
Yahoo!/Google link hijacker


  • This topic is locked
15 replies to this topic

#1 Tai MT

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 05 July 2010 - 02:51 PM

I recently downloaded a piece of malware while thinking I was downloading an Adobe Flash player. I was running two different windows at a time and I ended up with "Defense Center". I ran through all the ways to remove it that I could think of, and finally just reverted to a previous point in my computer to undo the downloading of this malicious program. However, now I am having an issue with my searches. When I do a search, it produces valid results and links. But, as soon as I click a link from this search, my browser is redirected to any number of other sites which "guarantee" they can find what I'm looking for with minimal fuss. Since encountering this problem, I have run Spybot Search & Destroy and Emsisoft Anti-Malware. I did not remove anything Emsisoft Anti-Malware suggested, simply because some of the things it suggested were Trojans were actually files that another program I have uses. I figured I would wait for help before doing anything drastic that might harm the computer further.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Terell Ness at 12:06:22.12 on Mon 07/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.771 [GMT -5:00]

AV: Emsisoft Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe -k getPlusHelper
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Terell Ness\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\terell~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272546080796
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-7-4 1935120]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-7-4 71008]

=============== Created Last 30 ================

2010-07-05 17:05:24 0 ----a-w- c:\documents and settings\terell ness\defogger_reenable
2010-07-04 22:30:25 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-04 16:35:25 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 16:35:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-04 16:30:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-04 16:29:49 0 d-----w- c:\docume~1\terell~1\applic~1\PC Tools
2010-07-04 16:29:49 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-07-04 15:50:33 2716 ----a-w- c:\windows\inurujiqigis.dll
2010-07-04 15:46:38 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-07-04 15:46:38 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-04 15:46:31 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-04 15:46:31 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-04 15:46:31 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-04 15:46:31 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-04 15:46:27 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-07-04 15:46:27 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-04 15:46:23 0 d-----w- c:\program files\Spyware Doctor
2010-07-04 15:46:23 0 d-----w- c:\program files\common files\PC Tools
2010-07-04 15:39:43 120 ----a-w- c:\windows\Bcadipidurayap.dat
2010-07-04 15:39:43 0 ----a-w- c:\windows\Spubim.bin
2010-07-04 15:38:33 0 d-----w- c:\windows\PRAGMArxvjkikbfg
2010-06-12 17:33:07 0 d-----w- c:\program files\WiFiConnector
2010-06-11 03:32:36 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-05-25 00:44:11 94208 ----a-w- c:\windows\ScUnin.exe
2010-05-25 00:44:11 35382 ----a-w- c:\windows\scunin.dat
2010-05-12 22:27:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2010-05-12 22:27:36 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 17:55:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 12:49:06 315392 ----a-w- c:\windows\HideWin.exe
2010-04-27 21:44:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 12:07:16.04 ===============


#2 kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:46 PM

Posted 07 July 2010 - 08:18 PM

Hello Tai MT

Welcome to BleepingComputer
========================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it, please do the following:

===================
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
========

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 Tai MT (Topic Starter)

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 09 July 2010 - 10:56 AM

Alright, with no hope of getting to a "clean" computer for me, I'd like to proceed with cleaning this one. I understand that it may never be "safe" again, but I think I can live with that. I don't do my banking or financial transactions online, so I doubt there's much danger in that. However, to err on the safe side, I'll be investing in an anti-identity theft program after we're done cleaning here. Never can be too sure. I'll also be changing all my passwords after clean up (silly me, I only use five or six passwords for everything. Now I need a new list!). And, sometime, at a later date, perhaps (which really means "when I have more money") I'll be formatting and reinstalling the computer after backing up some of my files to flash drive or otherwise.

Anyway, thank you in advance, and let's kick this popsicle stand.


10:30:50:561 2448 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
10:30:50:561 2448 ================================================================================
10:30:50:561 2448 SystemInfo:

10:30:50:561 2448 OS Version: 5.1.2600 ServicePack: 3.0
10:30:50:561 2448 Product type: Workstation
10:30:50:561 2448 ComputerName: TERELL-EF1342D3
10:30:50:561 2448 UserName: Terell Ness
10:30:50:561 2448 Windows directory: C:\WINDOWS
10:30:50:561 2448 System windows directory: C:\WINDOWS
10:30:50:561 2448 Processor architecture: Intel x86
10:30:50:561 2448 Number of processors: 1
10:30:50:561 2448 Page size: 0x1000
10:30:50:561 2448 Boot type: Normal boot
10:30:50:561 2448 ================================================================================
10:30:50:717 2448 Initialize success
10:30:50:717 2448
10:30:50:717 2448 Scanning Services ...
10:30:50:936 2448 Raw services enum returned 307 services
10:30:50:951 2448
10:30:50:951 2448 Scanning Drivers ...
10:30:51:795 2448 a2acc (130638992f393300a81e68c56456c533) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
10:30:51:920 2448 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:30:51:983 2448 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:30:52:045 2448 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:30:52:108 2448 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
10:30:52:311 2448 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:30:52:342 2448 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:30:52:358 2448 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:30:52:389 2448 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:30:52:436 2448 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:30:52:467 2448 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:30:52:529 2448 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:30:52:529 2448 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:30:52:545 2448 Cdrom (dbd2a92ca276b19ea36a5f3b04504c89) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:30:52:545 2448 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: dbd2a92ca276b19ea36a5f3b04504c89, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
10:30:52:545 2448 File "C:\WINDOWS\system32\DRIVERS\cdrom.sys" infected by TDSS rootkit ...
10:30:53:717 2448 Backup copy found, using it..
10:30:53:717 2448 will be cured on next reboot
10:30:53:889 2448 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:30:53:920 2448 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:30:54:029 2448 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:30:54:092 2448 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:30:54:154 2448 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:30:54:186 2448 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:30:54:233 2448 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:30:54:248 2448 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:30:54:279 2448 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:30:54:295 2448 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:30:54:311 2448 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
10:30:54:358 2448 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:30:54:373 2448 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:30:54:420 2448 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:30:54:436 2448 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:30:54:483 2448 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:30:54:545 2448 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
10:30:54:654 2448 HSXHWBS2 (ed98350ecd4a5a9c9f1e641c09872bb2) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
10:30:54:733 2448 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:30:54:842 2448 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
10:30:54:889 2448 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:30:55:014 2448 IntcAzAudAddService (dbc702fbc70dc58d9122ce56eadbd659) C:\WINDOWS\system32\drivers\RtkHDAud.sys
10:30:55:154 2448 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
10:30:55:186 2448 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:30:55:186 2448 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:30:55:233 2448 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:30:55:248 2448 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:30:55:295 2448 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:30:55:342 2448 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:30:55:358 2448 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:30:55:373 2448 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:30:55:420 2448 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
10:30:55:483 2448 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:30:55:529 2448 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:30:55:576 2448 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
10:30:55:623 2448 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:30:55:670 2448 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:30:55:717 2448 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:30:55:748 2448 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:30:55:764 2448 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:30:55:779 2448 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:30:55:826 2448 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:30:55:842 2448 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:30:55:889 2448 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:30:55:936 2448 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:30:55:967 2448 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:30:55:998 2448 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:30:56:014 2448 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
10:30:56:029 2448 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:30:56:045 2448 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:30:56:061 2448 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:30:56:092 2448 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:30:56:108 2448 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
10:30:56:108 2448 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:30:56:123 2448 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:30:56:154 2448 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:30:56:186 2448 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:30:56:233 2448 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:30:56:436 2448 nv (cce4877e45f5300fffbb4a6bc5e7fda7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:30:56:608 2448 NVENETFD (1492c7738f68625805f5f53c8bad24c6) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
10:30:56:623 2448 nvnetbus (ae73e61f07ddc84255bece6b02f18390) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
10:30:56:639 2448 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:30:56:654 2448 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:30:56:686 2448 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
10:30:56:717 2448 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:30:56:733 2448 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:30:56:748 2448 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:30:56:779 2448 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:30:56:826 2448 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:30:56:920 2448 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:30:56:951 2448 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
10:30:56:983 2448 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:30:57:029 2448 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:30:57:092 2448 PxHelp20 (03e0fe281823ba64b3782f5b38950e73) C:\WINDOWS\system32\Drivers\PxHelp20.sys
10:30:57:233 2448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:30:57:264 2448 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:30:57:264 2448 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:30:57:295 2448 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:30:57:326 2448 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:30:57:342 2448 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:30:57:389 2448 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
10:30:57:420 2448 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:30:57:483 2448 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
10:30:57:529 2448 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:30:57:545 2448 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
10:30:57:561 2448 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:30:57:639 2448 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:30:57:686 2448 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:30:57:717 2448 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
10:30:57:764 2448 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:30:57:764 2448 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:30:57:842 2448 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:30:57:904 2448 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:30:57:951 2448 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:30:57:967 2448 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:30:57:998 2448 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:30:58:045 2448 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:30:58:123 2448 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:30:58:186 2448 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
10:30:58:233 2448 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:30:58:248 2448 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:30:58:264 2448 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:30:58:279 2448 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
10:30:58:326 2448 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:30:58:358 2448 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:30:58:373 2448 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:30:58:389 2448 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:30:58:436 2448 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:30:58:498 2448 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:30:58:576 2448 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
10:30:58:623 2448 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:30:58:654 2448 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:30:58:686 2448 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\WINDOWS\system32\DRIVERS\xaudio.sys
10:30:58:733 2448 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
10:30:58:904 2448 Reboot required for cure complete..
10:30:59:623 2448 Cure on reboot scheduled successfully
10:30:59:623 2448
10:30:59:623 2448 Completed
10:30:59:623 2448
10:30:59:623 2448 Results:
10:30:59:623 2448 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:30:59:623 2448 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:30:59:623 2448
10:30:59:623 2448 KLMD(ARK) unloaded successfully
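
The TDSSKiller log above is worth reading programmatically when more than one such log has to be triaged: the lines that matter are the driver enumeration (service name, MD5, path), the "Suspicious file (Forged)" line, where the tool reports two different MD5s for the same driver path, the "infected by" line that names the threat, and the final object counts. The following is an added example, not code from this thread or from the TDSSKiller tool itself: a small Python parser for that 2.3.x line format, run over a constructed sample assembled from the lines posted above. The names parse_tdsskiller_log, TdssReport and ForgedFile are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the TDSSKiller 2.3.x log posted in this thread:
# two driver lines, the forged-hash detection for cdrom.sys, and the final totals.
SAMPLE_LOG = r"""10:30:50:561 2448 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
10:30:50:951 2448 Scanning Drivers ...
10:30:52:108 2448 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
10:30:52:545 2448 Cdrom (dbd2a92ca276b19ea36a5f3b04504c89) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:30:52:545 2448 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: dbd2a92ca276b19ea36a5f3b04504c89, Fake md5: 1f4260cc5b42272d71f79e570a27a4fe
10:30:52:545 2448 File "C:\WINDOWS\system32\DRIVERS\cdrom.sys" infected by TDSS rootkit ...
10:30:53:717 2448 will be cured on next reboot
10:30:59:623 2448 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:30:59:623 2448 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with "hh:mm:ss:mmm <pid> <message>".
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
INFECTED_RE = re.compile(r'^File "(?P<path>.+?)" infected by (?P<threat>.+?)\s*\.\.\.')
RESULTS_RE = re.compile(
    r"^(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<on_reboot>\d+)$"
)


@dataclass
class ForgedFile:
    path: str
    real_md5: str
    fake_md5: str
    threat: Optional[str] = None  # filled in from the matching 'infected by' line


@dataclass
class TdssReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: List[ForgedFile] = field(default_factory=list)
    results: Dict[str, Tuple[int, int, int]] = field(default_factory=dict)  # kind -> counts

    def needs_reboot(self) -> bool:
        """True when any object is scheduled to be cured on the next reboot."""
        return any(on_reboot > 0 for _, _, on_reboot in self.results.values())

    def unresolved(self) -> int:
        """Objects reported infected but neither cured nor scheduled for cure."""
        return sum(inf - cured - reboot for inf, cured, reboot in self.results.values())


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Parse TDSSKiller 2.3.x output into drivers, forged-file findings and totals."""
    report = TdssReport()
    forged_by_path: Dict[str, ForgedFile] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines, blank lines, anything without the prefix
        msg = m.group("msg").strip()
        if (f := FORGED_RE.match(msg)):
            entry = ForgedFile(f["path"], f["real"], f["fake"])
            report.forged.append(entry)
            forged_by_path[entry.path.lower()] = entry
        elif (i := INFECTED_RE.match(msg)):
            # Attach the threat name to the forged entry for the same path, if any.
            entry = forged_by_path.get(i["path"].lower())
            if entry is not None:
                entry.threat = i["threat"].strip()
        elif (r := RESULTS_RE.match(msg)):
            report.results[r["kind"]] = (int(r["infected"]), int(r["cured"]), int(r["on_reboot"]))
        elif (d := DRIVER_RE.match(msg)):
            report.drivers[d["name"]] = (d["md5"], d["path"])
    return report


def summarize(report: TdssReport) -> List[str]:
    """One human-readable finding per forged file, plus the reboot/unresolved status."""
    lines = [
        f"FORGED {e.path}: real={e.real_md5} fake={e.fake_md5} threat={e.threat or 'unknown'}"
        for e in report.forged
    ]
    lines.append(f"reboot required: {report.needs_reboot()}, unresolved objects: {report.unresolved()}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

The forged entry is the line the helper acted on: the tool obtained two different hashes for one driver path, which is what a rootkit filtering reads of its host driver looks like, so the ordinary enumeration line for cdrom.sys cannot be trusted by itself. unresolved() counts objects reported infected but neither cured nor scheduled for cure on reboot; a non-zero value there is the cue to rerun the tool after the reboot rather than assume the cure completed.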




#4 kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:46 PM

Posted 10 July 2010 - 08:04 AM

1. Open notepad and copy/paste the text in the codebox below into it:



CODE

Collect::
c:\windows\Bcadipidurayap.dat
c:\windows\Spubim.bin

SrPeek::
c:\windows\system32\sfcfiles.dll



2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.


#5 Tai MT (Topic Starter)

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 10 July 2010 - 11:53 AM

Alright, I did that, and it said a new version of Combo Fix was available. So, I updated the software and it ran. When it was done running, it said samples were required. I clicked "okay" and then it finished. It never asked me to reboot.

Do you still want the file, even if it didn't ask for a reboot?

#6 kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:46 PM

Posted 10 July 2010 - 05:52 PM

Yes please post the log.

#7 Tai MT (Topic Starter)

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:46 PM

Posted 11 July 2010 - 07:11 PM

Alright, pretty sure all it did was overwrite the previous log, since this one says it was last modified/created yesterday.

ComboFix 10-07-10.01 - Terell Ness 07/10/2010 11:44:22.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1549 [GMT -5:00]
Running from: c:\documents and settings\Terell Ness\Desktop\Bleeping Computer\ComboFix.exe
Command switches used :: c:\documents and settings\Terell Ness\Desktop\CFScript.txt
AV: Emsisoft Anti-Malware *On-access scanning disabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}
* Created a new restore point

file zipped: c:\windows\Bcadipidurayap.dat
file zipped: c:\windows\Spubim.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bcadipidurayap.dat
c:\windows\Spubim.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-09 16:51 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-09 16:51 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 16:51 . 2009-04-03 21:00 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2010-07-09 16:51 . 2009-04-03 20:59 110592 ----a-w- c:\windows\system32\CNC250I.dll
2010-07-09 16:51 . 2009-04-03 20:57 106496 ----a-w- c:\windows\system32\CNC250U.dll
2010-07-09 16:51 . 2009-03-11 16:34 303104 ----a-w- c:\windows\system32\CNC250L.dll
2010-07-09 16:51 . 2008-08-25 23:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-07-09 09:34 . 2010-07-09 09:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-04 22:30 . 2010-07-04 23:18 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-04 16:49 . 2010-07-04 16:49 -------- d-----w- c:\program files\NOS
2010-07-04 16:35 . 2010-07-04 16:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 16:35 . 2010-07-04 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-04 16:30 . 2010-07-04 16:30 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-04 16:30 . 2010-07-04 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-04 16:29 . 2010-07-04 16:29 -------- d-----w- c:\documents and settings\Terell Ness\Application Data\PC Tools
2010-07-04 16:29 . 2010-07-04 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-07-04 16:17 . 2010-07-04 16:17 -------- d-----w- c:\documents and settings\Administrator\IETldCache
2010-07-04 16:13 . 2010-07-04 16:30 -------- d-s---w- c:\documents and settings\Administrator
2010-07-04 16:13 . 2010-07-04 16:30 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-07-04 15:46 . 2010-02-05 14:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-04 15:46 . 2010-03-10 16:36 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-04 15:46 . 2009-11-23 18:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-04 15:46 . 2010-02-05 14:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-04 15:46 . 2010-07-04 16:29 -------- d-----w- c:\program files\Spyware Doctor
2010-07-04 15:46 . 2010-07-04 15:46 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-04 15:46 . 2010-07-04 16:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-12 17:33 . 2010-06-12 17:33 -------- d-----w- c:\program files\WiFiConnector
2010-06-12 17:32 . 2010-06-12 17:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-11 03:32 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-10 05:19 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\Terell Ness\Application Data\LimeWire
2010-07-09 16:51 . 2010-07-09 16:43 -------- d-----w- c:\program files\Canon
2010-07-09 16:49 . 2010-07-09 16:49 -------- d-----w- c:\program files\Common Files\CANON
2010-07-09 16:45 . 2010-07-09 16:45 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-07-09 16:44 . 2010-07-09 16:44 -------- d--h--w- c:\program files\CanonBJ
2010-07-09 15:32 . 2008-04-14 05:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-07-09 12:22 . 2010-05-02 12:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-04 15:37 . 2010-07-04 16:28 143020 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-09 00:06 . 2010-05-25 00:42 -------- d-----w- c:\program files\Starcraft
2010-06-06 21:48 . 2010-04-29 13:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-25 00:44 . 2010-05-25 00:42 967 ----a-w- c:\windows\ScUnin.pif
2010-05-25 00:44 . 2010-05-25 00:42 94208 ----a-w- c:\windows\ScUnin.exe
2010-05-25 00:44 . 2010-05-25 00:42 35382 ----a-w- c:\windows\scunin.dat
2010-05-23 12:57 . 2010-05-23 12:57 61440 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-660c547a-n\decora-sse.dll
2010-05-23 12:57 . 2010-05-23 12:57 503808 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cb33e8-n\msvcp71.dll
2010-05-23 12:57 . 2010-05-23 12:57 499712 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cb33e8-n\jmc.dll
2010-05-23 12:57 . 2010-05-23 12:57 348160 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-49cb33e8-n\msvcr71.dll
2010-05-23 12:57 . 2010-05-23 12:57 12800 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-660c547a-n\decora-d3d.dll
2010-05-12 23:46 . 2010-05-12 12:42 -------- d-----w- c:\program files\Project64 1.6
2010-05-12 22:27 . 2010-05-12 22:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2010-05-12 22:27 . 2010-05-12 22:27 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-05-12 12:42 . 2010-05-12 12:42 8854 ----a-r- c:\documents and settings\Terell Ness\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-05-12 12:42 . 2010-05-12 12:42 40960 ----a-r- c:\documents and settings\Terell Ness\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-05-12 12:42 . 2010-05-12 12:42 40960 ----a-r- c:\documents and settings\Terell Ness\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-05-06 10:41 . 2008-04-23 04:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-04-14 06:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 17:55 . 2010-04-30 17:55 503808 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-674027c0-n\msvcp71.dll
2010-04-30 17:55 . 2010-04-30 17:55 499712 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-674027c0-n\jmc.dll
2010-04-30 17:55 . 2010-04-30 17:55 348160 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-674027c0-n\msvcr71.dll
2010-04-30 17:55 . 2010-04-30 17:55 61440 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e59adb4-n\decora-sse.dll
2010-04-30 17:55 . 2010-04-30 17:55 12800 ----a-w- c:\documents and settings\Terell Ness\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-4e59adb4-n\decora-d3d.dll
2010-04-30 17:55 . 2010-04-30 17:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 17:40 . 2010-04-30 17:34 12912 ----a-w- c:\documents and settings\Terell Ness\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 12:49 . 2010-04-29 12:49 315392 ----a-w- c:\windows\HideWin.exe
2010-04-27 22:27 . 2010-04-27 21:46 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-27 21:44 . 2010-04-27 21:44 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 05:30 . 2008-04-14 10:39 285696 ----a-w- c:\windows\system32\atmfd.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2008-08-26 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-07-09_15.47.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-09 16:51 . 2009-05-26 18:48 98304 c:\windows\twain_32\MP250 series\SG_TRK.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 94208 c:\windows\twain_32\MP250 series\SG_THA.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 73728 c:\windows\twain_32\MP250 series\SG_KOR.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 73728 c:\windows\twain_32\MP250 series\SG_JPN.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 98304 c:\windows\twain_32\MP250 series\SG_ENU.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 61440 c:\windows\twain_32\MP250 series\SG_CHT.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 61440 c:\windows\twain_32\MP250 series\SG_CHS.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 98304 c:\windows\twain_32\MP250 series\SG_ARA.dll
+ 2010-07-09 16:51 . 2007-09-11 19:21 86016 c:\windows\twain_32\MP250 series\rstcol.dll
+ 2010-07-09 16:51 . 2009-03-09 22:56 98304 c:\windows\twain_32\MP250 series\MC2Plus.dll
+ 2010-07-09 16:51 . 2007-12-06 18:46 73728 c:\windows\twain_32\MP250 series\IJFSHLIB.dll
+ 2010-07-09 16:51 . 2007-11-09 13:48 53248 c:\windows\twain_32\MP250 series\HSL.DLL
+ 2010-07-09 16:51 . 2008-11-19 18:31 73728 c:\windows\twain_32\MP250 series\DDT.dll
+ 2010-07-09 16:45 . 2009-02-04 13:17 90112 c:\windows\twain_32\MP250 series\cncisco3.dll
+ 2010-07-09 16:51 . 2009-02-16 15:09 30720 c:\windows\twain_32\MP250 series\CNC250.DAT
+ 2010-07-09 16:51 . 2005-04-15 20:34 57344 c:\windows\twain_32\MP250 series\BaLCo.dll
+ 2010-07-09 16:45 . 2009-03-17 10:00 70656 c:\windows\system32\spool\prtprocs\w32x86\CNMPP9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 27648 c:\windows\system32\spool\prtprocs\w32x86\CNMPD9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 12288 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMW39W.DLL
+ 2010-07-09 16:45 . 2009-03-14 06:11 58192 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMVS9W.EXE
+ 2010-07-09 16:45 . 2009-03-17 10:00 14336 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMVS9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 78336 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 44032 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSQ9W.DLL
+ 2010-07-09 16:45 . 2009-03-14 06:11 18768 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSE9W.EXE
+ 2010-07-09 16:45 . 2009-03-17 10:00 48128 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSD9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 12288 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMPI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 05:00 30320 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMP29W.DAT
+ 2010-07-09 16:45 . 2009-03-17 05:00 27140 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMP19W.DAT
+ 2010-07-09 16:45 . 2009-03-17 05:00 23280 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMP09W.DAT
+ 2010-07-09 16:45 . 2009-03-17 10:00 28160 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMOP9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 62976 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMLH9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 86016 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMIC9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 10240 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMFU9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 57344 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMEI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 13824 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMBU39W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 35840 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMBS39W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 13824 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMBM39W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 12288 c:\windows\system32\spool\drivers\w32x86\3\CNMW39W.DLL
+ 2010-07-09 16:45 . 2009-03-14 06:11 58192 c:\windows\system32\spool\drivers\w32x86\3\CNMVS9W.EXE
+ 2010-07-09 16:45 . 2009-03-17 10:00 14336 c:\windows\system32\spool\drivers\w32x86\3\CNMVS9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 78336 c:\windows\system32\spool\drivers\w32x86\3\CNMSR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 44032 c:\windows\system32\spool\drivers\w32x86\3\CNMSQ9W.DLL
+ 2010-07-09 16:45 . 2009-03-14 06:11 18768 c:\windows\system32\spool\drivers\w32x86\3\CNMSE9W.EXE
+ 2010-07-09 16:45 . 2009-03-17 10:00 48128 c:\windows\system32\spool\drivers\w32x86\3\CNMSD9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 12288 c:\windows\system32\spool\drivers\w32x86\3\CNMPI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 05:00 30320 c:\windows\system32\spool\drivers\w32x86\3\CNMP29W.DAT
+ 2010-07-09 16:45 . 2009-03-17 05:00 27140 c:\windows\system32\spool\drivers\w32x86\3\CNMP19W.DAT
+ 2010-07-09 16:45 . 2009-03-17 05:00 23280 c:\windows\system32\spool\drivers\w32x86\3\CNMP09W.DAT
+ 2010-07-09 16:45 . 2009-03-17 10:00 28160 c:\windows\system32\spool\drivers\w32x86\3\CNMOP9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 62976 c:\windows\system32\spool\drivers\w32x86\3\CNMLH9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 86016 c:\windows\system32\spool\drivers\w32x86\3\CNMIC9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 10240 c:\windows\system32\spool\drivers\w32x86\3\CNMFU9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 57344 c:\windows\system32\spool\drivers\w32x86\3\CNMEI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 13824 c:\windows\system32\spool\drivers\w32x86\3\CNMBU39W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 35840 c:\windows\system32\spool\drivers\w32x86\3\CNMBS39W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 13824 c:\windows\system32\spool\drivers\w32x86\3\CNMBM39W.DLL
+ 2010-07-09 16:51 . 2008-04-14 05:15 15104 c:\windows\system32\drivers\usbscan.sys
+ 2010-07-09 16:51 . 2008-04-14 05:15 15104 c:\windows\system32\dllcache\usbscan.sys
+ 2010-07-09 16:45 . 2009-02-04 13:17 90112 c:\windows\system32\CNC250O.dll
+ 2010-07-09 16:45 . 2009-03-18 09:08 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstUS.dll
+ 2010-07-09 16:45 . 2009-03-16 09:35 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstTW.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 95744 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstTR.dll
+ 2010-07-09 16:45 . 2009-03-16 09:57 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstTH.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 95744 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstSE.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 98304 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstRU.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 98304 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstPT.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 94208 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstNO.dll
+ 2010-07-09 16:45 . 2009-03-16 08:46 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstKR.dll
+ 2010-07-09 16:45 . 2009-03-18 09:08 68096 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstJP.dll
+ 2010-07-09 16:45 . 2009-03-16 10:08 96256 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstID.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 99840 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstHU.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 93696 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstFI.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 96768 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstDK.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 95232 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstCZ.dll
+ 2010-07-09 16:45 . 2009-03-16 09:25 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstCN.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 92672 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstAR.dll
+ 2010-07-09 16:51 . 2009-02-09 22:45 6054 c:\windows\twain_32\MP250 series\SCNDB.DAT
+ 2010-07-09 16:45 . 2009-03-17 10:00 9216 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNML29W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 9216 c:\windows\system32\spool\drivers\w32x86\3\CNML29W.DLL
+ 2010-07-09 16:51 . 2009-03-11 21:20 487424 c:\windows\twain_32\MP250 series\usip.dll
+ 2010-07-09 16:51 . 2009-09-24 21:06 229376 c:\windows\twain_32\MP250 series\TPM.dll
+ 2010-07-09 16:51 . 2009-01-21 16:41 122880 c:\windows\twain_32\MP250 series\softfare.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 102400 c:\windows\twain_32\MP250 series\SG_SVE.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 106496 c:\windows\twain_32\MP250 series\SG_RUS.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 110592 c:\windows\twain_32\MP250 series\SG_PTB.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 106496 c:\windows\twain_32\MP250 series\SG_PLK.dll
+ 2010-07-09 16:51 . 2009-06-23 14:36 102400 c:\windows\twain_32\MP250 series\SG_NOR.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 110592 c:\windows\twain_32\MP250 series\SG_NLD.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 114688 c:\windows\twain_32\MP250 series\SG_ITA.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 102400 c:\windows\twain_32\MP250 series\SG_IND.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 106496 c:\windows\twain_32\MP250 series\SG_HUN.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 110592 c:\windows\twain_32\MP250 series\SG_FRA.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 102400 c:\windows\twain_32\MP250 series\SG_FIN.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 114688 c:\windows\twain_32\MP250 series\SG_ESP.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 114688 c:\windows\twain_32\MP250 series\SG_ELL.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 110592 c:\windows\twain_32\MP250 series\SG_DEU.dll
+ 2010-07-09 16:51 . 2009-05-26 18:48 102400 c:\windows\twain_32\MP250 series\SG_DAN.dll
+ 2010-07-09 16:51 . 2009-06-23 14:36 102400 c:\windows\twain_32\MP250 series\SG_CSY.dll
+ 2010-07-09 16:51 . 2007-07-02 16:04 114688 c:\windows\twain_32\MP250 series\scrprmvl.dll
+ 2010-07-09 16:51 . 2005-02-02 23:34 118784 c:\windows\twain_32\MP250 series\SCRPRMV.DLL
+ 2010-07-09 16:51 . 2009-09-24 21:09 446464 c:\windows\twain_32\MP250 series\SCNIF.dll
+ 2010-07-09 16:51 . 2009-09-24 21:09 376832 c:\windows\twain_32\MP250 series\SCNFLW.dll
+ 2010-07-09 16:51 . 2009-09-24 21:05 204800 c:\windows\twain_32\MP250 series\SCNDB.dll
+ 2010-07-09 16:51 . 2008-01-23 21:45 454656 c:\windows\twain_32\MP250 series\RACSLIB.dll
+ 2010-07-09 16:51 . 2009-01-22 16:09 139264 c:\windows\twain_32\MP250 series\MC2.dll
+ 2010-07-09 16:51 . 2004-06-07 17:58 290816 c:\windows\twain_32\MP250 series\libBLC.dll
+ 2010-07-09 16:51 . 2008-11-07 19:20 176128 c:\windows\twain_32\MP250 series\CUBS.dll
+ 2010-07-09 16:45 . 2009-02-04 13:18 104960 c:\windows\twain_32\MP250 series\cncisco6.dll
+ 2010-07-09 16:51 . 2008-10-30 20:36 148200 c:\windows\twain_32\MP250 series\CNC250P.DAT
+ 2010-07-09 16:51 . 2005-08-24 20:51 126976 c:\windows\twain_32\MP250 series\CFine2.dll
+ 2010-07-09 16:51 . 2008-11-05 15:10 118784 c:\windows\twain_32\MP250 series\CAPS.dll
+ 2010-07-09 16:51 . 2007-10-24 18:36 118784 c:\windows\twain_32\MP250 series\AG.dll
+ 2010-07-09 16:45 . 2009-03-17 10:00 418816 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMUR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 308736 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMUB9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 477184 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSM9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 671232 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMSB9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 105472 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMPV9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 189440 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMLR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 560128 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMDR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 356864 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMD59W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 102912 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMCP9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 418816 c:\windows\system32\spool\drivers\w32x86\3\CNMUR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 308736 c:\windows\system32\spool\drivers\w32x86\3\CNMUB9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 477184 c:\windows\system32\spool\drivers\w32x86\3\CNMSM9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 671232 c:\windows\system32\spool\drivers\w32x86\3\CNMSB9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 105472 c:\windows\system32\spool\drivers\w32x86\3\CNMPV9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 189440 c:\windows\system32\spool\drivers\w32x86\3\CNMLR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 560128 c:\windows\system32\spool\drivers\w32x86\3\CNMDR9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 356864 c:\windows\system32\spool\drivers\w32x86\3\CNMD59W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 102912 c:\windows\system32\spool\drivers\w32x86\3\CNMCP9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 272384 c:\windows\system32\CNMLM9W.DLL
+ 2010-07-09 16:45 . 2009-03-18 09:09 178176 c:\windows\system32\CNMIU9W.DLL
+ 2010-07-09 16:45 . 2009-04-07 16:00 101376 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstPL.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 102400 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstNL.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 103424 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstIT.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 112128 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstGR.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 105472 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstFR.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 104960 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstES.dll
+ 2010-07-09 16:45 . 2009-04-07 16:00 108544 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\RES\DLL\IJInstDE.dll
+ 2010-07-09 16:45 . 2009-03-18 09:20 451928 c:\windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series\DelDrv.exe
+ 2010-07-09 16:51 . 2008-12-26 15:57 1159168 c:\windows\twain_32\MP250 series\SGCFLTR.dll
+ 2010-07-09 16:51 . 2009-09-24 21:13 2297856 c:\windows\twain_32\MP250 series\SCNUI.dll
+ 2010-07-09 16:51 . 2008-12-01 23:04 2102320 c:\windows\twain_32\MP250 series\CNC250R.DAT
+ 2010-07-09 16:45 . 2009-03-17 10:00 2720256 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMUI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 2308608 c:\windows\system32\spool\drivers\w32x86\canonmp250_series74dd\CNMCB9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 2720256 c:\windows\system32\spool\drivers\w32x86\3\CNMUI9W.DLL
+ 2010-07-09 16:45 . 2009-03-17 10:00 2308608 c:\windows\system32\spool\drivers\w32x86\3\CNMCB9W.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-04 8466432]
"nwiz"="nwiz.exe" [2007-09-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-04 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"a-squared"="c:\program files\Emsisoft Anti-Malware\a2guard.exe" [2010-06-28 3627912]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\Terell Ness\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2010-6-12 1073152]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [7/4/2010 5:30 PM 1935120]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [7/4/2010 5:30 PM 71008]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-10 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-07-10 11:48:27
ComboFix-quarantined-files.txt 2010-07-10 16:48
ComboFix2.txt 2010-07-09 15:48

Pre-Run: 105,855,602,688 bytes free
Post-Run: 105,876,123,648 bytes free

- - End Of File - - 51B3A9D86462F767256784BB38EB32EF
Upload was successful
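The ComboFix log above is reviewed by eye in this thread. As an added example, not part of the original post and not ComboFix's or BleepingComputer's own code, the following Python script parses the log sections seen above ("Other Deletions", "Files Created", "Find3M Report", "Reg Loading Points") into records and applies two simple review heuristics: loose files sitting directly in c:\windows (where ComboFix removed Bcadipidurayap.dat and Spubim.bin) and autostart targets that are not under Program Files or the Windows directory. The line layout is assumed from the log text in this post; the sample input is a constructed excerpt of that log, and the heuristics are illustrative triage filters that produce a review queue, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a short excerpt of the ComboFix log posted above,
# reduced to a few lines so the parser can be exercised offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bcadipidurayap.dat
c:\windows\Spubim.bin

.
((((((((((((((((((((((((( Files Created from 2010-06-10 to 2010-07-10 )))))))))))))))))))))))))))))))
.

2010-07-09 16:51 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 09:34 . 2010-07-09 09:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-04 22:30 . 2010-07-04 23:18 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-05-12 22:27 . 2010-05-12 22:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 00:44 . 2010-05-25 00:42 94208 ----a-w- c:\windows\ScUnin.exe
2010-04-29 12:49 . 2010-04-29 12:49 315392 ----a-w- c:\windows\HideWin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a-squared"="c:\program files\Emsisoft Anti-Malware\a2guard.exe" [2010-06-28 3627912]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]
"""

# Section banners look like "(((((( Name ))))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# File lines: "<created> . <modified> <size|--------> <8 attr chars> <path>".
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)
RUN_KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)


@dataclass
class FileEntry:
    section: str
    created: str
    modified: str
    size: Optional[int]  # None when ComboFix prints "--------" (a directory)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class RunEntry:
    key: str
    name: str
    target: str
    date: str
    size: int


def parse_combofix(text: str) -> Tuple[List[FileEntry], List[str], List[RunEntry]]:
    """Split a ComboFix log into file entries, deleted paths and autostart values."""
    files: List[FileEntry] = []
    deletions: List[str] = []
    runs: List[RunEntry] = []
    section = ""
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            files.append(FileEntry(section, m["created"], m["modified"], size, m["attrs"], m["path"]))
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m["key"]
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key:
            runs.append(RunEntry(current_key, m["name"], m["target"], m["date"], int(m["size"])))
            continue
        # In "Other Deletions" the lines are bare paths.
        if section == "Other Deletions" and re.match(r"^[a-z]:\\", line, re.IGNORECASE):
            deletions.append(line)
    return files, deletions, runs


def windows_root_drops(files: List[FileEntry], deletions: List[str]) -> List[str]:
    """Files placed directly in c:\\windows (not a subfolder): a common drop location worth a look."""
    def in_windows_root(path: str) -> bool:
        parts = path.lower().split("\\")
        return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"
    flagged = [f.path for f in files if not f.is_dir and in_windows_root(f.path)]
    flagged += [p for p in deletions if in_windows_root(p)]
    return flagged


def unusual_run_targets(runs: List[RunEntry]) -> List[RunEntry]:
    """Autostart values whose target is not under Program Files or the Windows directory
    (for example a bare file name resolved through PATH), so its origin should be confirmed."""
    expected = ("c:\\program files\\", "c:\\windows\\")
    return [r for r in runs if not r.target.lower().startswith(expected)]


if __name__ == "__main__":
    entries, deleted, autostarts = parse_combofix(SAMPLE_LOG)
    print("parsed", len(entries), "file entries,", len(deleted), "deletions,", len(autostarts), "run values")
    print("review: files in c:\\windows root:", windows_root_drops(entries, deleted))
    print("review: run targets outside expected folders:", [r.name for r in unusual_run_targets(autostarts)])
```

Note that the root-of-Windows filter also catches vendor files that legitimately live there (the sample flags ScUnin.exe and HideWin.exe alongside the two files ComboFix removed), which is why the output is a list to check against signatures and install history rather than a detection.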

#8 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 12 July 2010 - 06:24 AM

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
============
* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


#9 Tai MT
  • Topic Starter
  • Members
  • 14 posts

Posted 13 July 2010 - 12:13 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4307

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/12/2010 10:19:22 PM
mbam-log-2010-07-12 (22-19-22).txt

Scan type: Quick scan
Objects scanned: 126219
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Terell Ness\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

----

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=091e09ac4b46dd44baacd049a729a0ee
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-13 04:58:11
# local_time=2010-07-12 11:58:11 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=82547
# found=17
# cleaned=17
# scan_time=5412
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudDefenseCenter1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\14\13fd124e-2021e35c multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\16\66507850-43d42562 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\25\260a4bd9-67dda385 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\30\3015bfde-114923e2 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\40\624c7d28-7b5afab0 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\44\256440ec-664fbb56 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\47\3f8d57ef-163bb502 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\54\52c576f6-2ac83da9 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP67\A0003573.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003768.sys a variant of Win32/Rootkit.Kryptik.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003769.dll a variant of Win32/Cimag.CU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003770.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003807.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003808.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003809.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\apaqiracevenupeh.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 July 2010 - 06:29 AM

Looks good. Now, how are things running?
Please run DDS once more and post the new DDS.txt log that opens.

#11 Tai MT

Tai MT
  • Topic Starter

  • Members
  • 14 posts

Posted 13 July 2010 - 10:49 PM


DDS (Ver_10-03-17.01) - NTFSx86
Run by Terell Ness at 22:43:13.96 on Tue 07/13/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1007 [GMT -5:00]

AV: Emsisoft Anti-Malware *On-access scanning disabled* (Outdated) {0F8591BB-342B-4493-91C3-4E948ED21255}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Terell Ness\Desktop\Bleeping Computer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\terell~1\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\runnin~1.lnk - c:\program files\wificonnector\NintendoWFCReg.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1272546080796
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-7-4 1935120]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-7-4 71008]

=============== Created Last 30 ================

2010-07-13 03:25:08 0 d-----w- c:\program files\ESET
2010-07-13 03:14:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 03:14:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-13 03:14:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 16:51:55 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-09 16:51:55 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 16:51:46 303104 ----a-w- c:\windows\system32\CNC250L.dll
2010-07-09 16:51:46 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-07-09 16:51:46 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-09 16:51:46 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-09 16:51:46 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2010-07-09 16:51:46 12288 ----a-w- c:\windows\system32\CNC173AD.TBL
2010-07-09 16:51:46 110592 ----a-w- c:\windows\system32\CNC250I.dll
2010-07-09 16:51:46 106496 ----a-w- c:\windows\system32\CNC250U.dll
2010-07-09 16:49:03 0 d-----w- c:\program files\common files\CANON
2010-07-09 16:45:26 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2010-07-09 16:45:15 90112 ----a-w- c:\windows\system32\CNC250O.dll
2010-07-09 16:45:06 178176 ----a-w- c:\windows\system32\CNMIU9W.DLL
2010-07-09 16:43:35 0 d-----w- c:\program files\Canon
2010-07-09 15:43:34 0 d-sha-r- C:\cmdcons
2010-07-09 15:41:34 98816 ----a-w- c:\windows\sed.exe
2010-07-09 15:41:34 77312 ----a-w- c:\windows\MBR.exe
2010-07-09 15:41:34 256512 ----a-w- c:\windows\PEV.exe
2010-07-09 15:41:34 161792 ----a-w- c:\windows\SWREG.exe
2010-07-05 17:05:24 0 ----a-w- c:\documents and settings\terell ness\defogger_reenable
2010-07-04 22:30:25 0 d-----w- c:\program files\Emsisoft Anti-Malware
2010-07-04 16:35:25 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-04 16:35:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-04 16:30:20 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-04 16:29:49 0 d-----w- c:\docume~1\terell~1\applic~1\PC Tools
2010-07-04 16:29:49 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-07-04 15:46:38 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-07-04 15:46:38 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-04 15:46:31 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-04 15:46:31 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-04 15:46:31 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-04 15:46:31 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-04 15:46:27 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-07-04 15:46:27 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-04 15:46:23 0 d-----w- c:\program files\Spyware Doctor
2010-07-04 15:46:23 0 d-----w- c:\program files\common files\PC Tools

==================== Find3M ====================

2010-07-09 15:32:03 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-05-25 00:44:11 94208 ----a-w- c:\windows\ScUnin.exe
2010-05-25 00:44:11 35382 ----a-w- c:\windows\scunin.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 17:55:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-29 12:49:06 315392 ----a-w- c:\windows\HideWin.exe
2010-04-27 21:44:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 22:43:24.70 ===============


Well, everything seems to be working fine now except for one minor issue. It may be related or not. Now, when I visit one of my websites that I used to be able to browse (it's a website that hosts Doctor Who episodes online... it's got a ton of popups on it, which could be part of the issue) if I do not hit "stop" in the browser, as soon as the site finishes loading, it kicks me back to my homepage. However, this is the only website I've seen this with, so it may merely be some kind of fluke or protection against getting further malware/spyware/viruses. I did not encounter the problem ever before using any of these programs, so I can assume that's what's causing it. However, since this is the only website I encounter this problem with, I'm not about to complain now. One website not functioning is a small price to pay for the rest of my computer functioning the way it's meant to.

If that's all we had to do, then thanks. If you got more, let me know.




#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 14 July 2010 - 06:01 AM

No, if it is just one website then it is just that website.
Sometimes websites are filled with ads when you visit them; nothing to worry about there, and it may only be temporary.
This is not an infection on the system.

I do not see any antivirus running.
You will definitely need to get one installed and running.


What I will need you to do is download only ONE of these anti-virus programs and install it.
These are free.

This is antivirus and antispyware.
Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.
AVG free 9.0


This is just antivirus protection.
Antivir
=======Cleanup=======
  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.
======Next======
  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.
===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE) then click on it
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
======================Clear out infected System Restore points======================


Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that you're all set.


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.
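The clean-up steps in this post (flush the System Restore points, remove old Java versions) follow directly from where the detections in the ESET log in post #9 were found: in the Java deployment cache, inside restore points, and one file in the Windows directory. The script below is an added example, not part of this thread, of ESET's tooling or of any BleepingComputer tool. It parses the ESET Online Scanner log format as it appears in post #9, groups each detection by the location of the file, and cross-checks the `found`/`cleaned` header counters against the detection lines. The sample log is a constructed six-line excerpt of the log posted in this thread, with the counters reduced to match the excerpt; the location labels and the follow-up notes attached to them are my own and are not part of ESET's output.

```python
import re
from collections import Counter

# Constructed sample: six of the seventeen detection lines from the ESET Online
# Scanner log posted earlier in this thread, with the header counters reduced
# so that they match the excerpt.
SAMPLE_LOG = r"""
# version=7
# end=finished
# remove_checked=true
# scanned=82547
# found=6
# cleaned=6
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudDefenseCenter1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\14\13fd124e-2021e35c multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Terell Ness\Application Data\Sun\Java\Deployment\cache\6.0\16\66507850-43d42562 probably a variant of Win32/Agent trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP67\A0003573.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{81FA24CB-F67D-454F-B70C-CD73209B0F7B}\RP68\A0003768.sys a variant of Win32/Rootkit.Kryptik.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\apaqiracevenupeh.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <threat name> (<action>) <32 hex digits> <flag>.
# The path may contain spaces, but its last component does not, so the path is
# taken as everything up to the last backslash plus one whitespace-free token.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:.*\\)?[^\\\s]+)"
    r"\s+(?P<threat>.+?)"
    r"\s+\((?P<action>[^)]*)\)"
    r"\s+(?P<hash>[0-9A-Fa-f]{32})"
    r"\s+(?P<flag>\S+)$"
)

# Location labels are my own (hypothetical) grouping, matched against the path.
LOCATION_RULES = [
    ("java-cache", re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("restore-point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("tool-backup", re.compile(r"\\Spybot - Search & Destroy\\Recovery\\", re.I)),
    ("windows-dir", re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.I)),
]

# What each location implies for the clean-up, in line with the steps in this post.
FOLLOW_UP = {
    "java-cache": "cached Java content flagged as malicious: remove old JRE versions and update Java",
    "restore-point": "infected restore points: turn System Restore off and back on to flush them",
    "tool-backup": "another tool's backup/quarantine copy: gone once deleted, nothing further",
    "windows-dir": "component in the Windows directory: re-scan after reboot to confirm removal",
    "other": "review manually",
}


def classify_location(path):
    """Return the first matching location label for a detected file path."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "other"


def parse_eset_log(text):
    """Split an ESET log into header key/values, detections and skipped lines."""
    header, detections, skipped = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):          # '# key=value' header lines
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        match = DETECTION_RE.match(line)
        if match is None:                 # e.g. the installer's 'registred OK' line
            skipped.append(line)
            continue
        item = match.groupdict()
        item["location"] = classify_location(item["path"])
        detections.append(item)
    return header, detections, skipped


def summarize(header, detections):
    """Cross-check the header counters and group detections by location."""
    by_location = Counter(item["location"] for item in detections)
    found = int(header.get("found", "0"))
    cleaned = int(header.get("cleaned", "0"))
    return {
        "found": found,
        "cleaned": cleaned,
        "parsed": len(detections),
        # 'found' should equal the number of detection lines, and everything
        # found should have been cleaned; anything else needs a follow-up scan.
        "consistent": found == len(detections) and cleaned == found,
        "by_location": dict(by_location),
        # Files outside caches, backups and restore points were on the live system.
        "live": [item["path"] for item in detections
                 if item["location"] in ("windows-dir", "other")],
        "next_steps": [FOLLOW_UP[loc] for loc in by_location],
    }


if __name__ == "__main__":
    hdr, dets, _ = parse_eset_log(SAMPLE_LOG)
    report = summarize(hdr, dets)
    print(f"found={report['found']} cleaned={report['cleaned']} consistent={report['consistent']}")
    for loc, n in report["by_location"].items():
        print(f"{n:2d} {loc:14s} {FOLLOW_UP[loc]}")
```

Run it on a full saved log.txt instead of the constructed sample by reading the file into `parse_eset_log`; a mismatch between `found` and the parsed detections, or a non-empty `live` list, is the signal that another scan is needed before declaring the machine clean.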

#13 Tai MT

Tai MT
  • Topic Starter

  • Members
  • 14 posts

Posted 15 July 2010 - 07:27 AM

Alright, all of that is done except for the OTL step. I don't know what OTL is, and I'm fairly certain we never downloaded it, unless I missed a step somewhere.

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 July 2010 - 07:31 AM

No, that was my mistake. I thought I removed that part, but I guess not.
Safe Surfing

#15 Tai MT

Tai MT
  • Topic Starter

  • Members
  • 14 posts

Posted 15 July 2010 - 05:21 PM

I try to be safe, but sometimes things catch me off guard. Ha ha. Thanks for the help, and if I need it again, I'm sure to be back.

Have a great day and thanks again for the help!



