help - searches get redirected


  • This topic is locked
18 replies to this topic

#1 red_baron

red_baron

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 15 March 2010 - 12:42 AM

Hi. My problem is when I do a search and click on a resulting link it gets redirected. Plus other things happen like new tabs open with a redirected site. I have multiple users on the computer, will this fix work on all or will I have to run a removal for each user?

Thank you in advance.

Pasting in additional info. from another post. ~ OB

browser resets connection on each post attempt.

End of added material. ~ OB

I've run "dds.scr", I tried to run "gmer" but it caused my computer to crash/restart.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian Baron at 21:24:26.78 on Sun 03/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k HPService
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\rpcnetp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Upgrd.exe
C:\Documents and Settings\Brian Baron\Desktop\dds.scr
C:\WINDOWS\system32\rpcnet.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: PC Tools Browser

Edited by Orange Blossom, 15 March 2010 - 04:23 PM.




#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:34 AM

Posted 17 March 2010 - 08:07 PM


Hello red_baron. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


There are a few things we need to do before we can really get started.

You have two Antivirus programs showing on your computer which can cause problems themselves. You should uninstall either Spyware Doctor or McAfee. After doing this please disable the remaining one in order to try to run GMER once again. Instructions to help you are Here. When you have done this try running GMER again. If it still will not run try unchecking the following and try it once more:
  • Registry
  • Files



The posted DDS.txt does not appear to be complete. It looks like it was cut off. Please check it and repost the complete log. If that is all there was, rerun it once more. There should also have been an Attach.txt generated when DDS ran. I will need that log also.











Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 18 March 2010 - 04:55 PM


DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian Baron at 21:24:26.78 on Sun 03/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k HPService
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\rpcnetp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Upgrd.exe
C:\Documents and Settings\Brian Baron\Desktop\dds.scr
C:\WINDOWS\system32\rpcnet.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [NvCplDaemon] RUNDLL32.EXE c:\

#4 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 18 March 2010 - 04:56 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by Brian Baron at 21:24:26.78 on Sun 03/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k HPService
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
D:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PHUtils\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\rpcnetp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Upgrd.exe
C:\Documents and Settings\Brian Baron\Desktop\dds.scr
C:\WINDOWS\system32\rpcnet.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - d:\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [NvCplDaemon] RUNDLL32.EXE c:\





#5 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 18 March 2010 - 05:04 PM

It doesn't look like I can post it in one message.

More of the dds.txt
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [Acrobat Assistant 8.0] "d:\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [QuickTime Task] "c:\program

#6 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 18 March 2010 - 05:08 PM

It doesn't look like I can post it in one message.

More of the dds.txt

mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - d:\phutils\netgear\netgear prosafe vpn client\SafeCfg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - d:\panasonic\photofunstudio\PhAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\micros~1\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools
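A small triage parser for the DDS.txt format being pasted in this thread, added here as an example; it is not part of the thread, of DDS, or of any tool the helpers use. It splits the log at the "=== ... ===" banners, parses the Pseudo HJT Report entries, and flags what a helper reads first: more than one registered real-time AV product (the point made in post #2), processes running out of a user profile, registered BHO/toolbar/IE entries whose backing file is gone ("No File", "does not exist!"), and the start/search page settings that matter for a redirect complaint. The sample input is constructed from lines copied from the logs above, trimmed to a few per section; the rule names and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the DDS.txt posted earlier in this
# thread, trimmed to a few per section. Nothing here is invented.
SAMPLE_DDS = r"""
DDS (Ver_09-12-01.01) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Documents and Settings\Brian Baron\Desktop\dds.scr
C:\WINDOWS\system32\rpcnet.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.msn.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+):\s*(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# u = current user hive, m = machine hive, as DDS prefixes them.
URL_SETTING_RE = re.compile(r"^[um](SearchURL|Default_Page_URL|Start Page|Search Page)\b")


def parse_dds(text):
    """Split a DDS.txt into named sections; everything before the first
    '=== ... ===' banner lands in 'header'."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def parse_hjt_entry(line):
    """Parse one Pseudo HJT line such as 'BHO: name: {clsid} - path'.
    Returns None for 'key = value' settings lines, which have no 'kind:' prefix."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid = CLSID_RE.search(body)
    # The load target is whatever follows the last ' - ' separator.
    target = body.rsplit(" - ", 1)[-1].strip() if " - " in body else body
    return {"kind": kind, "clsid": clsid.group(0).lower() if clsid else None,
            "target": target, "raw": line}


def triage(text):
    """Return a list of (rule, detail) findings a helper would review first."""
    s = parse_dds(text)
    findings = []

    # Rule 1: more than one real-time AV product registered.
    av = [l for l in s["header"] if l.startswith("AV:")]
    if len(av) > 1:
        findings.append(("multiple-av", "%d AV products registered" % len(av)))

    # Rule 2: processes running out of a user profile rather than
    # Windows or Program Files (the DDS tool itself will show up here).
    for proc in s.get("Running Processes", []):
        if "\\documents and settings\\" in proc.lower():
            findings.append(("process-in-user-profile", proc))

    for line in s.get("Pseudo HJT Report", []):
        # Rule 3: start/search page settings. For a redirect complaint these
        # are listed for review; the parser does not judge them malicious.
        if URL_SETTING_RE.match(line):
            findings.append(("url-setting", line))
            continue
        entry = parse_hjt_entry(line)
        if entry is None:
            continue
        # Rule 4: registered extension whose backing file is gone (orphan).
        t = entry["target"].lower()
        if t == "no file" or t.endswith("does not exist!"):
            findings.append(("orphan-entry", line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'multiple-av': 1, ...}."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print("%-24s %s" % (rule, detail))
```

Run on the sample it reports one multiple-av finding, one process from a user profile (dds.scr on the Desktop, which is expected while the tool runs), two URL settings for review and two orphaned entries (the "No File" toolbar and the IE entry whose InprocServer32 key is missing). Orphans are usually leftovers of an uninstalled product rather than an infection, which is why the rules only surface them for a human to read alongside the rest of the log.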

#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:34 AM

Posted 18 March 2010 - 05:23 PM

You should be able to post the logs all at one time. When a log opens try clicking on Edit at the top of your screen then Select All from the drop-down menu. Click on Edit again and then Copy from the drop-down menu. When you get ready to post it right click and choose Paste.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.









#8 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:08:34 AM

Posted 18 March 2010 - 06:24 PM

ComboFix 10-03-18.01 - Brian Baron 03/18/2010  16:02:45.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1564 [GMT -7:00]
Running from: c:\documents and settings\Brian Baron\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll
c:\windows\system32\crt.dat
c:\windows\system32\crt4.dll
c:\windows\system32\drivers\nd.sys
c:\windows\system32\kbdatat4.dll
c:\windows\system32\kbddta.dll
c:\windows\system32\kboem32.dat
c:\windows\system32\kbvdt.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
Infected copy of c:\windows\system32\autochk.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\autochk.exe

.
(((((((((((((((((((((((((   Files Created from 2010-02-18 to 2010-03-18  )))))))))))))))))))))))))))))))
.

2010-03-16 17:44 . 2010-03-16 17:44    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\ServiceTest
2010-03-16 01:42 . 2010-03-16 01:42    --------    d-----w-    c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-03-16 01:25 . 2010-03-16 01:25    --------    d-----w-    c:\documents and settings\Brian Baron\Local Settings\Application Data\Western_Digital
2010-03-16 01:22 . 2010-03-16 01:22    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Western Digital
2010-03-16 01:22 . 2010-03-16 01:22    --------    d-----w-    c:\documents and settings\All Users\Application Data\Western Digital
2010-03-16 01:22 . 2010-03-16 01:22    --------    d-----w-    c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-03-16 01:21 . 2009-02-13 19:02    11520    ----a-w-    c:\windows\system32\drivers\wdcsam.sys
2010-03-16 01:21 . 2010-03-16 01:21    --------    d-----w-    c:\program files\Western Digital
2010-03-16 01:19 . 2010-03-16 01:19    --------    d-----w-    c:\documents and settings\Brian Baron\Local Settings\Application Data\Western Digital
2010-03-14 19:49 . 2010-03-14 19:49    161296    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2010-03-14 19:49 . 2010-03-14 19:49    --------    d-----w-    c:\documents and settings\Brian Baron\log
2010-03-14 19:38 . 2008-03-02 10:28    206608    ----a-w-    c:\windows\system32\drivers\TMPassthru.sys
2010-03-14 18:56 . 2010-03-18 23:08    17408    ----a-w-    c:\windows\system32\rpcnetp.exe
2010-03-09 07:10 . 2010-03-09 07:10    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-09 07:09 . 2010-03-09 20:53    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\SUPERAntiSpyware.com
2010-03-09 07:09 . 2010-03-09 20:53    --------    d-----w-    c:\program files\SUPERAntiSpyware
2010-03-09 05:38 . 2010-03-14 19:59    --------    d-----w-    c:\program files\trend micro
2010-03-09 05:38 . 2010-03-09 05:38    --------    d-----w-    C:\rsit
2010-03-09 04:43 . 2010-03-09 04:43    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Malwarebytes
2010-03-09 04:43 . 2010-03-09 04:43    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-09 04:43 . 2010-03-09 18:43    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-03-03 21:58 . 2010-03-16 18:01    13160    ----a-w-    c:\windows\system32\Upgrd.exe
2010-03-03 00:05 . 2010-03-03 00:05    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
2010-03-02 13:01 . 2010-03-02 13:01    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Application Data\IObit
2010-03-02 06:38 . 2010-03-02 06:38    --------    d-sh--w-    c:\windows\system32\config\systemprofile\IETldCache
2010-03-02 04:16 . 2010-03-02 04:54    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-02 04:16 . 2010-03-02 04:22    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2010-03-02 04:02 . 2010-03-02 04:02    --------    d-----w-    c:\documents and settings\Brian Baron\Local Settings\Application Data\Threat Expert
2010-03-02 03:53 . 2010-03-02 03:53    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\IObit
2010-03-02 02:06 . 2010-03-18 15:57    --------    d-----w-    c:\documents and settings\All Users\Application Data\PC Tools
2010-03-02 02:03 . 2010-03-18 15:58    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 01:32 . 2010-03-02 01:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Mozilla
2010-03-02 00:32 . 2010-03-02 00:32    104840    ----a-w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 00:32 . 2010-03-02 00:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Adobe
2010-03-02 00:32 . 2010-03-02 00:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Apple Computer
2010-03-02 00:32 . 2010-03-02 00:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\NTRU Cryptosystems
2010-03-02 00:32 . 2010-03-09 04:25    0    ----a-w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\WavXMapDrive.bat
2010-03-02 00:32 . 2010-03-02 00:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Application Data\Wave Systems Corp
2010-03-02 00:32 . 2010-03-02 00:32    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Wave Systems Corp
2010-03-01 23:39 . 2010-03-01 23:42    --------    d--h--w-    c:\windows\msdownld.tmp
2010-02-27 21:53 . 2010-02-27 21:53    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Leadertech
2010-02-27 21:52 . 2010-02-27 21:52    --------    d-----w-    c:\program files\Keyspan
2010-02-27 21:52 . 2003-03-18 01:11    77824    ----a-w-    c:\windows\system32\USA19HPropPage.dll
2010-02-27 21:52 . 2003-06-25 04:30    727908    ----a-w-    c:\windows\system32\drivers\USA19H2k.sys
2010-02-27 21:52 . 2003-06-25 04:21    44928    ----a-w-    c:\windows\system32\drivers\USA19H2kp.sys
2010-02-27 21:52 . 2003-03-17 16:16    49152    ----a-r-    c:\windows\system32\k19hinst.dll
2010-02-24 21:06 . 1997-11-19 23:49    303616    ----a-w-    c:\windows\IsUninst.exe
2010-02-24 21:06 . 2010-02-24 21:06    --------    d-----w-    c:\documents and settings\Brian Baron\WINDOWS
2010-02-24 05:31 . 2009-08-07 03:23    215920    ----a-w-    c:\windows\system32\muweb.dll
2010-02-24 05:31 . 2009-08-07 03:23    274288    ----a-w-    c:\windows\system32\mucltui.dll
2010-02-24 04:04 . 2010-02-24 04:04    --------    d-----w-    c:\windows\system32\wbem\Repository
2010-02-23 19:43 . 2010-02-23 19:43    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Adobe
2010-02-23 19:43 . 2010-02-23 19:43    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Apple Computer
2010-02-23 19:42 . 2010-02-23 19:42    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Wave Systems Corp
2010-02-23 19:41 . 2010-02-23 19:41    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\IETldCache
2010-02-23 19:40 . 2010-02-24 03:44    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Microsoft
2010-02-23 19:40 . 2009-11-14 19:55    --------    d-----w-    c:\documents and settings\Administrator.BARON-PRECISION\Application Data\Intel
2010-02-23 19:40 . 2010-02-24 03:44    --------    d-s---w-    c:\documents and settings\Administrator.BARON-PRECISION
2010-02-23 17:25 . 2010-02-23 17:25    552    ----a-w-    c:\windows\system32\d3d8caps.dat
2010-02-23 14:19 . 2010-02-23 14:19    --------    d-sh--w-    c:\documents and settings\Brian Baron\IECompatCache
2010-02-23 14:18 . 2010-02-23 14:18    --------    d-sh--w-    c:\documents and settings\Brian Baron\PrivacIE
2010-02-22 16:48 . 2010-02-22 16:48    --------    d-----w-    c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-22 16:48 . 2010-02-22 16:48    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Office Genuine Advantage
2010-02-22 04:52 . 2010-02-22 04:52    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2010-02-22 04:50 . 2010-02-22 04:50    --------    d-sh--w-    c:\documents and settings\Brian Baron\IETldCache
2010-02-22 04:41 . 2010-02-22 04:41    --------    d-----w-    c:\windows\ie8updates
2010-02-22 04:40 . 2010-03-01 23:41    --------    dc-h--w-    c:\windows\ie8
2010-02-22 04:27 . 2010-02-24 03:46    --------    d-----w-    c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-21 23:29 . 2010-02-21 23:29    --------    d-----w-    c:\documents and settings\Brian Baron\.sv
2010-02-21 23:29 . 2010-02-21 23:29    --------    d-----w-    c:\documents and settings\Brian Baron\.jogl_ext
2010-02-21 23:25 . 2010-02-21 23:25    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Octoshape
2010-02-20 02:03 . 2010-02-24 03:46    --------    d-----w-    c:\program files\Common Files\GNU Ghostscript Shared(2)
2010-02-20 02:02 . 2010-02-24 03:46    --------    d-----w-    c:\program files\Common Files\GPL Ghostscript Shared(2)
2010-02-19 23:08 . 2010-03-01 21:40    --------    d-sh--w-    c:\documents and settings\NetworkService\UserData
2010-02-18 14:31 . 2010-02-18 14:31    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-02-18 14:31 . 2010-02-18 14:31    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2010-02-18 14:30 . 2010-02-18 14:30    104840    ----a-w-    c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 14:30 . 2010-02-18 14:30    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Wave Systems Corp
2010-02-18 01:54 . 2010-02-24 04:03    --------    d-----w-    c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-02-18 01:54 . 2009-11-14 19:55    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Intel
2010-02-18 01:54 . 2010-02-24 04:03    --------    d-s---w-    c:\documents and settings\Administrator
2010-02-18 01:35 . 2010-03-18 15:59    --------    d-----w-    c:\program files\Spyware Doctor
2010-02-18 01:35 . 2010-03-18 15:59    --------    d-----w-    c:\program files\Common Files\PC Tools
2010-02-18 01:26 . 2010-02-18 01:26    --------    d-----w-    c:\windows\McAfee.com
2010-02-17 21:20 . 2010-03-09 16:51    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-18 23:10 . 2009-11-14 12:45    0    ----a-w-    c:\documents and settings\Brian Baron\Local Settings\Application Data\WavXMapDrive.bat
2010-03-18 23:09 . 2009-11-14 06:19    17408    ----a-w-    c:\windows\system32\rpcnetp.dll
2010-03-18 23:09 . 2009-11-14 13:04    57752    ----a-w-    c:\windows\system32\rpcnet.dll
2010-03-17 03:46 . 2004-08-04 12:00    96512    ----a-w-    c:\windows\system32\drivers\atapi.sys
2010-03-16 18:01 . 2009-11-14 13:04    57752    ------w-    c:\windows\system32\rpcnet.exe
2010-03-16 06:49 . 2009-12-29 07:53    1164632    ----a-w-    c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-15 23:20 . 2009-12-28 18:53    3021    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-03-15 16:40 . 2009-11-14 12:45    74784    ----a-w-    c:\documents and settings\Brian Baron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 07:33 . 2010-01-12 23:49    664    ----a-w-    c:\windows\system32\d3d9caps.dat
2010-03-15 00:06 . 2009-11-14 12:39    74784    ----a-w-    c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 21:19 . 2010-01-21 22:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Autodesk
2010-03-14 21:19 . 2010-01-21 22:15    --------    d-----w-    c:\program files\Common Files\Autodesk Shared
2010-03-14 19:38 . 2009-11-14 06:34    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-03-03 00:01 . 2010-02-13 00:31    --------    d-----w-    c:\program files\Microsoft Silverlight
2010-02-25 18:29 . 2009-11-28 20:07    --------    d-----w-    c:\documents and settings\All Users\Application Data\Intuit
2010-02-24 14:32 . 2009-11-14 20:23    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-24 14:16 . 2009-11-14 17:24    --------    d-----w-    c:\program files\McAfee
2010-02-18 14:29 . 2009-11-14 12:18    162995    ----a-w-    c:\windows\system32\nvModes.dat
2010-02-18 00:59 . 2009-11-14 16:41    --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee
2010-02-04 11:34 . 2009-12-28 19:44    211720    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-02-04 11:34 . 2009-12-28 19:44    1337608    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-01-22 16:36 . 2010-01-22 16:36    36864    ----a-w-    c:\documents and settings\Brian Baron\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-01-22 04:54 . 2010-01-21 22:15    --------    d-----w-    c:\documents and settings\Brian Baron\Application Data\Autodesk
2009-12-30 19:58 . 2009-12-30 19:58    975136    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2009-12-30 19:58 . 2009-12-28 19:34    44832    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2009-12-28 19:34 . 2009-12-28 19:34    499712    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2009-12-28 19:34 . 2009-12-28 19:34    348160    ----a-w-    c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2009-12-23 18:32 . 2009-12-23 18:27    118874    ----a-w-    c:\windows\hpoins30.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"Acrobat Assistant 8.0"="d:\adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-11-13 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-12 149280]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR ProSafe VPN Client.lnk - d:\phutils\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2009-11-24 57396]
PHOTOfunSTUDIO HD Edition.lnk - d:\panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-12-12 44176]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-9-4 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-9-4 8975680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 23:20    73728    ----a-w-    c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ       msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\QuickBooks2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/24/2009 3:59 PM 467002]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/24/2009 3:59 PM 118840]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2009 10:28 AM 93320]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/6/2010 11:02 AM 632792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 5:00 AM 5120]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 3:22 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [11/24/2009 3:57 PM 36188]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2/3/2010 12:09 PM 23096]
R3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [2/3/2010 12:09 PM 3768]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/14/2010 12:38 PM 206608]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1ca7df12103cfee;Google Update Service (gupdate1ca7df12103cfee);c:\program files\Google\Update\GoogleUpdate.exe [12/15/2009 6:43 PM 133104]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\RUBotted\TMRUBotted.exe [3/14/2010 12:38 PM 582992]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2/6/2010 2:17 PM 200704]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/14/2010 12:38 PM 206608]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2/27/2010 2:52 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2/27/2010 2:52 PM 44928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/15/2010 6:21 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 01:43]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 01:43]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 20:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 20:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\micros~1\Office12\EXCEL.EXE/3000
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - d:\intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Brian Baron\Application Data\Mozilla\Firefox\Profiles\i7t6g0yu.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: d:\adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-RegistryMechanic - c:\program files\Registry Mechanic\RegMech.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-18 16:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\windows\system32\autochk(19).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(39).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(10).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(11).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(12).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(13).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(14).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(15).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(16).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(17).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(18).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(5).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(6).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(7).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(8).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(20).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(21).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(22).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(23).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(24).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(25).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(26).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(27).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(28).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(29).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(30).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(31).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(32).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(38).exe:BAK 22528 bytes executable
c:\documents and settings\Brian Baron\Application Data\Western Digital\WD SmartWare\sourceq.db3-journal

scan completed successfully
hidden files: 32

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1828)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(4572)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\WiFi\bin\S24EvMon.exe
d:\phutils\NETGEAR\NETGEAR ProSafe VPN Client\IreIKE.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
d:\phutils\NETGEAR\NETGEAR ProSafe VPN Client\IPSecMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-18  16:17:00 - machine was rebooted
ComboFix-quarantined-files.txt  2010-03-18 23:16

Pre-Run: 30,722,875,392 bytes free
Post-Run: 30,850,277,376 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 62A97E3DC869BB8828210CE16B09A70D


#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:34 AM

Posted 18 March 2010 - 09:14 PM

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 19 March 2010 - 07:54 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, March 19, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, March 19, 2010 17:12:43
Records in database: 3815849
--------------------------------------------------------------------------------

Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

Scan area - Folder:
    

Scan statistics:
    Objects scanned: 229503
    Threats found: 8
    Infected objects found: 16
    Suspicious objects found: 0
    Scan duration: 04:02:53


File name / Threat / Threats count
C:\Documents and Settings\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst    Infected: Trojan-PSW.Win32.Agent.qdy    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\crt4.dll.vir    Infected: Backdoor.Win32.Delf.tpm    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir    Infected: Rootkit.Win32.Tdss.ai    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdatat4.dll.vir    Infected: Trojan-Downloader.Win32.Delf.zsq    1
D:\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll    Infected: not-a-virus:Monitor.Win32.Hooker.s    1
D:\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlings@baronprod.com-00000006.pst    Infected: Trojan-Spy.Win32.Zbot.idq    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\4KB7JI0F\img[1].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\68R6EDFU\img[2].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\Q8CL4C0U\img[3].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\R3N1M6YL\img[1].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\V9FUMJT6\img[1].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Install Software\vnc-4_1_2-x86_win32.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4    4
D:\Utils\RealVNC\VNC4\vncviewer.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4    1

Selected area has been scanned.


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:34 AM

Posted 19 March 2010 - 09:33 PM

A few things we need to take care of. The ones in Qoobox will be gone when we uninstall ComboFix.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\Documents and Settings\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
D:\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.s 1
D:\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlings@baronprod.com-00000006.pst
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\4KB7JI0F\img[1].htm
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\68R6EDFU\img[2].htm
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\Q8CL4C0U\img[3].htm
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\R3N1M6YL\img[1].htm
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\V9FUMJT6\img[1].htm


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


You don't have to post the log within the Code box, just paste it directly into the reply window. Makes it a little easier for my old eyes to read.




If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
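The triage in the post above (leave the Qoobox entries for the ComboFix uninstall, decide what to do with the rest, write the survivors into a CFScript File:: block) is easy to get wrong by hand, as the stray "Infected: ..." text that was pasted into the TheHook.dll line shows. The following script is an added example, not code from this thread or from Kaspersky or ComboFix. It parses Kaspersky Online Scanner 7.0 report lines of the form `<path> Infected: <threat> <count>`, sorts each hit into one of four buckets (already quarantined under \Qoobox\Quarantine\, riskware tagged not-a-virus such as VNC or hook DLLs, mail stores such as .pst where only the attachment inside should be removed, and live detections), and emits a File:: block from the live bucket only. The bucket names and the mailbox rule are this example's own design choices; the sample report is a subset of the lines posted above.

```python
import re
from collections import defaultdict

# One Kaspersky Online Scanner 7.0 detection line looks like
#   <path> <whitespace> Infected: <threat name> <whitespace> <count>
# Paths contain spaces, so the path is everything before the "Infected:"
# token and the trailing integer is the hit count. Tabs or runs of
# spaces both match \s+.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# ComboFix quarantine folder: anything here is already neutralised.
QUARANTINE_MARKER = "\\qoobox\\quarantine\\"
# Mail stores: deleting the container destroys all mail, so flag them
# for removal of the offending attachment from inside the mail client.
MAILBOX_SUFFIXES = (".pst", ".ost")

# Sample input: lines copied from the scan report posted in this thread.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst    Infected: Trojan-PSW.Win32.Agent.qdy    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir    Infected: Rootkit.Win32.Tdss.ai    1
D:\AutoIt3\SciTE\AutoItMacroGenerator\TheHook.dll    Infected: not-a-virus:Monitor.Win32.Hooker.s    1
D:\Brian Baron\Local Settings\Temporary Internet Files\Content.IE5\4KB7JI0F\img[1].htm    Infected: Trojan-Clicker.HTML.IFrame.aiw    1
D:\Install Software\vnc-4_1_2-x86_win32.exe    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4    4

Selected area has been scanned.
"""


def parse_report(text):
    """Return a list of (path, threat, count) for every detection line."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path, threat):
    """Map one detection to a triage bucket."""
    p = path.lower()
    if QUARANTINE_MARKER in p:
        return "quarantined"   # removed when ComboFix is uninstalled
    if threat.startswith("not-a-virus:"):
        return "riskware"      # legitimate tool; needs a human decision
    if p.endswith(MAILBOX_SUFFIXES):
        return "mailbox"       # clean the attachment, do not delete the store
    return "live"              # candidate for the ComboFix File:: block


def triage(text):
    """Group all detections in the report by bucket name."""
    buckets = defaultdict(list)
    for path, threat, count in parse_report(text):
        buckets[classify(path, threat)].append((path, threat, count))
    return dict(buckets)


def cfscript_file_block(text):
    """Build the File:: section of a CFScript from live detections only.

    Only the bare path is written per line; trailing detection text
    (as in the hand-written script above) would make ComboFix look for
    a file name that does not exist.
    """
    live = triage(text).get("live", [])
    return "File::\n" + "".join(path + "\n" for path, _, _ in live)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_REPORT).items()):
        print(f"== {bucket} ({len(items)})")
        for path, threat, count in items:
            print(f"   {threat} x{count}  {path}")
    print()
    print(cfscript_file_block(SAMPLE_REPORT))
```

Paste a full report into `SAMPLE_REPORT` (or read it from the saved text file) and review the riskware and mailbox buckets by hand before using the generated File:: block; the script deliberately never writes those paths into it.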

#12 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 20 March 2010 - 05:06 PM

Sorry about the code box but in the beginning when I was having trouble posting (browser would reset connection msg & fragments of the log), the code box seemed to help.

ComboFix 10-03-18.01 - Brian Baron 03/20/2010 14:38:14.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1321 [GMT -7:00]
Running from: c:\documents and settings\Brian Baron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian Baron\Desktop\cfscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst"
"d:\autoit3\SciTE\AutoItMacroGenerator\TheHook.dll Infected: not-a-virus:Monitor.Win32.Hooker.s 1"
"d:\brian baron\Local Settings\Application Data\Microsoft\Outlook\Outlings@baronprod.com-00000006.pst"
"d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\4KB7JI0F\img[1].htm"
"d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\68R6EDFU\img[2].htm"
"d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\Q8CL4C0U\img[3].htm"
"d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\R3N1M6YL\img[1].htm"
"d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\V9FUMJT6\img[1].htm"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian Baron\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
d:\brian baron\Local Settings\Application Data\Microsoft\Outlook\Outlings@baronprod.com-00000006.pst
d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\4KB7JI0F\img[1].htm
d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\68R6EDFU\img[2].htm
d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\Q8CL4C0U\img[3].htm
d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\R3N1M6YL\img[1].htm
d:\brian baron\Local Settings\Temporary Internet Files\Content.IE5\V9FUMJT6\img[1].htm

.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-16 17:44 . 2010-03-16 17:44 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ServiceTest
2010-03-16 01:42 . 2010-03-16 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-03-16 01:25 . 2010-03-16 01:25 -------- d-----w- c:\documents and settings\Brian Baron\Local Settings\Application Data\Western_Digital
2010-03-16 01:22 . 2010-03-16 01:22 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Western Digital
2010-03-16 01:22 . 2010-03-16 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-03-16 01:22 . 2010-03-16 01:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-03-16 01:21 . 2009-02-13 19:02 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-03-16 01:21 . 2010-03-16 01:21 -------- d-----w- c:\program files\Western Digital
2010-03-16 01:19 . 2010-03-16 01:19 -------- d-----w- c:\documents and settings\Brian Baron\Local Settings\Application Data\Western Digital
2010-03-14 19:49 . 2010-03-14 19:49 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-14 19:49 . 2010-03-14 19:49 -------- d-----w- c:\documents and settings\Brian Baron\log
2010-03-14 19:38 . 2008-03-02 10:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-03-14 18:56 . 2010-03-20 16:01 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-03-09 07:10 . 2010-03-09 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-09 07:09 . 2010-03-09 20:53 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\SUPERAntiSpyware.com
2010-03-09 07:09 . 2010-03-09 20:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-09 05:38 . 2010-03-14 19:59 -------- d-----w- c:\program files\trend micro
2010-03-09 05:38 . 2010-03-09 05:38 -------- d-----w- C:\rsit
2010-03-09 04:43 . 2010-03-09 04:43 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Malwarebytes
2010-03-09 04:43 . 2010-03-09 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-09 04:43 . 2010-03-09 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-03 21:58 . 2010-03-16 18:01 13160 ----a-w- c:\windows\system32\Upgrd.exe
2010-03-03 00:05 . 2010-03-03 00:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-02 13:01 . 2010-03-02 13:01 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Application Data\IObit
2010-03-02 06:38 . 2010-03-02 06:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-02 04:16 . 2010-03-02 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-02 04:16 . 2010-03-02 04:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-02 04:02 . 2010-03-02 04:02 -------- d-----w- c:\documents and settings\Brian Baron\Local Settings\Application Data\Threat Expert
2010-03-02 03:53 . 2010-03-02 03:53 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\IObit
2010-03-02 02:06 . 2010-03-18 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-02 02:03 . 2010-03-18 15:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 01:32 . 2010-03-02 01:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Mozilla
2010-03-02 00:32 . 2010-03-02 00:32 104840 ----a-w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-02 00:32 . 2010-03-02 00:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Adobe
2010-03-02 00:32 . 2010-03-02 00:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Apple Computer
2010-03-02 00:32 . 2010-03-02 00:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\NTRU Cryptosystems
2010-03-02 00:32 . 2010-03-09 04:25 0 ----a-w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\WavXMapDrive.bat
2010-03-02 00:32 . 2010-03-02 00:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Application Data\Wave Systems Corp
2010-03-02 00:32 . 2010-03-02 00:32 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION.000\Local Settings\Application Data\Wave Systems Corp
2010-03-01 23:39 . 2010-03-01 23:42 -------- d--h--w- c:\windows\msdownld.tmp
2010-02-27 21:53 . 2010-02-27 21:53 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Leadertech
2010-02-27 21:52 . 2010-02-27 21:52 -------- d-----w- c:\program files\Keyspan
2010-02-27 21:52 . 2003-03-18 01:11 77824 ----a-w- c:\windows\system32\USA19HPropPage.dll
2010-02-27 21:52 . 2003-06-25 04:30 727908 ----a-w- c:\windows\system32\drivers\USA19H2k.sys
2010-02-27 21:52 . 2003-06-25 04:21 44928 ----a-w- c:\windows\system32\drivers\USA19H2kp.sys
2010-02-27 21:52 . 2003-03-17 16:16 49152 ----a-r- c:\windows\system32\k19hinst.dll
2010-02-24 21:06 . 1997-11-19 23:49 303616 ----a-w- c:\windows\IsUninst.exe
2010-02-24 21:06 . 2010-02-24 21:06 -------- d-----w- c:\documents and settings\Brian Baron\WINDOWS
2010-02-24 05:31 . 2009-08-07 03:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-24 05:31 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-24 04:04 . 2010-02-24 04:04 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-23 19:43 . 2010-02-23 19:43 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Adobe
2010-02-23 19:43 . 2010-02-23 19:43 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Apple Computer
2010-02-23 19:42 . 2010-02-23 19:42 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Wave Systems Corp
2010-02-23 19:41 . 2010-02-23 19:41 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\IETldCache
2010-02-23 19:40 . 2010-02-24 03:44 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\Local Settings\Application Data\Microsoft
2010-02-23 19:40 . 2009-11-14 19:55 -------- d-----w- c:\documents and settings\Administrator.BARON-PRECISION\Application Data\Intel
2010-02-23 19:40 . 2010-02-24 03:44 -------- d-s---w- c:\documents and settings\Administrator.BARON-PRECISION
2010-02-23 17:25 . 2010-02-23 17:25 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-23 14:19 . 2010-02-23 14:19 -------- d-sh--w- c:\documents and settings\Brian Baron\IECompatCache
2010-02-23 14:18 . 2010-02-23 14:18 -------- d-sh--w- c:\documents and settings\Brian Baron\PrivacIE
2010-02-22 16:48 . 2010-02-22 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-22 16:48 . 2010-02-22 16:48 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Office Genuine Advantage
2010-02-22 04:52 . 2010-02-22 04:52 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-02-22 04:50 . 2010-02-22 04:50 -------- d-sh--w- c:\documents and settings\Brian Baron\IETldCache
2010-02-22 04:41 . 2010-02-22 04:41 -------- d-----w- c:\windows\ie8updates
2010-02-22 04:40 . 2010-03-01 23:41 -------- dc-h--w- c:\windows\ie8
2010-02-22 04:27 . 2010-02-24 03:46 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-21 23:29 . 2010-02-21 23:29 -------- d-----w- c:\documents and settings\Brian Baron\.sv
2010-02-21 23:29 . 2010-02-21 23:29 -------- d-----w- c:\documents and settings\Brian Baron\.jogl_ext
2010-02-21 23:25 . 2010-02-21 23:25 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Octoshape
2010-02-20 02:03 . 2010-02-24 03:46 -------- d-----w- c:\program files\Common Files\GNU Ghostscript Shared(2)
2010-02-20 02:02 . 2010-02-24 03:46 -------- d-----w- c:\program files\Common Files\GPL Ghostscript Shared(2)
2010-02-19 23:08 . 2010-03-01 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 21:21 . 2009-11-14 12:45 0 ----a-w- c:\documents and settings\Brian Baron\Local Settings\Application Data\WavXMapDrive.bat
2010-03-20 16:01 . 2009-11-14 13:04 57752 ----a-w- c:\windows\system32\rpcnet.dll
2010-03-20 16:01 . 2009-11-14 06:19 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-03-18 15:59 . 2010-02-18 01:35 -------- d-----w- c:\program files\Spyware Doctor
2010-03-18 15:59 . 2010-02-18 01:35 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-17 03:46 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-16 18:01 . 2009-11-14 13:04 57752 ------w- c:\windows\system32\rpcnet.exe
2010-03-16 06:49 . 2009-12-29 07:53 1164632 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-15 23:20 . 2009-12-28 18:53 3021 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-03-15 16:40 . 2009-11-14 12:45 74784 ----a-w- c:\documents and settings\Brian Baron\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-15 07:33 . 2010-01-12 23:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-15 00:06 . 2009-11-14 12:39 74784 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-14 21:19 . 2010-01-21 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2010-03-14 21:19 . 2010-01-21 22:15 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-03-14 19:38 . 2009-11-14 06:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-03 00:01 . 2010-02-13 00:31 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-25 18:29 . 2009-11-28 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-02-24 14:32 . 2009-11-14 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-24 14:16 . 2009-11-14 17:24 -------- d-----w- c:\program files\McAfee
2010-02-18 14:30 . 2010-02-18 14:30 104840 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-18 14:29 . 2009-11-14 12:18 162995 ----a-w- c:\windows\system32\nvModes.dat
2010-02-18 00:59 . 2009-11-14 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-04 11:34 . 2009-12-28 19:44 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-02-04 11:34 . 2009-12-28 19:44 1337608 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-01-22 16:36 . 2010-01-22 16:36 36864 ----a-w- c:\documents and settings\Brian Baron\Application Data\Autodesk\DWG TrueView 2010\R7\enu\ContextualTabSelectorRules.dll
2010-01-22 04:54 . 2010-01-21 22:15 -------- d-----w- c:\documents and settings\Brian Baron\Application Data\Autodesk
2009-12-30 19:58 . 2009-12-30 19:58 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2009-12-30 19:58 . 2009-12-28 19:34 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2009-12-28 19:34 . 2009-12-28 19:34 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2009-12-28 19:34 . 2009-12-28 19:34 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2009-12-23 18:32 . 2009-12-23 18:27 118874 ----a-w- c:\windows\hpoins30.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2007-09-12 176128]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2007-09-14 75064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2009-05-21 1372160]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-05-21 1202448]
"Acrobat Assistant 8.0"="d:\adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2009-11-13 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-12 149280]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR ProSafe VPN Client.lnk - d:\phutils\NETGEAR\NETGEAR ProSafe VPN Client\SafeCfg.exe [2009-11-24 57396]
PHOTOfunSTUDIO HD Edition.lnk - d:\panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-12-12 44176]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-9-4 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-9-4 8975680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 23:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"d:\\QuickBooks2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"d:\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [11/24/2009 3:59 PM 467002]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [11/24/2009 3:59 PM 118840]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/14/2009 10:28 AM 93320]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/6/2010 11:02 AM 632792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 5:00 AM 5120]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/4/2009 3:22 PM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [11/24/2009 3:57 PM 36188]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2/3/2010 12:09 PM 23096]
R3 DrmRVideo;DrmRVideo;c:\windows\system32\drivers\DrmRVideo.sys [2/3/2010 12:09 PM 3768]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [3/14/2010 12:38 PM 206608]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1ca7df12103cfee;Google Update Service (gupdate1ca7df12103cfee);c:\program files\Google\Update\GoogleUpdate.exe [12/15/2009 6:43 PM 133104]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\RUBotted\TMRUBotted.exe [3/14/2010 12:38 PM 582992]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2/6/2010 2:17 PM 200704]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [3/14/2010 12:38 PM 206608]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2/27/2010 2:52 PM 727908]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2/27/2010 2:52 PM 44928]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [3/15/2010 6:21 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 01:43]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-16 01:43]

2010-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 20:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-14 20:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\micros~1\Office12\EXCEL.EXE/3000
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - d:\intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Brian Baron\Application Data\Mozilla\Firefox\Profiles\i7t6g0yu.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF - plugin: d:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 14:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\autochk(19).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(39).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(10).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(11).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(12).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(13).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(14).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(15).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(16).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(17).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(18).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(4).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(5).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(6).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(7).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(8).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(20).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(21).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(22).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(23).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(24).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(25).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(26).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(27).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(28).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(29).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(3).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(30).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(31).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(32).exe:BAK 22528 bytes executable
c:\windows\system32\autochk(38).exe:BAK 22528 bytes executable

scan completed successfully
hidden files: 31

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1776)
c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(1832)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-03-20 14:45:08
ComboFix-quarantined-files.txt 2010-03-20 21:45
ComboFix2.txt 2010-03-18 23:17

Pre-Run: 30,855,614,464 bytes free
Post-Run: 30,735,839,232 bytes free

- - End Of File - - 6F3D6A7219BAE2E7C4247688B33A6819


#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:11:34 AM

Posted 20 March 2010 - 07:10 PM

It was OK to use Code if you needed to. Totally understandable.

I want you to try to upload the following file if you can so I can have it checked:
  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/302643/help-searches-get-redirected/?p=1681326
  • Click Browse and select c:\windows\system32\biolsp.dll.
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it.
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.



If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper


Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 21 March 2010 - 11:00 AM

I just uploaded the file "biolsp.dll" as requested.

#15 red_baron

red_baron
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:34 AM

Posted 21 March 2010 - 11:07 AM

I just tried to use Outlook and it told me my Outlook.pst file is missing. Was it infected? Will I have to create a new one or can I recover this somehow, like restoring the archive.pst?
