe
  • Click on the submit button
  • Please post the results in your next reply.
Now this please.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::
File::
c:\windows\Ffusulu.bin
c:\windows\Bpucuyosegefi.dat
c:\windows\system32\rogavove.dll
c:\windows\system32\sisetobu.dll
Driver::
hflezxp


Please post the Jotti results and the Combofix log.

Thanks
maranatha

Also please read this.

I see you have P2P software (Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections. See here and here

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them.

Edited by maranatha, 20 February 2010 - 12:28 PM.
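The ComboFix log in post #3 and the CFScript in post #4 are the two halves of the standard loop: check what the first pass actually deleted against what the DDS log flagged, then script the leftovers. Here that leaves rogavove.dll and sisetobu.dll (still present in ComboFix's own Find3M section), wpp.exe (never touched), and the driver entry hflezxp whose image ComboFix prints as `[x]`, i.e. missing. The Python script below is an added example, not part of the thread, of ComboFix or of DDS; its two inputs are constructed excerpts of the logs above, and it emits only the KillAll::, File:: and Driver:: directives that appear on this page.

```python
import re

# Constructed input 1: modules the DDS log in post #1 flagged (a subset; the
# BHO's vehoyibe.dll was logged without a path, as in the original).
DDS_SUSPECT = r"""
c:\program files\wpp.exe
c:\windows\okaleqay.dll
c:\windows\system32\bupodaze.dll
c:\windows\system32\fifarovu.dll
c:\windows\system32\rogavove.dll
c:\windows\system32\sisetobu.dll
c:\windows\system32\tuhakese.dll
c:\windows\system32\watebebo.dll
vehoyibe.dll
"""

# Constructed input 2: excerpt of the ComboFix log from post #3, in the format
# ComboFix prints (section banners, deletions, 'failed to delete', services).
COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\windows\okaleqay.dll
c:\windows\system32\bupodaze.dll
c:\windows\system32\fifarovu.dll
c:\windows\system32\tuhakese.dll
c:\windows\system32\watebebo.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SSHNAS
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:54 PM 64288]
S0 hflezxp;hflezxp; [x]
"""

# "S0 name;display; [x]" = a service/driver whose image file is missing.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;\s*\[x\]", re.M)


def deleted_files(log):
    """Paths listed under 'Other Deletions', minus any that 'failed to delete'."""
    deleted, failed, in_section = set(), set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if line.startswith("(((("):          # next section banner
            in_section = False
        if not in_section or not re.match(r"[a-z]:\\", line, re.I):
            continue
        path, _, tail = line.partition(" . . . . ")
        (failed if tail.startswith("failed") else deleted).add(path.lower())
    return deleted - failed


def dead_services(log):
    """Service/driver names whose image path ComboFix could not find ('[x]')."""
    return SERVICE_RE.findall(log)


def build_cfscript(suspect_paths, combofix_log):
    """Leftover suspects as CFScript text; bare names without a path come back separately."""
    deleted = deleted_files(combofix_log)
    deleted_names = {p.rsplit("\\", 1)[-1] for p in deleted}
    leftovers, unresolved = [], []
    for raw in suspect_paths:
        p = raw.strip().lower()
        if not p:
            continue
        if p in deleted or p.rsplit("\\", 1)[-1] in deleted_names:
            continue                         # ComboFix already removed it
        (leftovers if "\\" in p else unresolved).append(p)
    lines = ["KillAll::"]
    if leftovers:
        lines += ["File::", *sorted(leftovers)]
    drivers = dead_services(combofix_log)
    if drivers:
        lines += ["Driver::", *drivers]
    return "\n".join(lines), sorted(unresolved)


if __name__ == "__main__":
    script, unresolved = build_cfscript(DDS_SUSPECT.splitlines(), COMBOFIX_LOG)
    print(script)
    print("\n# need a full path before they can go in File::", unresolved)
```

The output is a candidate list for the analyst, not a verdict: maranatha held wpp.exe back for a Jotti scan before deciding on it, and his script also names c:\windows\Ffusulu.bin and c:\windows\Bpucuyosegefi.dat, picked out of ComboFix's Find3M section by judgement rather than by any name rule. Entries the DDS log recorded without a path (the BHO's vehoyibe.dll) are reported separately because a File:: line needs a full path.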


#5 IAmMonkeyManDan (Topic Starter)

Posted 20 February 2010 - 12:34 PM

I had installed MalwareBytes Anti-Malware previously and something uninstalled it. Is that not a good one to use?

I installed Avast, updated and ran a full system scan. It found 17 infections, 1 of them being wpp.exe. I moved all of them except wpp.exe to the chest. Then I went to Jotti's malware and ran a scan on wpp.exe. I've posted the results below. After running that, I used Avast to move wpp.exe to the chest. Since running Avast, Windows is now saying "You may be a victim of software counterfeiting. This copy of Windows did not pass genuine Windows validation." When restarting, it pops up that message and asks if I want to resolve now or later. Hitting later loads Windows but the background is black and that message is displayed on the background.

I ran combofix as requested and posted the log below as well.

I'll pass along the message about p2p to my brother. I've told him before the problems with it. Hopefully this will be enough to get him to stop using it.

Jotti Results:

[ArcaVir]
2010-02-10 Found nothing
[F-Secure Anti-Virus]
2010-02-10 Trojan.Win32.FraudPack.akxl
[A-Squared]
2010-02-10 Trojan.Win32.FakeScanti!IK
[G DATA]
2010-02-10 Win32:FakeAlert-GW
[Avast! antivirus]
2010-02-10 Win32:FakeAlert-GW
[Ikarus]
2010-02-10 Trojan.Win32.FakeAV
[Grisoft AVG Anti-Virus]
2010-02-10 Generic16.BEWN
[Kaspersky Anti-Virus]
2010-02-10 Trojan.Win32.FraudPack.akxl
[Avira AntiVir]
2010-02-10 Found nothing
[ESET NOD32]
2010-02-10 Found nothing
[Softwin BitDefender]
2010-02-10 Found nothing
[Panda Antivirus]
2010-02-09 Found nothing
[ClamAV]
2010-02-10 Found nothing
[Quick Heal]
2010-02-10 Found nothing
[CPsecure]
2010-02-10 Found nothing
[Sophos]
2010-02-10 Mal/Generic-A
[Dr.Web]
2010-02-10 Found nothing
[VirusBlokAda VBA32]
2010-02-09 Found nothing
[Frisk F-Prot Antivirus]
2010-02-09 Found nothing
[VirusBuster]
2010-02-10 Found nothing

ComboFix Results

ComboFix 10-02-18.09 - Tony 02/20/2010 10:46:53.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.128 [GMT -6:00]
Running from: c:\documents and settings\Tony\Desktop\antivirus\Mobofcix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\antivirus\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Bpucuyosegefi.dat"
"c:\windows\Ffusulu.bin"
"c:\windows\system32\rogavove.dll"
"c:\windows\system32\sisetobu.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bpucuyosegefi.dat
c:\windows\Ffusulu.bin
c:\windows\system32\rogavove.dll
c:\windows\system32\sisetobu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HFLEZXP
-------\Service_hflezxp


((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-02-20 15:14 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-20 15:14 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-20 15:14 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-20 15:14 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-20 15:14 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-20 15:14 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-20 15:14 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-20 15:11 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-20 15:11 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-20 15:10 . 2010-02-20 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-17 17:23 . 2008-04-14 06:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-02-17 17:23 . 2008-04-14 06:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-02-17 13:38 . 2010-02-17 13:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-28 00:41 . 2010-01-28 00:41 -------- d-----w- c:\documents and settings\Tony\Application Data\MSNInstaller
2010-01-28 00:25 . 2010-01-27 21:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 21:54 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 21:53 . 2010-01-27 21:53 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 21:53 . 2010-01-27 21:53 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 21:53 . 2010-01-27 21:53 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 21:53 . 2010-01-27 21:53 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 21:53 . 2010-01-27 21:53 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 21:53 . 2010-02-20 15:58 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-27 21:53 . 2010-01-27 21:53 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 21:53 . 2010-01-27 21:53 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 21:52 . 2010-01-27 21:52 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 21:52 . 2010-01-27 21:52 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 21:52 . 2010-01-27 21:52 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 21:52 . 2010-01-27 21:52 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 21:51 . 2010-02-20 15:58 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-27 21:51 . 2010-01-27 21:51 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 21:51 . 2010-02-20 15:58 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-27 21:51 . 2010-01-27 21:51 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 21:51 . 2010-01-27 21:51 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-27 21:51 . 2010-02-20 15:57 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-27 21:50 . 2010-01-27 21:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 21:50 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-27 21:50 . 2010-01-27 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 21:50 . 2010-01-27 21:50 -------- d-----w- c:\program files\Lavasoft
2010-01-26 00:50 . 2010-01-26 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-26 00:49 . 2010-01-26 00:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 15:10 . 2009-12-31 18:38 -------- d-----w- c:\program files\Alwil Software
2010-02-10 07:47 . 2009-10-20 08:26 -------- d-----w- c:\documents and settings\Tony\Application Data\vlc
2010-01-31 04:54 . 2008-04-13 23:10 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-28 01:33 . 2010-01-02 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 02:38 . 2009-10-24 00:46 -------- d-----w- c:\documents and settings\Tony\Application Data\dvdcss
2010-01-16 21:59 . 2009-04-29 00:23 -------- d-----w- c:\documents and settings\Tony\Application Data\uTorrent
2010-01-02 22:51 . 2009-12-31 18:00 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-01-02 22:51 . 2009-12-31 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 18:00 . 2009-12-31 18:00 -------- d-----w- c:\program files\support.com
2009-12-27 08:53 . 2009-12-27 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-27 08:52 . 2009-04-28 18:31 46336 ----a-w- c:\documents and settings\Tony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 23:29 . 2009-05-01 01:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-26 23:18 . 2009-12-26 23:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-24 08:21 . 2009-05-01 00:52 -------- d-----w- c:\documents and settings\Tony\Application Data\U3
2009-12-11 08:28 . 2009-12-11 08:28 79488 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-19_14.14.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:02 . 2009-07-12 06:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-02-20 16:54 . 2010-02-20 16:54 16384 c:\windows\Temp\Perflib_Perfdata_32c.dat
+ 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2010-02-20 15:12 . 2010-02-20 15:12 219648 c:\windows\Installer\72210.msi
+ 2009-07-12 06:02 . 2009-07-12 06:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-04-12 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 88358]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-28 148888]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:54 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/20/2010 9:14 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/20/2010 9:14 AM 19024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-02-20 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-20 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-20 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-20 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {666788D1-83BB-486E-905A-ED9DF4B3D150} = 193.104.110.38,4.2.2.1,68.87.72.134 68.87.77.134
TCP: {FEF7448C-EB2C-4493-B482-B95D49D2C481} = 193.104.110.38,4.2.2.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\cpfsu2t2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - HiddenExtension: XULRunner: {8B7D8001-BA7E-4798-BAFA-308BB636E3C5} - c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 10:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WgaTray.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\AGRSMMSG.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-20 11:03:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 17:03
ComboFix2.txt 2010-02-19 14:18

Pre-Run: 74,681,999,360 bytes free
Post-Run: 74,652,975,104 bytes free

- - End Of File - - 0C1945091F9455D0B2E34998FC2D95EF


#6 maranatha
    Whats That !
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:58 AM

Posted 20 February 2010 - 12:49 PM

Hi
QUOTE
I had installed MalwareBytes Anti-Malware. Is that not a good one to use?

Yes, it is a good one to use, BUT it is an Anti-Malware program, not an Anti-Virus program; there is a difference, and both should be used.

QUOTE
This copy of Windows did not pass genuine Windows validation

Is this a legit copy of Windows? If so, please do this; you will need the product key.
This should be with the Windows CD or on a sticker on the tower somewhere.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser, as they won't work).
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.
After doing the above, let's get an online scan to make sure nothing is lurking.
Please do this.

Please download JavaRa and save the file to your desktop.
  • Right click and Extract All
  • Once extracted, open and run JavaRa.exe
  • Click Search For Updates
  • Select Update Using jucheck.exe
  • Click Search
  • If a newer version is found, allow it to be installed
  • Uncheck the Google Toolbar option. (if you don't want the Google tool bar)
  • When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
  • When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
  • Exit the tool when complete.
Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.


Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on Accept if your pop-up blocker blocks any windows from opening.

Read then Click Accept on the Information page.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side, Click on My Computer
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type as Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results.

Thanks
maranatha

Edited by maranatha, 20 February 2010 - 01:00 PM.



#7 IAmMonkeyManDan
  • Topic Starter
  • Members
  • 22 posts
  • Local time:08:58 AM

Posted 20 February 2010 - 01:06 PM

I went to the Windows Validation and it definitely says that this copy is not genuine. It didn't give the option to enter the product key. The laptop has a product key on the bottom but I'm guessing it wasn't the one used to install Windows. Should I see if I can get the recovery disk from my brother and just do a reinstall? Not something I wanted to do but I guess I need to get the correct copy of Windows on here.

Should I continue with the virus scanning and everything before reinstalling?

#8 maranatha
    Whats That !
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:58 AM

Posted 20 February 2010 - 01:19 PM

Hi
Yes, please do the rest of the steps.

maranatha



#9 IAmMonkeyManDan
  • Topic Starter
  • Members
  • 22 posts
  • Local time:08:58 AM

Posted 20 February 2010 - 04:39 PM

Ok, ran the programs you listed and here's the log from the Kaspersky scan. For anybody else you end up helping, the JavaRa link gave a permission error. I was able to grab it from http://prm753.bchea.org/ instead.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, February 20, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, February 20, 2010 18:34:46
Records in database: 3597292
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 59050
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:22:53


File name / Threat / Threats count
C:\Documents and Settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome\content\overlay.xul Infected: Trojan.JS.Gord.a 1

Selected area has been scanned.


#10 maranatha
    Whats That !
  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:58 AM

Posted 20 February 2010 - 08:57 PM

Hi
Thanks for the heads-up on that link; I have updated my link to it.

Here is something that might help with the Windows validation.

Failed validation? These scenarios may help to explain why.
http://www.microsoft.com/genuine/downloads...?displaylang=en

Please read the Microsoft can help section at the bottom of the page.

OK please do the following.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

CODE
KillAll::
Folder::
C:\Documents and Settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}


Thanks
maranatha

Edited by maranatha, 20 February 2010 - 09:01 PM.

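The triage the helper performs above by eye, reading the "FF - HiddenExtension" and "EnableFirewall" lines out of the ComboFix log, matching the Kaspersky detection path to that extension folder, and writing a Folder:: CFScript for it, done as an added Python example that is not part of this thread, of ComboFix, or of any helper's toolkit. The sample log and scanner report are constructed from lines quoted earlier in the thread; the regexes assume the ComboFix and Kaspersky line layouts shown there.

```python
"""Triage helper for a ComboFix log plus an online-scanner report.

Added example for this thread (not ComboFix code). Extracts Run-key entries,
the firewall policy value and Firefox HiddenExtension lines, pairs a scanner
detection with the extension folder that contains it, and renders the
Folder:: block in the CFScript layout the thread uses.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: trimmed copy of the log sections quoted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Supplementary Scan -------
.
FF - HiddenExtension: XULRunner: {8B7D8001-BA7E-4798-BAFA-308BB636E3C5} - c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}
"""

# Constructed sample: the detection line from the Kaspersky report in the thread.
SAMPLE_SCANNER_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome\content\overlay.xul Infected: Trojan.JS.Gord.a 1
"""

RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) \d+\])?')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
HIDDEN_EXT_RE = re.compile(r'^FF - HiddenExtension: [^:]+: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$')
SCANNER_HIT_RE = re.compile(r'^(?P<path>.+?) Infected: (?P<threat>\S+) \d+$')


@dataclass
class Findings:
    run_entries: list = field(default_factory=list)        # (name, path, date)
    hidden_extensions: list = field(default_factory=list)  # (guid, folder)
    firewall_disabled: bool = False


def parse_combofix_log(text):
    """Walk the log once, tracking the current [registry key] to scope matches."""
    found = Findings()
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()      # new registry key header
            continue
        if section.endswith(r'\currentversion\run'):
            m = RUN_ENTRY_RE.match(line)
            if m:
                found.run_entries.append((m['name'], m['path'], m['date']))
        elif section.endswith(r'\firewallpolicy\standardprofile'):
            m = FIREWALL_RE.match(line)
            if m and m['value'] == '0':
                found.firewall_disabled = True
        m = HIDDEN_EXT_RE.match(line)         # not tied to a registry key
        if m:
            found.hidden_extensions.append((m['guid'], m['path']))
    return found


def parse_scanner_report(text):
    """Return (path, threat) pairs from 'File name / Threat / Threats count' lines."""
    hits = []
    for line in text.splitlines():
        m = SCANNER_HIT_RE.match(line.strip())
        if m:
            hits.append((m['path'], m['threat']))
    return hits


def correlate(findings, hits):
    """Pair each detection with the hidden-extension folder that contains it."""
    matches = []
    for guid, folder in findings.hidden_extensions:
        for hit_path, threat in hits:
            if hit_path.lower().startswith(folder.lower()):  # Windows paths: case-insensitive
                matches.append((guid, folder, threat))
    return matches


def build_cfscript(folders):
    """Render a CFScript Folder:: block in the layout used in the thread."""
    return '\n'.join(['KillAll::', 'Folder::', *folders]) + '\n'


if __name__ == '__main__':
    found = parse_combofix_log(SAMPLE_LOG)
    matches = correlate(found, parse_scanner_report(SAMPLE_SCANNER_REPORT))
    print(f'firewall disabled: {found.firewall_disabled}; '
          f'hidden Firefox extensions: {len(found.hidden_extensions)}')
    for guid, folder, threat in matches:
        print(f'{guid} contains {threat}')
    print(build_cfscript(m[1] for m in matches))
```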


#11 IAmMonkeyManDan
  • Topic Starter
  • Members
  • 22 posts
  • Local time:08:58 AM

Posted 21 February 2010 - 10:13 AM

Thanks for the Windows product key links. I'm going to wait until the system is completely clean before I attempt to update the product key. However, the product key that is installed definitely doesn't match the product key on the Windows sticker on the bottom of the laptop.

I ran ComboFix and posted the log below. I'm currently running an Avast scan and I'll run a Kaspersky scan as well when Avast is done. I'll post those results when I have them.

ComboFix log:

ComboFix 10-02-20.04 - Tony 02/21/2010 8:46.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.184 [GMT -6:00]
Running from: c:\documents and settings\Tony\Desktop\antivirus\Mobofcix.exe
Command switches used :: c:\documents and settings\Tony\Desktop\antivirus\CFScript.txt.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}
c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome.manifest
c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome\content\_cfg.js
c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome\content\overlay.xul
c:\documents and settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2010-01-21 to 2010-02-21 )))))))))))))))))))))))))))))))
.

2010-02-20 18:24 . 2010-02-20 18:24 152576 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-20 15:14 . 2010-02-11 18:38 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-02-20 15:14 . 2010-02-11 18:42 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-02-20 15:14 . 2010-02-11 18:39 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-02-20 15:14 . 2010-02-11 18:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-02-20 15:14 . 2010-02-11 18:38 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-02-20 15:14 . 2010-02-11 18:38 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-02-20 15:14 . 2010-02-11 18:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-02-20 15:11 . 2010-02-11 18:53 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-02-20 15:11 . 2010-02-11 18:53 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-02-20 15:10 . 2010-02-20 15:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-17 17:23 . 2008-04-14 06:15 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-02-17 17:23 . 2008-04-14 06:15 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-02-17 13:38 . 2010-02-17 13:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-28 00:41 . 2010-01-28 00:41 -------- d-----w- c:\documents and settings\Tony\Application Data\MSNInstaller
2010-01-28 00:25 . 2010-01-27 21:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-27 21:54 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-27 21:53 . 2010-01-27 21:53 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-27 21:53 . 2010-01-27 21:53 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-27 21:53 . 2010-01-27 21:53 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-27 21:53 . 2010-01-27 21:53 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-27 21:53 . 2010-01-27 21:53 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-27 21:53 . 2010-02-20 15:58 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-27 21:53 . 2010-01-27 21:53 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-27 21:53 . 2010-01-27 21:53 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-27 21:52 . 2010-01-27 21:52 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-27 21:52 . 2010-01-27 21:52 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-27 21:52 . 2010-01-27 21:52 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-27 21:52 . 2010-01-27 21:52 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-27 21:51 . 2010-02-20 15:58 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-27 21:51 . 2010-01-27 21:51 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-27 21:51 . 2010-02-20 15:58 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-27 21:51 . 2010-01-27 21:51 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-27 21:51 . 2010-01-27 21:51 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-27 21:51 . 2010-02-20 15:57 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-27 21:50 . 2010-01-27 21:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-27 21:50 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-27 21:50 . 2010-01-27 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 21:50 . 2010-01-27 21:50 -------- d-----w- c:\program files\Lavasoft
2010-01-26 00:50 . 2010-01-26 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-01-26 00:49 . 2010-01-26 00:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 18:25 . 2009-07-28 07:27 -------- d-----w- c:\program files\Java
2010-02-20 18:23 . 2009-12-11 08:28 79488 ----a-w- c:\documents and settings\Tony\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 15:10 . 2009-12-31 18:38 -------- d-----w- c:\program files\Alwil Software
2010-02-10 07:47 . 2009-10-20 08:26 -------- d-----w- c:\documents and settings\Tony\Application Data\vlc
2010-01-31 04:54 . 2008-04-13 23:10 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-28 01:33 . 2010-01-02 13:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 02:38 . 2009-10-24 00:46 -------- d-----w- c:\documents and settings\Tony\Application Data\dvdcss
2010-01-16 21:59 . 2009-04-29 00:23 -------- d-----w- c:\documents and settings\Tony\Application Data\uTorrent
2010-01-02 22:51 . 2009-12-31 18:00 -------- d-----w- c:\program files\Common Files\SupportSoft
2010-01-02 22:51 . 2009-12-31 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\Tony\Application Data\Malwarebytes
2010-01-02 13:55 . 2010-01-02 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 18:00 . 2009-12-31 18:00 -------- d-----w- c:\program files\support.com
2009-12-31 16:50 . 2008-04-13 23:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-27 08:53 . 2009-12-27 08:53 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-27 08:52 . 2009-04-28 18:31 46336 ----a-w- c:\documents and settings\Tony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-26 23:29 . 2009-05-01 01:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-26 23:18 . 2009-12-26 23:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-24 08:21 . 2009-05-01 00:52 -------- d-----w- c:\documents and settings\Tony\Application Data\U3
2009-12-21 19:14 . 2008-04-14 04:42 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-04-28 15:26 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 04:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2008-04-13 23:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11 . 2008-04-14 04:42 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07 . 2001-08-23 11:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2008-04-14 04:42 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 04:41 84992 ----a-w- c:\windows\system32\avifil32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-19_14.14.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:02 . 2009-07-12 06:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-02-21 14:54 . 2010-02-21 14:54 16384 c:\windows\temp\Perflib_Perfdata_2e0.dat
+ 2009-03-08 09:31 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 09:31 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2008-04-14 04:41 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 25600 c:\windows\system32\jsproxy.dll
- 2008-04-14 04:41 . 2009-06-16 14:36 81920 c:\windows\system32\fontsub.dll
+ 2008-04-14 04:41 . 2009-10-15 16:28 81920 c:\windows\system32\fontsub.dll
+ 2009-06-09 17:53 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-09 17:53 . 2009-10-29 07:45 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2001-08-23 11:00 . 2009-11-27 16:07 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2008-04-14 04:42 . 2009-11-27 16:07 11264 c:\windows\system32\dllcache\msrle32.dll
- 2008-04-14 04:42 . 2008-04-14 04:42 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-07-29 03:23 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-07-29 03:23 . 2009-10-29 07:45 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-04-14 04:41 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\system32\dllcache\iyuv_32.dll
- 2008-04-14 04:41 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2008-04-14 04:41 . 2009-10-15 16:28 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2008-04-14 04:41 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2008-04-14 04:41 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2008-04-14 04:41 . 2009-11-27 16:07 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 12800 c:\windows\ie8updates\KB978207-IE8\xpshims.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 25600 c:\windows\ie8updates\KB978207-IE8\jsproxy.dll
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:07 . 2009-11-27 16:07 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2008-04-14 04:42 . 2009-06-16 14:36 119808 c:\windows\system32\t2embed.dll
+ 2008-04-14 04:42 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
- 2008-04-14 04:42 . 2008-04-14 04:42 474112 c:\windows\system32\shlwapi.dll
+ 2008-04-14 04:42 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
- 2008-04-14 04:42 . 2009-10-29 07:45 206848 c:\windows\system32\occache.dll
+ 2009-03-08 09:32 . 2009-12-21 19:14 594432 c:\windows\system32\msfeeds.dll
- 2009-03-08 09:32 . 2009-10-29 07:45 594432 c:\windows\system32\msfeeds.dll
+ 2010-02-20 18:25 . 2009-10-11 10:17 149280 c:\windows\system32\javaws.exe
+ 2010-02-20 18:25 . 2009-10-11 10:17 145184 c:\windows\system32\javaw.exe
+ 2010-02-20 18:25 . 2009-10-11 10:17 145184 c:\windows\system32\java.exe
+ 2008-04-14 04:41 . 2009-12-21 19:14 184320 c:\windows\system32\iepeers.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 184320 c:\windows\system32\iepeers.dll
+ 2008-04-14 04:41 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-14 04:42 . 2009-10-28 14:40 173056 c:\windows\system32\ie4uinit.exe
+ 2008-04-14 04:42 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
- 2008-04-14 04:42 . 2009-10-29 07:45 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
- 2008-04-14 04:42 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-04-14 04:42 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-04-13 23:45 . 2009-12-31 16:50 353792 c:\windows\system32\dllcache\srv.sys
+ 2008-04-14 04:42 . 2009-12-08 09:23 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2008-04-14 04:42 . 2008-04-14 04:42 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2008-04-14 04:42 . 2009-10-29 07:45 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
+ 2009-04-28 15:26 . 2009-12-16 18:43 343040 c:\windows\system32\dllcache\mspaint.exe
- 2009-04-28 15:26 . 2008-04-14 04:42 343040 c:\windows\system32\dllcache\mspaint.exe
- 2009-07-29 03:23 . 2009-10-29 07:45 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-29 03:23 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-04-28 23:45 . 2009-12-04 18:22 455424 c:\windows\system32\dllcache\mrxsmb.sys
+ 2009-06-09 17:53 . 2009-12-21 19:14 246272 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-09 17:53 . 2009-10-29 07:45 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2008-04-14 04:41 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 184320 c:\windows\system32\dllcache\iepeers.dll
- 2008-04-14 04:41 . 2009-10-29 07:45 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 04:41 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2008-04-14 04:42 . 2009-10-28 14:40 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-04-14 04:42 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-04-14 04:41 . 2009-11-21 15:51 471552 c:\windows\system32\dllcache\aclayers.dll
+ 2009-07-28 07:27 . 2009-10-11 10:17 411368 c:\windows\system32\deploytk.dll
+ 2010-02-20 15:12 . 2010-02-20 15:12 219648 c:\windows\Installer\72210.msi
+ 2010-02-20 17:38 . 2009-10-29 07:45 916480 c:\windows\ie8updates\KB978207-IE8\wininet.dll
+ 2010-02-20 17:38 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB978207-IE8\spuninst\updspapi.dll
+ 2010-02-20 17:38 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe
+ 2010-02-20 17:38 . 2009-10-29 07:45 206848 c:\windows\ie8updates\KB978207-IE8\occache.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 594432 c:\windows\ie8updates\KB978207-IE8\msfeeds.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 246272 c:\windows\ie8updates\KB978207-IE8\ieproxy.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 184320 c:\windows\ie8updates\KB978207-IE8\iepeers.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 387584 c:\windows\ie8updates\KB978207-IE8\iedkcs32.dll
+ 2010-02-20 17:38 . 2009-10-28 14:40 173056 c:\windows\ie8updates\KB978207-IE8\ie4uinit.exe
+ 2009-04-28 23:45 . 2009-12-04 18:22 455424 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-04-14 04:41 . 2009-11-21 15:51 471552 c:\windows\AppPatch\aclayers.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 1208832 c:\windows\system32\urlmon.dll
- 2008-04-14 04:42 . 2009-10-29 07:45 1208832 c:\windows\system32\urlmon.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 5942784 c:\windows\system32\mshtml.dll
+ 2008-03-20 23:06 . 2009-06-25 19:20 1485176 c:\windows\system32\LegitCheckControl.DLL
+ 2009-03-08 09:32 . 2009-12-21 19:14 1985536 c:\windows\system32\iertutil.dll
- 2009-03-08 09:32 . 2009-10-29 07:45 1985536 c:\windows\system32\iertutil.dll
- 2008-04-14 04:42 . 2009-10-29 07:45 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 04:42 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-04-14 04:42 . 2009-12-21 19:14 5942784 c:\windows\system32\dllcache\mshtml.dll
- 2009-06-09 17:53 . 2009-10-29 07:45 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-06-09 17:53 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 1208832 c:\windows\ie8updates\KB978207-IE8\urlmon.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 5940736 c:\windows\ie8updates\KB978207-IE8\mshtml.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 1985536 c:\windows\ie8updates\KB978207-IE8\iertutil.dll
+ 2010-02-20 17:36 . 2010-02-01 17:26 30364104 c:\windows\system32\MRT.exe
+ 2009-03-08 09:39 . 2009-12-21 19:14 11070464 c:\windows\system32\ieframe.dll
+ 2009-06-09 17:53 . 2009-12-21 19:14 11070464 c:\windows\system32\dllcache\ieframe.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 11069952 c:\windows\ie8updates\KB978207-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-04-12 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-12 88358]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/27/2010 3:54 PM 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/20/2010 9:14 AM 162512]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/20/2010 9:14 AM 19024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1181328]
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:58]

2010-02-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {666788D1-83BB-486E-905A-ED9DF4B3D150} = 193.104.110.38,4.2.2.1,68.87.72.134 68.87.77.134
TCP: {FEF7448C-EB2C-4493-B482-B95D49D2C481} = 193.104.110.38,4.2.2.1
FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\cpfsu2t2.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-21 09:02:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-21 15:02
ComboFix2.txt 2010-02-20 17:03
ComboFix3.txt 2010-02-19 14:18

Pre-Run: 74,284,679,168 bytes free
Post-Run: 74,353,725,440 bytes free

- - End Of File - - DB6E8C1C6A5A429B9011C24B8186766F
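The SnapShot section of the log above lists every file ComboFix saw appear (+) or disappear (-) since its previous run, and most of those lines come in pairs where Windows Update replaced a system DLL in place. As an added example (not part of the original post and not ComboFix's own code), the script below parses that line format, pairs the + and - entries by path so that in-place replacements are separated from genuinely new or missing files, and flags new files whose modification time is older than their creation time. The sample lines are copied from the snapshot above; the field layout is inferred from them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# One ComboFix SnapShot line has the shape
#   <+|-> <created> . <modified> <size> <path>
# The path is captured greedily so embedded spaces ("Driver Cache") survive.
SNAPSHOT_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+?)\s*$"
)

# Lines copied from the SnapShot section of the log above (plus the two
# trailer lines ComboFix prints), used here as the sample input.
SAMPLE = r"""
+ 2009-03-08 09:31 . 2009-12-21 19:14 55296 c:\windows\system32\msfeedsbs.dll
- 2009-03-08 09:31 . 2009-10-29 07:45 55296 c:\windows\system32\msfeedsbs.dll
+ 2010-02-21 14:54 . 2010-02-21 14:54 16384 c:\windows\temp\Perflib_Perfdata_2e0.dat
+ 2009-11-27 17:11 . 2009-11-27 17:11 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2010-02-20 17:38 . 2009-10-29 07:45 55296 c:\windows\ie8updates\KB978207-IE8\msfeedsbs.dll
- 2008-04-14 04:42 . 2008-04-14 04:42 474112 c:\windows\system32\shlwapi.dll
+ 2008-04-14 04:42 . 2009-12-08 09:23 474112 c:\windows\system32\shlwapi.dll
.
-- Snapshot reset to current date --
"""


@dataclass
class Entry:
    sign: str           # "+" present now but not in the previous snapshot; "-" the reverse
    created: datetime
    modified: datetime
    size: int
    path: str


def parse_snapshot(text):
    """Parse the +/- lines of a ComboFix SnapShot section; any other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line.strip())
        if not m:
            continue
        sign, created, modified, size, path = m.groups()
        entries.append(Entry(
            sign,
            datetime.strptime(created, "%Y-%m-%d %H:%M"),
            datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            int(size),
            path,
        ))
    return entries


def classify(entries):
    """Group entries by path: both a + and a - line means the file was replaced
    in place, + only means a new file, - only means a file that disappeared."""
    by_path = defaultdict(lambda: {"+": [], "-": []})
    for e in entries:
        by_path[e.path][e.sign].append(e)
    result = {"replaced": [], "added": [], "removed": []}
    for path, signs in by_path.items():
        if signs["+"] and signs["-"]:
            result["replaced"].append(path)
        elif signs["+"]:
            result["added"].append(path)
        else:
            result["removed"].append(path)
    for key in result:
        result[key].sort(key=str.lower)
    return result


def backdated_additions(entries):
    """New (+) files whose modified time predates their created time, i.e. the
    content is older than its placement on disk. Here that picks out the
    KB978207 backup copies; the same check surfaces any freshly placed file
    that carries an old modification time, which is worth a second look."""
    return sorted(e.path for e in entries
                  if e.sign == "+" and e.modified < e.created)


if __name__ == "__main__":
    entries = parse_snapshot(SAMPLE)
    for kind, paths in classify(entries).items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("backdated additions:", backdated_additions(entries))
```

Run against the full SnapShot section, the "replaced" list is dominated by system32 and dllcache files updated by KB978207 and the December 2009 updates, which is what makes the log read as clean; the "added" list is where anything unexpected would stand out.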


#12 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:58 AM

Posted 21 February 2010 - 11:32 AM

Hi
QUOTE
I'm currently running an Avast scan and I'll run a Kaspersky scan as well when Avast is done. I'll post those results when I have them.

OK let me know.

The Combofix log looks good.

maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#13 IAmMonkeyManDan

  • Topic Starter
  • Members
  • 22 posts
  • Local time:08:58 AM

Posted 21 February 2010 - 12:45 PM

Both scans have finished. The Kaspersky log is below. Avast won't let me save a log but it found 4 infections. The infections Avast found were:

C:\Qoobox\Quarantine\C\WINDOWS\system32\rogavove.dll.vir
C:\Qoobox\Quarantine\C\WINDOWS\system32\sisetobu.dll.vir
C:\System Volume Information\_restore{5BCA23AB-24FF-4ED7-B753-BE7AC7303DDA}\RP1\A0000024.dll
C:\System Volume Information\_restore{5BCA23AB-24FF-4ED7-B753-BE7AC7303DDA}\RP1\A0000025.dll

I haven't done anything in Avast with those infections. It gives me the option to Move to Chest or Delete but I haven't done it yet.

And the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, February 21, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, February 21, 2010 15:19:01
Records in database: 3606552
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 59584
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:22:50


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Tony\Local Settings\Application Data\{8B7D8001-BA7E-4798-BAFA-308BB636E3C5}\chrome\content\overlay.xul.vir Infected: Trojan.JS.Gord.a 1

Selected area has been scanned.

Edited by IAmMonkeyManDan, 21 February 2010 - 12:46 PM.


#14 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:06:58 AM

Posted 21 February 2010 - 12:58 PM

Hi MonkeyManDan
OK, that looks good. Good job.

Let's clean up, and that will remove the entries that were found.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

This will uninstall ComboFix and remove the files/folders it created.
This action will also reset the System Restore points, removing any infected files there as well.
Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.


Please delete DDS and its log also GMER and its log.

Here are a few Preventive recommendations:

The following is a list of tools and utilities that we recommend to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.
    To do this just Click > Start > All Programs Click on > Windows Update, and follow the online instructions from there.
    (It is recommended that you have Windows Updates set to download and install automatically.)

  2. One of your first defenses against infections and hackers is a Firewall

    Comodo Firewall > During the setup process you will be given a choice; please choose: Install the Firewall as a standalone
    Zonealarm Firewall

    Also I suggest you read this.
    Understanding Firewalls

  3. Malwarebytes' Anti-Malware (MBAM)
    http://www.malwarebytes.org/mbam.php (Home page)
    Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware.
    Some Key Features:
    Operating Systems: Microsoft ® Windows 2000, XP, Vista and 7 (32-bit and 64-bit).
    Database updates released daily.
    Works together with other anti-malware utilities.
    This is a free program with the option of Activating a full version, unlocking realtime protection, scheduled scanning, and scheduled updating. There is a one time fee for the full version.
    Remember to ALWAYS check for and install available updates prior to scanning!

  4. Spybot Search & Destroy - A well known and reputable, FREE (for personal use) adware, spyware and malware removal program. Spybot has some great features to help protect against future infection too, as well as several other useful utilities built in. Check out the FAQ and Tutorial pages while you're there!
    Remember to ALWAYS check for and install available updates prior to scanning!

  5. Ad-Aware - Another well known and reputable, FREE (for personal use) adware, spyware and malware removal program. Ad-Aware and Spybot S & D complement each other very well, each finding and/or removing things the other doesn't. Regular scans with these two applications will help to ensure that many nasties managing to sneak in get caught and removed. The first in anti-spyware packages, Ad-Aware has the experience to provide a powerful cleaning tool. Also available in a feature-rich Professional version, making Ad-Aware an attractive package for everyone from Home user to Enterprise.
    Remember to ALWAYS check for and install available updates prior to scanning!

  6. SpywareBlaster is a Freeware (for personal use) application that will help to prevent the installation of spyware and other potentially unwanted software. It accomplishes this by blocking the installation of many known bad ActiveX controls, spyware and tracking cookies, and restricting the actions of potentially unwanted sites. SpywareBlaster does not require any running or background processes to work once protections are enabled, which means it will not slow down your system in any way.

  7. SpywareGuard - A Spyware "Shield" to protect your computer, acting much like your antivirus real-time protection. Its features include scanning files for spyware before you open them, blocking spyware downloads in Internet Explorer and monitoring/preventing attempted browser hijacking. Small and lightweight, yet powerful! Compatible with Windows 98, ME, 2000 & XP
    FREEWARE (for personal use)

  8. The MVPS Hosts File or similar HOSTS file will actually block a list of known bad sites from even loading in your browser. It can also be used to block ads, banners, 3rd party cookies and more. Operating system compatibility and installation instructions are provided.

  9. Install WinPatrol to monitor some key registry locations, file system changes, and other important areas, and have it alert you of the changes BEFORE allowing them to take place.

  10. Another thing we would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, it is a good additional layer of information about many sites. When using a search engine, the ratings show up as small dots next to the web site: Green for Good, Yellow for Caution, Red for Bad. Set your cursor on the dot for a small pop-up window that provides more information on that web site.
    Web Browser: Internet Explorer 6 or 7. : Also works with Firefox.
    Operating System: Windows 2000 (Service Pack 4) Windows XP and Windows Vista

  11. If you would prefer something other than McAfee SiteAdvisor, you can go with this.
    WOT Web Of Trust.
    This is also free and is a well respected tool.

Now just because you have security applications installed, they are useless unless updated regularly.
Most of the above recommended applications are updated periodically, and it's up to you to check for updates. Set aside time in a day each month to update all of your protections.


To find out more information about how you got infected in the first place and more great guidelines to follow to prevent future infections, you can read this article by Grinler.

Let me know how everything is running and we'll close this thread.

Surf Safely!
maranatha

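Item 8 of the recommendations above says a HOSTS file blocks known bad sites before they ever load. As an added illustration of that mechanism (this is not maranatha's text, the MVPS file, or any tool the post names), the script below parses hosts-file syntax the way the resolver reads it, reports which names are sinkholed to a local address, and separates out names pointed at a real address, which is the part worth reviewing on a machine that has been infected. The example.test hostnames and addresses are constructed; the default file locations are the standard ones for Windows and Unix.

```python
import ipaddress
import os
import sys

# Constructed sample in hosts-file syntax (not a copy of any published list):
# sink addresses for the names to block, plus one ordinary mapping.
SAMPLE_HOSTS = """\
# hosts file: <ip> <hostname> [alias ...]   '#' starts a comment
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.test          # inline comment is ignored
0.0.0.0  tracker.example.test www.tracker.example.test
10.0.0.5 intranet.example.test
"""

# Names that legitimately map to loopback and must not be reported as "blocked".
LOCAL_NAMES = {"localhost"}


def default_hosts_path():
    """Where the resolver reads the file on this platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Return {hostname: ip_address} from hosts-file text.

    Comments and blank lines are dropped; a line whose first field is not an
    IP address is skipped rather than guessed at. The first mapping seen for a
    name is kept (a choice of this parser, not a claim about any resolver)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def _is_sink(ip):
    # 0.0.0.0 / :: (unspecified) or 127.x / ::1 (loopback): the connection
    # never leaves the machine, which is how a blocking hosts file works.
    return ip.is_unspecified or ip.is_loopback


def is_blocked(mapping, hostname):
    """True if the hosts file keeps this name from reaching the network."""
    name = hostname.lower().rstrip(".")
    ip = mapping.get(name)
    return ip is not None and _is_sink(ip) and name not in LOCAL_NAMES


def review(mapping):
    """Split the file into sinkholed names (intended blocking) and names that
    are redirected to a real address, which deserve a manual look."""
    report = {"sinkholed": [], "redirected": []}
    for name, ip in mapping.items():
        if name in LOCAL_NAMES:
            continue
        report["sinkholed" if _is_sink(ip) else "redirected"].append(name)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked ads.example.test:", is_blocked(hosts, "ads.example.test"))
    print(review(hosts))
    print("live file:", default_hosts_path())
```

Reading the live file with `parse_hosts(open(default_hosts_path()).read())` shows what a given machine actually blocks. Block lists commonly use 0.0.0.0 rather than 127.0.0.1 so that a blocked request fails immediately instead of being handed to whatever is listening on the local loopback; either address lands in the "sinkholed" bucket here.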


#15 IAmMonkeyManDan

  • Topic Starter
  • Members
  • 22 posts
  • Local time:08:58 AM

Posted 21 February 2010 - 01:44 PM

Everything looks to be running perfectly. I went through the Windows product key updating and that was able to get rid of the non-genuine warning messages.

Thank you very much for all of your help and I will definitely install your recommended programs.



