Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Links Redirect me and ranom tabs open up


  • This topic is locked This topic is locked
19 replies to this topic

#1 Scono

Scono

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 05 July 2010 - 05:51 PM

My computer got infected by malware a few days ago. I immediately downloaded Malewarebytes and sure enough, it detected and deleted most of the malware. I did some other scans but the problem was still there. I then decided to download Avast (Free edition) and it also detected and deleted the other files. However, Google links redirect me to random sites and random tabs open to other random sites. These problems start and stop so sometimes google works. I use Mozilla Firefox. After doing many other scans with the programs, I still couldn't find anything. This morning, I downloaded Hijackthis in hopes of getting my computer working again.
Here is my most recent log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:48:37 PM, on 7/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WTouch\WTouchService.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\New User\My Documents\Downloads\avg_iswt_stb_all_9_115_cnet.exe
C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\7zS83.tmp\stub.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [CTAPR2] "C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" /r
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [F5D8055v2] C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [librtexec] javaw -jar "C:\Program Files\Java\jre6\lib\librtexec.jar"
O4 - HKLM\..\Run: [BambooCore] C:\Program Files\Bamboo Dock\BambooCore.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Vfazesavad] rundll32.exe "C:\WINDOWS\ewowakev.dll",Startup
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON WorkForce 600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE /FU "C:\WINDOWS\TEMP\E_S3DEB.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup"
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe /runonstartup" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15108/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Media Toolbox 6 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Program Files\WTouch\WTouchService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14572 bytes

Thanks.

Edited by Blade Zephon, 05 July 2010 - 05:54 PM.
Move to Logs Forum. ~BZ


BC AdBot (Login to Remove)

 


#2 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 06 July 2010 - 10:13 PM

Sorry, I forgot to add that I use Windows XP Professional SP3 and it is a desktop. I also confirmed it was not a router issue because my other computers running Windows XP or Windows 7 do not experience this problem. My friend (with a mac) also confirmed that a site I clicked on was infected. This problem started last Wednesday but I can not detect anything else. My infected computer remains shut down until I relieve a reply. Thanks again. I will be glad to add any other information if it will help cure my computer.

#3 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 09 July 2010 - 06:05 AM

Hello Scono, and welcome to Bleeping Computer smile.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Please use the Add Reply and add the new log to this thread.

Thanks and again sorry for the delay.


We need to see some additional information about what is happening in your machine. Please perform the following steps in the order given:

Step #1

DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.

  • Double click on the DDS icon, allow it to run.

  • A small box will open with an explanation about the tool. No input is needed, the scan is running.

  • Notepad will open with the results.

  • Follow the instructions that pop up for posting the results.

  • Close the program window and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Step #2

DeFogger:

Please download DeFogger to your Desktop.

Double click DeFogger to run the tool.
  • The application window will appear.

  • Click the Disable button to disable any CD Emulation drivers you may have, as these will interfere with the GMER scan we need to run next.

  • Click Yes to continue.

  • A 'Finished!' message will appear.

  • Click OK.

  • DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Step #3

GMER:

Download GMER to your Desktop. (It will have a randomly generated name, for example .... wjkl3ecz.exe)
  • Disconnect from the Internet and close all running programs.

  • There is a small chance this program may crash your computer, so save any work you have open.

  • Double click on the randomly named GMER file (eg .... wjkl3ecz.exe) to launch GMER.

  • Let the gmer.sys driver load if asked.

  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan ..... click OK.

  • If no warning:

    • Click Rootkit tab.
    • Ensure that all the boxes to the right of the program are checked except Show All.
    • Click Scan.

  • Do not use your computer while the scan is running.

  • Once the scan is finished click Copy.

    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.

  • Reconnect to internet.

After completing all of the steps outlined above, please copy and paste the DDS log, and the GMER log with your next reply.

Regards,

MalwareMutilator

#4 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 09 July 2010 - 11:47 PM

Thanks for responding. The GMER scan took hours but here are the results.


DDS (Ver_10-03-17.01) - NTFSx86
Run by New User at 11:53:58.07 on Fri 07/09/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1471 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
svchost.exe
C:\Program Files\WTouch\WTouchUser.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Documents and Settings\New User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uSearch Bar =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
mSearchAssistant =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S3DEB.tmp" /EF "HKCU"
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [AdobeBridge]
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTAPR2] "c:\program files\creative\sound blaster x-fi\console launcher\CTAPR2.exe" /r
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [F5D8055v2] c:\program files\belkin\f5d8055\v2\Belkinwcui.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [librtexec] javaw -jar "c:\program files\java\jre6\lib\librtexec.jar"
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Vfazesavad] rundll32.exe "c:\windows\ewowakev.dll",Startup
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\newuse~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\newuse~1\applic~1\mozilla\firefox\profiles\xf00z5q0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\new user\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\new user\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E6E7AD98-4046-48F1-A0D4-A496EA43189C} - c:\documents and settings\new user\local settings\application data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-3 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-3 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-5-1 4497704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-5-1 113448]
R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2009-10-1 53280]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-8-8 742936]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [2009-8-8 1803136]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-5-1 16168]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-8-12 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2009-8-12 79360]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 rt2870;Belkin N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2009-8-8 713344]

=============== Created Last 30 ================

2010-07-09 18:43:16 183808 ------w- c:\windows\trz10.tmp
2010-07-05 20:08:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 17:32:38 0 d-----w- c:\program files\Trend Micro
2010-07-04 03:56:56 38848 ----a-w- c:\windows\avastSS.scr
2010-07-04 03:56:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-02 03:28:01 2422 ----a-w- c:\windows\system32\wpa.bak
2010-07-02 02:50:28 0 d-----w- c:\docume~1\newuse~1\applic~1\Malwarebytes
2010-07-02 02:50:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 02:50:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-02 02:50:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-02 02:50:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-01 21:13:53 120 ----a-w- c:\windows\Xgupesicog.dat
2010-07-01 21:13:53 0 ----a-w- c:\windows\Oqiwar.bin
2010-07-01 08:03:11 2724 ----a-w- c:\windows\ifuzawos.dll
2010-06-12 02:27:54 0 d-----w- c:\docume~1\newuse~1\applic~1\Facebook

==================== Find3M ====================

2010-06-05 01:31:14 720786 ----a-w- c:\windows\TestSaver.scr
2010-05-26 23:10:59 197120 ----a-w- c:\windows\system32\6041_081114_01.scr
2010-05-21 21:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2006-06-25 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2009-08-10 21:52:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080320090810\index.dat
2009-08-10 21:52:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081020090811\index.dat

============= FINISH: 11:54:53.56 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-09 20:57:41
Windows 5.1.2600 Service Pack 3
Running: dkevttzy.exe; Driver: C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\axwyraog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB457FCD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB457FB8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB4580142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB458006C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB457F764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB457FC68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB457F6A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB457F708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB457FD88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB4580210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB457FD48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB457FEC8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB458CB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB458C9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB458CAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B458CAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP B458C9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP B45885B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP B4589F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B458CBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6CAF380, 0x566445, 0xE8000020]
.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xB81F3F94]
init C:\WINDOWS\system32\drivers\t3filt.sys entry point in "init" section [0xB486EA40]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[512] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009C000A
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009D000A
.text C:\WINDOWS\System32\svchost.exe[1172] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009B000C
.text C:\WINDOWS\System32\svchost.exe[1172] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E2000A
.text C:\WINDOWS\system32\wuauclt.exe[2792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\wuauclt.exe[2792] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[2792] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009B000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[744] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003B0002
IAT C:\WINDOWS\system32\services.exe[744] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003B0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat B00A6D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A5A3EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xFE 0x71 0x99 0x1E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




I also have attached the Attach.txt doc in a zip folder as the DDS program instructed. The drive disabled from DeFogger has not been reenabled. An example of a problem I am having is when I open up Mozilla Firefox version 3.6.6 and google search a phrase like "flowers", it brings me to the next page effortlessely. If I want to click on a link such as en.wikipedia.org/wiki/Flower, I will be randomely directed to a site such as XXXXX or those sites will open a new tab while I am browsing. The problem starts and stops so sometimes I am directed to my desired site. All of the websites I get unwillingly directed to have a blue cursive 2 as the web icon. Just as I was writing that, a new tab opened up and took me to XXXXX . I quickly exited. Thanks for your help.

Edit - thcbytes
Deactivate malicious links

Attached Files


Edited by thcbytes, 10 July 2010 - 09:26 AM.


#5 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 10 July 2010 - 12:29 AM

Also, I got directed to XXXXXX
I received this a couple of minutes ago: Again thanks.

Edit - thcbytes
Deactivate malicious link

Edited by thcbytes, 10 July 2010 - 09:25 AM.


#6 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 10 July 2010 - 09:55 AM

Hello Scono, smile.gif

Thank you for your reply,

I am currently in the process of analyzing your log. In the meanwhile, I ask that you refrain from making any further changes to your computer, minimize the use of your computer, and please be patient.

I will reply with additional instructions as soon as possible. thumbup2.gif

Regards,

MM


#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 10 July 2010 - 11:58 AM

Hi scono,

I am thcbytes. I have been helping MalwareMutilator with your log.

Please first note..

One or more of the identified infections is a Backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

More importantly.....

I see this in your log...

QUOTE
Notify: Antiwpa - antiwpa.dll
2010-07-02 03:28:01 2422 ----a-w- c:\windows\system32\wpa.bak


This is possibly an indication that your copy of Windows XP is not legit.

What can you tell me about this?

Please do this...
  1. Please download MGADiag and save it to your desktop.
  2. Double click the icon on your desktop.
  3. Push
  4. Push
  5. Go to Start -> Run and type in "Notepad"
  6. Go to Edit -> Paste in notepad.
  7. x out all of the numbers and letters in the line beginning with "Windows Product Key:"
  8. Copy and paste that log here.

With your next post please provide:

* Answer to questions?
* WGA log

Kind regards,
~t




Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#8 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 10 July 2010 - 05:31 PM

I purchased my computer custom built from a company. If you, want I will be happy to provide their info. I have the Microsoft sticker with numbers on it that is attached to the back of the computer. I paid for Windows XP Pro so I don't know about those files. One time after a scan by Malwarebytes, my computer needed to reboot so it brought me to a page which wanted me to enter some numbers. It required me to call Microsoft and use a service which I entered numbers and the automated response machine gave me numbers to enter into the computer. Then, my computer went back to normal but still had the virus. However, this happens every time I start up:


Here is the log:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key:
Windows Product Key Hash:
Windows Product ID: 76487-OEM-2265114-59215
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {B9A692CA-0997-4822-B149-6861A596AB9F}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 108 Invalid VLK
Microsoft Office Enterprise 2007 - 108 Invalid VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{B9A692CA-0997-4822-B149-6861A596AB9F}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WV7CJ</PKey><PID>76487-OEM-2265114-59215</PID><PIDType>3</PIDType><SID>S-1-5-21-1547161642-562591055-725345543</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0312 </Version><SMBIOSVersion major="2" minor="5"/><Date>20090507000000.000000+000</Date></BIOS><HWID>1CC530FF0184E078</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>108</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>108</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>64BC76978749586</Val><Hash>GW6PzcEVEDTVKeO5Ym5UUm41dBk=</Hash><Pid>89388-707-0441865-65492</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="108"/><App Id="16" Version="12" Result="108"/><App Id="18" Version="12" Result="108"/><App Id="19" Version="12" Result="108"/><App Id="1A" Version="12" Result="108"/><App Id="1B" Version="12" Result="108"/><App Id="44" Version="12" Result="108"/><App Id="A1" Version="12" Result="108"/><App Id="BA" Version="12" Result="108"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 13D40:ASUSTeK Computer Inc|153FF:GENUINE C&C INC
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A


I don't do any banking though I do check Email. I mainly use my computer for film editing but I do use the internet extensively. I also considered upgrading to Windows 7 so this may be the perfect opportunity/reason. I tried to make sure everything is legit. I called Adobe to check my licenses on my software before I installed it and the same with numerous other companies. Since I do film making, I try to do everything legally so I think that something with the computer may be the cause of that. Thanks for your help and I will do anything to get my computer up and running. I always shut down my computer after following your instructions and writing on this forum. Thanks again.

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 10 July 2010 - 06:57 PM

Hi there,

QUOTE
Windows Validation Data-->
Validation Status: Genuine


Windows is legit thumbup2.gif

QUOTE
OGA Data-->
Office Status: 108 Invalid VLK
Microsoft Office Enterprise 2007 - 108 Invalid VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005


Microsoft Office Enterprise 2007:

This installation was done with an invalid Product Key made by a pirating program known as a Key Generator. The product key was NOT issued by Microsoft, making it Invalid.

(Invalid VLK= Volume Licensing [Product] Key)

If your use of the installed Office Professional Plus 2007 is in association with a larger business, educational institution, or governmental agency that might have a Volume Licensing Agreement with Microsoft, please report this nongenuine problem to your organization's IT support staff for further troubleshooting and resolution.

If you are an individual consumer, you should never have been sold Volume Licensing materials such as a VL CD, and you certainly should not have received an Invalid Product Key. Quite often people purchase what is advertised and packaged as a retail license for Microsoft Office, but all too often, the product they receive is a counterfeit Office package that installs a nongenuine copy of Microsoft Office. This could be the situation in your case.

Your first course of action is to confront your seller with this information and demand a full refund. If the seller refuses to help, please pursue whatever remedies are available to you thru the selling venue, your payment method (credit card, PayPal, etc), or the legal system in your area.

Also, depending upon whether you received "high quality" counterfeit materials, you may qualify for the Office Complimentary Offer or for the Office Genuine Advantage discounted offer. Please see the FAQ here: http://www.microsoft.com/genuine/downloads...ang=en#ID0EKNAC If you decide to participate in the Office Genuine Offer, please initiate the process by clicking on the "Learn More Online" link shown in the nongenuine notices on your screen.

One other possibility is that at one time your computer did have a Genuine installation of Office installed, but for some reason it was replaced with the current installation which is nongenuine. This could have happened if you took your computer to a repair shop and they reinstalled Windows and/or some or all of your programs. You Get Genuine once again by uninstalling the current nongenuine installation of Office and using your Genuine Microsoft hologrammed Office installation CDs, along with the genuine Product Key found on your Office Edition's Certificate of Authenticity, to put back the genuine installation of Office you may have already had on the computer.

We can deal with this after the clean up is completed. I have some other options for you to consider!

==========

MalwareMutilator will be back shortly with your next steps.

I sincerely appreciate your patience.

Kind regards,
~ t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 11 July 2010 - 07:47 AM

Hello again, Scono, smile.gif

Your last reply indicates that you would like to clean your computer, so please proceed as follows:

Step #1

ComboFix:

Please download ComboFix from this location:
  • Please disable your Avast antivirus protection program, any other AntiVirus and AntiSpyware applications that you may be running. Usually, a right click on the System Tray icon will allow you to do so. Running such protection may otherwise interfere with our tools. Click on this link to see a list of programs that should be disabled. The list is not all inclusive.

  • Double click on Combofix.exe and follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, its strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:/ComboFix.txt with your next reply.

Regards,

MM

#11 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 11 July 2010 - 04:33 PM

Just a quick note, ComboFix did not ask about Microsoft Recovery console though I never installed it. Does my computer have the feature built in?
(Sorry, my exe was flawed and crashed my computer. I did another download of the program and it asked me about Microsoft recovery console so now it works. Sorry)

Edited by Scono, 11 July 2010 - 06:29 PM.


#12 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 11 July 2010 - 06:57 PM

Here is the combofix log:

ComboFix 10-07-11.03 - New User 07/11/2010 16:37:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1574 [GMT -7:00]
Running from: c:\documents and settings\New User\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ifuzawos.dll
c:\windows\system32\6041_081114_01.scr
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-06-11 to 2010-07-11 )))))))))))))))))))))))))))))))
.

2010-07-10 22:08 . 2010-07-10 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-10 05:10 . 2010-07-10 05:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-05 20:08 . 2010-07-10 05:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 17:32 . 2010-07-05 17:32 388096 ----a-r- c:\documents and settings\New User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-05 17:32 . 2010-07-05 17:32 -------- d-----w- c:\program files\Trend Micro
2010-07-04 03:57 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-04 03:57 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-04 03:57 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-04 03:57 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-04 03:57 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-04 03:57 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-04 03:57 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-04 03:56 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-04 03:56 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-04 03:56 . 2010-07-04 03:56 -------- d-----w- c:\program files\Alwil Software
2010-07-04 03:56 . 2010-07-04 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-03 00:37 . 2010-07-03 00:37 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\ICS
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2010-07-02 02:50 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 02:50 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-01 21:13 . 2010-07-05 06:30 120 ----a-w- c:\windows\Xgupesicog.dat
2010-07-01 21:13 . 2010-07-05 05:08 0 ----a-w- c:\windows\Oqiwar.bin
2010-07-01 21:13 . 2010-07-01 21:13 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}
2010-07-01 08:00 . 2010-07-02 03:05 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\fiuqwqtms
2010-06-12 02:27 . 2010-06-12 02:27 50354 ----a-w- c:\documents and settings\New User\Application Data\Facebook\uninstall.exe
2010-06-12 02:27 . 2010-06-12 02:27 -------- d-----w- c:\documents and settings\New User\Application Data\Facebook

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 23:36 . 2010-05-01 16:59 -------- d-----w- c:\documents and settings\New User\Application Data\WTablet
2010-07-04 01:36 . 2010-04-02 06:06 -------- d-----w- c:\program files\Youtube Downloader HD
2010-06-16 03:28 . 2009-08-20 00:16 -------- d-----w- c:\program files\MuseScore 0.9
2010-06-11 21:22 . 2010-05-05 22:56 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\New User\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-05 01:31 . 2010-06-05 01:34 720786 ----a-w- c:\windows\TestSaver.scr
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\program files\InstantStorm
2010-06-03 23:01 . 2010-03-21 03:37 -------- d-----w- c:\program files\Ask.com
2010-06-03 22:52 . 2010-06-03 22:52 2944904 ----a-w- c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\xf00z5q0.default\extensions\toolbar@ask.com\chrome\temp\askToolbar.exe
2010-05-30 21:49 . 2010-05-30 21:11 -------- d-----w- c:\program files\FXhome EffectsLab Pro
2010-05-30 21:17 . 2010-05-30 21:17 3753 ---h--w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONT298ROMV32.DAT
2010-05-23 03:36 . 2010-05-23 03:36 -------- d-----w- c:\documents and settings\New User\Application Data\Media Player Classic
2010-05-22 15:34 . 2009-09-23 22:50 -------- d-----w- c:\documents and settings\New User\Application Data\U3
2010-05-22 02:02 . 2010-05-22 02:02 503808 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\msvcp71.dll
2010-05-22 02:02 . 2010-05-22 02:02 499712 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\jmc.dll
2010-05-22 02:02 . 2010-05-22 02:02 348160 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\msvcr71.dll
2010-05-22 02:02 . 2010-05-22 02:02 61440 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3dc74e74-n\decora-sse.dll
2010-05-22 02:02 . 2010-05-22 02:02 12800 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3dc74e74-n\decora-d3d.dll
2010-05-21 21:14 . 2010-03-21 04:12 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 00:11 . 2009-08-11 23:19 -------- d-----w- c:\documents and settings\New User\Application Data\vlc
2010-05-13 23:00 . 2010-03-07 06:46 -------- d-----w- c:\program files\Google
2010-05-13 04:12 . 2010-05-13 04:10 -------- d-----w- c:\documents and settings\New User\Application Data\FontCreator
2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 17:15 . 2009-08-08 12:41 104840 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-04-24 08:22 . 2009-08-20 18:43 38784 ----a-w- c:\documents and settings\New User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-21 00:26 . 2010-04-21 00:26 185 ----a-w- c:\windows\winnit.reg
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 00:29 . 2010-05-07 23:12 411368 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 73728]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2009-05-18 1694720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"librtexec"="javaw -jar" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"CTAPR2"="c:\program files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" [2007-01-16 57344]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"SPIRun"="SPIRun.dll" [2009-03-05 8704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"F5D8055v2"="c:\program files\Belkin\F5D8055\v2\Belkinwcui.exe" [2009-04-08 1662976]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-20 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-08-12 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-20 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2009-11-26 606296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2009-05-18 1694720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\New User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=xgusb.cpl
"midi4"=xgusb.cpl
"midi6"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/3/2010 8:57 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/3/2010 8:57 PM 17744]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [5/1/2010 9:59 AM 4497704]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [5/1/2010 9:59 AM 113448]
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [10/1/2009 6:07 PM 53280]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [8/8/2009 5:30 AM 742936]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [8/8/2009 5:30 AM 1803136]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/1/2010 9:59 AM 16168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 11:46 PM 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/8/2009 4:49 AM 1684736]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [8/12/2009 3:46 PM 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [8/12/2009 8:12 PM 79360]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 06:46]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 06:46]

2010-07-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-07-11 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2009-10-02 21:48]

2010-07-11 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2009-10-02 21:34]

2010-07-11 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\xf00z5q0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\New User\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\New User\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\Free Ride Games\npExentCtl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {E6E7AD98-4046-48F1-A0D4-A496EA43189C} - c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKLM-Run-nwiz - nwiz.exe
HKLM-Run-Vfazesavad - c:\windows\ewowakev.dll
AddRemove-6041_081114_01 - c:\windows\system32\6041_081114_01.scr
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-Sound Blaster X-Fi Windows Drivers - c:\program files\Creative\Sound Blaster X-Fi\Program\SETUP.EXE
AddRemove-_{53A908D4-99C6-469B-BC13-F4189F260742} - c:\program files\Corel\Corel Painter Essentials 4\MSILauncher {53A908D4-99C6-469B-BC13-F4189F260742}



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRun = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:fe,71,99,1e,bd,c7,a3,e1,c2,3c,cb,ea,91,83,cd,fe,09,67,81,7b,b3,
96,56,58,ad,a8,53,92,b4,19,17,4c,3a,99,4b,f6,9f,6b,e0,27,d8,86,98,13,c3,2c,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:fe,71,99,1e,bd,c7,a3,e1,c2,3c,cb,ea,91,83,cd,fe,09,67,81,7b,b3,
96,56,58,ad,a8,53,92,b4,19,17,4c,3a,99,4b,f6,9f,6b,e0,27,d8,86,98,13,c3,2c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-07-11 16:50:40
ComboFix-quarantined-files.txt 2010-07-11 23:50

Pre-Run: 179,341,185,024 bytes free
Post-Run: 183,738,998,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BF0F3C8B12CFEA855227F6058DE337D3



Also, I will get my money back for Microsoft office. My new laptop needs Microsoft office so I might as well just get a traditional disc which allows me to upload Microsoft on up to three PCs. I checked their website. And once again, thank you very much.

#13 MalwareMutilator

MalwareMutilator

  • Members
  • 931 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 12 July 2010 - 06:38 PM

Hello Scono, smile.gif

ComboFix successfully removed the rootkit on your computer, however, we still have some cleaning to do. Please continue as follows:

Step #1

Uninstall the Ask Toolbar:

Your ComboFix log indicates that the Ask Toolbar is installed on your computer.

I suggest you uninstall Ask Toolbar for the following reasons.
  • Promoting its toolbars on sites targeted to kids.

  • Promoting its toolbars through ads that appear to be part of other companies' sites.

  • Promoting its toolbars through other companies' spyware.

  • Installing without any disclosure whatsoever and without any consent whatsoever.

  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.

  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
More information can be found here.

Step #2

Execute ComboFix script:

We need to execute a ComboFix script. Tutorials on how to disable your antivirus and anti malware programs can be found here.
  • Close any open browsers.

  • Close/disable all antivirus and anti malware programs so they do not interfere with the running of ComboFix.

  • Open notepad and copy/paste the text in the quote box below into it:

  • Combofix might upload a few suspicious files. Please allow this!!



    QUOTE
    http://www.bleepingcomputer.com/forums/t/329356/google-links-redirect-me-and-ranom-tabs-open-up/

    Collect::
    c:\windows\Xgupesicog.dat
    c:\windows\Oqiwar.bin

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride =

    Folder::
    c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}
    c:\documents and settings\New User\Local Settings\Application Data\fiuqwqtms

  • Save this as CFScript.txt, in the same location as ComboFix.exe




  • Referring to the picture above, drag CFScript into ComboFix.exe

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Step #3

Run MalwareBytes:

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.


If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:

    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.

  • Press the OK button to close that box and continue.

  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Step #4

Run ESET online scan:


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan

  • Click the button.

  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.

    • Double click on the icon on your Desktop.
  • Check

  • Click the button.

  • Accept any security warnings from your browser.

  • Check

  • Push the Start button.

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

  • Push the button.

  • Push

Step #5

Run DDS:
  • Run a new scan with DDS.

  • Save the new DDS log as we will need it along with your next reply.

Warnings regarding installed programs:

While examining your DDS log, I noticed that the following two programs are listed:

Carbonite Online Backup:

If you have made a recent backup of your computer utilizing Carbonite Online Backup, please aware that you may have backed-up your computer while it was infected. For your protection, I strongly suggest that you remove all previous backups after we have finished cleaning your computer. After I have given you the all-clean, you should then perform a new backup.

Winferno Registry Power Cleaner:

Registry Cleaners are not recommended as the registry is a delicate piece of Windows. Deleting the wrong key can make a computer unable to login, or worse. As well, there is no evidence that supports a clear performance increase. Although the decision is entirely yours, I suggest that you uninstall Winferno Registry Power Cleaner.

Summary:

After completing all of the above steps, please copy and past the contents from all of the following logs with your next reply. Also, please inform me of how your computer is running. Any more redirects or problems?
  • The ComboFix log.
  • The ESET log.
  • The MBAM log.
  • The new DDS log.

Regards,

MM




#14 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 13 July 2010 - 12:08 AM

Here they are. I didn't even know about the ASK toolbar, Carbonite backup, or registry cleaner. Thanks for the tip. Here are the logs.


ComboFix 10-07-11.03 - New User 07/12/2010 18:31:40.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -7:00]
Running from: c:\documents and settings\New User\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\Oqiwar.bin
file zipped: c:\windows\Xgupesicog.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}
c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}\chrome.manifest
c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}\chrome\content\_cfg.js
c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}\chrome\content\overlay.xul
c:\documents and settings\New User\Local Settings\Application Data\{E6E7AD98-4046-48F1-A0D4-A496EA43189C}\install.rdf
c:\documents and settings\New User\Local Settings\Application Data\fiuqwqtms
c:\windows\Oqiwar.bin
c:\windows\Xgupesicog.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-10 22:08 . 2010-07-10 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-10 05:10 . 2010-07-10 05:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-05 20:08 . 2010-07-10 05:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 17:32 . 2010-07-05 17:32 388096 ----a-r- c:\documents and settings\New User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-05 17:32 . 2010-07-05 17:32 -------- d-----w- c:\program files\Trend Micro
2010-07-04 03:57 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-04 03:57 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-04 03:57 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-04 03:57 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-04 03:57 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-04 03:57 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-04 03:57 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-04 03:56 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-04 03:56 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-04 03:56 . 2010-07-04 03:56 -------- d-----w- c:\program files\Alwil Software
2010-07-04 03:56 . 2010-07-04 03:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-03 00:37 . 2010-07-03 00:37 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\ICS
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2010-07-02 02:50 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-02 02:50 . 2010-07-02 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-02 02:50 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 01:25 . 2010-05-01 16:59 -------- d-----w- c:\documents and settings\New User\Application Data\WTablet
2010-07-13 00:11 . 2010-03-21 03:37 -------- d-----w- c:\program files\Ask.com
2010-07-04 01:36 . 2010-04-02 06:06 -------- d-----w- c:\program files\Youtube Downloader HD
2010-06-16 03:28 . 2009-08-20 00:16 -------- d-----w- c:\program files\MuseScore 0.9
2010-06-12 02:27 . 2010-06-12 02:27 50354 ----a-w- c:\documents and settings\New User\Application Data\Facebook\uninstall.exe
2010-06-12 02:27 . 2010-06-12 02:27 -------- d-----w- c:\documents and settings\New User\Application Data\Facebook
2010-06-11 21:22 . 2010-05-05 22:56 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-09 10:45 . 2010-06-09 10:45 5591040 ----a-w- c:\documents and settings\New User\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-06-05 01:31 . 2010-06-05 01:34 720786 ----a-w- c:\windows\TestSaver.scr
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\program files\InstantStorm
2010-05-30 21:49 . 2010-05-30 21:11 -------- d-----w- c:\program files\FXhome EffectsLab Pro
2010-05-30 21:17 . 2010-05-30 21:17 3753 ---h--w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONT298ROMV32.DAT
2010-05-23 03:36 . 2010-05-23 03:36 -------- d-----w- c:\documents and settings\New User\Application Data\Media Player Classic
2010-05-22 15:34 . 2009-09-23 22:50 -------- d-----w- c:\documents and settings\New User\Application Data\U3
2010-05-22 02:02 . 2010-05-22 02:02 503808 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\msvcp71.dll
2010-05-22 02:02 . 2010-05-22 02:02 499712 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\jmc.dll
2010-05-22 02:02 . 2010-05-22 02:02 348160 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-372c4556-n\msvcr71.dll
2010-05-22 02:02 . 2010-05-22 02:02 61440 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3dc74e74-n\decora-sse.dll
2010-05-22 02:02 . 2010-05-22 02:02 12800 ----a-w- c:\documents and settings\New User\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3dc74e74-n\decora-d3d.dll
2010-05-21 21:14 . 2010-03-21 04:12 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 00:11 . 2009-08-11 23:19 -------- d-----w- c:\documents and settings\New User\Application Data\vlc
2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-01 17:15 . 2009-08-08 12:41 104840 ----a-w- c:\documents and settings\New User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-05-01 01:42 . 2010-05-01 01:42 290816 ----a-w- c:\documents and settings\New User\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-04-24 08:22 . 2009-08-20 18:43 38784 ----a-w- c:\documents and settings\New User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-21 00:26 . 2010-04-21 00:26 185 ----a-w- c:\windows\winnit.reg
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-07-11_23.48.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-13 01:24 . 2010-07-13 01:24 16384 c:\windows\Temp\Perflib_Perfdata_ad8.dat
+ 2004-08-04 12:00 . 2010-07-13 01:29 68532 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-07-11 23:41 68532 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-07-13 01:29 435942 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-07-11 23:41 435942 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 73728]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2009-05-18 1694720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"librtexec"="javaw -jar" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 142360]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"CTAPR2"="c:\program files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe" [2007-01-16 57344]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
"SPIRun"="SPIRun.dll" [2009-03-05 8704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-07-14 570664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"F5D8055v2"="c:\program files\Belkin\F5D8055\v2\Belkinwcui.exe" [2009-04-08 1662976]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-20 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-08-12 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-20 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-11 289576]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2009-11-26 606296]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2009-05-18 1694720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\New User\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi3"=xgusb.cpl
"midi4"=xgusb.cpl
"midi6"=xgusb.cpl

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/3/2010 8:57 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/3/2010 8:57 PM 17744]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [5/1/2010 9:59 AM 4497704]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [5/1/2010 9:59 AM 113448]
R2 X4HS32Ex;X4HS32Ex;c:\program files\Free Ride Games\X4HS32Ex.sys [10/1/2009 6:07 PM 53280]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [8/8/2009 5:30 AM 742936]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [8/8/2009 5:30 AM 1803136]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [5/1/2010 9:59 AM 16168]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2010 11:46 PM 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/8/2009 4:49 AM 1684736]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [8/12/2009 3:46 PM 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\MT6Licensing.exe [8/12/2009 8:12 PM 79360]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys --> c:\windows\system32\DRIVERS\ManyCam.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 06:46]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-07 06:46]

2010-07-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-07-13 c:\windows\Tasks\RegPowerClean.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2009-10-02 21:48]

2010-07-13 c:\windows\Tasks\RPCReminder.job
- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2009-10-02 21:34]
.
.
------- Supplementary Scan -------
.
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\xf00z5q0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\New User\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\New User\Local Settings\Application Data\Yahoo!\BrowserPlus\2.8.1\Plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\Free Ride Games\npExentCtl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-12 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRun = Rundll32 SPIRun.dll,RunDLLEntry?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:fe,71,99,1e,bd,c7,a3,e1,c2,3c,cb,ea,91,83,cd,fe,09,67,81,7b,b3,
96,56,58,ad,a8,53,92,b4,19,17,4c,3a,99,4b,f6,9f,6b,e0,27,d8,86,98,13,c3,2c,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:fe,71,99,1e,bd,c7,a3,e1,c2,3c,cb,ea,91,83,cd,fe,09,67,81,7b,b3,
96,56,58,ad,a8,53,92,b4,19,17,4c,3a,99,4b,f6,9f,6b,e0,27,d8,86,98,13,c3,2c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-07-12 18:41:53
ComboFix-quarantined-files.txt 2010-07-13 01:41
ComboFix2.txt 2010-07-11 23:50

Pre-Run: 183,679,987,712 bytes free
Post-Run: 183,660,773,376 bytes free

- - End Of File - - 1D90FE40763A2F6BF1AB177E80995994
Upload was successful


C:\Documents and Settings\New User\Application Data\Sun\Java\Deployment\cache\6.0\15\318e4ecf-73e4ae15 probably a variant of Win32/Agent trojan deleted - quarantined
C:\Documents and Settings\New User\Application Data\Sun\Java\Deployment\cache\6.0\29\47c98add-3a646086 multiple threats deleted - quarantined
C:\Documents and Settings\New User\Application Data\Sun\Java\Deployment\cache\6.0\46\77b0d7ae-28eb3ddc multiple threats deleted - quarantined
C:\Documents and Settings\New User\Application Data\Sun\Java\Deployment\cache\6.0\53\2c1eb675-1c6fe4ca multiple threats deleted - quarantined
C:\System Volume Information\_restore{422CD53B-CB2F-45C2-B467-689ADA518577}\RP424\A0058299.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{422CD53B-CB2F-45C2-B467-689ADA518577}\RP424\A0058300.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{422CD53B-CB2F-45C2-B467-689ADA518577}\RP424\A0058301.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{422CD53B-CB2F-45C2-B467-689ADA518577}\RP425\A0063944.sys Win32/Olmarik.ZC trojan cleaned - quarantined


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4307

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/12/2010 7:27:27 PM
mbam-log-2010-07-12 (19-27-27).txt

Scan type: Quick scan
Objects scanned: 129077
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





DDS (Ver_10-03-17.01) - NTFSx86
Run by New User at 22:00:44.75 on Mon 07/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1422 [GMT -7:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WTouch\WTouchService.exe
svchost.exe
svchost.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
svchost.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\New User\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [CTAPR2] "c:\program files\creative\sound blaster x-fi\console launcher\CTAPR2.exe" /r
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [F5D8055v2] c:\program files\belkin\f5d8055\v2\Belkinwcui.exe
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [librtexec] javaw -jar "c:\program files\java\jre6\lib\librtexec.jar"
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe /runonstartup"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\newuse~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\newuse~1\applic~1\mozilla\firefox\profiles\xf00z5q0.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\new user\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\new user\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll
FF - plugin: c:\program files\free ride games\npExentCtl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-3 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-3 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-5-1 4497704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-5-1 113448]
R2 X4HS32Ex;X4HS32Ex;c:\program files\free ride games\X4HS32Ex.sys [2009-10-1 53280]
R3 rt2870;Belkin N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2009-8-8 713344]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-8-8 742936]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [2009-8-8 1803136]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-5-1 16168]
RUnknown CFcatchme;CFcatchme; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-6 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-8 1684736]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-3 40384]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-8-12 79360]
S3 Creative Media Toolbox 6 Licensing Service;Creative Media Toolbox 6 Licensing Service;c:\program files\common files\creative labs shared\service\MT6Licensing.exe [2009-8-12 79360]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]

=============== Created Last 30 ================

2010-07-13 02:34:23 0 d-----w- c:\program files\ESET
2010-07-13 02:18:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 02:18:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-13 02:18:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 23:30:36 0 d-sha-r- C:\cmdcons
2010-07-11 21:31:04 98816 ----a-w- c:\windows\sed.exe
2010-07-11 21:31:04 77312 ----a-w- c:\windows\MBR.exe
2010-07-11 21:31:04 256512 ----a-w- c:\windows\PEV.exe
2010-07-11 21:31:04 161792 ----a-w- c:\windows\SWREG.exe
2010-07-09 19:01:35 0 ----a-w- c:\documents and settings\new user\defogger_reenable
2010-07-05 20:08:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 17:32:38 0 d-----w- c:\program files\Trend Micro
2010-07-04 03:56:56 38848 ----a-w- c:\windows\avastSS.scr
2010-07-04 03:56:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-02 03:28:01 2422 ----a-w- c:\windows\system32\wpa.bak
2010-07-02 02:50:28 0 d-----w- c:\docume~1\newuse~1\applic~1\Malwarebytes
2010-07-02 02:50:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-06-05 01:31:14 720786 ----a-w- c:\windows\TestSaver.scr
2010-05-21 21:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-06-25 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
2009-08-10 21:52:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080320090810\index.dat
2009-08-10 21:52:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081020090811\index.dat

============= FINISH: 22:00:58.15 ===============

Again, thank you very much.

Attached Files



#15 Scono

Scono
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:12 AM

Posted 13 July 2010 - 12:11 AM

Google is not taking me to random links but the problem, at least when I knew I had it, comes and goes so I can't exactly tell at this time. Though I haven't experienced a problem since.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users