Backdoor.Tidserv!gen5


This topic is locked
17 replies to this topic

#1 Esters42

  • Members
  • 9 posts

Posted 02 June 2010 - 01:28 AM

Hi,

Someone from the Norton Community recommended I post my issue here.

This weekend my computer was infected with the Suspicious Cloud virus. I was able to download Malwarebytes and SUPERAntiSpyware to remove most of the problem.

Today my Norton Internet Security showed that my computer was infected by the Backdoor.Tidserv!gen5 trojan. It says it quarantined the file and removed it, but I would love for someone to take a look and see if it is removed from my computer and recommend how I can properly protect my computer.

I was able to run DDS. However, when I try to run GMER, Windows prevents it from working and gives this message: "gmer.exe has stopped working. A problem caused the program to stop working correctly."

Thank you in advance for your help! I appreciate this site and your willingness to help!!

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Abbey at 1:51:39.32 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3573.1342 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\MCUI32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Abbey\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [AdobeBridge]
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\abbey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [<NO NAME>]
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [skb] rundll32 "llehagnm.dll",,Run
mRun: [MChk] c:\windows\system32\spuanurc.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\community
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\abbey\appdata\roaming\mozilla\firefox\profiles\6nxdq61l.default\
FF - prefs.js: browser.startup.homepage - www.pinkinkmedia.com
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\abbey\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\abbey\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\abbey\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100520.001\IDSvix86.sys [2009-10-28 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-5-25 339504]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-26 111616]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-28 38224]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2010-5-29 19968]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]

=============== Created Last 30 ================

2010-06-01 07:01:21 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-01 07:01:20 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-01 07:01:20 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-31 07:30:08 0 d-----w- c:\program files\Windows Portable Devices
2010-05-31 07:29:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-31 07:28:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-31 07:08:03 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-31 07:08:03 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-31 07:08:03 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-30 13:54:43 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-30 13:54:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-30 13:54:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\eu-ES
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\ca-ES
2010-05-30 03:44:37 0 d-----w- c:\windows\system32\vi-VN
2010-05-30 03:36:43 0 d-----w- c:\windows\system32\SPReview
2010-05-30 03:08:32 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-05-30 03:08:08 57856 ----a-w- c:\windows\system32\compcln.exe
2010-05-30 03:05:59 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-30 03:04:59 128000 ----a-w- c:\windows\system32\gpresult.exe
2010-05-30 03:03:55 241664 ----a-w- c:\windows\system32\msltus40.dll
2010-05-30 02:58:51 0 d-----w- c:\windows\system32\EventProviders
2010-05-30 02:58:48 0 d-----w- C:\8113ec903718c1754813
2010-05-29 19:48:34 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-29 19:48:33 0 d-----w- c:\users\abbey\appdata\roaming\SUPERAntiSpyware.com
2010-05-29 19:47:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 18:08:07 0 d-----w- c:\program files\MSN Toolbar
2010-05-29 18:05:43 0 d-----w- c:\program files\MSN Toolbar Installer
2010-05-29 18:05:16 0 d-----w- c:\programdata\Sun
2010-05-29 18:02:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 22:47:55 0 d-----w- c:\users\abbey\appdata\roaming\Malwarebytes
2010-05-28 22:47:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 22:47:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 22:47:46 0 d-----w- c:\programdata\Malwarebytes
2010-05-28 22:47:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 20:35:56 37 ----a-w- c:\windows\wininit.ini
2010-05-28 17:55:01 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-28 17:39:24 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14:19 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\spuanurc.exe
2010-05-12 07:11:29 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 18:56:54 11264 --sha-w- c:\users\abbey\Thumbs.db
2010-05-06 16:06:30 131 ----a-w- C:\DeletePrintJobs.cmd
2010-05-06 16:05:03 131 ----a-w- c:\users\abbey\DeletePrintJobs.cmd

==================== Find3M ====================

2010-05-31 07:29:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-31 07:29:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-31 07:29:45 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-31 07:29:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-30 03:33:57 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-04-08 22:29:56 26012 ----a-w- c:\windows\fonts\FABULOUS.TTF
2010-04-04 04:39:08 78820 ----a-w- c:\windows\fonts\SlabserifXhigh.ttf
2010-04-04 04:37:58 85768 ----a-w- c:\windows\fonts\JustOldFashion-Condensed.ttf
2010-04-04 04:37:58 79480 ----a-w- c:\windows\fonts\JustOldFashion.ttf
2010-04-04 04:36:27 65944 ----a-w- c:\windows\fonts\Charsup.ttf
2010-04-04 04:36:27 64692 ----a-w- c:\windows\fonts\Charwid.ttf
2010-04-04 04:36:27 64024 ----a-w- c:\windows\fonts\Charupp.ttf
2010-04-04 04:36:27 62952 ----a-w- c:\windows\fonts\Charstrwn.ttf
2010-04-04 04:36:26 82400 ----a-w- c:\windows\fonts\Charruff.ttf
2010-04-04 04:36:26 63196 ----a-w- c:\windows\fonts\Charnarr.ttf
2010-04-04 04:36:26 62796 ----a-w- c:\windows\fonts\Charbold.ttf
2010-04-04 04:36:26 62716 ----a-w- c:\windows\fonts\CHARRING.ttf
2010-04-04 04:36:26 59560 ----a-w- c:\windows\fonts\Charsbld.ttf
2010-04-04 04:36:26 116452 ----a-w- c:\windows\fonts\Charposh.ttf
2010-04-04 04:36:26 110312 ----a-w- c:\windows\fonts\Charout.ttf
2010-04-04 04:33:43 26556 ----a-w- c:\windows\fonts\LEMONCHI.TTF
2010-04-04 04:33:17 98212 ----a-w- c:\windows\fonts\Broadsheet LDO Bold.ttf
2010-04-04 04:33:17 89156 ----a-w- c:\windows\fonts\Broadsheet LDO Italic.ttf
2010-04-04 04:33:17 75608 ----a-w- c:\windows\fonts\Broadsheet LDO Bold Italic.ttf
2010-04-04 04:33:17 112040 ----a-w- c:\windows\fonts\Broadsheet LDO.ttf
2010-03-17 15:03:46 246 ----a-w- c:\users\abbey\appdata\roaming\wklnhst.dat
2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-09-26 13:57:29 76 --sh--r- c:\windows\CT4CET.bin
2009-10-18 11:50:03 262144 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-09-30 18:18:52 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-09-30 18:18:52 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-09-30 18:18:52 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2008-09-26 16:30:42 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 1:57:51.76 ===============

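A few lines in the DDS log above are the ones a malware analyst would pull out first: `mRun: [skb] rundll32 "llehagnm.dll",,Run` loads a DLL by bare name rather than by path, `mRun: [MChk] c:\windows\system32\spuanurc.exe` autostarts a file that also shows up in the "Created Last 30" list, `c:\windows\system32\eignktmskyngwam.exe` is a freshly created file with a random-looking name, and `mPolicies-system: EnableLUA = 0` means UAC is switched off. The script below is an added example of how to script that first pass over a DDS log; it is not part of the original post and not a tool anyone in this thread uses. Its sample input is constructed from lines of the same shape as the log above (not the full log), and the four heuristics it applies (bare-DLL rundll32 entries, autostart entries that correlate with recently created files in system32, long letters-only names in system32, and EnableLUA=0) are this example's own assumptions. They produce candidates for manual review, not verdicts.

```python
"""Added triage example for DDS-style log excerpts (not a tool from the thread).

Reads the autostart ('uRun:' / 'mRun:'), 'mPolicies-system' and 'Created Last 30'
lines of a DDS log and returns entries worth a closer look.  All heuristics are
assumptions made for this example, not rules DDS, Norton or ComboFix apply.
"""
import re
from typing import Dict, List

# Constructed sample input: lines in the shape of the "Pseudo HJT Report" and
# "Created Last 30" sections of a DDS log.  Not the full log from the post.
SAMPLE_LOG = r"""
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [skb] rundll32 "llehagnm.dll",,Run
mRun: [MChk] c:\windows\system32\spuanurc.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
2010-05-28 17:39:24 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14:19 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\spuanurc.exe
"""

# "uRun: [name] command" (HKCU) or "mRun: [name] command" (HKLM)
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "YYYY-MM-DD HH:MM:SS size attrs path" from the "Created Last 30" section
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: EnableLUA = (?P<val>\d+)")
# rundll32 given a DLL name with no directory component (resolved via search order)
BARE_DLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?(?P<dll>[^\\"/:\s]+\.dll)"?', re.I)
# first drive-letter or %VAR% based path ending in a PE extension in a command line
PATH_RE = re.compile(r'"?(?P<path>(?:[a-z]:|%[a-z]+%)\\[^"]+?\.(?:exe|dll|scr))"?', re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def looks_random(stem: str) -> bool:
    """Assumption for this example: a long, letters-only, all-lowercase file stem
    with no digits or separators is unusual for a vendor binary in system32."""
    return len(stem) >= 12 and stem.isalpha() and stem.islower()


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return candidate findings keyed by heuristic name (insertion order kept)."""
    findings: Dict[str, List[str]] = {
        "bare_dll_autostart": [],
        "recent_system32_autostart": [],
        "random_name_in_system32": [],
        "weak_policy": [],
    }
    autostarts: Dict[str, str] = {}   # basename -> command line from a Run entry
    created = set()                   # basenames of recently created system32 files

    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if BARE_DLL_RE.search(cmd):
                findings["bare_dll_autostart"].append(f"[{m.group('name')}] {cmd}")
                continue
            p = PATH_RE.search(cmd)
            if p:
                autostarts[basename(p.group("path"))] = cmd
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path").strip()
            if "\\system32\\" in path.lower():
                name = basename(path)
                created.add(name)
                if looks_random(name.rsplit(".", 1)[0]):
                    findings["random_name_in_system32"].append(path)
            continue
        m = POLICY_RE.match(line)
        if m and m.group("val") == "0":
            findings["weak_policy"].append(line)

    # Correlate: something that autostarts AND was created in system32 recently.
    for name, cmd in autostarts.items():
        if name in created:
            findings["recent_system32_autostart"].append(cmd)
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Run it on a saved DDS log by reading the file into `triage()` instead of `SAMPLE_LOG`. On the sample it flags exactly the four items named above and leaves the vendor entries (Apoint, igfxtray, jusched, tzres) alone; the correlation check is the one that would still catch a file like spuanurc.exe if it had been given a plausible-looking name.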

#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 June 2010 - 03:19 PM

Hello.

My name is Extremeboy (or EB for short), and I will be helping you with your log.

Can you try booting into Safe Mode and see if you can run GMER successfully?

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 Esters42
  • Topic Starter

  • Members
  • 9 posts

Posted 02 June 2010 - 10:00 PM

EB!

Thank you so much for helping me.

I don't know why I didn't start it in Safe Mode after I couldn't get it the first time... I am still learning. Anyway, I just did, and I still had the same problem.

I tried it a few times. I noticed each time at the bottom of the scan it seemed to be stopping on
Device\Harddisk\VolumeShadowCopy1

The first time I tried to run it in Safe Mode it stopped and gave the windows error message and then shortly went to the Blue Screen of Death. It then just shut my computer down before I could write down any error messages.

Also -- when I restarted my computer normally it gave this windows error message : Error Loading llehagnm.dll Specific Module cannot be found.

Edited by Esters42, 02 June 2010 - 10:14 PM.


#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 03 June 2010 - 02:57 PM

Hello again,

No problem. Thanks for the description. The error you got was related to a registry entry that has already been removed and is now just an orphan; it will be dealt with easily later.

Let's begin with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


#5 Esters42
  • Topic Starter

  • Members
  • 9 posts

Posted 03 June 2010 - 10:39 PM

Here is the ComboFix log:

ComboFix 10-06-03.01 - Abbey 06/03/2010 22:47:51.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3573.2364 [GMT -4:00]
Running from: c:\users\Abbey\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 03:02 . 2010-06-04 03:02 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-06-04 02:57 . 2010-06-04 02:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-03 22:13 . 2010-06-03 22:13 309760 ----a-w- c:\windows\system32\znnkawue.dll
2010-06-03 22:11 . 2010-06-03 22:11 327680 ----a-w- c:\windows\system32\bjkmozkd.dll
2010-06-01 07:01 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-01 07:01 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-01 07:01 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-31 07:30 . 2010-05-31 07:30 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-31 07:08 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-31 07:08 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-31 07:08 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-30 13:54 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-30 13:54 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-30 13:54 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\ca-ES
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\eu-ES
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\vi-VN
2010-05-30 03:36 . 2010-05-30 03:36 -------- d-----w- c:\windows\system32\SPReview
2010-05-30 03:08 . 2009-04-11 03:28 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-05-30 03:08 . 2009-04-11 03:27 57856 ----a-w- c:\windows\system32\compcln.exe
2010-05-30 03:05 . 2009-04-11 03:32 149480 ----a-w- c:\windows\system32\drivers\pci.sys
2010-05-30 03:04 . 2009-04-11 03:27 128000 ----a-w- c:\windows\system32\gpresult.exe
2010-05-30 03:03 . 2009-04-11 03:28 241664 ----a-w- c:\windows\system32\msltus40.dll
2010-05-30 02:58 . 2010-05-30 02:58 -------- d-----w- c:\windows\system32\EventProviders
2010-05-30 02:58 . 2010-05-30 03:36 -------- d-----w- C:\8113ec903718c1754813
2010-05-29 19:48 . 2010-05-29 19:48 -------- d-----w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com
2010-05-29 19:47 . 2010-05-29 19:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 18:08 . 2010-05-29 18:08 -------- d-----w- c:\program files\MSN Toolbar
2010-05-29 18:05 . 2010-05-29 18:08 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-05-29 18:02 . 2010-05-29 18:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 22:47 . 2010-05-28 22:47 -------- d-----w- c:\users\Abbey\AppData\Roaming\Malwarebytes
2010-05-28 22:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 22:47 . 2010-05-28 22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 22:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 17:55 . 2010-05-06 04:01 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-28 17:39 . 2010-05-28 17:39 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\spuanurc.exe
2010-05-12 07:11 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-06 16:06 . 2010-05-06 16:06 131 ----a-w- C:\DeletePrintJobs.cmd
2010-05-06 16:05 . 2010-05-06 16:05 131 ----a-w- c:\users\Abbey\DeletePrintJobs.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-03 03:40 . 2010-05-29 19:49 63488 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-03 03:40 . 2010-05-29 19:49 117760 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-31 07:29 . 2010-05-31 07:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-31 07:28 . 2010-05-31 07:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-30 03:49 . 2008-10-11 01:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-05-30 03:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-05-29 19:49 . 2010-05-29 19:49 52224 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 18:05 . 2008-09-26 13:53 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 18:01 . 2008-09-26 13:53 -------- d-----w- c:\program files\Java
2010-05-28 23:40 . 2008-10-14 17:34 6648 ----a-w- c:\users\Abbey\AppData\Local\d3d9caps.dat
2010-05-25 02:41 . 2008-09-30 16:09 178904 ----a-w- c:\users\Abbey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-28 18:57 . 2010-04-28 18:57 50354 ----a-w- c:\users\Abbey\AppData\Roaming\Facebook\uninstall.exe
2010-04-28 18:57 . 2010-04-28 18:57 -------- d-----w- c:\users\Abbey\AppData\Roaming\Facebook
2010-04-27 19:26 . 2009-01-19 02:26 -------- d-----w- c:\users\Abbey\AppData\Roaming\Apple Computer
2010-04-21 17:51 . 2010-04-21 17:51 -------- d-----w- c:\users\Abbey\AppData\Roaming\Tific
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\users\Abbey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-04-09 12:10 . 2008-09-26 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 15:03 . 2010-03-17 15:03 246 ----a-w- c:\users\Abbey\AppData\Roaming\wklnhst.dat
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\users\Abbey\AppData\Roaming\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\Abbey\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-06 02:10 . 2010-02-06 02:10 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-26 13:57 . 2008-09-26 13:57 76 --sh--r- c:\windows\CT4CET.bin
2008-09-26 16:30 . 2008-09-26 16:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21FFC727-69E1-4FDA-9C11-600122CB8F0A}]
2010-06-03 22:13 309760 ----a-w- c:\windows\System32\znnkawue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E87C6B6-93B9-49F3-B061-A0E7D6AC6880}]
2010-06-03 22:11 327680 ----a-w- c:\windows\System32\bjkmozkd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-26 68856]
"Google Update"="c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-08 135664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-06 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"skb"="bjkmozkd.dll" [2010-06-03 327680]
"MChk"="c:\windows\system32\spuanurc.exe" [2010-05-24 40633]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-1 25214]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-26 50688]
QuickBooks US Plugin.lnk - c:\program files\PayPal Payment Request Wizard\QB US edition\OEHook.exe [2009-12-10 888987]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-26 14:14 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks US Plugin.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks US Plugin.lnk
backup=c:\windows\pss\QuickBooks US Plugin.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-02-06 02:10 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-04-23 15:43 228088 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-26 14:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4b,d6,78,b1,ab,ff,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 19456]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-06 30192]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1007020.00B\SYMNDISV.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-26 01:21]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:10]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:10]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1230342131-3999310887-1461761498-1000Core.job
- c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 17:04]

2010-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1230342131-3999310887-1461761498-1000UA.job
- c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 17:04]

2010-06-04 c:\windows\Tasks\User_Feed_Synchronization-{CE3F2712-F626-486A-B7F8-59127C72FDC1}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: intuit.com\community
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
FF - ProfilePath - c:\users\Abbey\AppData\Roaming\Mozilla\Firefox\Profiles\6nxdq61l.default\
FF - prefs.js: browser.startup.homepage - www.pinkinkmedia.com
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Abbey\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Abbey\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Abbey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
AddRemove-EPSON Scanner - c:\program files\epson\escndv\setup\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 23:01
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\znnkawue.dll 309760 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\%*"]
"Successes"=dword:80000000
"Failures"=dword:80000007
"{8C9F467E-20AA-4435-9552-D11E930956C1}"=hex:00,18,39,20,15,5c,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'Explorer.exe'(4936)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\STacSV.exe
c:\windows\system32\DllHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-06-03 23:11:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 03:11

Pre-Run: 35,163,144,192 bytes free
Post-Run: 35,210,203,136 bytes free

- - End Of File - - 793283F4AD28F4394A9F82E69724B4E3


#6 Esters42

Esters42
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 04 June 2010 - 12:22 PM

Shoot! Now this morning I am getting more infections. Malwarebytes cannot remove all of it.
Here is the latest Malwarebytes log if that helps.

And Super AntiSpyware keeps detecting - TrojanAgent/Gen-Frauder

Thanks :)

Attached Files


Edited by Esters42, 04 June 2010 - 12:27 PM.


#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:20 PM

Posted 05 June 2010 - 08:58 PM

Hello.

Please don't run tools or scans when I don't request them, as that can cause confusion and overlap things that need to be done.

Since you ran SAS already, could you post the log so I can take a look?

Then...
Re-run scan with MalwareBytes Anti-Malware

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 Esters42

Esters42
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:20 PM

Posted 06 June 2010 - 12:01 AM

The only problem I noticed was the other day (June 4) when I started getting tons of pop ups again when I used Internet Explorer. That is when I ran MalwareBytes.

I have selected to "remove selected". It shows that it deletes the files and reboots the computer. Then I ran it again to double check it removed everything and it shows up with the same infected files.

The files it keeps showing as infected, between MB and SAS, are "znnkawue.dll" and "bjkmozkd.dll".


The pop ups have stopped and I've only been using Firefox. I guess I kinda jumped the gun; just let me know the next steps.

Thanks again.


SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 06/06/2010 at 00:27 AM

Application Version : 4.38.1004

Core Rules Database Version : 5036
Trace Rules Database Version: 2848

Scan type : Quick Scan
Total Scan Time : 00:35:10

Memory items scanned : 768
Memory threats detected : 0
Registry items scanned : 673
Registry threats detected : 34
File items scanned : 25079
File threats detected : 3

Trojan.Agent/Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}#AppID
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\InprocServer32
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\InprocServer32#ThreadingModel
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\ProgID
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\Programmable
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\TypeLib
HKCR\CLSID\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}\VersionIndependentProgID
HKCR\adShotHlpr.adShotHlpr.1.0
HKCR\adShotHlpr.adShotHlpr.1.0\CLSID
HKCR\adShotHlpr.adShotHlpr
HKCR\adShotHlpr.adShotHlpr\CLSID
HKCR\adShotHlpr.adShotHlpr\CurVer
HKCR\TypeLib\{38061EDC-40BB-4618-A8DA-E56353347E6D}
C:\WINDOWS\SYSTEM32\BJKMOZKD.DLL
HKU\S-1-5-21-1230342131-3999310887-1461761498-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8020DCCB-F8F3-4572-9E22-D3E4E6955DE0}

Trojan.Agent/Gen-Frauder
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE032148-96B4-421E-95C7-0513413E8503}
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}#AppID
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\InprocServer32
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\InprocServer32#ThreadingModel
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\ProgID
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\Programmable
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\TypeLib
HKCR\CLSID\{DE032148-96B4-421E-95C7-0513413E8503}\VersionIndependentProgID
HKCR\adgj.agHlp.1
HKCR\adgj.agHlp.1\CLSID
HKCR\adgj.agHlp
HKCR\adgj.agHlp\CLSID
HKCR\adgj.agHlp\CurVer
HKCR\TypeLib\{7B6A2552-E65B-4A9E-ADD4-C45577FFD8FD}
C:\WINDOWS\SYSTEM32\ZNNKAWUE.DLL
HKU\S-1-5-21-1230342131-3999310887-1461761498-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DE032148-96B4-421E-95C7-0513413E8503}

Adware.Tracking Cookie
C:\Users\Abbey\AppData\Roaming\Microsoft\Windows\Cookies\abbey@cnfg.zigi-media-networks[1].txt

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4172

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

6/5/2010 11:48:39 PM
mbam-log-2010-06-05 (23-48-39).txt

Scan type: Quick scan
Objects scanned: 137203
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CscrptXt.CscrptXt (Adware.EZlife) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\bjkmozkd.dll (Adware.EZlife) -> Quarantined and deleted successfully.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Abbey at 0:31:27.00 on Sun 06/06/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3573.2157 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn\ytbb.exe
C:\Users\Abbey\Desktop\dds.scr
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: moigh Object: {52ceac0c-9c06-4778-ab01-b486ab8eee4e} - c:\windows\system32\znnkawue.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: adShotHlpr Object: {6168413a-1906-4e11-a102-6c9458527810} - c:\windows\system32\bjkmozkd.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\abbey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [skb] rundll32 "bjkmozkd.dll",,Run
mRun: [MChk] c:\windows\system32\spuanurc.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\community
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\googledesktopnetwork3.dll c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\abbey\appdata\roaming\mozilla\firefox\profiles\6nxdq61l.default\
FF - prefs.js: browser.startup.homepage - www.pinkinkmedia.com
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\abbey\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\abbey\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\abbey\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100528.003\IDSvix86.sys [2010-5-28 344112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-5-25 339504]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-9-26 73728]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-2 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-26 111616]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-26 30192]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2010-5-29 19968]

=============== Created Last 30 ================

2010-06-04 22:34:47 0 d-----w- c:\programdata\Yahoo! Companion
2010-06-04 22:34:44 0 d-----w- c:\program files\Yahoo!
2010-06-04 22:34:31 0 d-----w- c:\program files\CCleaner
2010-06-04 03:00:29 0 d-----w- C:\$RECYCLE.BIN
2010-06-04 02:44:39 98816 ----a-w- c:\windows\sed.exe
2010-06-04 02:44:39 77312 ----a-w- c:\windows\MBR.exe
2010-06-04 02:44:39 256512 ----a-w- c:\windows\PEV.exe
2010-06-04 02:44:39 161792 ----a-w- c:\windows\SWREG.exe
2010-06-03 22:13:36 309760 ----a-w- c:\windows\system32\znnkawue.dll
2010-06-03 22:11:38 327680 ----a-w- c:\windows\system32\bjkmozkd.dll
2010-06-01 07:01:21 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-01 07:01:20 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-01 07:01:20 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-31 07:30:08 0 d-----w- c:\program files\Windows Portable Devices
2010-05-31 07:29:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-31 07:28:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-31 07:08:03 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-31 07:08:03 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-31 07:08:03 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-30 13:54:43 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-30 13:54:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-30 13:54:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\eu-ES
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\ca-ES
2010-05-30 03:44:37 0 d-----w- c:\windows\system32\vi-VN
2010-05-30 03:36:43 0 d-----w- c:\windows\system32\SPReview
2010-05-30 03:08:32 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-05-30 03:08:08 57856 ----a-w- c:\windows\system32\compcln.exe
2010-05-30 03:05:59 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-30 03:04:59 128000 ----a-w- c:\windows\system32\gpresult.exe
2010-05-30 03:03:55 241664 ----a-w- c:\windows\system32\msltus40.dll
2010-05-30 02:58:51 0 d-----w- c:\windows\system32\EventProviders
2010-05-30 02:58:48 0 d-----w- C:\8113ec903718c1754813
2010-05-29 19:48:34 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-29 19:48:33 0 d-----w- c:\users\abbey\appdata\roaming\SUPERAntiSpyware.com
2010-05-29 19:47:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 18:08:07 0 d-----w- c:\program files\MSN Toolbar
2010-05-29 18:05:43 0 d-----w- c:\program files\MSN Toolbar Installer
2010-05-29 18:05:16 0 d-----w- c:\programdata\Sun
2010-05-29 18:02:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 22:47:55 0 d-----w- c:\users\abbey\appdata\roaming\Malwarebytes
2010-05-28 22:47:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 22:47:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 22:47:46 0 d-----w- c:\programdata\Malwarebytes
2010-05-28 22:47:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 20:35:56 37 ----a-w- c:\windows\wininit.ini
2010-05-28 17:55:01 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-28 17:39:24 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14:19 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\spuanurc.exe
2010-05-12 07:11:29 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-09 18:56:54 11264 --sha-w- c:\users\abbey\Thumbs.db

==================== Find3M ====================

2010-05-31 07:29:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-31 07:29:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-31 07:29:45 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-31 07:29:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-30 03:33:57 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-06 16:06:30 131 ----a-w- C:\DeletePrintJobs.cmd
2010-05-06 16:05:03 131 ----a-w- c:\users\abbey\DeletePrintJobs.cmd
2010-04-08 22:29:56 26012 ----a-w- c:\windows\fonts\FABULOUS.TTF
2010-04-04 04:39:08 78820 ----a-w- c:\windows\fonts\SlabserifXhigh.ttf
2010-04-04 04:37:58 85768 ----a-w- c:\windows\fonts\JustOldFashion-Condensed.ttf
2010-04-04 04:37:58 79480 ----a-w- c:\windows\fonts\JustOldFashion.ttf
2010-04-04 04:36:27 65944 ----a-w- c:\windows\fonts\Charsup.ttf
2010-04-04 04:36:27 64692 ----a-w- c:\windows\fonts\Charwid.ttf
2010-04-04 04:36:27 64024 ----a-w- c:\windows\fonts\Charupp.ttf
2010-04-04 04:36:27 62952 ----a-w- c:\windows\fonts\Charstrwn.ttf
2010-04-04 04:36:26 82400 ----a-w- c:\windows\fonts\Charruff.ttf
2010-04-04 04:36:26 63196 ----a-w- c:\windows\fonts\Charnarr.ttf
2010-04-04 04:36:26 62796 ----a-w- c:\windows\fonts\Charbold.ttf
2010-04-04 04:36:26 62716 ----a-w- c:\windows\fonts\CHARRING.ttf
2010-04-04 04:36:26 59560 ----a-w- c:\windows\fonts\Charsbld.ttf
2010-04-04 04:36:26 116452 ----a-w- c:\windows\fonts\Charposh.ttf
2010-04-04 04:36:26 110312 ----a-w- c:\windows\fonts\Charout.ttf
2010-04-04 04:33:43 26556 ----a-w- c:\windows\fonts\LEMONCHI.TTF
2010-04-04 04:33:17 98212 ----a-w- c:\windows\fonts\Broadsheet LDO Bold.ttf
2010-04-04 04:33:17 89156 ----a-w- c:\windows\fonts\Broadsheet LDO Italic.ttf
2010-04-04 04:33:17 75608 ----a-w- c:\windows\fonts\Broadsheet LDO Bold Italic.ttf
2010-04-04 04:33:17 112040 ----a-w- c:\windows\fonts\Broadsheet LDO.ttf
2010-03-17 15:03:46 246 ----a-w- c:\users\abbey\appdata\roaming\wklnhst.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-09-26 13:57:29 76 --sh--r- c:\windows\CT4CET.bin
2009-10-18 11:50:03 262144 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-09-26 16:30:42 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:33:20.73 ===============
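The entries the Malware Response Team member targets in the next reply (two recently created DLLs in system32 registered as BHOs, plus a Run entry loading one of them through rundll32 with no path) can be picked out of this log mechanically. The Python below is an added example, not part of this thread and not DDS or ComboFix code: it cross-references the Pseudo HJT Report autostart entries with the Created Last 30 section, flags modules dropped recently into a Windows directory or loaded by rundll32 by bare name, and then reads the Other Deletions section of the ComboFix log posted later in the thread to report which flagged items were listed as deleted. The embedded excerpts are constructed from the logs in this thread; the section-banner formats and the two heuristics are assumptions, and a flag is a candidate for review, not a verdict.

```python
import re
# Constructed excerpts modelled on the DDS and ComboFix logs in this thread (not the full logs).
DDS_EXCERPT = r"""
============== Pseudo HJT Report ===============
BHO: moigh Object: {52ceac0c-9c06-4778-ab01-b486ab8eee4e} - c:\windows\system32\znnkawue.dll
BHO: adShotHlpr Object: {6168413a-1906-4e11-a102-6c9458527810} - c:\windows\system32\bjkmozkd.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [skb] rundll32 "bjkmozkd.dll",,Run
mRun: [MChk] c:\windows\system32\spuanurc.exe
=============== Created Last 30 ================
2010-06-03 22:13:36 309760 ----a-w- c:\windows\system32\znnkawue.dll
2010-06-03 22:11:38 327680 ----a-w- c:\windows\system32\bjkmozkd.dll
2010-06-01 07:01:20 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\spuanurc.exe
"""
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bjKMozkd.dll
c:\windows\system32\znnkawue.dll
((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                    # DDS '=== name ===' banners
PATH_RE = re.compile(r'([a-z]:\\[^"]+?\.(?:dll|exe))\b', re.I)   # first drive-letter path
RUNDLL_RE = re.compile(r'rundll32\s+"?([^"\s\\]+\.dll)', re.I)  # DLL given without any path
CREATED_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+\S+\s+(.+)$")     # stamp, size, attrs, path
DELETIONS_RE = re.compile(r"^\(+\s*Other Deletions\s*\)+$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def dds_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif current and line:
            sections[current].append(line)
    return sections

def parse_autostarts(lines):
    """Yield (kind, name, lowercase module path or None, raw entry) for BHO/TB/Run lines."""
    for line in lines:
        kind, _, rest = line.partition(": ")
        if kind not in ("BHO", "TB", "mRun", "uRun"):
            continue
        name = rest.split(": {", 1)[0] if kind in ("BHO", "TB") else rest[1:rest.index("]")]
        m = PATH_RE.search(rest)
        yield kind, name, (m.group(1).lower() if m else None), rest

def parse_created(lines):
    """Map lowercase path -> (timestamp, size) from the 'Created Last 30' section."""
    matches = (CREATED_RE.match(ln) for ln in lines)
    return {m.group(3).lower(): (m.group(1), int(m.group(2))) for m in matches if m}

def triage(dds_text):
    """Autostart entries worth a second look: module dropped into a Windows directory within
    the last 30 days, or loaded by rundll32 via the DLL search path. Candidates, not verdicts."""
    secs = dds_sections(dds_text)
    created = parse_created(secs.get("Created Last 30", []))
    findings = []
    for kind, name, module, rest in parse_autostarts(secs.get("Pseudo HJT Report", [])):
        reasons, bare = [], RUNDLL_RE.search(rest)
        if bare:
            reasons.append("rundll32 loads %s by bare name" % bare.group(1))
        if module and module.startswith(SYSTEM_DIRS) and module in created:
            reasons.append("dropped into a system directory on %s (%d bytes)" % created[module])
        if reasons:
            findings.append({"kind": kind, "name": name, "reasons": reasons,
                             "module": module or bare.group(1).lower()})
    return findings

def parse_deletions(combofix_text):
    """Lowercase basenames ComboFix listed under 'Other Deletions'."""
    deleted, inside = set(), False
    for line in (ln.strip() for ln in combofix_text.splitlines()):
        if DELETIONS_RE.match(line):
            inside = True
        elif inside and line.startswith("((((("):   # the next banner ends the section
            break
        elif inside and line and line != ".":
            deleted.add(line.lower().rsplit("\\", 1)[-1])
    return deleted

def verify_removal(findings, combofix_text):
    """Split findings into reported-deleted and still-open; basename match covers bare names."""
    deleted = parse_deletions(combofix_text)
    removed, remaining = [], []
    for f in findings:
        (removed if f["module"].rsplit("\\", 1)[-1] in deleted else remaining).append(f)
    return removed, remaining

if __name__ == "__main__":
    found = triage(DDS_EXCERPT)
    removed, remaining = verify_removal(found, COMBOFIX_EXCERPT)
    for f in found:
        print(f["kind"], f["name"], f["module"], "; ".join(f["reasons"]))
    print("reported removed:", [f["module"] for f in removed], "open:", [f["module"] for f in remaining])
```

On the excerpt this leaves spuanurc.exe (a recent system32 drop started from Run) as the one open item, which is exactly the kind of entry to ask the helper about rather than act on alone.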


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 June 2010 - 01:51 PM

Hello.

Yes, those still need to be dealt with.

Please do the following...

First I see no Anti-Virus software installed.

Please go here and under the Anti-Virus Softwares heading, please go and download ONE of those free anti-virus programs. Install it and update it.

Once that is done, please continue with the following on running Combofix.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/320966/backdoortidservgen5/
    Collect::[68]
    c:\windows\system32\bjkmozkd.dll
    c:\windows\system32\znnkawue.dll
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6168413a-1906-4e11-a102-6c9458527810}]
    [-HKEY_CLASSES_ROOT\CLSID\{6168413a-1906-4e11-a102-6c9458527810}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52ceac0c-9c06-4778-ab01-b486ab8eee4e}]
    [-HKEY_CLASSES_ROOT\CLSID\{52ceac0c-9c06-4778-ab01-b486ab8eee4e}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "skb"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.


Let me know how it goes and if the upload went successfully or not in your next reply.


Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#10 Esters42

Esters42
  • Topic Starter
  • Members
  • 9 posts

Posted 06 June 2010 - 04:18 PM

It seems as though everything was successful. It said it was able to upload the combofix file.

I do have Norton Internet Security installed. However, it didn't detect any of these problems.

I downloaded AVG. Should I just do one or the other? Or do they serve different purposes?

Thanks for your follow up.

ComboFix 10-06-06.01 - Abbey 06/06/2010 16:49:25.2.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3573.2104 [GMT -4:00]
Running from: c:\users\Abbey\Desktop\ComboFix.exe
Command switches used :: c:\users\Abbey\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\system32\bjkmozkd.dll
file zipped: c:\windows\system32\znnkawue.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bjKMozkd.dll
c:\windows\system32\znnkawue.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-06-06 21:00 . 2010-06-06 21:00 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-06 21:00 . 2010-06-06 21:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-06 20:43 . 2010-06-06 20:44 -------- d-----w- C:\32788R22FWJFW
2010-06-06 20:36 . 2010-06-06 20:36 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-06 20:36 . 2010-06-06 20:38 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-06 20:36 . 2010-06-06 20:36 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-06 20:36 . 2010-06-06 20:38 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-06 20:36 . 2010-06-06 20:36 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-06 20:33 . 2010-06-06 20:33 -------- d-----w- c:\program files\AVG
2010-06-04 22:34 . 2010-06-04 22:34 -------- d-----w- c:\users\Abbey\AppData\Roaming\Yahoo!
2010-06-04 22:34 . 2010-06-04 22:34 -------- d-----w- c:\program files\Yahoo!
2010-06-04 22:34 . 2010-06-04 22:34 -------- d-----w- c:\program files\CCleaner
2010-06-04 03:02 . 2010-06-04 03:02 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-06-01 07:01 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-01 07:01 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-01 07:01 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-31 07:30 . 2010-05-31 07:30 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-31 07:08 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-31 07:08 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-31 07:08 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-30 13:54 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-30 13:54 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-30 13:54 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\ca-ES
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\eu-ES
2010-05-30 03:44 . 2010-05-30 03:45 -------- d-----w- c:\windows\system32\vi-VN
2010-05-30 03:36 . 2010-05-30 03:36 -------- d-----w- c:\windows\system32\SPReview
2010-05-30 03:08 . 2009-04-11 03:28 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-05-30 03:08 . 2009-04-11 03:27 57856 ----a-w- c:\windows\system32\compcln.exe
2010-05-30 03:05 . 2009-04-11 03:32 149480 ----a-w- c:\windows\system32\drivers\pci.sys
2010-05-30 03:04 . 2009-04-11 03:27 128000 ----a-w- c:\windows\system32\gpresult.exe
2010-05-30 03:03 . 2009-04-11 03:28 241664 ----a-w- c:\windows\system32\msltus40.dll
2010-05-30 02:58 . 2010-05-30 02:58 -------- d-----w- c:\windows\system32\EventProviders
2010-05-30 02:58 . 2010-05-30 03:36 -------- d-----w- C:\8113ec903718c1754813
2010-05-29 19:49 . 2010-06-06 02:38 63488 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-29 19:49 . 2010-05-29 19:49 52224 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-29 19:49 . 2010-06-06 02:38 117760 ----a-w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-29 19:48 . 2010-05-29 19:48 -------- d-----w- c:\users\Abbey\AppData\Roaming\SUPERAntiSpyware.com
2010-05-29 19:47 . 2010-05-29 19:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 18:08 . 2010-05-29 18:08 -------- d-----w- c:\program files\MSN Toolbar
2010-05-29 18:05 . 2010-05-29 18:08 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-05-29 18:02 . 2010-05-29 18:02 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 22:47 . 2010-05-28 22:47 -------- d-----w- c:\users\Abbey\AppData\Roaming\Malwarebytes
2010-05-28 22:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 22:47 . 2010-05-28 22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 22:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 17:55 . 2010-05-06 04:01 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-28 17:39 . 2010-05-28 17:39 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14 . 2010-04-23 14:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\spuanurc.exe
2010-05-12 07:11 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-31 07:29 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-31 07:29 . 2010-05-31 07:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-31 07:28 . 2010-05-31 07:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-30 03:49 . 2008-10-11 01:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2010-05-30 03:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-30 03:45 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2010-05-29 18:05 . 2008-09-26 13:53 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 18:01 . 2008-09-26 13:53 -------- d-----w- c:\program files\Java
2010-05-28 23:40 . 2008-10-14 17:34 6648 ----a-w- c:\users\Abbey\AppData\Local\d3d9caps.dat
2010-05-25 02:41 . 2008-09-30 16:09 178904 ----a-w- c:\users\Abbey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-06 16:06 . 2010-05-06 16:06 131 ----a-w- C:\DeletePrintJobs.cmd
2010-05-06 16:05 . 2010-05-06 16:05 131 ----a-w- c:\users\Abbey\DeletePrintJobs.cmd
2010-04-28 18:57 . 2010-04-28 18:57 50354 ----a-w- c:\users\Abbey\AppData\Roaming\Facebook\uninstall.exe
2010-04-28 18:57 . 2010-04-28 18:57 -------- d-----w- c:\users\Abbey\AppData\Roaming\Facebook
2010-04-27 19:26 . 2009-01-19 02:26 -------- d-----w- c:\users\Abbey\AppData\Roaming\Apple Computer
2010-04-21 17:51 . 2010-04-21 17:51 -------- d-----w- c:\users\Abbey\AppData\Roaming\Tific
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\users\Abbey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-04-09 12:10 . 2008-09-26 14:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-17 15:03 . 2010-03-17 15:03 246 ----a-w- c:\users\Abbey\AppData\Roaming\wklnhst.dat
2010-02-06 02:10 . 2010-02-06 02:10 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-26 13:57 . 2008-09-26 13:57 76 --sh--r- c:\windows\CT4CET.bin
2008-09-26 16:30 . 2008-09-26 16:29 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-26 68856]
"Google Update"="c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-08 135664]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-07-03 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-02-06 30192]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"MChk"="c:\windows\system32\spuanurc.exe" [2010-05-24 40633]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" [2009-12-09 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-10-1 25214]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-9-26 50688]
QuickBooks US Plugin.lnk - c:\program files\PayPal Payment Request Wizard\QB US edition\OEHook.exe [2009-12-10 888987]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-26 14:14 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks US Plugin.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks US Plugin.lnk
backup=c:\windows\pss\QuickBooks US Plugin.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 06:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-02-06 02:10 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-02-15 23:07 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-04-23 15:43 228088 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-26 14:04 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:4b,d6,78,b1,ab,ff,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 135664]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-04-19 430152]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2009-11-10 19456]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-02-06 30192]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\Drivers\NIS\1007020.00B\SYMNDISV.SYS [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1107000.00C\SYMDS.SYS [2009-11-05 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-06-06 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-06-06 242896]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\IPSDefs\20100528.003\IDSvix86.sys [2010-05-28 344112]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-06 308064]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-27 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-26 01:21]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:10]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 03:10]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1230342131-3999310887-1461761498-1000Core.job
- c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 17:04]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1230342131-3999310887-1461761498-1000UA.job
- c:\users\Abbey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-08 17:04]

2010-06-06 c:\windows\Tasks\User_Feed_Synchronization-{CE3F2712-F626-486A-B7F8-59127C72FDC1}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: intuit.com\community
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
FF - ProfilePath - c:\users\Abbey\AppData\Roaming\Mozilla\Firefox\Profiles\6nxdq61l.default\
FF - prefs.js: browser.startup.homepage - www.pinkinkmedia.com
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Abbey\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Abbey\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\Abbey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 17:00
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

[0] 0x0C030C19

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\%*"]
"Successes"=dword:80000000
"Failures"=dword:80000007
"{8C9F467E-20AA-4435-9552-D11E930956C1}"=hex:00,18,39,20,15,5c,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-06-06 17:05:15
ComboFix-quarantined-files.txt 2010-06-06 21:05
ComboFix2.txt 2010-06-04 03:11

Pre-Run: 42,164,195,328 bytes free
Post-Run: 42,021,515,264 bytes free

- - End Of File - - D3D38D6800EC9813C4C581B2B6D466D2
Upload was successful

Edited by Esters42, 06 June 2010 - 06:41 PM.


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 06 June 2010 - 06:32 PM

Hello.

For some reason, I didn't see you have Norton.

Since you already have one installed and updated, you can remove AVG. Sorry about that. You only need ONE AV at a time.

Post the C:\Combofix.txt still however.

Thanks.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#12 Esters42

Esters42
  • Topic Starter

  • Members
  • 9 posts

Posted 06 June 2010 - 07:18 PM

Hey Sorry! I just added it to my last post.

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 07 June 2010 - 07:30 PM

That's looking good. How's your computer running? Let's get a Malwarebytes scan.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy


#14 Esters42

Esters42
  • Topic Starter

  • Members
  • 9 posts

Posted 09 June 2010 - 07:08 AM

Okay here are the logs.
My computer seems to be doing fine. No issues like before.
The scans seemed to show infections still though. Are these just remnants of what we already deleted?

Thanks!



Wednesday, June 9, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 08, 2010 23:56:26
Records in database: 4220025


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Objects scanned 183833
Threats found 2
Infected objects found 3
Suspicious objects found 0
Scan duration 07:16:41

File name Threat Threats count
C:\Qoobox\Quarantine\C\Windows\System32\bjkmozkd.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.mgs 1

C:\Qoobox\Quarantine\[68]-Submit_2010-06-06_16.48.57.zip Infected: not-a-virus:AdWare.Win32.BHO.mgs 1

C:\Users\Abbey\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\4af76bac-3d880b22 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.




DDS (Ver_10-03-17.01) - NTFSx86
Run by Abbey at 7:57:53.94 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3573.2147 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Users\Abbey\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080926
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\users\abbey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0379.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com\community
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab
DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\googledesktopnetwork3.dll c:\progra~1\google\google~2\googledesktopnetwork3.dll c:\windows\system32\avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\abbey\appdata\roaming\mozilla\firefox\profiles\6nxdq61l.default\
FF - prefs.js: browser.startup.homepage - www.pinkinkmedia.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\abbey\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\abbey\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\abbey\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-5-25 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-5-25 173104]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-6 242896]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-5-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.1.0.19\definitions\ipsdefs\20100604.004\IDSvix86.sys [2010-6-8 344112]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-5-25 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1107000.00c\symtdiv.sys [2010-5-25 339504]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-9-26 73728]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-6 308064]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.7.0.12\ccsvchst.exe [2010-5-25 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-2 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-26 111616]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-6-6 430152]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 19456]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-26 30192]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2010-5-29 19968]

=============== Created Last 30 ================

2010-06-08 22:46:25 0 d--h--w- C:\$AVG
2010-06-06 21:06:55 0 d-sh--w- C:\$RECYCLE.BIN
2010-06-06 20:36:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-06 20:36:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-06 20:36:17 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-06 20:36:13 0 d-----w- c:\windows\system32\drivers\Avg
2010-06-06 20:36:10 0 d-----w- c:\programdata\AVG Security Toolbar
2010-06-06 20:33:33 0 d-----w- c:\program files\AVG
2010-06-06 20:33:15 0 d-----w- c:\programdata\avg9
2010-06-04 22:34:47 0 d-----w- c:\programdata\Yahoo! Companion
2010-06-04 22:34:44 0 d-----w- c:\program files\Yahoo!
2010-06-04 22:34:31 0 d-----w- c:\program files\CCleaner
2010-06-04 02:44:39 98816 ----a-w- c:\windows\sed.exe
2010-06-04 02:44:39 77312 ----a-w- c:\windows\MBR.exe
2010-06-04 02:44:39 256512 ----a-w- c:\windows\PEV.exe
2010-06-04 02:44:39 161792 ----a-w- c:\windows\SWREG.exe
2010-06-01 07:01:21 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-01 07:01:20 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-01 07:01:20 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-31 07:30:08 0 d-----w- c:\program files\Windows Portable Devices
2010-05-31 07:29:31 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-31 07:28:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-31 07:08:03 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-31 07:08:03 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-31 07:08:03 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-30 13:54:43 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-30 13:54:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-30 13:54:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\eu-ES
2010-05-30 03:44:38 0 d-----w- c:\windows\system32\ca-ES
2010-05-30 03:44:37 0 d-----w- c:\windows\system32\vi-VN
2010-05-30 03:36:43 0 d-----w- c:\windows\system32\SPReview
2010-05-30 03:08:32 928768 ----a-w- c:\windows\system32\scavenge.dll
2010-05-30 03:08:08 57856 ----a-w- c:\windows\system32\compcln.exe
2010-05-30 03:05:59 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-30 03:04:59 128000 ----a-w- c:\windows\system32\gpresult.exe
2010-05-30 03:03:55 241664 ----a-w- c:\windows\system32\msltus40.dll
2010-05-30 02:58:51 0 d-----w- c:\windows\system32\EventProviders
2010-05-30 02:58:48 0 d-----w- C:\8113ec903718c1754813
2010-05-29 19:48:34 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-29 19:48:33 0 d-----w- c:\users\abbey\appdata\roaming\SUPERAntiSpyware.com
2010-05-29 19:47:52 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-29 18:08:07 0 d-----w- c:\program files\MSN Toolbar
2010-05-29 18:05:43 0 d-----w- c:\program files\MSN Toolbar Installer
2010-05-29 18:05:16 0 d-----w- c:\programdata\Sun
2010-05-29 18:02:58 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 22:47:55 0 d-----w- c:\users\abbey\appdata\roaming\Malwarebytes
2010-05-28 22:47:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 22:47:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 22:47:46 0 d-----w- c:\programdata\Malwarebytes
2010-05-28 22:47:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 20:35:56 37 ----a-w- c:\windows\wininit.ini
2010-05-28 17:55:01 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-05-28 17:39:24 50981 ----a-w- c:\windows\system32\eignktmskyngwam.exe
2010-05-26 12:14:19 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 07:11:29 738816 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-31 07:29:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-31 07:29:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-31 07:29:45 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-31 07:29:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-30 03:33:57 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-06 16:06:30 131 ----a-w- C:\DeletePrintJobs.cmd
2010-05-06 16:05:03 131 ----a-w- c:\users\abbey\DeletePrintJobs.cmd
2010-04-08 22:29:56 26012 ----a-w- c:\windows\fonts\FABULOUS.TTF
2010-04-04 04:39:08 78820 ----a-w- c:\windows\fonts\SlabserifXhigh.ttf
2010-04-04 04:37:58 85768 ----a-w- c:\windows\fonts\JustOldFashion-Condensed.ttf
2010-04-04 04:37:58 79480 ----a-w- c:\windows\fonts\JustOldFashion.ttf
2010-04-04 04:36:27 65944 ----a-w- c:\windows\fonts\Charsup.ttf
2010-04-04 04:36:27 64692 ----a-w- c:\windows\fonts\Charwid.ttf
2010-04-04 04:36:27 64024 ----a-w- c:\windows\fonts\Charupp.ttf
2010-04-04 04:36:27 62952 ----a-w- c:\windows\fonts\Charstrwn.ttf
2010-04-04 04:36:26 82400 ----a-w- c:\windows\fonts\Charruff.ttf
2010-04-04 04:36:26 63196 ----a-w- c:\windows\fonts\Charnarr.ttf
2010-04-04 04:36:26 62796 ----a-w- c:\windows\fonts\Charbold.ttf
2010-04-04 04:36:26 62716 ----a-w- c:\windows\fonts\CHARRING.ttf
2010-04-04 04:36:26 59560 ----a-w- c:\windows\fonts\Charsbld.ttf
2010-04-04 04:36:26 116452 ----a-w- c:\windows\fonts\Charposh.ttf
2010-04-04 04:36:26 110312 ----a-w- c:\windows\fonts\Charout.ttf
2010-04-04 04:33:43 26556 ----a-w- c:\windows\fonts\LEMONCHI.TTF
2010-04-04 04:33:17 98212 ----a-w- c:\windows\fonts\Broadsheet LDO Bold.ttf
2010-04-04 04:33:17 89156 ----a-w- c:\windows\fonts\Broadsheet LDO Italic.ttf
2010-04-04 04:33:17 75608 ----a-w- c:\windows\fonts\Broadsheet LDO Bold Italic.ttf
2010-04-04 04:33:17 112040 ----a-w- c:\windows\fonts\Broadsheet LDO.ttf
2010-03-17 15:03:46 246 ----a-w- c:\users\abbey\appdata\roaming\wklnhst.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-09-26 13:57:29 76 --sh--r- c:\windows\CT4CET.bin
2009-10-18 11:50:03 262144 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-09-26 16:30:42 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 7:59:14.88 ===============


#15 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 09 June 2010 - 06:54 PM

Yes, two of what was detected were what we already deleted and quarantined. The other one is just simply a Java cache that can be removed easily.

Do the following...

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Other than that, logs look clean. Let's wrap up.

Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click it and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips >over here<. Is your system a bit slow? If so, try some of the points and things suggested here.

If you would like, visit my http://computermalwaresecurity.blogspot.com/ and Subscribe/Follow along.


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.




