
Trojan Horse Rootkit-Pakes.AA and others


  • This topic is locked
18 replies to this topic

#1 Joseph Aliano

Joseph Aliano

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 20 May 2010 - 07:35 PM

My HP Compaq 6735b laptop is running WinXP/SP3. It has AMD Athlon X2 DualCore QL64 CPU, 2.10 GHz, 2.4 GB RAM, 300 GB storage, and 500 GB external storage. Since May 14th, this computer has had multiple infections daily, as listed below, and I've been chasing and deleting or quarantining them, only to have them re-appear elsewhere in some form. My Win firewall was shut down and all my Restore points disappeared. I've been using my five (5) installed A/V programs: Free AVG 9.0.819, Free Ad-Aware 8.2.3, Free Malwarebytes 1.46, Free SpyBot S&D 1.6.2 and Free SUPERAntiSpyware 4.37.1000, and I'm keeping the logs, but losing the battle. My two most recent scans, both on 05/18/10 (AVG and Malwarebytes) showed zero infections, but I know that cannot be true, because there are 2 files in my Temporary Internet Files that I cannot delete: cookie:administrator@facebook.com AND cookie:administrator@tacoda.net. One day I had 7 infections, of which only 4 could be cured, leaving 3 infected files. The same scans the following day reported NO infections, as if the 3 viruses had vanished. On another occasion, while I was away from the computer, an AVG Resident Shield Alert appeared, saying: Accessed file infected, detected on Open. -- Filename: C:\Windows\System32\ndis.sys -- Threat: Trojan horse Rootkit-Pakes.AA -- Details: Process name C:\Windows\System32\svchost.exe ProcessID: 1468. // In another instance: Runtime Packed NSPack // Named files in other instances: C:\Windows\Temp\mbme.tmp (was actually an empty folder, not a file.) C:\Windows\System32\adgvqacq.dll. The computer is barely functional. Windows Explorer often freezes, even when attempting to open a simple .txt file, and I cannot open the Task Manager to close the Application; it requires a hard reboot.

I have read and complied 100% with your Preparation Guide. Please, please help me as soon as you can. My wife and I are leaving next week for a family reunion in Ohio, and this is our only laptop computer. Thank you very much for your consideration. (See virus names below, by the A/V program that reported them.)

AVG:
Trojan horse Rootkit.Pakes AA
Trojan horse Clicker.AISY
Trojan horse SHeur3.VSN
Trojan horse SHeur3.WUG
Trojan horse Crypt.VSN
Trojan horse 17.CBST
Trojan horse 17.BZAA
Trojan horse 17.BVQN
Trojan horse 17.CCHS

Ad-Aware:
Cookies Engine *2o7*

MalwareBytes:
Rootkit.Agent
Trojan.FakeAlert
Trojan.Refpron
Trojan.Agent
Trojan.Downloader
Trojan.Koblu
Backdoor.Bot
Malware.Trace
Adware.MyWebSearch
Adware.MyWay
Adware.SpeedApps
Trojan.Fraudpack

Spybot S&D:
Microsoft.WindowsSecurityCenter_disabled
Win32.Agent.atta

SUPERAntiSpyware:
Trojan.Agent/Gen-Nullo[Short]
Trojan.Agent/Gen-Krpytik
Adware.Tracking Cookie
_______________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:35:28.90 on Wed 05/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.1790 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot S&D\TeaTimer.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\PREP\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://edition.cnn.com/
uDefault_Page_URL = hxxp://www.msn.com
uSearch Bar = res://c:\program files\copernic agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: : {b2efd23a-8e10-4d5b-b9af-5f27c1e00979} - c:\windows\system32\sgfxirp.dll
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\textware\quickf~1\plugins\IEHelp.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: AOL Email Toolbar Loader: {fbea8524-8c72-4208-9d12-7fb73e9926eb} - c:\program files\aol email toolbar\aolmailtb.dll
TB: SYSTRAN Toolbar: {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AOL Email Toolbar: {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - c:\program files\aol email toolbar\aolmailtb.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: Copernic Agent Results: {6f480f82-c3a6-4d35-96f7-b297ad49fbe8} - c:\program files\copernic agent\CopernicAgentExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot s&d\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [kkzzv] c:\docume~1\admini~1\locals~1\temp\mp6fs.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &AOL Email Toolbar Search - c:\documents and settings\all users\application data\aol email toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: SYSTRAN Lookup - c:\program files\systran\6\\GUIres.dll/lookup.js
IE: SYSTRAN Translate - c:\program files\systran\6\\GUIres.dll/translate.js
IE: {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\hide my ip 2007\ProxyFilter.dll
LSP: bmnet.dll
Trusted Zone: cnet.com\download
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242286201093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243644797944&h=8627f57bc98c24ecb19c1608384e6e2c/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - c:\windows\system32\textwareilluminatorbaseProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: adgvqacq - adgvqacq.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli ASWLNPkg
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-07-18 20:06:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071820090719\index.dat

============= FINISH: 11:37:11.82 ===============

Attached Files




#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 20 May 2010 - 08:23 PM


Hello Joseph Aliano,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Things to include in your next reply::
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 21 May 2010 - 01:56 PM

Hello fireman4it,

Thank you so much for your prompt reply and for your help thus far. Yes, I will be sending a donation when it's over. You asked me to respond with: (1) How my machine is running, and (2) A copy of ComboFix.txt.

I've not yet restored CD Emulation with Defogger, nor have I re-activated any of the three A/V programs that were running in the background: AVG, Ad-Aware and Spybot S&D. Until I've done that, and run some scans, I won't know if the infections are gone. I trust you'll tell me when to turn on the A/V's. I opened and closed several .pub, .doc and .txt documents, and I opened and closed a few installed programs, and accessed the Internet. The machine is much more stable; there was no hanging whatsoever, and the speed was much increased, like when the machine was new in May 2009. However, those two cookies (tacoda and facebook) in Temporary Internet Files still cannot be deleted, so I think something's still going on.

Please advise. Again, thank you!

Attached Files



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 21 May 2010 - 05:31 PM

Hello,

QUOTE
However, those two cookies (tacoda and facebook) in Temporary Internet Files still cannot be deleted, so I think something's still going on.

The good news is cookies are nothing to worry about. Your logs look pretty good; let's do a little more checking to make sure.
Please copy and paste all logs directly into your reply.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

Rootkit::
c:\docume~1\admini~1\locals~1\temp\mp6fs.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"kkzzv"=-

Driver::
mppxuvuh

Reglock::
[HKEY_USERS\S-1-5-21-1437147020-329301242-38715736-500\Software\Microsoft\Internet Explorer]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
A new DDS log
No need for attach.txt this time
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif
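The CFScript above removes exactly the entries a helper picks out of the DDS "Pseudo HJT Report" in post #1: the `mExplorerRun` autorun launching `mp6fs.exe` from a temp folder, and the random-named driver/Notify package. The following triage helper is an added example, not code from the thread, from DDS or from ComboFix; it reads report lines of that format and flags the items a reviewer checks first (unnamed or orphaned browser add-ons, autoruns from temp folders, policy Run entries, Winlogon Notify packages not on a vetted list, Winsock LSPs and hosts-file overrides). The sample lines are copied from the DDS log posted above; the `KNOWN_NOTIFY` allow-list and the reason wording are assumptions of this example.

```python
"""Triage of DDS 'Pseudo HJT Report' lines (added example; not DDS, ComboFix
or BleepingComputer code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://edition.cnn.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {b2efd23a-8e10-4d5b-b9af-5f27c1e00979} - c:\windows\system32\sgfxirp.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mExplorerRun: [kkzzv] c:\docume~1\admini~1\locals~1\temp\mp6fs.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: adgvqacq - adgvqacq.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
LSP: c:\program files\hide my ip 2007\ProxyFilter.dll
LSP: bmnet.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Hypothetical allow-list: Winlogon Notify packages already vetted on this
# machine (names taken from the thread's DDS log). A helper maintains this.
KNOWN_NOTIFY = {"!saswinlogon", "ackpbsc", "acunlock", "atiextevent",
                "avgrsstarter", "onecard"}

RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<path>.*)")


@dataclass(frozen=True)
class Finding:
    reason: str   # why the line deserves a second look
    line: str     # the report line, verbatim


def triage_line(line: str) -> list[Finding]:
    """Apply the review heuristics to one report line; zero or more findings."""
    key, sep, rest = line.partition(": ")
    if not sep:                       # e.g. "uStart Page = ..." has no "key: " prefix
        return []
    hits: list[Finding] = []
    low = rest.lower()
    if key in ("BHO", "TB", "EB"):
        if low.endswith("- no file"):
            hits.append(Finding("orphaned browser add-on entry (No File)", line))
        if key == "BHO" and rest.startswith(": "):
            hits.append(Finding("BHO registered without a name", line))
    elif key.endswith("Run"):         # uRun, mRun, mExplorerRun, ...
        m = RUN_ENTRY.match(rest)
        path = m.group("path").lower() if m else low
        if "\\temp\\" in path:
            hits.append(Finding("autorun launching an executable from a temp folder", line))
        if "explorerrun" in key.lower():
            hits.append(Finding("policies\\explorer\\Run entry (rarely used by legitimate software)", line))
    elif key == "Notify":
        name = rest.partition(" - ")[0].strip().lower()
        if name not in KNOWN_NOTIFY:
            hits.append(Finding("Winlogon Notify package not on the vetted list", line))
    elif key == "LSP":
        hits.append(Finding("Winsock LSP installed: confirm the vendor", line))
    elif key == "Hosts":
        hits.append(Finding("hosts file override: check which site is redirected", line))
    return hits


def triage(report: str) -> list[Finding]:
    """Run triage_line over every non-empty line of a report."""
    return [f for line in report.splitlines() if line.strip()
            for f in triage_line(line.strip())]


def flagged_lines(report: str) -> list[str]:
    """Distinct report lines with at least one finding, in report order."""
    seen: list[str] = []
    for f in triage(report):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason:<60} {f.line}")
```

On the sample above the script flags seven lines (the unnamed BHO, the orphaned toolbar, the `kkzzv` temp autorun, the `adgvqacq` Notify package, both LSPs and the hosts entry) and leaves the vetted AVG, ATI and SUPERAntiSpyware entries alone. The allow-list approach is deliberate: random-looking names like `adgvqacq` cannot be told apart from legitimate vendor DLLs by spelling alone, so a reviewer keeps a list of what has already been checked rather than guessing.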


#5 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:36 PM

Posted 22 May 2010 - 02:14 PM

Hello Fireman4it,

ME: However, those two cookies (tacoda and facebook) in Temporary Internet Files still cannot be deleted, so I think something's still going on.

YOU: The good news is Cookies are nothing to worry about.

Sir, to that I say, fine, you're the driver here. But, (1) I've manually emptied the Temporary Internet Files folder daily for the last dozen years, and, until this week, (1) No cookies have ever appeared in the Temporary Internet Files folder, and (2) In the Cookies folder, there has never been a cookie that could not be deleted. (3) I distinctly recall the name, "tacoda" having been somehow associated with a virus I had on another machine several years ago. ______________________________________
In re your instruction to download and install Malwarebytes v1.44 (01/07/10) and allow it to update if possible, you will note that I've been running the latest v1.46 (04/29/10). Therefore, in order to comply implicitly with the instruction, I uninstalled, then reinstalled my Malwarebytes v1.46, following the prescribed installation and scan procedure.
______________________________________
In re the ESET Online Scanner, after nearly a dozen attempts, it was impossible to start the scan, because I never got past the EULA. Inside the small ESET Online Scanner EULA box, I checked, "YES, I accept the Terms of Use," then hit the Start button. After a 30-second pause of the solid azure ESET box, a fleeting balloon message appeared: "This tab has been recovered. A problem was encountered that caused Internet Explorer to close and reopen the page." I am working with administrative authority (I'm the sole computer operator.) I added "http://www.eset.com" to my IE Trusted Sites. I emptied the Temporary Internet Files folder and the Cookies folder between attempts. I looked at Internet Options for some Advanced setting that might be restricting ActiveX from kicking in. Finally, I shut down and restarted my machine, but to no avail.
______________________________________
Otherwise, my computer seems to be running fine, although I still wonder about the two irremovable cookies in the wrong folder. At this point, I've still not restored CD Emulation, nor re-activated any A/V programs to run further scans. In this order, I'm pasting a new ComboFix.txt, the MBAM log, and a new DDS log. I'll be standing by to get your take on the ESET scan problem and for further instructions. Joe Aliano

___________________________________ ComboFix.txt ____________________________
ComboFix 10-05-21.04 - Administrator 05/21/2010 19:43:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.2021 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Joes rootkit work\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\Joes rootkit work\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPPXUVUH
-------\Service_mppxuvuh


((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 17:48 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-05-16 18:30 . 2010-05-16 18:14 15880 ------w- c:\windows\system32\lsdelete.exe
2010-05-16 18:14 . 2010-05-16 18:14 95024 ------w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 18:06 . 2010-05-16 18:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Sunbelt Software
2010-05-16 18:04 . 2010-05-16 18:04 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 18:04 . 2010-02-04 15:53 2954656 -c----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-16 00:23 . 2010-05-16 00:23 63488 ------w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-16 00:23 . 2010-05-16 00:23 52224 ------w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-16 00:23 . 2010-05-16 00:23 117760 ------w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-16 00:22 . 2010-05-16 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-16 00:22 . 2010-05-16 00:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:22 . 2010-05-16 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-05-15 23:55 . 2010-05-15 23:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 01:35 . 2010-05-14 01:35 -------- d-----w- C:\$AVG
2010-05-14 00:02 . 2010-05-14 00:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\AOL Email Toolbar
2010-05-13 21:11 . 2010-05-13 21:11 12464 ------w- c:\windows\system32\avgrsstx.dll
2010-05-13 21:11 . 2010-05-13 21:11 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-13 21:11 . 2010-05-13 21:11 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-13 21:11 . 2010-05-13 21:11 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-13 21:11 . 2010-05-22 01:35 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\program files\AVG
2010-05-13 21:11 . 2010-05-13 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-05 06:50 . 2010-05-05 06:50 -------- d-----w- c:\program files\ATI
2010-05-05 06:48 . 2010-05-05 06:48 -------- d-----w- C:\ATI
2010-04-25 23:34 . 2010-04-25 23:34 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 18:22 . 2009-05-15 01:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-05-18 17:23 . 2009-05-16 10:18 -------- d-----w- c:\program files\uTorrent
2010-05-16 19:05 . 2009-05-21 17:12 -------- d-----w- c:\program files\Spybot S&D
2010-05-16 18:04 . 2009-05-29 08:40 -------- d-----w- c:\program files\Lavasoft
2010-05-16 17:13 . 2009-05-12 03:59 108080 ------w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-16 08:45 . 2010-03-27 22:50 -------- d-----w- c:\program files\NCH Software
2010-05-16 06:20 . 2009-05-16 02:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Jarte
2010-05-15 20:19 . 2010-03-28 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-05-14 00:49 . 2009-05-16 17:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-13 23:25 . 2009-06-01 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 10:57 . 2010-03-27 18:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Software Informer
2010-04-29 22:39 . 2009-06-01 03:32 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-06-01 03:32 20952 ------w- c:\windows\system32\drivers\mbam.sys
2010-04-25 23:33 . 2009-05-15 00:42 -------- d-----w- c:\program files\Palm
2010-04-24 09:25 . 2009-05-22 22:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Folder Guard
2010-04-10 18:45 . 2010-04-10 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2010-04-10 06:16 . 2009-05-12 01:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-04-05 19:13 . 2010-04-05 19:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Tidy Start Menu
2010-04-05 19:13 . 2010-04-05 19:13 -------- d-----w- c:\program files\Tidy Start Menu
2010-04-02 19:41 . 2010-03-27 08:48 -------- d-----w- c:\program files\SysResources Manager
2010-03-28 07:45 . 2010-03-28 07:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\NCH Software
2010-03-27 18:40 . 2010-03-27 18:40 -------- d-----w- c:\program files\Software Informer
2010-03-27 08:51 . 2010-03-27 08:51 15620 ------w- c:\windows\system32\SystemRes13.sm.SYS
2010-03-27 07:56 . 2010-03-27 07:56 -------- d-----w- c:\program files\SIW
2010-03-27 07:30 . 2010-03-27 07:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2010-03-27 07:30 . 2010-03-27 07:30 -------- d-----w- c:\program files\IObit
2008-05-04 18:06 . 2009-05-19 23:58 527 ------w- c:\program files\A JoeRead.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-27 1040384]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\Palm\HOTSYNC.EXE [2004-4-13 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2007-05-15 23:08 112640 ------w- c:\windows\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2007-05-15 23:08 281088 ------w- c:\program files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-13 21:11 12464 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2008-05-21 00:42 111888 ------w- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [6/21/2008 8:24 PM 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [6/21/2008 8:49 PM 15416]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 4:53 PM 64288]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [5/30/2008 9:36 AM 108752]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [5/30/2008 9:37 AM 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [5/30/2008 9:37 AM 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/28/2008 3:14 AM 24064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/13/2010 2:11 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/13/2010 2:11 PM 242896]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [5/30/2008 9:37 AM 12496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient\accoca.exe [5/15/2007 4:08 PM 182576]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 1:00 AM 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [5/15/2008 3:11 PM 1176824]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/13/2010 2:11 PM 308064]
R2 ComodoBackupService;ComodoBackupService;c:\program files\Comodo\BackUp\CmdBkSvc.exe [6/2/2009 2:28 PM 1023488]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe [6/2/2008 10:32 AM 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [5/30/2008 9:36 AM 256512]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [5/15/2008 1:29 PM 475520]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/4/2007 12:16 PM 41216]
S2 gkhovxao;Microsoft UAA Bus for High Definition AudioMonitor;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 1:00 AM 14336]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 10:07 PM 113152]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/21/2008 9:50 PM 193840]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]
S3 FGUARD32;FGUARD32;c:\program files\Adobe\AcroGuard\FG\FGUARD32.SYS [5/22/2009 3:23 PM 48896]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1314704]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [7/6/2009 4:21 PM 817202]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 5:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 5:36 PM 142976]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [6/9/2009 2:50 PM 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [6/9/2009 2:50 PM 5248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gkhovxao
.
Contents of the 'Scheduled Tasks' folder

2009-05-15 c:\windows\Tasks\1 Copernic Intra-Daily ~CLIENT Administrator.job
- c:\program files\Copernic Agent\CopernicAgent.exe [2009-05-15 02:16]

2009-05-15 c:\windows\Tasks\2 Copernic Daily ~CLIENT Administrator.job
- c:\program files\Copernic Agent\CopernicAgent.exe [2009-05-15 02:16]

2009-05-15 c:\windows\Tasks\3 Copernic Weekly ~CLIENT Administrator.job
- c:\program files\Copernic Agent\CopernicAgent.exe [2009-05-15 02:16]

2009-05-15 c:\windows\Tasks\4 Copernic Monthly ~CLIENT Administrator.job
- c:\program files\Copernic Agent\CopernicAgent.exe [2009-05-15 02:16]

2010-05-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://edition.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
IE: &AOL Email Toolbar Search - c:\documents and settings\All Users\Application Data\AOL Email Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: SYSTRAN Lookup - c:\program files\SYSTRAN\6\\GUIres.dll/lookup.js
IE: SYSTRAN Translate - c:\program files\SYSTRAN\6\\GUIres.dll/translate.js
IE: {{7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\PRMT7\PRMTIE\prmtie5.htm
LSP: c:\program files\Hide My IP 2007\ProxyFilter.dll
LSP: bmnet.dll
Trusted Zone: cnet.com\download
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\ackpbsc.dll
c:\windows\system32\aclog.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\windows\system32\MFC42u.DLL
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\asphatrc.dll
c:\windows\system32\msi.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\brand.dll
c:\program files\Hewlett-Packard\IAM\Bin\AsChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\HPPlugIn.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHostServices.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.HPQWMIEXLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTHstServsLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHstServs.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\BIOSDomain.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Interop.PTPluginLib.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTStrings.dll
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\HPjCard.dll
c:\windows\system32\acomx.dll
c:\windows\system32\acbsi21.dll
c:\program files\ActivIdentity\ActivClient\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\aipinguirc.dll
c:\program files\ActivIdentity\ActivClient\resources\acCobAPIrc.dll
c:\program files\ActivIdentity\ActivClient\Resources\Merged\acunlockrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItReports.DLL
c:\program files\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\program files\Hewlett-Packard\IAM\Bin\NetAdmin.dll

- - - - - - - > 'lsass.exe'(864)
c:\program files\Hide My IP 2007\ProxyFilter.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(7460)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ActivIdentity\ActivClient\acevents.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\IAM\Bin\AsGHost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-05-21 19:59:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 02:59
ComboFix2.txt 2010-05-21 17:59

Pre-Run: 186,102,255,616 bytes free
Post-Run: 186,055,217,152 bytes free

- - End Of File - - 23D17F3DEC81F01B8910A00BD3A788D3

___________________________________ MBAM log _______________________________
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4129

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/21/2010 8:51:30 PM
mbam-log-2010-05-21 (20-51-30).txt

Scan type: Quick scan
Objects scanned: 126950
Time elapsed: 5 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

___________________________________ DDS log _________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 11:08:36.03 on Sat 05/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.1928 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\PREP\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://edition.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: QUICKfind BHO Object: {c08df07a-3e49-4e25-9ab0-d3882835f153} - c:\progra~1\textware\quickf~1\plugins\IEHelp.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: AOL Email Toolbar Loader: {fbea8524-8c72-4208-9d12-7fb73e9926eb} - c:\program files\aol email toolbar\aolmailtb.dll
TB: SYSTRAN Toolbar: {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AOL Email Toolbar: {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - c:\program files\aol email toolbar\aolmailtb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
IE: &AOL Email Toolbar Search - c:\documents and settings\all users\application data\aol email toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: SYSTRAN Lookup - c:\program files\systran\6\\GUIres.dll/lookup.js
IE: SYSTRAN Translate - c:\program files\systran\6\\GUIres.dll/translate.js
IE: {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\hide my ip 2007\ProxyFilter.dll
LSP: bmnet.dll
Trusted Zone: bleepingcomputer.com\www
Trusted Zone: cnet.com\download
Trusted Zone: eset.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242286201093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243644797944&h=8627f57bc98c24ecb19c1608384e6e2c/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - c:\windows\system32\textwareilluminatorbaseProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-6-21 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-6-21 15416]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64288]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-5-30 108752]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-30 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-30 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-13 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-13 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-13 242896]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-30 12496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-15 1176824]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-13 308064]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2009-6-2 1023488]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-2 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-5-30 256512]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216]
S2 gkhovxao;Microsoft UAA Bus for High Definition AudioMonitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-21 193840]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]
S3 FGUARD32;FGUARD32;c:\program files\adobe\acroguard\fg\FGUARD32.SYS [2009-5-22 48896]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2009-7-6 817202]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 142976]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-6-9 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-6-9 5248]

=============== Created Last 30 ================

2010-05-22 03:37:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 03:37:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-22 03:37:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 17:48:48 50176 ----a-w- c:\windows\system32\proquota.exe
2010-05-21 17:28:27 0 d-sha-r- C:\cmdcons
2010-05-21 17:23:49 98816 ----a-w- c:\windows\sed.exe
2010-05-21 17:23:49 77312 ----a-w- c:\windows\MBR.exe
2010-05-21 17:23:49 256512 ----a-w- c:\windows\PEV.exe
2010-05-21 17:23:49 161792 ----a-w- c:\windows\SWREG.exe
2010-05-19 18:24:27 54 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-05-16 18:30:36 15880 ------w- c:\windows\system32\lsdelete.exe
2010-05-16 18:14:46 95024 ------w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 18:04:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 00:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-16 00:22:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:22:14 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-15 23:55:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 01:35:15 0 d-----w- C:\$AVG
2010-05-13 21:11:31 12464 ------w- c:\windows\system32\avgrsstx.dll
2010-05-13 21:11:30 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-13 21:11:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-13 21:11:16 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-13 21:11:01 0 d-----w- c:\program files\AVG
2010-05-13 21:11:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-05 06:50:37 0 d-----w- c:\program files\ATI
2010-05-05 06:48:27 0 d-----w- C:\ATI
2010-04-25 23:34:02 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-04-20 09:37:38 78076 ------w- c:\windows\fonts\GazetteLTStd-Roman.ttf
2010-04-20 09:36:00 28968 ------w- c:\windows\fonts\Monospaced Bold.ttf
2010-04-20 09:34:00 28860 ------w- c:\windows\fonts\Monospaced.ttf
2010-04-20 09:32:11 72900 ------w- c:\windows\fonts\GraphiteStd-Bold.ttf
2010-04-20 09:31:29 43472 ------w- c:\windows\fonts\Graphite Light Narrow ATT.ttf
2010-04-20 09:30:36 73300 ------w- c:\windows\fonts\GraphiteStd-Regular.ttf
2010-04-20 09:27:52 38816 ------w- c:\windows\fonts\Graphite Light ATT.ttf
2010-04-20 09:23:59 43956 ------w- c:\windows\fonts\Challenge Extra Bold.ttf
2010-04-20 09:15:02 44552 ------w- c:\windows\fonts\Nadianne Bold.ttf
2010-03-27 08:51:06 15620 ------w- c:\windows\system32\SystemRes13.sm.SYS
2008-05-04 18:06:57 527 ------w- c:\program files\A JoeRead.txt
2009-07-18 20:06:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071820090719\index.dat

============= FINISH: 11:09:16.01 ===============

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 22 May 2010 - 03:05 PM

Hello,

QUOTE
1) No cookies have ever appeared in the Temporary Internet Files folder, and (2) In the Cookies folder, there has never been a cookie that could not be deleted. (3) I distinctly recall the name, "tacoda" having been somehow associated with a virus I had on another machine several years ago.


Cookies can't hurt your machine; the only thing they can do is track your surfing habits on the net, nothing more. They can't steal passwords or anything like that. Tacoda seems to be a partner of AOL.

Here is how you can block that cookie
How to Block the Tacoda Tracking Cookie


Please try a different online scanner
Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Things to include in your next reply:
BitDefender log
How is your machine running now?


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 02:50 AM

Hi fireman4it,

Sorry, I inadvertently caused a number of "clean" files to get reflected in the report. Of the total 32 infected files, fewer than 10 are at the top of the report, and the remainder are at the bottom. As you can see, one was disinfected, and 31 were deleted. Nothing I needed.

As far as I can tell, my computer is operating fine. Admittedly, I haven't used any programs or used my email account, but the machine is not hanging, and it's running faster.

OOPS! I just tried to attach BitDefender Log.html. "Upload failed. The file was larger than the available space." Because of the 2,000 or so "clean" files I caused to be included, this file size is 554kb, while the maximum single upload limit is 481kb. Again, I'm sorry. I would be glad to attach it to an email to you, if you give me your address. However, I've copied/pasted all the relevant data below. It is 100% accurate, so I hope it will suffice.

Please advise. I'm standing by.

Joe Aliano
____________________________________________________
BitDefender Online Scanner

Scan report generated at: Sat, May 22, 2010 - 23:10:48

Scan path: C:\;D:\;E:\;G:\;

Statistics
Time: 08:32:22
Files: 1911760
Folders: 29801
Boot Sectors: 0
Archives: 125063
Packed Files: 106968

Results
Identified Viruses: 9
Infected Files: 32
Suspect Files: 0
Warnings: 0
Disinfected: 1
Deleted Files: 31

Engines Info
Virus Definitions: 6035947
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Apr 09 2010)
Scan plugins: 17
Archive plugins: 43
Unpack plugins: 10
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe Infected with: Trojan.Zlob.58025

C:\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe Infected with: Trojan.Generic.3612095

C:\$ STORAGE ALL\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Disinfection failed

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir Infected with: Rootkit.Patched.TDSS.Gen

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir Disinfected

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016670.exe Infected with: Trojan.Zlob.58025

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016670.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016671.exe Infected with: Trojan.Generic.3612095

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016671.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016675.dll Detected with: Adware.Generic.16375

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016675.dll Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016676.dll Detected with: Adware.Generic.16375

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016676.dll Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe Disinfection failed

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe Infected with: Trojan.Zlob.58025

G:\X Lapback\0 0 0 BACKUP 2010\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe Infected with: Trojan.Generic.3612095

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 3\New Stuff\Cambridge Dictionary\setup\view\IEHelp.dll Detected with: Adware.Generic.16375

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 3\New Stuff\Cambridge Dictionary\setup\view\IEHelp.dll Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe Infected with: DeepScan:Generic.Zlob.5C2B25B7

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe Disinfection failed

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe Deleted

XXXXXXXXXXXXXXXXXXXXXX LOG ENDED HERE // NOTHING FOLLOWS XXXXXXXXXXXXXXXXXXXXXX





#8 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 05:26 AM

fireman4it,

Qoobox is a 118kb file created Friday, May 21, 2010, 10:19:11 AM. That's less than 48 hours ago, during our removal operation, and I don't know how that occurred. But it was surely a function of a previously infected machine. Below is an excerpt from the recently produced BitDefender log. This is the only one of the 32 infected files that was disinfected (the other 31 were deleted). Qoobox contains 38 files in 12 folders, all malware. One of the folders is named "Registry_backups", and contains 8 .dat files and 1 .reg file. Other files are duplicates or variations of files you had me create and forward to you: ComboFix.txt AND CFScript_used_2010-05-21_19.43.44.txt AND ComboFix-quarantined-files.txt AND SnapShot@2010-05-22_02.53.55.dat. Also, catchme.txt AND catchme.log. Scary stuff! I want to Shift-delete the entire folder and be rid of it forever. What say you?

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir Infected with: Rootkit.Patched.TDSS.Gen
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir Disinfected

Joe Aliano

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 23 May 2010 - 01:12 PM

Hello,

QUOTE
Qoobox is a 118kb file created Friday, May 21, 2010, 10:19:11 AM. That's less than 48 hours ago, during our removal operation, and I don't know how that occurred. But it was surely a function of a previously infected machine. Below is an excerpt from the recently produced BitDefender log. This is the only one of the 32 infected files that was disinfected (the other 31 were deleted). Qoobox contains 38 files in 12 folders, all malware. One of the folders is named "Registry_backups", and contains 8 .dat files and 1 .reg file. Other files are duplicates or variations of files you had me create and forward to you: ComboFix.txt AND CFScript_used_2010-05-21_19.43.44.txt AND ComboFix-quarantined-files.txt AND SnapShot@2010-05-22_02.53.55.dat. Also, catchme.txt AND catchme.log. Scary stuff! I want to Shift-delete the entire folder and be rid of it forever. What say you?


No, don't delete these. These are all part of Combofix's Quarantine and the backups of everything we have done. We will take care of those when we uninstall Combofix.

Please play around and make sure you are not infected anymore. This includes, but is not limited to, surfing the internet and using your email. Let me know how it goes.

Edited by fireman4it, 23 May 2010 - 01:12 PM.
spelling



#10 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 02:26 PM

Hello fireman4it,

Me again with another observation and some help, in a small way, for you to read and analyse the BitDefender report. (1) I'm submitting it again, in text format, as I did some 12 or so hours ago. This time, however, I've eliminated the report's single-line spacing, and I grouped the actions of each occurrence together, by individual file. You'll see what I mean as you read on. (2) Please note that, of the 32 infected files reported, all of which were cured, 15 of them consisted of 3 game files that, due to my sloppy filing system, I had stored in 5 different locations on 2 hard drives. Two of them are a single game file stored on two hard drives. Ten of the infected files were all in C-drive Restore Point #9, which, when counting the new, available RPs since they were wiped out last week, would be the most recent, dated May 22nd, yesterday. Since 10 files are supposedly deleted from RP9, it's more than likely fragmented and useless. There is a duplicate Adobe file, and two other files reported only once. My point is, of the 32 infected files reported, only eight (8) files are actually involved, most of them multiple times. But, of course, as my wife just pointed out, you will figure this out immediately on reviewing the report. I'm standing by.

Joe Aliano
____________________________________________________________
BitDefender Online Scanner

Scan report generated at: Sat, May 22, 2010 - 23:10:48

Scan path: C:\;D:\;E:\;G:\;

Time: 08:32:22

Files: 1911760

Folders: 29801

Boot Sectors: 0

Archives: 125063

Packed Files: 106968

Identified Viruses: 9

Infected Files: 32

Suspect Files: 0

Warnings: 0

Disinfected: 1

Deleted Files: 31

Virus Definitions: 6035947

Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Apr 09 2010)

Scan plugins: 17

Archive plugins: 43

Unpack plugins: 10

E-mail plugins: 6

System plugins: 4

First Action: Disinfect

Second Action: Delete

Heuristics: Yes

Enable Warnings: Yes

Scanned Extensions: *;

Exclude Extensions: none

Scan Emails: Yes

Scan Archives: Yes

Scan Packed: Yes

Scan Files: Yes

Scan Boot: Yes

Scanned File: / Status:

C:\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe / Infected with: Trojan.Zlob.58025
C:\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe / Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe / Infected with: Trojan.Generic.3612095
C:\$ STORAGE ALL\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe / Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Deleted

C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Deleted

C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Disinfection failed
C:\$ STORAGE ALL\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Deleted

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir / Infected with: Rootkit.Patched.TDSS.Gen
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\compbatt.sys.vir / Disinfected

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016670.exe / Infected with: Trojan.Zlob.58025
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016670.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016671.exe / Infected with: Trojan.Generic.3612095
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016671.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016672.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016673.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016674.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016675.dll / Detected with: Adware.Generic.16375
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016675.dll / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016676.dll / Detected with: Adware.Generic.16375
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016676.dll / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016677.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016678.exe / Deleted

C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe / Disinfection failed
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP9\A0016679.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe / Infected with: Trojan.Zlob.58025
G:\X Lapback\0 0 0 BACKUP 2010\$ 2009 OVERFLOW\Adobe Acrobat 9 Pro (Multilingual)\Adobe9proSolutions.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe / Infected with: Trojan.Generic.3612095
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Bigfish\Bigfish Mahjong Towers\Crack\eclmte13.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallBlasterball2Remix.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallCrystalMaze.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 1\Games\Shockwave\InstallTradewinds.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 3\New Stuff\Cambridge Dictionary\setup\view\IEHelp.dll / Detected with: Adware.Generic.16375
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 3\New Stuff\Cambridge Dictionary\setup\view\IEHelp.dll / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\STORAGE 6\Stick1\Games\Shockwave\InstallTradewinds.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Inf. with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallBlasterball2Remix.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallCrystalMaze.exe / Deleted

G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe / Infected with: DeepScan:Generic.Zlob.5C2B25B7
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe / Disinfection failed
G:\X Lapback\0 0 0 BACKUP 2010\X From DESKTOP\Stick1\Games\Shockwave\InstallTradewinds.exe / Deleted

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX LOG ENDED HERE // NOTHING FOLLOWS XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


#11 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 03:02 PM

fireman4it,

It appears that I was busy explaining my analysis of the online scan report when your last post came in. Apparently, you've accepted and worked with the report in my copy/paste text format, single-line spaced. Thanks.

You tell me to use the machine, and to surf the Internet and use my email account, then report back to you. I would like nothing better; however, I need for you to tell me if I should do so before activating my antivirus protection (AVG). I think I'm supposed to do that first, but I want to be sure. Please advise.

Joe Aliano

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 23 May 2010 - 03:02 PM

Hello.

How is your machine running? Any redirects or popups when surfing the net, or any signs of malware?

Please post the answers to these questions along with a new DDS log.



#13 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 03:23 PM

fireman4it,

Apparently our last 2 posts crossed at exactly 1:02pm, so I'll send this again. I will not go online until I hear from you on this:

"You tell me to use the machine, and to surf the Internet and use my email account, then report back to you. I would like nothing better; however, I need for you to tell me if I should do so before activating my antivirus protection (AVG). I think I'm supposed to do that first, but I want to be sure. Please advise."

Joe Aliano

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:36 PM

Posted 23 May 2010 - 04:19 PM

Hello,
I'm going to put this as plain as I can. When I give you directions like "surf the net and check your email", it means surf sites like Yahoo and MSN and do some Google searches of things you already know. I don't want your Antivirus back on because it will go wild about Combofix and its quarantined files. Just surf a few safe places and see if it redirects. You should know within the first couple of searches and first few minutes if you're still infected.

Edited by fireman4it, 23 May 2010 - 04:20 PM.



#15 Joseph Aliano

Joseph Aliano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 23 May 2010 - 06:46 PM

Hello,

YOU SAY: "I'm going to put this as plain as I can. When I give you directions like 'surf the net and check your email', it means surf sites like Yahoo, and do some Google searches of things you already know. I don't want your Antivirus back on because it will go wild about Combofix and its quarantined files. Just surf a few safe places and see if it redirects. You should know within the first couple of searches and first few minutes if you're still infected."

I SAY: It's not like I have a hard time with English, and those weren't dumb questions, given the (lack of) information I had. You are so much easier to understand when you do, in fact, say what you mean. I'm not good at guessing, and we both have too much time invested in this to have it end without success.

YOU SAY: How is your machine running? Any redirects or popups when surfing the net, or any signs of malware? // Please post the answers to these questions along with a new DDS log.

I SAY: I've been all over CNN, AOL, Yahoo, Microsoft, Fox News, and a half dozen other reputable sites. No sign whatsoever of redirects or popups. No hanging or freezing. As far as I can tell without the benefit of an active A/V shield, my machine is virus free at this moment in time. // I will post a new DDS log below.

Joe Aliano
____________________________________

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:33:09.20 on Sun 05/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2813.1639 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
c:\Program Files\Fingerprint Sensor\AtService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
c:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTChangeFilterService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\Program Files\Hewlett-Packard\IAM\Bin\AsGHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\Administrator\Desktop\Joe's rootkit work\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://edition.cnn.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=all&pf=cmnb
uURLSearchHooks: N/A: {be89472c-b803-4d1d-9a9a-0a63660e0fe3} - c:\progra~1\copern~1\COPERN~1.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: AOL Email Toolbar Loader: {fbea8524-8c72-4208-9d12-7fb73e9926eb} - c:\program files\aol email toolbar\aolmailtb.dll
TB: SYSTRAN Toolbar: {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AOL Email Toolbar: {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - c:\program files\aol email toolbar\aolmailtb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
IE: &AOL Email Toolbar Search - c:\documents and settings\all users\application data\aol email toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF
IE: Convert link target to existing PDF
IE: Convert to Adobe PDF
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: SYSTRAN Lookup - c:\program files\systran\6\\GUIres.dll/lookup.js
IE: SYSTRAN Translate - c:\program files\systran\6\\GUIres.dll/translate.js
IE: {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - c:\progra~1\copern~1\COPERN~1.EXE
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - c:\program files\prmt7\prmtie\prmtie5.htm
IE: {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - c:\program files\prmt7\prmtie\options.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\hide my ip 2007\ProxyFilter.dll
LSP: bmnet.dll
Trusted Zone: bleepingcomputer.com\www
Trusted Zone: cnet.com\download
Trusted Zone: eset.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242286201093
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1243644797944&h=8627f57bc98c24ecb19c1608384e6e2c/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\copern~1\COPERN~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - c:\windows\system32\textwareilluminatorbaseProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: c:\windows\system32\APSHook.dll APSHook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-6-21 174600]
R0 Amddfltr;Amd Disk Lower Filter Driver;c:\windows\system32\drivers\Amddfltr.sys [2008-6-21 15416]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-2 64288]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [2008-5-30 108752]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2008-5-30 51376]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2008-5-30 12928]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-13 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-13 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-13 242896]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2008-5-30 12496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R2 accoca;ActivClient Middleware Service;c:\program files\actividentity\activclient\accoca.exe [2007-5-15 182576]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2004-8-4 14336]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-15 1176824]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-13 308064]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2009-6-2 1023488]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\hp protecttools security manager\PTChangeFilterService.exe [2008-6-2 18944]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2008-5-30 256512]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-5-15 475520]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-4-4 41216]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
S2 gkhovxao;Microsoft UAA Bus for High Definition AudioMonitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]
S3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-21 193840]
S3 DBGMSG;DBGMSG;dbgmsg.sys --> dbgmsg.sys [?]
S3 FGUARD32;FGUARD32;c:\program files\adobe\acroguard\fg\FGUARD32.SYS [2009-5-22 48896]
S3 mosuport;USB Serial/Parallel Ports;c:\windows\system32\drivers\mosuport.sys [2009-7-6 817202]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 142976]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2009-6-9 160640]
S4 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2009-6-9 5248]

=============== Created Last 30 ================

2010-05-22 03:37:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-22 03:37:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-22 03:37:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-21 17:48:48 50176 ----a-w- c:\windows\system32\proquota.exe
2010-05-21 17:28:27 0 d-sha-r- C:\cmdcons
2010-05-21 17:23:49 98816 ----a-w- c:\windows\sed.exe
2010-05-21 17:23:49 77312 ----a-w- c:\windows\MBR.exe
2010-05-21 17:23:49 256512 ----a-w- c:\windows\PEV.exe
2010-05-21 17:23:49 161792 ----a-w- c:\windows\SWREG.exe
2010-05-19 18:24:27 54 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-05-16 18:30:36 15880 ------w- c:\windows\system32\lsdelete.exe
2010-05-16 18:14:46 95024 ------w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 18:04:27 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 00:22:29 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-16 00:22:14 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-16 00:22:14 0 d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-05-15 23:55:42 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 01:35:15 0 d-----w- C:\$AVG
2010-05-13 21:11:31 12464 ------w- c:\windows\system32\avgrsstx.dll
2010-05-13 21:11:30 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-13 21:11:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-13 21:11:16 0 d-----w- c:\windows\system32\drivers\Avg
2010-05-13 21:11:01 0 d-----w- c:\program files\AVG
2010-05-13 21:11:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-05-05 06:50:37 0 d-----w- c:\program files\ATI
2010-05-05 06:48:27 0 d-----w- C:\ATI
2010-04-25 23:34:02 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-04-20 09:37:38 78076 ------w- c:\windows\fonts\GazetteLTStd-Roman.ttf
2010-04-20 09:36:00 28968 ------w- c:\windows\fonts\Monospaced Bold.ttf
2010-04-20 09:34:00 28860 ------w- c:\windows\fonts\Monospaced.ttf
2010-04-20 09:32:11 72900 ------w- c:\windows\fonts\GraphiteStd-Bold.ttf
2010-04-20 09:31:29 43472 ------w- c:\windows\fonts\Graphite Light Narrow ATT.ttf
2010-04-20 09:30:36 73300 ------w- c:\windows\fonts\GraphiteStd-Regular.ttf
2010-04-20 09:27:52 38816 ------w- c:\windows\fonts\Graphite Light ATT.ttf
2010-04-20 09:23:59 43956 ------w- c:\windows\fonts\Challenge Extra Bold.ttf
2010-04-20 09:15:02 44552 ------w- c:\windows\fonts\Nadianne Bold.ttf
2010-03-27 08:51:06 15620 ------w- c:\windows\system32\SystemRes13.sm.SYS
2008-05-04 18:06:57 527 ------w- c:\program files\A JoeRead.txt
2009-07-18 20:06:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071820090719\index.dat

============= FINISH: 16:33:47.32 ===============