A few days ago I was hit with the Fake Windows Security 2010. Crazy pop-ups everywhere, Google results redirected to spam sites (any browser), and Chrome, my primary browser, didn't load any pages. Firefox and IE were working OK when directly typing in a URL. I had been running Panda Antivirus (never again) and without a firewall (bad, I know).
The first thing I tried was a system restore to before I had the problem. That seemed to help and removed the crazy pop-ups, but I still had Google results going to the wrong place and Chrome didn't work. I also have a new problem where the Just-in-time debugger is constantly trying to run. Other browsers are still OK when directly typing URLs.
Tried to get Spybot Search and Destroy to run (it was already installed) but it hung on load.
Next I installed AVG Internet Security. Its firewall is now active. I ran its scan and it found and quarantined the problems below.
- Trojan horse Cryptic HJ
- Trojan horse SHeur3.UMU
- Trojan horse Crypt.MBP
Installed and ran Ad-Aware; it found and quarantined the problems below.
- Win32.Adware.Burn4Free - Adware
- Win32.TrojanDownloader.Genome - Malware
Next I installed and ran Malwarebytes; below is what it found and removed.
<snip>
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
<snip>
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
<snip>
Rebooted but no change in computer behavior at this point.
So then I tried Spybot Search and Destroy again, and this time it came up.
<trying to find logs>
Rebooted but no change in computer behavior at this point.
Next I ran Dr.Web Scanner for Windows. It found a few things. I can't find the log, so I don't know exactly what. I had it fix what it found. But the problem is that whenever I reboot the computer and rerun Dr.Web, it is still finding and removing the below:
Process in memory: C:\WINDOWS\Explorer.EXE:512, Status=BackDoorTdss.565
So although a lot of stuff has been cleaned up, the malware is still hiding somewhere.
DDS (Ver_10-03-17.01) - NTFSx86
Run by Stefan at 14:09:51.37 on Tue 05/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1233 [GMT -4:00]
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpomau08.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
svchost.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Stefan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HP\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stefan\My Documents\Downloads\lz8p34aa.exe
C:\DOCUME~1\Stefan\LOCALS~1\Temp\RarSFX3\9k3857.exe
C:\DOCUME~1\Stefan\LOCALS~1\Temp\RarSFX3\yax2gXP.exe
C:\PROGRA~1\COMMON~1\MICROS~1\VS7Debug\vs7jit.exe
C:\Documents and Settings\Stefan\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Virtual Storage Mount Notification: {3cf560dc-dfcb-4737-82c2-9564ca8f733b} - c:\windows\system32\VSMntNtf.dll
BHO: IeCaptureBho Object: {7c1ce531-09e9-4fc5-9803-1c2956615786} - c:\program files\google\google desktop search\GoogleDesktopIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {5AA06644-BC46-4220-A460-47A6EB47C96D} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [WeatherWatcher] c:\program files\weather watcher\ww.exe
uRun: [Google Update] "c:\documents and settings\stefan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\stefan\startm~1\programs\startup\shortc~1.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoffi~1.lnk - c:\program files\hp\digital imaging\bin\hpomau08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hp\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\jungle~1.lnk - c:\program files\jungle disk desktop\JungleDiskMonitor.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxp://help.rr.com/Foundrysdccommon/download/tgctlar.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} - hxxp://www.merriam-webster.com/toolbar/webinstall.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://pdclive.convergys.com/download/iftwclix.cab
DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} - hxxp://fdl.msn.com/public/investor/v11/ticker.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238199286859
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} - hxxp://xms.keynote.com/applications/connector/download/ConnectorLauncher.cab
DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://10.0.0.104/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {94B82441-A413-4E43-8422-D49930E69764} - hxxps://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37986.4012152778
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D0} - hxxp://www.therealyellowpageslive.net/live/ezlistng.cab
DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - hxxp://www.therealyellowpageslive.net/live/ezinit.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://www.stu.uophx.edu/secure/PhxStudent15.CAB
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/51/install/gtdownls.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/mail/autocomplete.cab
DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} - hxxp://helpdeskreports.cmg.convergys.com/viewer/activeXViewer/activexviewer.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/asa/SymAData.cab
DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - hxxp://wsp.livedownloads.com/nugster/dlControl.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://convergys.webex.com/client/latest/webex/ieatgpc.cab
DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} - hxxp://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: EldosMountNotificator - {3CF560DC-DFCB-4737-82C2-9564CA8F733B} - c:\windows\system32\VSMntNtf.dll
STS: Virtual Storage Mount Notification: {3cf560dc-dfcb-4737-82c2-9564ca8f733b} - c:\windows\system32\VSMntNtf.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\stefan\applic~1\mozilla\firefox\profiles\5w0a0j4d.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\stefan\application data\mozilla\firefox\profiles\5w0a0j4d.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\stefan\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1895.7162\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2010-5-3 25096]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-3 52872]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-3 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-3 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-3 29512]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-3 242896]
R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [2010-3-25 145504]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-3 308064]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-5-3 2325816]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-5-3 5888008]
R2 DPIFLTNT;DPIFLTNT;c:\windows\system32\dpifltnt.sys [2003-12-31 17775]
R2 JungleDiskService;JungleDiskService;c:\program files\jungle disk desktop\JungleDiskMonitor.exe [2010-3-19 6858496]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-5-3 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2010-5-3 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2010-5-3 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2010-5-3 26120]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-21 133104]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-5-3 30104]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\ultramonmirror.sys --> c:\windows\system32\drivers\UltraMonMirror.sys [?]
=============== Created Last 30 ================
2010-05-04 18:08:44 0 ----a-w- c:\documents and settings\stefan\defogger_reenable
2010-05-04 16:18:17 0 d-----w- c:\documents and settings\stefan\DoctorWeb
2010-05-04 12:10:39 0 d-----w- c:\docume~1\stefan\applic~1\Malwarebytes
2010-05-04 12:10:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 12:10:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-04 12:10:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 12:10:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-03 19:34:22 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-03 19:32:40 0 d-----w- c:\program files\Exterminate It!
2010-05-03 19:11:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-03 19:11:01 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-03 19:08:10 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-03 19:07:47 0 d-----w- c:\program files\Lavasoft
2010-05-03 15:59:25 0 d--h--w- C:\$AVG
2010-05-03 15:32:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-03 15:32:38 25096 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-05-03 15:32:37 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-03 15:32:33 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-03 15:32:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-03 15:32:13 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-03 15:29:24 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-05-03 15:29:24 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-05-03 15:26:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-29 21:27:29 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-29 17:17:36 0 d-----w- c:\windows\system32\wbem\Repository
==================== Find3M ====================
2010-03-24 14:58:27 19545 ----a-w- c:\windows\hpoins01.dat
2010-03-10 13:18:21 13824 ----a-w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys
2010-02-05 17:38:58 235576 ----a-w- c:\windows\system32\VSNetRdr.dll
2010-02-05 17:38:58 137272 ----a-w- c:\windows\system32\VSMntNtf.dll
2008-03-25 01:38:26 62464 ----a-w- c:\program files\CakeConverter.exe
2008-03-17 00:09:24 46592 ----a-w- c:\program files\PokerFunctions.dll
2003-10-29 12:53:28 176128 ----a-w- c:\program files\dirms.exe
2008-09-05 23:32:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat
============= FINISH: 14:12:38.46 ===============
Edited by Orange Blossom, 04 May 2010 - 07:00 PM.
Merged topics then posts removing redundant portions. ~ OB
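The log above carries several indicators a responder would pull out first: the IE proxy setting pointing at 127.0.0.1:5555 (which explains search results being redirected in every browser at once, since all of them honour the system proxy), the three Security Center DisableNotify values Malwarebytes found set to 1, toolbar entries with "No File", and executables running from Temp and Downloads. The script below is an added example, not part of the post and not a feature of DDS, Malwarebytes or Dr.Web; it triages a DDS-style log for exactly those indicators. The sample log embedded in it is constructed to mimic the shape of the post's log, with a placeholder user name, and every regular expression and category name is an assumption of this example rather than a documented log format.

```python
"""Triage a DDS-style log for common rogue-AV / TDSS-era indicators.

Added example: the regexes below are modelled on the line shapes seen in the
post's DDS and Malwarebytes output; they are not an official format spec.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log in the shape of the post's DDS log (placeholder user).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\User\My Documents\Downloads\lz8p34aa.exe
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX3\9k3857.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
============== Registry Data Items ===============
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (0) Good: (0)
"""


@dataclass(frozen=True)
class Finding:
    category: str  # short label used for counting
    line: str      # the log line that triggered it
    why: str       # what a responder should take from it


SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
# Executable launched from a user-writable scratch location (any depth below it).
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|Downloads)\\.+\.(?:exe|scr|com|pif|bat)(?:\s|$)", re.I)
# DDS prefixes the key with u (HKCU) or m (HKLM).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
LOOPBACK_RE = re.compile(r"(?:^|[=;])(?:127\.0\.0\.1|localhost)(?::\d+)?(?:;|$)", re.I)
TOOLBAR_NOFILE_RE = re.compile(r"^TB: .*- No File$")
SECCENTER_RE = re.compile(r"Security Center\\(\w+DisableNotify).*Bad: \((\d+)\)", re.I)


def analyze(log_text: str) -> list[Finding]:
    """Walk the log once and return every indicator found, in log order."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if "running processes" in section and PROCESS_RE.match(line):
            if USER_WRITABLE_RE.search(line):
                findings.append(Finding("process_user_writable", line,
                    "executable running from Temp/Downloads; confirm where it came from"))
            continue
        m = PROXY_RE.match(line)
        if m and LOOPBACK_RE.search(m.group(1)):
            findings.append(Finding("loopback_proxy", line,
                "system proxy points at the local machine; a local process sees all browser traffic"))
            continue
        if TOOLBAR_NOFILE_RE.match(line):
            findings.append(Finding("toolbar_orphan", line,
                "toolbar registration with no file on disk; remnant of removed software"))
            continue
        m = SECCENTER_RE.search(line)
        if m and m.group(2) == "1":
            findings.append(Finding("security_center_notify_disabled", line,
                f"Security Center alert {m.group(1)} was silenced; typical of rogue AV"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category so a quick glance shows what kind of trouble this is."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}\n    -> {f.why}")
    print(summarize(analyze(SAMPLE_LOG)))
```

On the sample the script flags the two scratch-directory executables, the loopback proxy, the orphaned toolbar and the one DisableNotify value that is actually set to 1; the FirewallDisableNotify line with Bad: (0) is left alone. The loopback proxy is the finding to act on first, because clearing it is what restores honest search results, while the DisableNotify values tell you the Security Center was deliberately muted and should be re-checked after every cleanup pass.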