
Google Redirect


  • This topic is locked
33 replies to this topic

#1 mjoller

mjoller

  • Members
  • 18 posts
  • OFFLINE
  • Local time:03:58 AM

Posted 25 June 2010 - 04:53 PM

Hi,

Recently, my google searches have been redirecting me to random sites. I've run scans with both my anti-virus and my anti-malware, but neither has solved the problem. Any help would be greatly appreciated.

As requested, here is the DDS report, as well as the Attach.txt and Ark.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 18:52:11.59 on 24/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1434 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Docume


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:58 PM

Posted 26 June 2010 - 07:17 PM

Hi mjoller,

Welcome to the Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. If you make changes, I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 mjoller

Posted 26 June 2010 - 08:52 PM

Hi,

Thanks for the reply. After I posted this, I ran both avast and malwarebytes in safe mode, which removed several threats. However, after I rebooted, I found this left me without an Internet connection. I use a wireless connection and it seems to not allow me to connect. I tried to run a system restore, but it told me I could not restore back to any points that I tried. It's impossible for me to get a wired connection, so any solutions needing a download would have to be through USB.

I apologize for running scans after this was posted, but my browser was acting up when I tried to post this, so I thought it didn't get through. I still have dds and gmer if the logs need to be updated, but would transferring the logs on my laptop for uploading transfer the infection as well?

#4 Farbar

Posted 27 June 2010 - 08:24 AM

Hi,

Thanks for the feedback. The type of infection is not a flash drive infection, but we will make sure the flash drive doesn't carry the infection. By doing step 1 the autorun feature will be removed from the USB drive to make it safe, and it should be opened via My Computer. Step 1 can be done on the clean computer.
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Turn off the auto-protect or resident-shield of your antivirus.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives, including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning, which takes only a few seconds, and then exit the program.
    • Reboot your computer when done.

    Note 1: Please temporarily disable your anti-virus program before downloading this tool, as it can be falsely flagged as malware: How to disable anti-virus programs
    Note 2: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


  2. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed, and tell me if it needed a reboot.
    • It also creates a txt file in the C:\ directory (like TDSSKiller.2.3.2.0_Date_Time_log.txt). Please attach it to your reply.

  3. Please run DDS and post a fresh DDS.txt in your reply. No need for the Attach.txt.





#5 mjoller

Posted 27 June 2010 - 03:19 PM

Hi,

Unfortunately, I'm having some problems running Flash Disinfector on my computer. When I try to open it, my mouse shows the loading icon ring for half a second, but nothing happens. I'm using an administrator account and my antivirus is disabled. If it matters, this computer is running Windows Vista SP2. Any ideas?

Edited by mjoller, 27 June 2010 - 03:27 PM.


#6 Farbar

Posted 27 June 2010 - 03:54 PM

Though the antivirus is disabled, it might have blocked the tool. Try to run it from Safe Mode:

Start in Safe Mode Using the F8 key:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
  • Log in to your usual account.


#7 mjoller

Posted 27 June 2010 - 08:57 PM

Hi,

Even in safe mode, Flash Disinfector fails to run.

#8 Farbar

Posted 28 June 2010 - 01:19 AM

Delete your copy, disable your antivirus, download a fresh one, but rename it before you save it. Then run it from Safe Mode.

If that doesn't work:
  1. Please set your system to show all files:
    • Click Start, open Control Panel, and click Folder Options.
    • Select the View tab. Under the Hidden files and folders heading, check Show hidden files and folders.
    • Uncheck: Hide file extensions for known file types
    • Uncheck: Hide protected operating system files (recommended) option.
    • Click Yes to confirm.

  2. Now on the flash drive there is a file named autorun.inf; delete the file. This will remove the automatic opening of the flash drive.

  3. Use the flash drive to transfer TDSSKiller to the infected computer, and get the TDSSKiller and DDS logs. When you insert the flash drive into the working computer again, let the antivirus scan it to make sure. Also, instead of double-clicking to open it, right-click it and select Explore. Or attach the logs without opening the flash drive.
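Both the Flash_Disinfector note in post #4 (a folder named autorun.inf keeps malware from dropping a same-named file) and the manual deletion in step 2 above rest on the same autorun.inf mechanism. As an added example, not code from the thread or from sUBs' tool, the script below inspects a drive root, reports the launch directives found in an autorun.inf file, and then replaces the file with the protective folder; the function names, the constructed sample autorun.inf and the use of the Windows hidden attribute on the folder are all assumptions of this example.

```python
import os
import shutil
import tempfile

# autorun.inf directives that run or open something on insert or double-click.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Lenient parser for the [autorun] section of an autorun.inf.

    Returns {lowercase_key: value}. Lenient on purpose: autorun.inf files
    dropped by USB worms often carry junk lines and odd spacing, and
    Windows itself simply ignores lines it cannot read.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def inspect_drive_root(root):
    """Classify the autorun.inf state of a drive root.

    status is one of:
      "protected"    - autorun.inf exists as a folder (the defence from post #4)
      "autorun-file" - a real autorun.inf file is present; launch entries listed
      "absent"       - nothing named autorun.inf
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return {"status": "protected", "launch": {}}
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            entries = parse_autorun(fh.read())
        # shell\<verb>\command entries launch things too, so match any key
        # ending in \command as well as the plain open/shellexecute keys.
        launch = {k: v for k, v in entries.items()
                  if k in LAUNCH_KEYS or k.endswith("\\command")}
        return {"status": "autorun-file", "launch": launch}
    return {"status": "absent", "launch": {}}


def protect_drive_root(root):
    """Delete an autorun.inf file (step 2 above) and create an autorun.inf folder.

    With a folder holding that name, malware cannot create a file of the
    same name, which is the protection described in post #4. Marking the
    folder hidden (Windows only) is an assumption of this example.
    """
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.remove(path)
    os.makedirs(path, exist_ok=True)
    if os.name == "nt":
        import ctypes  # FILE_ATTRIBUTE_HIDDEN == 0x2
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x2)
    return inspect_drive_root(root)


# Constructed sample (not from the thread): the shape of an autorun.inf a
# USB worm leaves on a flash drive, including a junk line and a decoy icon.
SAMPLE_AUTORUN = """[autorun]
;junk line with no separator
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def demo():
    """Simulate a flash drive root in a temp dir; return before/after states."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
        before = inspect_drive_root(root)
        after = protect_drive_root(root)
        return {"before": before, "after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("before:", result["before"])
    print("after: ", result["after"])
```

Run it against a real drive root (for example `inspect_drive_root("E:\\")`) only with "Show hidden files" enabled as in step 1, so that the result matches what Explorer shows.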


#9 mjoller

Posted 28 June 2010 - 12:10 PM

Hi,

After running TDSSKiller, I didn't need to reboot.

Here are the two logs as requested as well.

#10 Farbar

Posted 28 June 2010 - 12:40 PM

We will run ComboFix then concentrate on the connection issue. Since you have no connection you can not install the recovery console.

Could you possibly connect directly (wired/hardwired) to the internet before running ComboFix?

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the untrusted download sites for ComboFix; click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.





#11 mjoller

Posted 28 June 2010 - 12:46 PM

Hi,

Unfortunately, it's impossible for me to get a wired connection. Should I run ComboFix anyway?

#12 Farbar

Posted 28 June 2010 - 12:52 PM

Could you tell me why it is impossible?

#13 mjoller

Posted 28 June 2010 - 01:08 PM

Hi,

I managed to get a wired connection, but it seems I still cannot connect. When I hover my mouse over the icon, it says that it is "Acquiring network address", and when I try to repair it, it says "Windows could not finish repairing the problem because the following action cannot be completed: Renewing your IP address For assistance contact the person who manages your network".

Perhaps, when I ran the scans in safe mode before, Avast removed something important. Should I restore everything in the chest and try to see if I can connect?

Edited by mjoller, 28 June 2010 - 01:21 PM.


#14 Farbar

Posted 28 June 2010 - 01:24 PM

No, please don't go for drastic measures now. Let's run ComboFix. We will try to restore the connection after running ComboFix, to make sure no malware is there.

#15 mjoller

Posted 28 June 2010 - 01:39 PM

Hi,

I've run ComboFix and here is the log.

ComboFix 10-06-27.06 - HP_Administrator 28/06/2010 11:27:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1533 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\11422367.dll
c:\windows\system32\7233253.dll
c:\windows\xpsp1hfm.log
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-28 18:26 . 2010-06-28 18:26 -------- d-----w- C:\32788R22FWJFW
2010-06-25 21:56 . 2010-06-25 21:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-06-25 21:41 . 2010-06-25 21:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-24 19:36 . 2010-06-24 19:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ImgBurn
2010-06-24 19:36 . 2010-06-24 19:36 -------- d-----w- c:\program files\ImgBurn
2010-06-24 19:32 . 2010-06-24 19:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Sonic
2010-06-23 18:57 . 2010-06-23 18:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Auslogics
2010-06-21 19:36 . 2005-01-01 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2010-06-21 19:36 . 2010-06-21 19:36 -------- d-----w- c:\program files\Common Files\INCA Shared
2010-06-21 18:10 . 2010-06-21 18:10 -------- d-----w- c:\program files\softnyx
2010-06-20 02:31 . 2010-06-20 02:31 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Adobe
2010-06-19 21:23 . 2010-06-19 21:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-18 02:56 . 2010-06-18 02:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Shoddy Battle
2010-06-16 06:12 . 2010-06-16 06:13 -------- d-----w- C:\3c4a57fec85041262f52831005
2010-06-14 23:44 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\135a7a84.dll
2010-06-14 23:44 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\12895fb6.dll
2010-06-14 23:42 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\3b0d85e.dll
2010-06-14 23:42 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\2e1fe18.dll
2010-06-14 23:40 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\efaf08c.dll
2010-06-14 23:40 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\c3c00.dll
2010-06-14 23:38 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\187a32ed.dll
2010-06-14 23:35 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\536ebf0.dll
2010-06-14 23:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\4df62c3.dll
2010-06-14 23:34 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\181d2c68.dll
2010-06-14 23:33 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\b400663.dll
2010-06-14 23:33 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\2ee63f83.dll
2010-06-14 23:28 . 2010-06-16 06:13 -------- d-----w- c:\windows\system32\XPSViewer
2010-06-14 23:28 . 2010-06-14 23:28 -------- d-----w- c:\program files\Reference Assemblies
2010-06-14 23:28 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-06-14 23:27 . 2006-06-29 20:07 14048 ------w- c:\windows\system32\spmsg2.dll
2010-06-14 23:18 . 2010-06-14 23:18 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE
2010-06-14 22:57 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\321c7700.dll
2010-06-14 22:57 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\12a27488.dll
2010-06-14 15:08 . 2010-06-14 15:08 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-06-14 15:08 . 2010-06-14 15:08 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-06-14 15:08 . 2010-06-14 15:08 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-06-14 15:08 . 2010-06-14 15:08 -------- d-----w- C:\Nexon
2010-06-14 15:08 . 2010-06-14 15:08 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-06-14 15:08 . 2010-06-14 15:08 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-06-14 15:08 . 2010-06-14 15:08 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-14 15:08 . 2010-06-14 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2010-06-14 05:09 . 2010-06-14 05:56 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\PMB Files
2010-06-14 05:09 . 2010-06-14 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-06-14 05:09 . 2010-06-14 05:09 -------- d-----w- c:\program files\Pando Networks
2010-06-14 03:39 . 2010-06-14 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-06-14 03:24 . 2010-06-14 03:24 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-06-14 03:20 . 2010-06-14 03:20 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2010-06-13 23:35 . 2006-02-15 20:06 254026 ----a-r- c:\windows\system32\hpovst09.dll
2010-06-13 23:35 . 2006-02-15 20:06 827392 ----a-r- c:\windows\system32\hpotiop2.dll
2010-06-13 23:35 . 2006-02-15 20:06 659456 ----a-r- c:\windows\system32\hpowiax2.dll
2010-06-13 23:35 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-13 23:35 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-13 22:03 . 2010-06-26 04:30 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Media Player Classic
2010-06-13 21:57 . 2010-06-13 21:57 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-13 21:54 . 2010-06-13 21:54 -------- d-----w- c:\windows\ie8updates
2010-06-13 21:54 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-13 21:54 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-13 21:54 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-13 21:54 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-13 21:54 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-13 21:54 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-13 21:54 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-13 21:03 . 2008-04-26 02:41 218624 ----a-w- c:\windows\system32\dllcache\uxtheme.dll
2010-06-13 20:58 . 2010-06-13 20:58 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache
2010-06-13 20:54 . 2010-06-13 20:55 -------- dc-h--w- c:\windows\ie8
2010-06-13 20:22 . 2010-06-13 20:22 -------- d-----w- c:\windows\system32\scripting
2010-06-13 20:22 . 2010-06-13 20:22 -------- d-----w- c:\windows\system32\en
2010-06-13 20:22 . 2010-06-13 20:22 -------- d-----w- c:\windows\system32\bits
2010-06-13 20:22 . 2010-06-13 20:22 -------- d-----w- c:\windows\l2schemas
2010-06-13 20:12 . 2004-08-04 05:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-06-13 19:50 . 2010-06-13 19:50 -------- d-----w- c:\program files\MSXML 4.0
2010-06-13 19:48 . 2010-06-13 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2010-06-13 17:39 . 2010-06-13 20:21 -------- d-----w- c:\windows\ServicePackFiles
2010-06-13 17:29 . 2010-02-24 13:11 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-13 17:29 . 2009-12-31 16:50 353792 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-13 17:28 . 2009-10-15 16:28 81920 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-06-13 17:28 . 2009-10-15 16:28 119808 ------w- c:\windows\system32\dllcache\t2embed.dll
2010-06-13 17:27 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-13 17:21 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2010-06-13 17:21 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2010-06-13 17:21 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2010-06-13 17:21 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2010-06-13 17:21 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2010-06-13 17:21 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-06-13 17:21 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2010-06-13 17:21 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2010-06-13 17:21 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2010-06-13 17:21 . 2010-02-17 16:10 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-13 17:21 . 2010-02-16 14:08 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-13 17:21 . 2010-02-16 13:25 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-13 17:19 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-06-13 17:19 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2010-06-13 17:19 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-06-13 17:19 . 2006-03-21 03:23 23040 ------w- c:\windows\kb913800.exe
2010-06-13 17:18 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-06-13 17:17 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-06-13 17:17 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2010-06-13 05:36 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-06-13 05:33 . 2010-06-13 05:34 -------- d-----w- c:\program files\FrostWire
2010-06-13 05:33 . 2010-06-13 05:33 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-13 05:33 . 2010-06-13 05:33 79488 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-13 05:33 . 2010-06-13 05:33 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-13 05:31 . 2010-06-13 05:31 -------- d-----w- c:\program files\Messenger Plus! Live
2010-06-13 05:24 . 2006-10-27 02:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-06-13 05:24 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-06-13 05:23 . 2010-06-14 23:28 -------- d-----w- c:\program files\MSBuild
2010-06-13 05:22 . 2010-06-14 23:34 -------- d-----w- c:\program files\Microsoft.NET
2010-06-13 05:20 . 2010-06-13 05:20 -------- d-----w- c:\windows\SHELLNEW
2010-06-13 05:19 . 2010-06-13 05:19 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Microsoft Help
2010-06-13 05:19 . 2010-06-13 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-13 05:19 . 2010-06-13 05:19 -------- d-----r- C:\MSOCache
2010-06-13 05:17 . 2010-06-13 05:17 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Apple Computer
2010-06-13 05:17 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-06-13 05:17 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-06-13 05:16 . 2010-06-13 05:16 -------- d-----w- c:\program files\iPod
2010-06-13 05:16 . 2010-06-13 05:17 -------- d-----w- c:\program files\iTunes
2010-06-13 05:16 . 2010-06-13 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-13 05:15 . 2010-06-13 05:16 -------- d-----w- c:\program files\QuickTime
2010-06-13 05:15 . 2010-06-13 05:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-13 05:15 . 2010-06-13 05:15 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Apple
2010-06-13 05:15 . 2010-06-13 05:15 -------- d-----w- c:\program files\Apple Software Update
2010-06-13 05:15 . 2010-06-13 05:17 -------- dc----w- c:\windows\system32\DRVSTORE
2010-06-13 05:14 . 2010-06-13 05:15 -------- d-----w- c:\program files\Bonjour
2010-06-13 05:14 . 2010-06-13 05:16 -------- d-----w- c:\program files\Common Files\Apple
2010-06-13 05:14 . 2010-06-13 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-16 22:38 . 2010-06-13 04:13 89680 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-16 14:30 . 2006-06-10 12:32 89680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 03:31 . 2006-06-10 12:40 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-13 20:26 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-13 05:33 . 2006-06-10 12:04 -------- d-----w- c:\program files\Common Files\Java
2010-06-13 05:33 . 2006-06-10 12:04 -------- d-----w- c:\program files\Java
2010-06-13 05:23 . 2006-06-10 12:42 -------- d-----w- c:\program files\Microsoft Works
2010-06-13 04:33 . 2006-06-10 12:59 -------- d-----w- c:\program files\Symantec
2010-06-13 04:33 . 2006-06-10 12:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-13 04:30 . 2006-06-10 12:35 -------- d-----w- c:\program files\WildTangent
2010-06-13 04:29 . 2006-06-10 12:33 -------- d-----w- c:\program files\Common Files\Real
2010-06-13 04:28 . 2006-06-10 12:46 -------- d-----w- c:\program files\Quicken
2010-06-13 04:27 . 2006-06-10 12:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-13 04:21 . 2006-06-10 11:59 -------- d-----w- c:\program files\GemMaster
2010-06-13 04:15 . 2010-06-13 04:15 1895 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_RC525AA-ABA a1542n_YC_0Pavi_QMXF627_E63NAemMPA2_48_ILEUCITE_SASUSTek Computer INC._V2.00_B3.15_T060623_WXP2_L409_M2039_J300_7Intel_8Pentium D_92.8_#100613_N808627DC_Z14F12F20_G80862772.MRK
2010-05-06 10:41 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 04:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-28 22:45 . 2010-04-28 22:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-20 05:30 . 2004-08-10 04:00 285696 ------w- c:\windows\system32\atmfd.dll
2010-04-17 05:12 . 2010-04-17 05:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-08 20:20 . 2010-04-08 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 20:20 . 2010-04-08 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2006-07-27 20:44 . 2010-06-13 04:04 32 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2006-03-16 09:12 1077248 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2006-03-16 09:11 61440 ----a-w- c:\program files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-03-20 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-12-16 01:18 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-02 06:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-10-13 02:30 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IcoSet]
1999-11-07 06:11 27136 ----a-w- c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-02-07 15:36 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-02-07 15:40 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 22:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-03-08 11:54 16010240 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WUSB54GCSVC"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\softnyx\\GunboundS2\\GunBound.gme"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/06/2010 9:36 PM 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/06/2010 9:36 PM 19024]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15784&l=dis
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=63&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\3wct0lxx.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-PCDrProfiler - c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2010-06-28 11:33:31
ComboFix-quarantined-files.txt 2010-06-28 18:33

Pre-Run: 211,227,009,024 bytes free
Post-Run: 211,344,220,160 bytes free

- - End Of File - - 10348100085B9512018CDDEF57FD9583