
annoying malware/spyware pop-up

This topic is locked. 25 replies to this topic.

#1 mike4262

mike4262

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:CA
  • Local time:07:09 PM

Posted 04 April 2010 - 02:19 PM

Hello,

Thanks for helping me out. This seems like a last resort for me. For the past week I keep getting this annoying pop-up. This is what it says.

'Your browser is under the threat of infection. Windows requires your permission to install online protection tool.' Then it goes on saying my browser is in unsafe mode. My browser (IE 8) is in safe mode. If I allow the pop-up to download this so-called tool, it asks me to run this strange filename, and usually each time it's a different file. I search for the filename online and there are 0 results for it. I never allow it to download and just click out of the pop-up.

I know I have some type of spyware/malware/virus because I also can't update my Trend Micro, Windows, or any other anti-virus software that I download, such as Malwarebytes, Spybot, or HouseCall. By the way, Malwarebytes only finds 2 infected files each time I scan and deletes them. It finds 'trojan.dnschanger' or something like that and it's always these 2 files, which tells me these files keep coming back.

Everything else works on my computer. Right now the only anti-virus software I have is trend micro 2010.

Below are my Hijackthis logs:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:53 AM, on 4/4/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mike\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [QCDriverInstaller] C:\PROGRA~1\COMMON~1\Logitech\QCDRIV~1\Lqdsw.exe /addrun /l 1033 /LaunchAtStart
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\IronMouse\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9cc0ffb8b24b4) (gupdate1c9cc0ffb8b24b4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8681 bytes





Thanks,

Mike

Edited by boopme, 04 April 2010 - 02:32 PM.
Moved to Virus,Trojan and Malware Removal Logs~~boopme
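A small triage helper for HijackThis-style log lines, added here as an example (it is not a BleepingComputer or HijackThis tool). It parses the section prefix (R0, O1, O2, O23 ...) and flags the entries a log reviewer usually looks at first: registrations whose target file is gone, hosts-file entries that map anything other than localhost, and start/search pages that do not point at a known OEM or Microsoft default. The allowlist of default hosts is an assumption for this example; the sample lines mix entries copied from the log above with two constructed ones, marked as such.

```python
"""Triage HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed allowlist: the hosts the OEM/Microsoft default start and search
# pages in the log above point at. Tune this per environment.
KNOWN_DEFAULT_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com", "www.google.com"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<addr>\S+)\s+(?P<name>\S+)")
URL_RE = re.compile(r"=\s*(?P<url>https?://\S+)\s*$")

# Sample input: first seven lines copied from the HijackThis log above,
# last two constructed for this example.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O1 - Hosts: 127.0.0.1 updates.example-vendor.test
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example-unknown.test/
"""


@dataclass
class Entry:
    section: str          # HijackThis section tag, e.g. "O2" or "R0"
    body: str             # everything after "Xn - "
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a HijackThis section line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return Entry(m.group("section"), m.group("body")) if m else None


def triage(entry):
    """Attach review flags to one parsed entry and return it."""
    low = entry.body.lower()
    # A BHO, protocol handler or service still registered but whose binary is gone.
    if "(no file)" in low or "(file missing)" in low:
        entry.flags.append("orphaned")
    # O1: any hosts mapping beyond the loopback/localhost pair gets a look, since
    # hosts overrides are a common way update servers end up unreachable.
    if entry.section == "O1":
        m = HOSTS_RE.match(entry.body)
        if m and not (m.group("name").lower() == "localhost"
                      and m.group("addr") in ("127.0.0.1", "::1")):
            entry.flags.append("hosts-override")
    # R0/R1: start and search pages pointing somewhere other than a known default.
    if entry.section in ("R0", "R1"):
        m = URL_RE.search(entry.body)
        if m and (urlsplit(m.group("url")).hostname or "") not in KNOWN_DEFAULT_HOSTS:
            entry.flags.append("unexpected-url")
    return entry


def triage_log(text):
    """Parse every section line in a log and run triage over it."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def flagged(text):
    """Map entry body -> flags, for entries that raised at least one flag."""
    return {e.body: e.flags for e in triage_log(text) if e.flags}


if __name__ == "__main__":
    for body, flags in flagged(SAMPLE_LOG).items():
        print(", ".join(flags).ljust(16), body)
```

Flagged entries still need a human decision: an orphaned registration is often just a leftover from an uninstalled product, as the Symantec service line above most likely is.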



#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:09 PM

Posted 05 April 2010 - 10:23 AM

Hello mike4262, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



In order to better assist you I will need the following:




Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt









  • If you have any CD emulation software such as Daemon or Alcohol please run the following before you run GMER. If you do not, skip DeFogger and go right on to GMER. If you do use it let me know so we can re-enable it when we finish up.



    Disable:


    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers.
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.



    Disable your antivirus along with other security programs such as Windows Defender or TeaTimer before running the following. Instructions can be found Here.



    Download GMER Rootkit Scanner from here to your desktop.
    • Double click the exe file.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.





    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop, and post it in reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.




    If GMER does not want to run add the following to those that you unchecked and try it again:

    • Registry
    • Files

    Note: Please make only the Attach.txt from DDS an attachment, post the other logs directly into the reply window.



    Thanks,



    thewall



#3 mike4262

mike4262

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:CA
  • Local time:07:09 PM

Posted 05 April 2010 - 02:20 PM

Hello thewall,

I have followed your rules. I'm only running Trend Micro and have deleted Malwarebytes and Spybot, but I see some of these files still exist in these logs. Anyways, below is the dds.txt.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 11:20:28.41 on Mon 04/05/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1119 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\msfeedssync.exe
C:\Users\Mike\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\ironmouse\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE
mRun: [QCDriverInstaller] c:\progra~1\common~1\logitech\qcdriv~1\Lqdsw.exe /addrun /l 1033 /LaunchAtStart
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: apple.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: torrentz.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\n8dypcg8.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\mike\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2010-4-3 146448]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-4-3 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2010-4-3 283152]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-4-3 50704]
S2 gupdate1c9cc0ffb8b24b4;Google Update Service (gupdate1c9cc0ffb8b24b4);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-6 21504]

=============== Created Last 30 ================

2010-04-04 03:07:26 0 d-----w- c:\programdata\Trend Micro
2010-04-04 03:05:07 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2010-04-04 03:05:07 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2010-04-04 03:05:07 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2010-04-04 03:05:07 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2010-04-04 03:05:07 283152 ----a-w- c:\windows\system32\drivers\tmwfp.sys
2010-04-04 03:05:07 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2010-04-04 03:05:07 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-04 03:05:07 146448 ----a-w- c:\windows\system32\drivers\tmlwf.sys
2010-04-04 03:05:07 1220120 ----a-w- c:\windows\system32\drivers\VsapiNT.sys
2010-04-04 02:55:32 0 d-----w- c:\windows\system32\Interactive
2010-04-01 22:22:34 0 d-----w- c:\program files\iPod
2010-04-01 22:22:30 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 22:22:30 0 d-----w- c:\program files\iTunes
2010-04-01 22:10:55 0 d-----w- c:\program files\Bonjour
2010-04-01 03:41:03 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-03-30 00:14:22 0 d-----w- c:\windows\system32\Adobe
2010-03-29 23:02:40 0 d-----w- c:\programdata\Lavasoft
2010-03-29 00:54:48 0 d-----w- c:\users\mike\appdata\roaming\Malwarebytes
2010-03-29 00:54:41 0 d-----w- c:\programdata\Malwarebytes
2010-03-27 02:22:13 0 d-----w- c:\windows\system32\Service
2010-03-27 02:22:10 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys
2010-03-18 04:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 04:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-08 01:41:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-03-08 01:40:50 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-03-08 01:40:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-03-08 01:40:49 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

==================== Find3M ====================

2010-04-05 17:45:27 31776 ----a-w- c:\programdata\nvModes.dat
2010-04-04 03:09:57 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-04 03:09:57 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-04 03:09:56 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-28 02:05:24 103863 ----a-w- c:\windows\hpqins11.dat
2009-11-24 03:28:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-06-07 06:25:43 174 --sha-w- c:\program files\desktop.ini
2007-07-16 01:45:01 3655608 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
2007-07-16 01:44:35 25990432 ----a-w- c:\program files\FLV PlayerRCSetup.exe
2007-01-23 09:50:10 38119 ----a-w- c:\program files\db_pcc.dat
    2007-01-11 02:33:48 3817984 ----a-w- c:\program files\tmpcc64.msi
    2007-01-11 02:30:00 3927024 ----a-w- c:\program files\pcc.exe
    2007-01-11 02:30:00 3342848 ----a-w- c:\program files\tmpcc.msi
    2006-12-29 22:52:48 64 ----a-w- c:\program files\Tmsrl.dat
    2006-12-29 22:52:48 274 ----a-w- c:\program files\setup.ini
    2006-12-29 22:52:46 3584 ----a-w- c:\program files\1033.mst
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-15 20:06:57 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 11:23:06.57 ===============


I did not use Defogger, so I followed your rules to use GMER. Below is GMER.



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-05 12:03:17
    Windows 6.0.6002 Service Pack 2
    Running: g5rdih6p.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kwldypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 87E290A0 ZwCreateKey
    SSDT 87E2A3E0 ZwCreateMutant
    SSDT 87E282E0 ZwCreateProcess
    SSDT 87E285A0 ZwCreateProcessEx
    SSDT 87E29F00 ZwCreateThread
    SSDT 87E29620 ZwDeleteKey
    SSDT 87E298E0 ZwDeleteValueKey
    SSDT 87E2A240 ZwLoadDriver
    SSDT 87E28B20 ZwOpenProcess
    SSDT 87E2A580 ZwSetSystemInformation
    SSDT 87E29360 ZwSetValueKey
    SSDT 87E28DE0 ZwTerminateProcess
    SSDT 87E29D60 ZwWriteVirtualMemory
    SSDT 87E2A0A0 ZwCreateThreadEx
    SSDT 87E28860 ZwCreateUserProcess

    INT 0x51 ? 86CEDBF8
    INT 0x72 ? 86CEDBF8
    INT 0x82 ? 86CEDBF8
    INT 0xA2 ? 84889BF8
    INT 0xB2 ? 84885BF8

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8521D1F8
    Device \Driver\volmgr \Device\VolMgrControl 848871F8
    Device \Driver\usbuhci \Device\USBPDO-0 86E53500
    Device \Driver\usbuhci \Device\USBPDO-1 86E53500
    Device \Driver\usbuhci \Device\USBPDO-2 86E53500
    Device \Driver\usbuhci \Device\USBPDO-3 86E53500
    Device \Driver\usbehci \Device\USBPDO-4 86E521F8

    AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\volmgr \Device\HarddiskVolume1 848871F8
    Device \Driver\volmgr \Device\HarddiskVolume2 848871F8
    Device \Driver\cdrom \Device\CdRom0 86E5F1F8
    Device \Driver\USBSTOR \Device\00000065 87395500
    Device \Driver\netbt \Device\NetBT_Tcpip_{FE9D099A-9D9B-4DC7-919F-B62A8F6B1B61} 8724B500
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8521C1F8
    Device \Driver\iaStor \Device\Ide\iaStor0 [826C3F90] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 8521C1F8
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826C3F90] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\volmgr \Device\HarddiskVolume3 848871F8
    Device \Driver\volmgr \Device\HarddiskVolume4 848871F8
    Device \Driver\volmgr \Device\HarddiskVolume5 848871F8
    Device \Driver\volmgr \Device\HarddiskVolume6 848871F8
    Device \Driver\USBSTOR \Device\00000069 87395500
    Device \Driver\netbt \Device\NetBT_Tcpip_{9B595A4E-966C-4E67-8E84-05E0BF446F85} 8724B500
    Device \Driver\netbt \Device\NetBt_Wins_Export 8724B500
    Device \Driver\Smb \Device\NetbiosSmb 8724C1F8
    Device \Driver\iScsiPrt \Device\RaidPort0 86E721F8

    AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

    Device \Driver\USBSTOR \Device\0000006a 87395500
    Device \Driver\USBSTOR \Device\0000006b 87395500
    Device \Driver\USBSTOR \Device\0000006c 87395500
    Device \Driver\usbuhci \Device\USBFDO-0 86E53500
    Device \Driver\usbuhci \Device\USBFDO-1 86E53500
    Device \Driver\usbuhci \Device\USBFDO-2 86E53500
    Device \Driver\usbuhci \Device\USBFDO-3 86E53500
    Device \Driver\usbehci \Device\USBFDO-4 86E521F8
    Device \FileSystem\cdfs \Cdfs 87F95500

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----


Thanks for your help,

mike



#4 thewall
• Malware Response Team
• 6,425 posts
• Gender:Male
• Location:Florida

Posted 05 April 2010 - 04:55 PM

    You're welcome.

    Here is what we will do next:

    Please download ComboFix from one of these locations:

    Link 1
    Link 2

• IMPORTANT!!! Save ComboFix.exe to your Desktop.
• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE.
• Double click on ComboFix.exe & follow the prompts.


    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.



If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#5 mike4262
• Topic Starter
• Members
• 21 posts
• Gender:Male
• Location:CA

Posted 05 April 2010 - 10:05 PM

Hello thewall,

Per your instructions I ran ComboFix. Here's the log.

    ComboFix 10-04-05.01 - Mike 04/05/2010 18:51:43.1.2 - x86
    Running from: c:\users\Mike\Desktop\ComboFix.exe
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1831635016-1148291682-131195038-500
    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    c:\windows\system32\service
    c:\windows\system32\service\03042010_TIS17_SfFniAU.log
    c:\windows\system32\service\26032010_TIS17_SfFniAU.log
    c:\windows\system32\service\29032010_TIS17_SfFniAU.log
    c:\windows\system32\service\31032010_TIS17_SfFniAU.log

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
    .

    2010-04-06 02:03 . 2010-04-06 02:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-06 02:03 . 2010-04-06 02:03 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-04-04 03:07 . 2010-04-04 03:11 -------- d-----w- c:\programdata\Trend Micro
    2010-04-04 03:05 . 2010-04-04 03:05 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2010-04-04 03:05 . 2010-04-04 03:05 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2010-04-04 03:05 . 2010-04-04 03:05 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2010-04-04 03:05 . 2010-04-04 03:05 283152 ----a-w- c:\windows\system32\drivers\tmwfp.sys
    2010-04-04 03:05 . 2010-04-04 03:05 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-04-04 03:05 . 2010-04-04 03:05 146448 ----a-w- c:\windows\system32\drivers\tmlwf.sys
    2010-04-04 03:05 . 2009-05-22 08:02 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2010-04-04 03:05 . 2009-05-22 08:00 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2010-04-04 03:05 . 2009-05-22 07:45 1220120 ----a-w- c:\windows\system32\drivers\VsapiNT.sys
    2010-04-04 02:55 . 2010-04-04 02:55 -------- d-----w- c:\windows\system32\Interactive
    2010-04-01 22:22 . 2010-04-01 22:22 -------- d-----w- c:\program files\iPod
    2010-04-01 22:22 . 2010-04-01 22:23 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-01 22:22 . 2010-04-01 22:23 -------- d-----w- c:\program files\iTunes
    2010-04-01 22:17 . 2010-04-01 22:18 -------- d-----w- c:\program files\QuickTime
    2010-04-01 22:10 . 2010-04-01 22:10 -------- d-----w- c:\program files\Bonjour
    2010-04-01 22:08 . 2010-04-01 22:08 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
    2010-04-01 03:41 . 2010-04-01 03:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-03-30 03:17 . 2009-11-20 11:08 38784 ----a-w- c:\users\Mike\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-03-30 00:14 . 2010-03-30 00:14 -------- d-----w- c:\windows\system32\Adobe
    2010-03-29 23:02 . 2010-03-29 23:28 -------- d-----w- c:\programdata\Lavasoft
    2010-03-29 00:54 . 2010-03-29 00:54 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
    2010-03-29 00:54 . 2010-03-29 00:54 -------- d-----w- c:\programdata\Malwarebytes
    2010-03-28 00:37 . 2010-03-28 03:12 680 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
    2010-03-27 02:22 . 2009-05-22 07:58 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys
    2010-03-25 00:00 . 2010-03-27 01:59 -------- d-----w- c:\users\Mike\AppData\Local\Trend Micro
    2010-03-08 01:41 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-03-08 01:40 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-03-08 01:40 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-03-08 01:40 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-06 01:39 . 2009-11-08 20:04 31776 ----a-w- c:\programdata\nvModes.dat
    2010-04-05 17:48 . 2009-09-30 12:32 211720 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
    2010-04-05 17:48 . 2009-09-30 12:32 1352968 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
    2010-04-05 17:46 . 2008-06-12 00:31 -------- d-----w- c:\programdata\Google Updater
    2010-04-04 03:08 . 2007-02-15 05:50 -------- d-----w- c:\program files\Trend Micro
    2010-04-01 22:22 . 2008-12-25 20:06 -------- d-----w- c:\program files\Common Files\Apple
    2010-03-29 18:25 . 2009-09-27 17:12 3732 ----a-w- c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
    2010-03-29 00:46 . 2009-09-30 12:26 869664 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\DownloadQB19\Patch\qbpatch.exe
    2010-03-27 02:23 . 2007-02-14 01:25 -------- d-----w- c:\program files\Google
    2010-03-27 01:02 . 2008-04-09 02:11 -------- d-----w- c:\programdata\pdf995
    2010-03-19 01:33 . 2007-02-15 06:32 -------- d-----w- c:\programdata\Microsoft Help
    2010-03-10 01:20 . 2008-12-26 20:40 -------- d-----w- c:\users\Mike\AppData\Roaming\uTorrent
    2010-03-01 18:29 . 2010-03-01 18:29 -------- d-----w- c:\users\Mike\AppData\Roaming\PeerNetworking
    2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-02-03 20:56 . 2010-02-03 20:56 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1AF1.tmp.exe
    2010-01-28 02:05 . 2010-01-28 02:01 103863 ----a-w- c:\windows\hpqins11.dat
    2010-01-28 01:57 . 2010-01-28 01:57 507696 ----a-w- c:\programdata\HP\Installer\Temp\HpqReg40.exe
    2010-01-28 01:57 . 2010-01-28 01:57 353584 ----a-w- c:\programdata\HP\Installer\Temp\HpqReg01.exe
    2010-01-06 15:38 . 2010-03-08 01:40 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-03-08 01:40 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 15:38 . 2010-03-08 01:40 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-06 15:38 . 2010-03-08 01:40 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2007-07-16 01:45 . 2007-07-16 01:44 3655608 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
    2007-07-16 01:44 . 2007-07-16 01:41 25990432 ----a-w- c:\program files\FLV PlayerRCSetup.exe
    2007-01-23 09:50 . 2007-01-23 09:50 38119 ----a-w- c:\program files\db_pcc.dat
    2007-01-11 02:33 . 2007-01-11 02:33 3817984 ----a-w- c:\program files\tmpcc64.msi
    2007-01-11 02:30 . 2007-01-11 02:30 3927024 ----a-w- c:\program files\pcc.exe
    2007-01-11 02:30 . 2007-01-11 02:30 3342848 ----a-w- c:\program files\tmpcc.msi
    2006-12-29 22:52 . 2006-12-29 22:52 64 ----a-w- c:\program files\Tmsrl.dat
    2006-12-29 22:52 . 2006-12-29 22:52 274 ----a-w- c:\program files\setup.ini
    2006-12-29 22:52 . 2006-12-29 22:52 3584 ----a-w- c:\program files\1033.mst
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-12 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-10-25 4702208]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
    "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2006-07-19 549376]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-10-28 1085704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13789728]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "LVCOMS"="c:\program files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 90112]
    "QCDriverInstaller"="c:\progra~1\COMMON~1\Logitech\QCDRIV~1\Lqdsw.exe" [2002-09-20 638976]
    "LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 155648]
    "LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 45056]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2010-04-04 1020248]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-10 984352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 12:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2006-09-29 20:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-03-26 08:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-03-09 04:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b6,53,20,62,90,fc,c9,01

    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-03-14 716272]
    R2 gupdate1c9cc0ffb8b24b4;Google Update Service (gupdate1c9cc0ffb8b24b4);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 133104]
    S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2010-04-04 146448]
    S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
    S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2010-04-04 283152]
    S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-05-24 501248]
    S3 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2010-04-04 50704]
    S3 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2010-04-04 497008]
    S3 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2010-04-04 689416]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-06 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 17:56]

    2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:55]

    2010-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 16:55]

    2010-04-06 c:\windows\Tasks\User_Feed_Synchronization-{3E0DBEB3-19ED-498E-94FE-BE14BA90C5FA}.job
    - c:\windows\system32\msfeedssync.exe [2010-01-22 04:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    Trusted Zone: apple.com\www
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: torrentz.com\www
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\n8dypcg8.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\users\Mike\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    HKCU-Run-SpybotSD TeaTimer - c:\program files\IronMouse\TeaTimer.exe
    HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    MSConfigStartUp-Launch LGDCore - c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe
    AddRemove-HijackThis - c:\users\Mike\Desktop\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-05 19:04
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1831635016-1148291682-131195038-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*X*V*I*D*-*F*O*X*-*M*F*D*s*s*"!\OpenWithList]
    @Class="Shell"
    .
    Completion time: 2010-04-05 19:07:50
    ComboFix-quarantined-files.txt 2010-04-06 02:07

    Pre-Run: 145,308,540,928 bytes free
    Post-Run: 145,468,776,448 bytes free

- - End Of File - - 571991B6D6865212BD824EAABF9E06C3


Thanks,

mike



#6 thewall
• Malware Response Team
• 6,425 posts
• Gender:Male
• Location:Florida

Posted 06 April 2010 - 10:54 AM

You're welcome, Mike.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

    If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
• Open the Kaspersky WebScanner page.
    • Click on the button on the main page.
    • The program will launch and fill in the Information section on the left.
    • Read the "Requirements and Limitations" then press the button.
    • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
    • Once the files have been downloaded, click on the ...button.
      In the scan settings make sure the following are selected:
      • Detect malicious programs of the following categories:
        Viruses, Worms, Trojan Horses, Rootkits
        Spyware, Adware, Dialers and other potentially dangerous programs
      • Scan compound files (doesn't apply to the File scan area):
        Archives
        Mail databases
        By default the above items should already be checked.
      • Click the button, if you made any changes.
• Now under the Scan section on the left:
  Select My Computer
    • The program will now start and scan your system. This will run for a while, be patient and let it finish.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • In the drop down box labeled Files of type change the type to Text file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    You can refer to this animation by sundavis if needed.

#7 mike4262
• Topic Starter
• Members
• 21 posts
• Gender:Male
• Location:CA

Posted 06 April 2010 - 12:19 PM

    hello,

I was not able to run Kaspersky because it failed at uploading the updates before scanning. I tried many times and always got the same error message that it failed to update and to check my internet connection. This is the problem I'm having. Nothing updates on my computer. The virus is not letting me. What else shall I do?

    mike

    #8 thewall (Malware Response Team)

    Posted 06 April 2010 - 12:39 PM

    Try this one instead:


    I'd like us to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push


    #9 mike4262 (Topic Starter)

    Posted 06 April 2010 - 12:48 PM

    Hello,

    OK, this one didn't work from the start. I clicked on the ESET link while holding Control and the page couldn't be found. I tried many times and nothing. Then I searched for it, found it, and the link still didn't work. Eventually I found a link for it, but I needed to pay for it.

    What shall I do?

    Mike

    #10 mike4262 (Topic Starter)

    Posted 06 April 2010 - 12:58 PM

    OK, I finally got it to work, but when I accept the user agreement it won't open the next window. I even tried with Firefox and nothing.

    Mike

    #11 thewall (Malware Response Team)

    Posted 06 April 2010 - 01:11 PM

    Run DDS again for me. I won't need the Attach.txt log, just the DDS.txt.



    Download DDS and save it to your desktop from here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop, post the DDS.txt in the reply window and attach the Attach.txt


    #12 mike4262 (Topic Starter)

    Posted 06 April 2010 - 03:53 PM

    Hello,

    Here's the other DDS log you requested. I tried again with ESET and Kaspersky but they still didn't work.




    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Mike at 13:49:15.22 on Tue 04/06/2010
    Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_13
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1085 [GMT -7:00]

    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\hp\support\hpsysdrv.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\MIKE\bleepVirus\Programs\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver2\LVCOMS.EXE
    mRun: [QCDriverInstaller] c:\progra~1\common~1\logitech\qcdriv~1\Lqdsw.exe /addrun /l 1033 /LaunchAtStart
    mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
    mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: apple.com\www
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: torrentz.com\www
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\n8dypcg8.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\users\mike\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2010-4-3 146448]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-4-3 36368]
    R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2010-4-3 283152]
    R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
    R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-4-3 50704]
    R3 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2010-4-3 497008]
    R3 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2010-4-3 689416]
    S2 gupdate1c9cc0ffb8b24b4;Google Update Service (gupdate1c9cc0ffb8b24b4);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-6 21504]

    =============== Created Last 30 ================

    2010-04-06 17:01:29 244 ---ha-w- C:\sqmnoopt00.sqm
    2010-04-06 17:01:29 232 ---ha-w- C:\sqmdata00.sqm
    2010-04-06 02:07:57 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-06 01:43:18 98816 ----a-w- c:\windows\sed.exe
    2010-04-06 01:43:18 77312 ----a-w- c:\windows\MBR.exe
    2010-04-06 01:43:18 261632 ----a-w- c:\windows\PEV.exe
    2010-04-06 01:43:18 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-04 03:07:26 0 d-----w- c:\programdata\Trend Micro
    2010-04-04 03:05:07 89872 ----a-w- c:\windows\system32\drivers\tmtdi.sys
    2010-04-04 03:05:07 59920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
    2010-04-04 03:05:07 50704 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
    2010-04-04 03:05:07 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
    2010-04-04 03:05:07 283152 ----a-w- c:\windows\system32\drivers\tmwfp.sys
    2010-04-04 03:05:07 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
    2010-04-04 03:05:07 158224 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2010-04-04 03:05:07 146448 ----a-w- c:\windows\system32\drivers\tmlwf.sys
    2010-04-04 03:05:07 1220120 ----a-w- c:\windows\system32\drivers\VsapiNT.sys
    2010-04-04 02:55:32 0 d-----w- c:\windows\system32\Interactive
    2010-04-01 22:22:34 0 d-----w- c:\program files\iPod
    2010-04-01 22:22:30 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-04-01 22:22:30 0 d-----w- c:\program files\iTunes
    2010-04-01 22:10:55 0 d-----w- c:\program files\Bonjour
    2010-04-01 03:41:03 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-03-30 00:14:22 0 d-----w- c:\windows\system32\Adobe
    2010-03-29 23:02:40 0 d-----w- c:\programdata\Lavasoft
    2010-03-29 00:54:48 0 d-----w- c:\users\mike\appdata\roaming\Malwarebytes
    2010-03-29 00:54:41 0 d-----w- c:\programdata\Malwarebytes
    2010-03-27 02:22:10 287608 ----a-w- c:\windows\system32\drivers\Tmfilter.sys
    2010-03-18 04:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-03-18 04:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-03-08 01:41:20 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-03-08 01:40:50 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-03-08 01:40:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-03-08 01:40:49 28672 ----a-w- c:\windows\system32\Apphlpdm.dll

    ==================== Find3M ====================

    2010-04-06 20:32:37 31776 ----a-w- c:\programdata\nvModes.dat
    2010-04-04 03:09:57 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-04 03:09:57 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-04 03:09:56 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-01-28 02:05:24 103863 ----a-w- c:\windows\hpqins11.dat
    2009-11-24 03:28:39 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-06-07 06:25:43 174 --sha-w- c:\program files\desktop.ini
    2007-07-16 01:45:01 3655608 ----a-w- c:\program files\FLV PlayerRCATSetup.exe
    2007-07-16 01:44:35 25990432 ----a-w- c:\program files\FLV PlayerRCSetup.exe
    2007-01-23 09:50:10 38119 ----a-w- c:\program files\db_pcc.dat
    2007-01-11 02:33:48 3817984 ----a-w- c:\program files\tmpcc64.msi
    2007-01-11 02:30:00 3927024 ----a-w- c:\program files\pcc.exe
    2007-01-11 02:30:00 3342848 ----a-w- c:\program files\tmpcc.msi
    2006-12-29 22:52:48 64 ----a-w- c:\program files\Tmsrl.dat
    2006-12-29 22:52:48 274 ----a-w- c:\program files\setup.ini
    2006-12-29 22:52:46 3584 ----a-w- c:\program files\1033.mst
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-10-15 20:06:57 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 13:50:56.21 ===============





    Thanks,

    Mike
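As an added example that is not part of this thread (and not DDS's own code), the following Python script parses the BHO, Run and Trusted Zone lines of the Pseudo HJT Report section in the log above and flags the entries a helper checks first: a BHO whose DLL is missing ("No File"), an autorun recorded without a full path, and Trusted Zone sites beyond the vendor update domains. The sample lines are copied from the posted log; the EXPECTED_TRUSTED allowlist is an assumption made for this example.

```python
import re

# Subset of the DDS "Pseudo HJT Report" posted in this thread (constructed
# sample input for the example, copied line for line from the log above).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [Logitech Utility] Logi_MwX.Exe
Trusted Zone: apple.com\www
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: torrentz.com\www
"""

# Assumption for this example: the only domains an IE Trusted Zone is
# expected to carry on this machine (Windows Update and the Apple updater).
EXPECTED_TRUSTED = {"microsoft.com", "apple.com"}

# Line shapes DDS uses in the Pseudo HJT Report section.
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<domain>[^\\]+)(?:\\(?P<host>.+))?$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Split the report into typed records; line kinds not modelled here are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            records.append(("BHO", m.groupdict()))
        elif m := RUN_RE.match(line):
            records.append(("Run", m.groupdict()))
        elif m := TZ_RE.match(line):
            records.append(("TrustedZone", m.groupdict()))
    return records


def triage(records):
    """Return (finding, detail) pairs in log order."""
    findings = []
    for kind, rec in records:
        if kind == "BHO" and rec["target"].strip() == "No File":
            # The CLSID is still registered as a BHO but its DLL is gone:
            # an orphaned entry, usually left behind by a removal or cleanup.
            findings.append(("orphaned-bho", rec["clsid"]))
        elif kind == "Run" and not ABS_PATH_RE.match(rec["cmd"]):
            # Autorun recorded as a bare file name: it is resolved through the
            # search path at logon, so the binary has to be located on disk
            # before it can be judged from the log.
            findings.append(("run-without-path", rec["name"]))
        elif kind == "TrustedZone" and rec["domain"].lower() not in EXPECTED_TRUSTED:
            # Trusted Zone membership lowers IE's security settings for that
            # site, so anything beyond the vendor update domains gets reviewed.
            findings.append(("unexpected-trusted-zone", rec["domain"]))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{finding}: {detail}")
```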

    #13 thewall (Malware Response Team)

    Posted 06 April 2010 - 04:31 PM

    Are you still experiencing basically the same symptoms you were before we ran ComboFix or has anything changed?

    #14 mike4262 (Topic Starter)

    Posted 06 April 2010 - 05:03 PM

    Nothing has changed. I still can't update anything on my computer and I still get an annoying pop-up from time to time. Do the logs say I have anything strange on my computer?

    Mike

    #15 thewall (Malware Response Team)

    Posted 06 April 2010 - 05:38 PM

    ComboFix took a few things off but I am still looking. Are you having any redirection issues?



