
Help with "Fraud.Windows.ProtectionSuite" and "Microsoft.Windows.RedirectedHosts" needed for Vista PC


  • This topic is locked
21 replies to this topic

#1 zipxam

zipxam

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 17 July 2010 - 04:15 PM

The computer will load normally yet will use redirects when trying to use a search engine. Ex: Google.com even said "your network has a high level of outbound activity, enter the captcha so we know you're human" and I'm paraphrasing here.

Thanks in advance!


-----

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Max at 15:17:33.22 on Sat 07/17/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.159 [GMT -5:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Max\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M0FB9FHZ\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [CyberDefender Early Detection Center] "c:\users\max\appdata\local\cyberdefender internet security\antispyware\cdaseef0.exe" /minimize
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-19 242896]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-8-8 552448]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-19 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-19 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-5-19 308064]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-20 1153368]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-11-11 21504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-19 38224]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-11-11 16896]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-11-19 19968]

=============== Created Last 30 ================

2010-07-16 23:02:29 250987522 ----a-w- c:\windows\MEMORY.DMP
2010-07-11 20:51:50 0 dc-h--w- c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-08 16:28:54 0 d-----w- c:\program files\Safe Returner
2010-07-07 15:30:05 0 d---a-w- c:\programdata\TEMP
2010-07-01 16:24:48 0 d-----w- c:\program files\iPod
2010-07-01 16:18:33 0 d-----w- c:\program files\Bonjour
2010-06-28 23:47:06 0 d-----w- c:\program files\MSECache
2010-06-28 15:46:51 0 d-sh--w- C:\found.000
2010-06-25 20:29:01 0 d-----w- C:\8afe85826306ce75b864d7
2010-06-24 16:41:19 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 16:41:19 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 16:41:19 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 16:41:19 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 16:41:18 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 16:07:03 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-23 16:07:03 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-21 17:11:32 0 d-----w- c:\windows\Spybot - Search & Destroy
2010-06-20 19:02:10 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-20 19:02:10 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-20 16:34:19 0 d-----w- c:\users\max\appdata\roaming\Malwarebytes

==================== Find3M ====================

2010-07-11 15:58:30 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-01 16:21:27 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-01 16:21:27 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-01 16:21:27 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-15 14:48:10 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-02 14:37:16 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-19 23:48:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-19 23:47:57 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-23 15:22:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 22:17:43 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-01-08 04:27:21 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-18 22:37:12 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-21 21:30:01 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 15:21:50.75 ===============
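The DDS report above lists five HOSTS entries that all resolve different hostnames to one public address, which is the pattern behind the "RedirectedHosts" detection named in the thread title. The following is an added example, not part of the post and not code from the DDS tool: it parses DDS-style "Hosts:" lines (and plain hosts-file lines), treats only loopback or unspecified addresses as normal targets, and groups the remaining names by target address so a one-IP-many-domains cluster stands out. The sample lines are constructed to mirror the log in the post; the function names are this example's own.

```python
"""Flag suspicious HOSTS entries from a DDS 'Pseudo HJT Report' section.

Added example; not the forum post's or the DDS tool's own code. The sample
below is constructed to mirror the 'Hosts:' lines quoted in the thread.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the DDS lines from the thread plus two benign entries
# of the kind a clean hosts file contains. Non-hosts lines are included to
# show that the parser ignores them.
SAMPLE_DDS_LINES = """\
uStart Page = hxxp://www.yahoo.com/
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 127.0.0.1 localhost
Hosts: ::1 localhost
Note: multiple HOSTS entries found. Please refer to Attach.txt
"""


def parse_hosts_lines(text):
    """Return (ip, hostname) pairs from DDS 'Hosts:' lines or raw hosts-file lines.

    A raw hosts file may carry '#' comments and several names per line;
    both forms are handled. Lines whose first token is not an IP address
    (e.g. 'uStart Page = ...', 'Note: ...') are skipped.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("hosts:"):
            line = line[len("hosts:"):].strip()
        tokens = line.split()
        if len(tokens) < 2:
            continue
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for host in tokens[1:]:
            pairs.append((tokens[0], host.lower()))
    return pairs


def is_local_target(ip_text):
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) targets.

    These are the only targets a clean hosts file on a home PC normally
    uses; ad-block lists also sink names to 0.0.0.0.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_suspicious(pairs):
    """Group hostnames by any non-local target address.

    Returns {ip: sorted hostnames} for every target that is not loopback
    or unspecified. Several unrelated names behind one such address is
    the redirection pattern seen in the thread's DDS log.
    """
    by_ip = defaultdict(set)
    for ip, host in pairs:
        if not is_local_target(ip):
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def summarize(text):
    """One report line per flagged target, tagged CLUSTER when >= 2 names share it."""
    report = []
    for ip, hosts in find_suspicious(parse_hosts_lines(text)).items():
        tag = "CLUSTER" if len(hosts) >= 2 else "SINGLE"
        report.append(f"{tag} {ip} -> {', '.join(hosts)}")
    return report


if __name__ == "__main__":
    for line in summarize(SAMPLE_DDS_LINES):
        print(line)
```

On the sample the report is a single CLUSTER line naming the one public address and the five hostnames mapped to it, while both localhost entries are ignored. The same parser reads a copied `C:\Windows\System32\drivers\etc\hosts` directly, since the "Hosts:" prefix is optional.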



#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:06:48 AM

Posted 23 July 2010 - 11:44 PM

Hello, zipxam.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.
We need to run Defogger
  1. Please download DeFogger to your desktop.
  2. Double click DeFogger to run the tool.
  3. The application window will appear
  4. Click the Disable button to disable your CD Emulation drivers
  5. Click Yes to continue
  6. A 'Finished!' message will appear
  7. Click OK
  8. DeFogger will now ask to reboot the machine - click OK
Note: If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until the end of the fix.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
We need to run an Anti-Rootkit (ARK) scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

If GMER crashes, hangs or blue-screens, do the following
  1. Please Download Rootkit Unhooker Save it to your desktop.
  2. Now double-click on RKUnhookerLE.exe to run it.
  3. Click the Report tab, then click Scan.
  4. Check (Tick) Drivers and Stealth. Uncheck the rest, then click OK.
  5. Wait till the scanner has finished and then click File, Save Report.
  6. Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning. If so, please ignore it.
"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log/RKUnhooker log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 zipxam

zipxam
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:48 PM

Posted 26 July 2010 - 07:50 PM

Thank you for your help. Attached is the 'info' and 'log.'

I have run GMER twice and both reports are blank. I will try to re-run it again. I think I did it wrong.

Give me until the weekend (5 days or so) to try to re-run it again... please keep the topic open.

Thanks!

-Zipxam

Logfile of random's system information tool 1.08 (written by random/random)
Run by Max at 2010-07-26 17:57:21
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 180 GB (77%) free of 232 GB
Total RAM: 894 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:58:07 PM, on 7/26/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Max\Desktop\RSIT.exe
C:\Program Files\trend micro\Max.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Users\Max\AppData\Local\CyberDefender Internet Security\AntiSpyware\cdaseef0.exe" /minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7533 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1697937236-678893017-2631260783-1001Core.job
C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Max.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27 441408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9}]
Canon Easy-WebPrint EX BHO - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2009-11-25 202080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-06-02 1615200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-15 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27 441408]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]
{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - Canon Easy-WebPrint EX - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2009-11-25 1496408]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"hpsysdrv"=c:\hp\support\hpsysdrv.exe [2006-09-28 65536]
"KBD"=C:\HP\KBD\KBD.EXE [2005-02-02 61440]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-09 3784704]
"HP Software Update"=c:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
""= []
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-11-21 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-11-21 7753728]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-11-21 81920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-06-02 2065248]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2009-03-23 1983816]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2009-03-17 767312]
"IJNetworkScanUtility"=C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [2009-05-19 136544]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-06-15 141624]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"HPAdvisor"=C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe []
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2005-02-16 221184]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"CyberDefender Early Detection Center"=C:\Users\Max\AppData\Local\CyberDefender Internet Security\AntiSpyware\cdaseef0.exe /minimize []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=2
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-07-26 17:57:21 ----D---- C:\rsit
2010-07-26 17:57:21 ----D---- C:\Program Files\trend micro
2010-07-11 15:51:50 ----HDC---- C:\ProgramData\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-08 11:28:54 ----D---- C:\Program Files\Safe Returner
2010-07-08 09:16:32 ----SHD---- C:\Config.Msi
2010-07-07 10:30:05 ----AD---- C:\ProgramData\TEMP
2010-07-01 11:24:48 ----D---- C:\Program Files\iPod
2010-07-01 11:18:33 ----D---- C:\Program Files\Bonjour
2010-06-28 18:47:06 ----D---- C:\Program Files\MSECache
2010-06-28 10:46:51 ----SHD---- C:\found.000

======List of files/folders modified in the last 1 months======

2010-07-26 17:57:21 ----RD---- C:\Program Files
2010-07-26 17:45:08 ----A---- C:\Windows\ntbtlog.txt
2010-07-17 16:16:21 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-07-17 15:06:37 ----D---- C:\Windows\system32\drivers\etc
2010-07-17 14:34:20 ----D---- C:\Windows\Temp
2010-07-16 18:16:45 ----D---- C:\Windows\Prefetch
2010-07-16 18:10:06 ----D---- C:\Windows\system32\drivers\Avg
2010-07-16 18:05:57 ----D---- C:\Windows\Microsoft.NET
2010-07-16 18:02:35 ----D---- C:\Windows\Minidump
2010-07-16 18:02:29 ----D---- C:\Windows
2010-07-11 15:51:50 ----HD---- C:\ProgramData
2010-07-11 14:51:26 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-07-11 14:31:43 ----D---- C:\Windows\Tasks
2010-07-11 10:39:32 ----SHD---- C:\System Volume Information
2010-07-11 10:37:37 ----D---- C:\Windows\Spybot - Search & Destroy
2010-07-10 23:44:20 ----D---- C:\Windows\system32\Tasks
2010-07-10 23:40:34 ----D---- C:\ProgramData\CanonIJPLM
2010-07-08 09:17:59 ----SHD---- C:\Windows\Installer
2010-07-07 14:35:19 ----D---- C:\Program Files\Common Files
2010-07-07 14:33:45 ----D---- C:\ProgramData\PC Tools
2010-07-07 14:33:43 ----D---- C:\Windows\system32\drivers
2010-07-07 10:32:39 ----D---- C:\Windows\winsxs
2010-07-01 12:26:34 ----D---- C:\Windows\system32\catroot
2010-07-01 11:25:26 ----D---- C:\Program Files\iTunes
2010-07-01 11:24:47 ----D---- C:\Program Files\Common Files\Apple
2010-07-01 11:21:27 ----D---- C:\Windows\inf
2010-07-01 11:21:07 ----D---- C:\Windows\system32\catroot2
2010-07-01 11:18:33 ----D---- C:\Windows\System32
2010-06-28 18:47:57 ----D---- C:\Program Files\Microsoft.NET
2010-06-28 18:47:56 ----D---- C:\Windows\system32\en-US
2010-06-28 18:47:52 ----RSD---- C:\Windows\assembly

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2006-07-24 36528]
R1 AvgTdiX;AVG Free Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2010-06-02 242896]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2010-01-11 26600]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista; C:\Windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-05-04 1065384]
R3 Ps2;PS2; C:\Windows\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S0 TfFsMon;TfFsMon; C:\Windows\system32\drivers\TfFsMon.sys []
S0 TfSysMon;TfSysMon; C:\Windows\system32\drivers\TfSysMon.sys []
S1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2010-05-19 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2010-06-02 29584]
S2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
S2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DP;HSF_DP; C:\Windows\system32\DRIVERS\HSX_DP.sys [2008-05-08 980992]
S3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2008-05-08 266752]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2006-11-08 1647976]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-11-21 4454400]
S3 TfNetMon;TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-08 661504]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WSDPrintDevice;WSD Print Support via UMB; C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S3 WSDScan;WSD Scan Support via UMB; C:\Windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
S2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-05-19 308064]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
S2 IJPLMSVC;Canon Inkjet Printer/Scanner/Fax Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2009-02-10 116104]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-08-07 386560]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-06-15 540472]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-11-01 78752]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.08 2010-07-26 17:58:09

======Uninstall list======

-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\Family Feud\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Final Drive Nitro\Uninstall.exe"
-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\JEOPARDY\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\LEGO Builder Bots\Uninstall.exe"
-->"C:\Program Files\HP Games\Mahjong Journey of Enlightenment\Uninstall.exe"
-->"C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
-->"C:\Program Files\HP Games\Ocean Express\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer Pineapple Cup\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
-->"C:\Program Files\HP Games\Slingo Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"
-->"C:\Program Files\HP Games\The Apprentice\Uninstall.exe"
-->"C:\Program Files\HP Games\Tornado Jockey\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
-->"C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Acrobat.com-->msiexec /qb /x {F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Acrobat.com-->MsiExec.exe /I{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}
Adobe Reader 9.3.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{85991ED2-010C-4930-96FA-52F43C2CE98A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Belkin F5D8053 N Wireless USB Adapter-->C:\Program Files\InstallShield Installation Information\{E6607F5B-50E7-4B54-81B7-F0600E3C8CF4}\setup.exe -runfromtemp -l0x0409
Bonjour-->MsiExec.exe /X{0CB9668D-F979-4F31-B8B8-67FE90F929F8}
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91F1A0D6-23AD-49FE-8D4E-379485652214} /l1033
Canon Camera Window DS for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}
Canon Camera Window DVC for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{4C96958A-6562-4143-B820-FF4890D3B734}
Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{C7281207-4AA4-425E-B57A-0E9EF8445635}
Canon Easy-WebPrint EX-->"C:\Program Files\Canon\Easy-WebPrint EX\Maint.exe" /UninstallRemove C:\Program Files\Canon\Easy-WebPrint EX\uninst.ini
Canon IJ Network Scan Utility-->"C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSU.exe" /UninstallRemove C:\Program Files\Canon\Canon IJ Network Scan Utility\uninst.ini
Canon IJ Network Tool-->C:\Program Files\Canon\Canon IJ Network Tool\CNMNUU.exe
Canon Inkjet Printer/Scanner/Fax Extended Survey Program-->C:\Program Files\Canon\IJPLM\SETUP.EXE -R
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}
Canon MP Navigator EX 3.0-->"C:\Program Files\Canon\MP Navigator EX 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 3.0\uninst.ini
Canon MP560 series MP Drivers-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP560_series
Canon MP560 series User Registration-->C:\Program Files\Canon\IJEREG\MP560 series\UNINST.EXE
Canon PhotoRecord-->MsiExec.exe /X{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{45EF4EE3-F591-4B74-A477-0CAE12934CE7}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{28291BD5-92D2-4685-82DC-CCA925C53CCA}
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe Uninst.ini uinstrsc.dll
Canon Utilities My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini uinstrsc.dll
Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{218BBBE3-FE63-4BB2-81A8-7435575A84FA}
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini uinstrsc.dll
Canon ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Citrix Presentation Server Client - Web Only-->MsiExec.exe /X{C49067A8-8212-4A82-A4D9-1519701644F0}
DivX-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Enhanced Multimedia Keyboard Solution-->C:\HP\KBD\Install.exe /u
Hardware Diagnostic Tools-->C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35[1].exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Connections (remove only)-->C:\Windows\HPCPCUninstall-6811507\HPBWSetup.exe -appid 6811507 -uninstall
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Customer Feedback-->MsiExec.exe /I{9DBA770F-BF73-4D39-B1DF-6035D95268FC}
HP Easy Setup - Core-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe" -l0x9
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Picasso Media Center Add-In-->MsiExec.exe /I{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
iTunes-->MsiExec.exe /I{7AB3A249-FB81-416B-917A-A2A10E74C503}
Java™ 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
MSN Toolbar-->MsiExec.exe /I{6710FE30-27F7-492B-A660-D31D4A898A43}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
muvee autoProducer 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B83A15A7-2BD5-4416-BC43-AF5F9A4B08A9}\setup.exe" -l0x9
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OcxSetup-->MsiExec.exe /I{C3DC29BC-A8CF-4578-9DFC-37F049C44771}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Python 2.4.3-->MsiExec.exe /I{75E71ADD-042C-4F30-BFAC-A9EC42351313}
QuickTime-->MsiExec.exe /I{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Roxio Creator Audio-->MsiExec.exe /X{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9-->MsiExec.exe /X{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy-->MsiExec.exe /X{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /X{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive-->MsiExec.exe /X{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools-->MsiExec.exe /X{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3-->MsiExec.exe /X{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\UIU32m.exe -U -ITrx200Cz.INF
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Yahoo! Toolbar for Internet Explorer-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
67.212.189.115 www.google.com
67.212.189.115 google.com
67.212.189.115 google.com.au
67.212.189.115 www.google.com.au
67.212.189.115 google.be
67.212.189.115 www.google.be
67.212.189.115 google.com.br
67.212.189.115 www.google.com.br
67.212.189.115 google.ca
67.212.189.115 www.google.ca
67.212.189.115 google.ch
67.212.189.115 www.google.ch
67.212.189.115 google.de
67.212.189.115 www.google.de
67.212.189.115 google.dk
67.212.189.115 www.google.dk
67.212.189.115 google.fr
67.212.189.115 www.google.fr
67.212.189.115 google.ie
67.212.189.115 www.google.ie
67.212.189.115 google.it
67.212.189.115 www.google.it
67.212.189.115 google.co.jp
67.212.189.115 www.google.co.jp
67.212.189.115 google.nl
67.212.189.115 www.google.nl
67.212.189.115 google.no
67.212.189.115 www.google.no
67.212.189.115 google.co.nz
67.212.189.115 www.google.co.nz
67.212.189.115 google.pl
67.212.189.115 www.google.pl
67.212.189.115 google.se
67.212.189.115 www.google.se
67.212.189.115 google.co.uk
67.212.189.115 www.google.co.uk
67.212.189.115 google.co.za
67.212.189.115 www.google.co.za
67.212.189.115 www.google-analytics.com
67.212.189.115 www.bing.com
67.212.189.115 search.yahoo.com
67.212.189.115 www.search.yahoo.com
67.212.189.115 uk.search.yahoo.com
67.212.189.115 ca.search.yahoo.com
67.212.189.115 de.search.yahoo.com
67.212.189.115 fr.search.yahoo.com
67.212.189.115 au.search.yahoo.com


======Security center information======

AV: Norton 360
FW: Norton 360
AS: Spybot - Search and Destroy (disabled) (outdated)
AS: Windows Defender (disabled)
AS: Norton 360

======System event log======

Computer Name: Max-PC
Event Code: 137
Message: The default transaction resource manager on volume D: encountered a non-retryable error and could not start. The data contains the error code.
Record Number: 111904
Source Name: Ntfs
Time Written: 20091227170328.493289-000
Event Type: Error
User:

Computer Name: Max-PC
Event Code: 4001
Message: WLAN AutoConfig service has successfully stopped.

Record Number: 111892
Source Name: Microsoft-Windows-WLAN-AutoConfig
Time Written: 20091227102517.944800-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Max-PC
Event Code: 20
Message: Could not set the keyboard indicator lights.
Record Number: 111871
Source Name: i8042prt
Time Written: 20091227094959.253200-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 19
Message: Could not set the keyboard typematic rate and delay.
Record Number: 111870
Source Name: i8042prt
Time Written: 20091227094959.253200-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 17
Message: The device sent an incorrect response(s) following a keyboard reset.
Record Number: 111869
Source Name: i8042prt
Time Written: 20091227094959.253200-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Max-PC
Event Code: 1054
Message: Component error. hr=0x80049E00, [4, 3]

Record Number: 292
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090808164045.000000-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 1054
Message: Component error. hr=0x80049E00, [4, 3]

Record Number: 291
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090808164045.000000-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 1054
Message: Component error. hr=0x80049E00, [4, 3]

Record Number: 281
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090808161816.000000-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 1054
Message: Component error. hr=0x80049E00, [4, 3]

Record Number: 277
Source Name: Microsoft-Windows-Security-Licensing-SLC
Time Written: 20090808161815.000000-000
Event Type: Warning
User:

Computer Name: Max-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 270
Source Name: Microsoft-Windows-Search
Time Written: 20090808181742.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: Max-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: MAX-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\en-US\Winrs.exe.mui
Handle ID: 0x18

Process Information:
Process ID: 0x10e4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 5517
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090830191344.244945-000
Event Type: Audit Success
User:

Computer Name: Max-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: MAX-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\en-US\autochk.exe.mui
Handle ID: 0x18

Process Information:
Process ID: 0x10e4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 5516
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090830191344.229345-000
Event Type: Audit Success
User:

Computer Name: Max-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: MAX-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\en-US\msprivs.dll.mui
Handle ID: 0x18

Process Information:
Process ID: 0x10e4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 5515
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090830191344.229345-000
Event Type: Audit Success
User:

Computer Name: Max-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: MAX-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\en-US\CertEnroll.dll.mui
Handle ID: 0x18

Process Information:
Process ID: 0x10e4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 5514
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090830191344.213745-000
Event Type: Audit Success
User:

Computer Name: Max-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
Security ID: S-1-5-18
Account Name: MAX-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\en-US\ias.dll.mui
Handle ID: 0x18

Process Information:
Process ID: 0x10e4
Process Name: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\poqexec.exe

Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 5513
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090830191344.182545-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OnlineServices"=Online Services
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\hp\bin\Python;c:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PCBRAND"=Pavilion
"PLATFORM"=HPD
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=4b02
"RoxioCentral"=c:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------

Attached Files

  • Attached File  info.txt   19.63KB   1 downloads
  • Attached File  log.txt   20.46KB   1 downloads

Edited by aommaster, 26 July 2010 - 09:28 PM.


#4 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 26 July 2010 - 09:31 PM

Hi!

Please copy and paste logs directly into your reply as they make it easier for me to read. I'll wait for the ARK log before we work on a fix.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 zipxam

  • Topic Starter

  • Members
  • 10 posts

Posted 01 August 2010 - 04:34 PM

Ran GMER. Here's all it gave me:

-----

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-01 16:31:36
Windows 6.0.6002 Service Pack 2
Running: 4zozzxn6.exe; Driver: C:\Users\Max\AppData\Local\Temp\ufldypow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!CreateWindowExW 75F61305 5 Bytes JMP 71AEDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 71A154C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 71BE480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 71BE47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 71BE4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 71BE4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 71BE46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 71BE4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1500] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 71BE4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!SetWindowsHookExW 75F587AD 5 Bytes JMP 71AE9AC9 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!CallNextHookEx 75F58E3B 5 Bytes JMP 71ADD0ED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!UnhookWindowsHookEx 75F598DB 5 Bytes JMP 71A5467C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!CreateWindowExW 75F61305 5 Bytes JMP 71AEDB1C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 71A154C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!DialogBoxIndirectParamW 75F82EF5 5 Bytes JMP 71BE480F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 71BE47AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 71BE4872 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 71BE4741 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 71BE46D6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 71BE4674 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 71BE4612 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] ole32.dll!OleLoadFromStream 76F41E12 5 Bytes JMP 71BE4B77 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1964] ole32.dll!CoCreateInstance 76F79EA6 5 Bytes JMP 71AEDB78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#6 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 01 August 2010 - 05:24 PM

Hello, zipxam.
We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode".
  4. You may be presented with a warning dialog. If so, press Yes.
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 zipxam

  • Topic Starter

  • Members
  • 10 posts

Posted 01 August 2010 - 07:02 PM

I have successfully run ComboFix. Although when I ran it, as you will see in the log below, it stated that I had Norton360 enabled. I couldn't find any Symantec products under the Remove Programs section. I also went in and deleted every Symantec folder and Norton folder. I also went in the Registry and deleted everything with Symantec/Norton on it via the instructions here:

http://www.askdavetaylor.com/how_to_fully_...on_from_pc.html

I also downloaded Revo Uninstaller and it couldn't find any instance of Norton. After doing ALL of this ComboFix STILL stated that Norton360 was enabled. This is insane. Any other ideas?

I went ahead and ran the ComboFix and the log is below. It will be another week before I can try anything else. Thanks!


-----
ComboFix 10-07-31.04 - Max 08/01/2010 18:34:31.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.362 [GMT -5:00]
Running from: c:\users\Max\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 23:42 . 2010-08-01 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-01 23:42 . 2010-08-01 23:42 -------- d-----w- c:\users\Ann\AppData\Local\temp
2010-08-01 23:42 . 2010-08-01 23:42 -------- d-----w- c:\users\Max\AppData\Local\temp
2010-08-01 23:32 . 2010-08-01 23:32 -------- d-----w- C:\32788R22FWJFW
2010-07-26 23:03 . 2010-08-01 20:50 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-07-26 22:57 . 2010-07-26 22:58 -------- d-----w- C:\rsit
2010-07-26 22:57 . 2010-07-26 22:58 -------- d-----w- c:\program files\trend micro
2010-07-11 20:51 . 2010-07-11 20:51 -------- dc-h--w- c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 19:31 . 2010-07-11 19:31 -------- d-----w- c:\users\Ann\AppData\Local\Deployment
2010-07-11 19:31 . 2010-07-11 19:31 -------- d-----w- c:\users\Ann\AppData\Local\Apps
2010-07-11 17:16 . 2010-07-11 17:16 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-07-08 16:28 . 2010-07-08 16:28 -------- d-----w- c:\users\Ann\AppData\Roaming\SafeReturner
2010-07-08 16:28 . 2010-07-08 13:50 1507328 ----a-w- c:\users\Ann\AppData\Roaming\SafeReturner\SrScan.dll
2010-07-08 16:28 . 2010-07-08 16:35 -------- d-----w- c:\program files\Safe Returner
2010-07-07 04:17 . 2010-07-07 04:17 -------- d-----w- c:\users\Ann\AppData\Local\MigWiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 23:29 . 2010-08-01 23:29 -------- d-----w- c:\users\Max\AppData\Roaming\URSoft
2010-08-01 23:29 . 2010-08-01 23:29 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-08-01 23:12 . 2010-06-20 19:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-01 23:04 . 2010-08-01 23:04 -------- d-----w- c:\program files\VS Revo Group
2010-08-01 23:02 . 2009-09-11 16:48 -------- d-----w- c:\users\Max\AppData\Roaming\Tific
2010-08-01 22:53 . 2010-05-19 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 22:38 . 2010-05-19 23:45 -------- d-----w- c:\programdata\avg9
2010-07-11 22:05 . 2010-06-14 00:43 1356 ----a-w- c:\users\Ann\AppData\Local\d3d9caps.dat
2010-07-11 19:51 . 2010-06-20 19:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-11 15:58 . 2010-06-15 16:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-11 04:40 . 2010-05-09 03:55 -------- d-----w- c:\programdata\CanonIJPLM
2010-07-07 19:33 . 2010-05-27 16:48 -------- d-----w- c:\programdata\PC Tools
2010-07-01 16:25 . 2009-08-09 20:29 -------- d-----w- c:\program files\iTunes
2010-07-01 16:24 . 2010-07-01 16:24 -------- d-----w- c:\program files\iPod
2010-07-01 16:24 . 2009-08-09 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-07-01 16:18 . 2010-07-01 16:18 -------- d-----w- c:\program files\Bonjour
2010-07-01 16:14 . 2010-07-01 16:14 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-29 00:20 . 2010-06-29 00:00 79367 ----a-w- c:\users\Ann\AppData\Roaming\Google\Google Talk\uninstall.exe
2010-06-28 23:47 . 2009-08-08 22:35 -------- d-----w- c:\program files\Microsoft.NET
2010-06-28 23:47 . 2010-06-28 23:47 -------- d-----w- c:\program files\MSECache
2010-06-20 18:30 . 2010-06-20 18:21 680 ----a-w- c:\users\Max\AppData\Local\d3d9caps.dat
2010-06-20 16:34 . 2010-06-20 16:34 -------- d-----w- c:\users\Max\AppData\Roaming\Malwarebytes
2010-06-15 16:12 . 2010-06-15 16:12 -------- d-----w- c:\programdata\Hitman Pro
2010-06-15 16:12 . 2010-06-15 16:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-15 14:48 . 2010-06-15 14:48 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-15 14:40 . 2009-08-09 02:40 -------- d-----w- c:\program files\Java
2010-06-14 03:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-07 21:10 . 2010-06-07 21:10 -------- d--h--w- c:\programdata\CanonIJEPPEX
2010-06-05 22:44 . 2009-11-22 23:54 -------- d-----w- c:\program files\Canon
2010-06-05 22:40 . 2010-06-05 22:40 -------- d--h--w- c:\programdata\CanonIJSolutionMenu
2010-06-05 22:26 . 2010-06-05 22:26 -------- d--h--w- c:\programdata\CanonBJ
2010-06-05 22:19 . 2010-06-05 22:19 -------- d--h--w- c:\program files\CanonBJ
2010-06-05 22:12 . 2010-06-05 22:12 -------- d--h--w- c:\programdata\CanonIJMyPrinter
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
2010-05-27 04:36 . 2010-05-27 04:36 26192 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Iconlights.ico.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.C76E2E86_AE54_4AF5_997C_63EBB83C7651.exe
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\ARPICON.80486C74_ABED_4227_AF5C_9B1791CFA89C.exe
2010-05-26 17:06 . 2010-06-12 04:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-12 04:00 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2010-05-02 01:45 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-19 19:15 . 2010-05-09 03:15 75 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
2010-05-19 17:53 . 2010-05-19 17:53 70 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2010-05-19 17:42 . 2010-05-19 17:42 49 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fan.drv
2010-05-19 03:20 . 2010-05-09 03:15 37 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2010-05-19 03:04 . 2010-05-09 03:15 44 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.exe
2010-05-19 02:52 . 2010-05-19 02:52 76 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
2010-05-19 02:42 . 2010-05-19 02:42 75 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys
2010-05-19 02:16 . 2010-05-19 02:16 33 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\runddl.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-18 02:55 . 2010-05-10 16:37 19 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2010-05-17 16:31 . 2010-05-09 21:06 28 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2010-05-13 22:51 . 2010-05-13 22:51 18 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
2010-05-13 00:13 . 2010-05-13 00:13 42 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
2010-05-12 23:03 . 2010-02-10 17:49 546 ----a-w- c:\users\Ann\AppData\Roaming\wklnhst.dat
2010-05-12 22:33 . 2010-05-12 22:33 64 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fan.dll
2010-05-12 14:55 . 2010-05-09 20:55 70 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
2010-05-11 14:23 . 2010-05-11 14:23 35 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-05-09 17:35 . 2010-05-09 17:35 65 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.exe
2010-05-09 17:13 . 2010-05-09 17:13 68 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
2010-05-09 03:16 . 2010-05-09 03:16 53 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
2010-05-09 03:16 . 2010-05-09 03:16 43 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\FW.exe
2010-05-09 03:16 . 2010-05-09 03:16 27 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
2010-05-09 03:16 . 2010-05-09 03:16 20 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2010-05-09 03:16 . 2010-05-09 03:15 66 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
2010-05-09 03:16 . 2010-05-09 03:16 8 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
2010-05-09 03:15 . 2010-05-09 03:15 78 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\SM.sys
2010-05-09 03:15 . 2010-05-09 03:15 52 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
2010-05-09 03:15 . 2010-05-09 03:15 20 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
2010-05-09 03:15 . 2010-05-09 03:15 77 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\dudl.dll
2010-05-09 03:15 . 2010-05-09 03:15 15 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
2010-05-04 05:59 . 2010-06-12 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-12 04:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-12 04:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-12 04:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-21 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-21 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-21 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2009-8-8 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0a,6d,cc,42,b8,6b,ca,01

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 Normandy;Normandy SR2; [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1697937236-678893017-2631260783-1001Core.job
- c:\users\Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-11 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
HKCU-Run-CyberDefender Early Detection Center - c:\users\Max\AppData\Local\CyberDefender Internet Security\AntiSpyware\cdaseef0.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 18:42
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-01 18:46:06
ComboFix-quarantined-files.txt 2010-08-01 23:46

Pre-Run: 188,623,654,912 bytes free
Post-Run: 188,701,609,984 bytes free

- - End Of File - - F7189A0573C5A59B284AE9C325A5B64A




#8 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 03 August 2010 - 03:10 AM

Hello, zipxam.
This should fix your Norton entries. Also, what problems are you having with your system?
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    SecCenter::
    {E10A9785-9598-4754-B552-92431C1C35F8}
    {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"=-
    "GrpConv"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt
  • Fresh RSIT log.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
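Added example, not ComboFix's or the helper's own code: a small Python parser for the CFScript format used in the post above, covering only the two directives that appear there (SecCenter:: with Security Center registration GUIDs, and Registry:: in .reg-file syntax, where `"Name"=-` deletes the named value). It lets a reviewer see what a script will do, and flags a cleanup script that would add autostart values instead of removing them; the embedded sample is the script from the post.

```python
"""Parse and review a ComboFix CFScript of the shape used in the post above.

Added example, not ComboFix's or the helper's code. Only SecCenter:: and
Registry:: are understood; anything else is reported, never guessed at.
"""
import re
from dataclasses import dataclass, field

# {8-4-4-4-12} hex GUID, as ComboFix prints Security Center registrations
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# [HKEY_...\path] key header in .reg syntax
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_USERS|HKEY_CLASSES_ROOT)\\.+\]$")
# "Name"=data in .reg syntax; data of "-" deletes the value, anything else sets it
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
# Key fragments where a removal script should only ever delete, never write
AUTOSTART_HINTS = ("\\Run", "\\RunOnce", "\\Winlogon", "\\Services")

@dataclass
class RegistryAction:
    key: str
    value_name: str
    action: str          # "delete" or "set"
    data: str = ""

@dataclass
class CFScript:
    security_center: list = field(default_factory=list)   # GUIDs to unregister
    registry: list = field(default_factory=list)          # RegistryAction items
    problems: list = field(default_factory=list)          # lines we could not accept

def parse_cfscript(text: str) -> CFScript:
    """Walk the script line by line, tracking the current section and [key]."""
    script = CFScript()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # new directive section
            section = line[:-2]
            current_key = None
            if section not in ("SecCenter", "Registry"):
                script.problems.append(f"line {lineno}: unknown section {section!r}")
            continue
        if section == "SecCenter":
            if GUID_RE.match(line):
                script.security_center.append(line.upper())
            else:
                script.problems.append(f"line {lineno}: not a GUID: {line!r}")
        elif section == "Registry":
            if KEY_RE.match(line):
                current_key = line[1:-1]
            elif (m := VALUE_RE.match(line)):
                if current_key is None:
                    script.problems.append(f"line {lineno}: value before any [key]")
                    continue
                name, data = m.group(1), m.group(2)
                action = "delete" if data == "-" else "set"
                script.registry.append(RegistryAction(current_key, name, action, data))
            else:
                script.problems.append(f"line {lineno}: unparsed registry line {line!r}")
        else:
            script.problems.append(f"line {lineno}: text outside any section: {line!r}")
    return script

def summarize(script: CFScript) -> dict:
    """Counts a helper can eyeball before sending the script to a user."""
    return {
        "seccenter_removals": len(script.security_center),
        "registry_deletes": sum(1 for a in script.registry if a.action == "delete"),
        "registry_sets": sum(1 for a in script.registry if a.action == "set"),
        "problems": list(script.problems),
    }

def review(script: CFScript) -> list:
    """Warnings: a removal script that *writes* autostart values deserves a second look."""
    warnings = []
    for a in script.registry:
        if a.action == "set" and any(h.lower() in a.key.lower() for h in AUTOSTART_HINTS):
            warnings.append(f"sets autostart value {a.value_name!r} under {a.key}")
    if not script.security_center and not script.registry:
        warnings.append("script has no actions")
    return warnings + list(script.problems)

# The script from the post above, verbatim (raw string keeps the backslashes)
SAMPLE_CFSCRIPT = r"""
SecCenter::
{E10A9785-9598-4754-B552-92431C1C35F8}
{7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
{CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
"GrpConv"=-
"""
```

`summarize(parse_cfscript(SAMPLE_CFSCRIPT))` reports three Security Center removals, two value deletions and no problems, which matches what the helper describes the script doing.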


#9 zipxam

  • Topic Starter

  • Members
  • 10 posts

Posted 05 August 2010 - 02:54 PM

See how these look:

Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modMain_FixUNIXHostsFile()
Error #75 - Path/File access error

Windows version: Windows NT 6.00.1906
MSIE version: 8.0.6001.18928
HijackThis version: 2.0.4

----
Logfile of random's system information tool 1.08 (written by random/random)
Run by Max at 2010-08-05 14:47:36
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 179 GB (77%) free of 232 GB
Total RAM: 894 MB (31% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:47:56 PM, on 8/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Max\Desktop\RSIT.exe
C:\Program Files\trend micro\Max.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy-WebPrint EX BHO - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: HP Connections.lnk = C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 5720 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1697937236-678893017-2631260783-1001Core.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27 441408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3785D0AD-BFFF-47F6-BF5B-A587C162FED9}]
Canon Easy-WebPrint EX BHO - C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2009-11-25 202080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-06-15 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-27 441408]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]
{759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - Canon Easy-WebPrint EX - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2009-11-25 1496408]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"hpsysdrv"=c:\hp\support\hpsysdrv.exe [2006-09-28 65536]
"KBD"=C:\HP\KBD\KBD.EXE [2005-02-02 61440]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-09 3784704]
"HP Software Update"=c:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-11-21 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-11-21 7753728]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-11-21 81920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2009-03-23 1983816]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2009-03-17 767312]
"IJNetworkScanUtility"=C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [2009-05-19 136544]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-06-15 141624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
""= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [2005-02-16 221184]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
HP Connections.lnk - C:\Program Files\HP Connections\6811507\Program\HP Connections.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=2
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=0
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-08-05 14:43:24 ----D---- C:\Windows\temp
2010-08-05 14:43:23 ----A---- C:\ComboFix.txt
2010-08-05 14:42:54 ----SHD---- C:\$RECYCLE.BIN
2010-08-05 14:30:13 ----A---- C:\Windows\NIRCMD.exe
2010-08-05 14:29:46 ----A---- C:\Windows\SWXCACLS.exe
2010-08-05 14:29:45 ----D---- C:\32788R22FWJFW
2010-08-01 18:31:38 ----A---- C:\Windows\zip.exe
2010-08-01 18:31:38 ----A---- C:\Windows\SWSC.exe
2010-08-01 18:31:38 ----A---- C:\Windows\SWREG.exe
2010-08-01 18:31:38 ----A---- C:\Windows\sed.exe
2010-08-01 18:31:38 ----A---- C:\Windows\PEV.exe
2010-08-01 18:31:38 ----A---- C:\Windows\MBR.exe
2010-08-01 18:31:38 ----A---- C:\Windows\grep.exe
2010-08-01 18:31:27 ----D---- C:\Windows\ERDNT
2010-08-01 18:29:50 ----D---- C:\Users\Max\AppData\Roaming\URSoft
2010-08-01 18:29:47 ----D---- C:\Program Files\Your Uninstaller 2010
2010-08-01 18:18:58 ----A---- C:\Windows\ntbtlog.txt
2010-08-01 18:04:07 ----D---- C:\Program Files\VS Revo Group
2010-08-01 17:57:59 ----D---- C:\Qoobox
2010-07-26 18:03:21 ----A---- C:\Windows\system32\drivers\Normandy.sys
2010-07-26 17:57:21 ----D---- C:\rsit
2010-07-26 17:57:21 ----D---- C:\Program Files\trend micro
2010-07-11 15:51:50 ----HDC---- C:\ProgramData\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-08 11:28:54 ----D---- C:\Program Files\Safe Returner
2010-07-08 09:16:32 ----D---- C:\Config.Msi
2010-07-07 10:30:05 ----AD---- C:\ProgramData\TEMP

======List of files/folders modified in the last 1 months======

2010-08-05 14:43:25 ----D---- C:\Windows\system32\drivers
2010-08-05 14:43:24 ----D---- C:\Windows
2010-08-05 14:40:56 ----A---- C:\Windows\system.ini
2010-08-05 14:38:37 ----D---- C:\Windows\System32
2010-08-05 14:38:37 ----D---- C:\Windows\AppPatch
2010-08-05 14:38:37 ----D---- C:\Program Files\Common Files
2010-08-05 14:09:34 ----D---- C:\ProgramData\CanonIJPLM
2010-08-05 14:09:16 ----D---- C:\Windows\Prefetch
2010-08-05 13:56:06 ----SHD---- C:\System Volume Information
2010-08-05 13:55:39 ----D---- C:\Windows\system32\catroot
2010-08-05 13:55:35 ----D---- C:\Windows\winsxs
2010-08-05 13:48:52 ----D---- C:\Windows\Microsoft.NET
2010-08-01 18:45:30 ----D---- C:\Windows\Tasks
2010-08-01 18:29:47 ----RD---- C:\Program Files
2010-08-01 18:13:09 ----D---- C:\Windows\system32\catroot2
2010-08-01 18:12:30 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-08-01 18:12:29 ----D---- C:\Windows\Minidump
2010-08-01 18:02:22 ----D---- C:\Users\Max\AppData\Roaming\Tific
2010-08-01 17:53:01 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-08-01 17:38:40 ----D---- C:\ProgramData\avg9
2010-08-01 17:38:39 ----D---- C:\ProgramData
2010-07-17 15:06:37 ----D---- C:\Windows\system32\drivers\etc
2010-07-11 14:51:26 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-07-11 10:37:37 ----D---- C:\Windows\Spybot - Search & Destroy
2010-07-10 23:44:20 ----D---- C:\Windows\system32\Tasks
2010-07-08 09:17:59 ----SHD---- C:\Windows\Installer
2010-07-07 14:33:45 ----D---- C:\ProgramData\PC Tools

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2006-07-24 36528]
R3 catchme;catchme; \??\C:\Users\Max\AppData\Local\Temp\catchme.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2010-01-11 26600]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista; C:\Windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-05-04 1065384]
R3 Ps2;PS2; C:\Windows\system32\DRIVERS\PS2.sys [2005-12-12 19072]
S0 TfFsMon;TfFsMon; C:\Windows\system32\drivers\TfFsMon.sys []
S0 TfSysMon;TfSysMon; C:\Windows\system32\drivers\TfSysMon.sys []
S2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
S2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 8704]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DP;HSF_DP; C:\Windows\system32\DRIVERS\HSX_DP.sys [2008-05-08 980992]
S3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2008-05-08 266752]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2006-11-08 1647976]
S3 mbr;mbr; \??\C:\Users\Max\AppData\Local\Temp\mbr.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 Normandy;Normandy SR2; C:\Windows\system32\drivers\Normandy.sys [2010-08-01 34560]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-11-21 4454400]
S3 TfNetMon;TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys []
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2008-05-08 661504]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WSDPrintDevice;WSD Print Support via UMB; C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S3 WSDScan;WSD Scan Support via UMB; C:\Windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
S2 IJPLMSVC;Canon Inkjet Printer/Scanner/Fax Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2009-02-10 116104]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
S2 SBSDWSCService;SBSD Security Center Service; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-08-07 386560]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-06-15 540472]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 stllssvr;stllssvr; c:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-11-01 78752]

-----------------EOF-----------------


#10 zipxam (Topic Starter; Members, 10 posts)

Posted 05 August 2010 - 02:57 PM

I think it left out the ComboFix log, check it here:

ComboFix 10-08-05.01 - Max 08/05/2010 14:32:25.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.496 [GMT -5:00]
Running from: c:\users\Max\Desktop\ComboFix.exe
Command switches used :: c:\users\Max\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 19:40 . 2010-08-05 19:40 -------- d-----w- c:\users\Max\AppData\Local\temp
2010-08-05 19:40 . 2010-08-05 19:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-05 19:40 . 2010-08-05 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-05 19:40 . 2010-08-05 19:40 -------- d-----w- c:\users\Ann\AppData\Local\temp
2010-08-05 19:29 . 2010-08-05 19:30 -------- d-----w- C:\32788R22FWJFW
2010-08-01 23:29 . 2010-08-01 23:29 -------- d-----w- c:\users\Max\AppData\Roaming\URSoft
2010-08-01 23:29 . 2010-08-01 23:29 -------- d-----w- c:\program files\Your Uninstaller 2010
2010-08-01 23:04 . 2010-08-01 23:04 -------- d-----w- c:\program files\VS Revo Group
2010-07-26 23:03 . 2010-08-01 20:50 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-07-26 22:57 . 2010-07-26 22:58 -------- d-----w- C:\rsit
2010-07-26 22:57 . 2010-07-26 22:58 -------- d-----w- c:\program files\trend micro
2010-07-11 20:51 . 2010-07-11 20:51 -------- dc-h--w- c:\programdata\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-11 19:31 . 2010-07-11 19:31 -------- d-----w- c:\users\Ann\AppData\Local\Deployment
2010-07-11 19:31 . 2010-07-11 19:31 -------- d-----w- c:\users\Ann\AppData\Local\Apps
2010-07-11 17:16 . 2010-07-11 17:16 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-07-08 16:28 . 2010-07-08 16:28 -------- d-----w- c:\users\Ann\AppData\Roaming\SafeReturner
2010-07-08 16:28 . 2010-07-08 13:50 1507328 ----a-w- c:\users\Ann\AppData\Roaming\SafeReturner\SrScan.dll
2010-07-08 16:28 . 2010-07-08 16:35 -------- d-----w- c:\program files\Safe Returner
2010-07-07 04:17 . 2010-07-07 04:17 -------- d-----w- c:\users\Ann\AppData\Local\MigWiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 19:09 . 2010-05-09 03:55 -------- d-----w- c:\programdata\CanonIJPLM
2010-08-01 23:12 . 2010-06-20 19:02 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-01 23:02 . 2009-09-11 16:48 -------- d-----w- c:\users\Max\AppData\Roaming\Tific
2010-08-01 22:53 . 2010-05-19 23:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-01 22:38 . 2010-05-19 23:45 -------- d-----w- c:\programdata\avg9
2010-07-11 22:05 . 2010-06-14 00:43 1356 ----a-w- c:\users\Ann\AppData\Local\d3d9caps.dat
2010-07-11 19:51 . 2010-06-20 19:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-11 15:58 . 2010-06-15 16:13 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-07 19:33 . 2010-05-27 16:48 -------- d-----w- c:\programdata\PC Tools
2010-07-01 16:25 . 2009-08-09 20:29 -------- d-----w- c:\program files\iTunes
2010-07-01 16:24 . 2010-07-01 16:24 -------- d-----w- c:\program files\iPod
2010-07-01 16:24 . 2009-08-09 20:22 -------- d-----w- c:\program files\Common Files\Apple
2010-07-01 16:18 . 2010-07-01 16:18 -------- d-----w- c:\program files\Bonjour
2010-07-01 16:14 . 2010-07-01 16:14 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-29 00:20 . 2010-06-29 00:00 79367 ----a-w- c:\users\Ann\AppData\Roaming\Google\Google Talk\uninstall.exe
2010-06-28 23:47 . 2009-08-08 22:35 -------- d-----w- c:\program files\Microsoft.NET
2010-06-28 23:47 . 2010-06-28 23:47 -------- d-----w- c:\program files\MSECache
2010-06-20 18:30 . 2010-06-20 18:21 680 ----a-w- c:\users\Max\AppData\Local\d3d9caps.dat
2010-06-20 16:34 . 2010-06-20 16:34 -------- d-----w- c:\users\Max\AppData\Roaming\Malwarebytes
2010-06-15 16:12 . 2010-06-15 16:12 -------- d-----w- c:\programdata\Hitman Pro
2010-06-15 16:12 . 2010-06-15 16:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-15 14:48 . 2010-06-15 14:48 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-15 14:40 . 2009-08-09 02:40 -------- d-----w- c:\program files\Java
2010-06-14 03:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-07 21:10 . 2010-06-07 21:10 -------- d--h--w- c:\programdata\CanonIJEPPEX
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
2010-05-27 04:36 . 2010-05-27 04:36 26192 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Iconlights.ico.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\Icon80951CEC.exe.C76E2E86_AE54_4AF5_997C_63EBB83C7651.exe
2010-05-27 04:36 . 2010-05-27 04:36 38480 ----a-r- c:\users\Max\AppData\Roaming\Microsoft\Installer\{C49067A8-8212-4A82-A4D9-1519701644F0}\ARPICON.80486C74_ABED_4227_AF5C_9B1791CFA89C.exe
2010-05-26 17:06 . 2010-06-12 04:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-12 04:00 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2010-05-02 01:45 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-19 19:15 . 2010-05-09 03:15 75 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
2010-05-19 17:53 . 2010-05-19 17:53 70 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
2010-05-19 17:42 . 2010-05-19 17:42 49 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fan.drv
2010-05-19 03:20 . 2010-05-09 03:15 37 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
2010-05-19 03:04 . 2010-05-09 03:15 44 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.exe
2010-05-19 02:52 . 2010-05-19 02:52 76 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
2010-05-19 02:42 . 2010-05-19 02:42 75 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys
2010-05-19 02:16 . 2010-05-19 02:16 33 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\runddl.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-18 02:55 . 2010-05-10 16:37 19 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
2010-05-17 16:31 . 2010-05-09 21:06 28 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2010-05-13 22:51 . 2010-05-13 22:51 18 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
2010-05-13 00:13 . 2010-05-13 00:13 42 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
2010-05-12 23:03 . 2010-02-10 17:49 546 ----a-w- c:\users\Ann\AppData\Roaming\wklnhst.dat
2010-05-12 22:33 . 2010-05-12 22:33 64 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fan.dll
2010-05-12 14:55 . 2010-05-09 20:55 70 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.exe
2010-05-11 14:23 . 2010-05-11 14:23 35 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-05-09 17:35 . 2010-05-09 17:35 65 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.exe
2010-05-09 17:13 . 2010-05-09 17:13 68 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
2010-05-09 03:16 . 2010-05-09 03:16 53 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
2010-05-09 03:16 . 2010-05-09 03:16 43 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\FW.exe
2010-05-09 03:16 . 2010-05-09 03:16 27 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
2010-05-09 03:16 . 2010-05-09 03:16 20 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2010-05-09 03:16 . 2010-05-09 03:15 66 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
2010-05-09 03:16 . 2010-05-09 03:16 8 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
2010-05-09 03:15 . 2010-05-09 03:15 78 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\SM.sys
2010-05-09 03:15 . 2010-05-09 03:15 52 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
2010-05-09 03:15 . 2010-05-09 03:15 20 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
2010-05-09 03:15 . 2010-05-09 03:15 77 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\dudl.dll
2010-05-09 03:15 . 2010-05-09 03:15 15 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-21 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-21 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-21 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2009-8-8 34520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0a,6d,cc,42,b8,6b,ca,01

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 Normandy;Normandy SR2; [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-04-11 19968]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-08-15 552448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1697937236-678893017-2631260783-1001Core.job
- c:\users\Ann\AppData\Local\Google\Update\GoogleUpdate.exe [2010-07-11 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-05 14:40
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-05 14:43:22
ComboFix-quarantined-files.txt 2010-08-05 19:43
ComboFix2.txt 2010-08-01 23:46

Pre-Run: 187,854,049,280 bytes free
Post-Run: 187,795,988,480 bytes free

- - End Of File - - 430E53746CBA08D296A6E3D847266077
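The RSIT log in the previous post and the ComboFix log above use slightly different notations for the same fact: RSIT prints `[]` and ComboFix prints `[x]` after a driver or service whose image file is not on disk, and ComboFix's file listings carry a byte size that makes the cluster of 8- to 79-byte `.exe`/`.sys`/`.dll`/`.drv` files under `Recent` stand out. The script below is an added example for this thread, not code from the original posts nor from RSIT, ComboFix or Malwarebytes. It parses lines in both formats and flags three things: an image that is missing on disk, a kernel driver image under a user's `Local\Temp`, and a tiny file with an executable extension inside a user profile. Those three heuristics are the editor's own assumptions about what deserves a second look, not detections either tool makes; the sample lines are copied from the logs posted in this thread. Note that leftover entries from tools that were since removed trip the "missing on disk" check just as readily as anything malicious, which is why the helper in this thread asked for only one file (Normandy.sys) to be scanned rather than every flagged entry.

```python
"""Triage driver/service and file-listing lines from RSIT and ComboFix logs.

Added example for this thread; it is not part of the original posts and is
not code from RSIT, ComboFix or Malwarebytes. The sample lines are copied
from the logs posted above. The three heuristics are the editor's own
assumptions about what deserves a second look, not detections made by
either tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RSIT:     R3 catchme;catchme; \??\C:\Users\Max\AppData\Local\Temp\catchme.sys []
# ComboFix: R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
#           R3 Normandy;Normandy SR2; [x]
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
# ComboFix "Files Created" / Find3M line:
# 2010-05-19 02:16 . 2010-05-19 02:16 33 ----a-w- c:\users\Ann\...\Recent\runddl.dll
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\", re.I)
EXEC_EXT = (".exe", ".dll", ".sys", ".drv")
TINY_BYTES = 1024  # assumption: no real PE image is this small


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def check_driver(line: str) -> Optional[Finding]:
    """Flag driver/service entries whose image is missing or sits in a user temp dir."""
    m = DRIVER_RE.match(line)
    if not m:
        return None
    path, meta = m["path"].strip(), m["meta"].strip()
    reasons = []
    # RSIT prints "[]" and ComboFix "[x]" when the image file is not on disk;
    # a registered driver with no file is either a leftover or something hiding.
    if meta in ("", "x") or not path:
        reasons.append("image file not found on disk")
    if USER_TEMP_RE.search(path):
        reasons.append("kernel driver image under a user's Local\\Temp")
    return Finding(line, reasons) if reasons else None


def check_file(line: str) -> Optional[Finding]:
    """Flag tiny files with executable extensions under a user profile."""
    m = FILE_RE.match(line)
    if not m or not m["size"].isdigit():  # directories show "--------" as size
        return None
    size, path = int(m["size"]), m["path"]
    if size < TINY_BYTES and path.lower().endswith(EXEC_EXT) and USER_PROFILE_RE.search(path):
        return Finding(line, [f"{size}-byte file with an executable extension under a user profile"])
    return None


def triage(lines) -> List[Finding]:
    """Run both checks over every line and collect the entries worth a second look."""
    findings = []
    for raw in lines:
        f = check_driver(raw.strip()) or check_file(raw.strip())
        if f:
            findings.append(f)
    return findings


# Lines copied from the RSIT and ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
R0 PxHelp20;PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [2006-07-24 36528]
R3 catchme;catchme; \??\C:\Users\Max\AppData\Local\Temp\catchme.sys []
S0 TfFsMon;TfFsMon; C:\Windows\system32\drivers\TfFsMon.sys []
S3 Normandy;Normandy SR2; C:\Windows\system32\drivers\Normandy.sys [2010-08-01 34560]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R3 Normandy;Normandy SR2; [x]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
2010-07-26 23:03 . 2010-08-01 20:50 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-05-19 02:16 . 2010-05-19 02:16 33 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\runddl.dll
2010-05-11 14:23 . 2010-05-11 14:23 35 ----a-w- c:\users\Ann\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it reports six entries: the two `[]`/`[x]` TfFsMon lines, the ComboFix `Normandy` entry with no path, `catchme.sys` (missing and in `Local\Temp`), and the two tiny `Recent` files. The Normandy.sys line from RSIT, which has a path and a size, is not flagged, which is the point: a registered driver with a real file on disk is exactly the case that needs a scanner verdict rather than a log heuristic.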


#11 aommaster ("I !<3 malware"; Malware Response Team, 5,289 posts; Dubai)

Posted 06 August 2010 - 12:36 AM

Hello, zipxam.
Have you run anything since we last ran a fix? I can see a large number of files that have been run.
We need to run a Jotti scan.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  1. Go to the Jotti website
  2. When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    c:\windows\system32\drivers\Normandy.sys

  3. Please post back the results of the scan in your next post.
**Note: If Jotti is busy, try the same at Virustotal.
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it.


NEXT:

We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • Jotti Log(s)
  • MBAM Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 aommaster ("I !<3 malware"; Malware Response Team, 5,289 posts; Dubai)

Posted 08 August 2010 - 11:36 PM

Hello zipxam
Are you still with us?



#13 zipxam (Topic Starter; Members, 10 posts)

Posted 09 August 2010 - 09:32 AM

Yes, give me until later on this week to get back to that computer. It's not mine and it's a bit of a drive from where I live.

Also, the only thing I have run since we started is the registry to delete Symantec as I mentioned above and I am doing all of this under 'Safe Mode with Networking' so I have access to the forums here to see each step. Could this be interfering with the fixes?

Thanks!

#14 aommaster ("I !<3 malware"; Malware Response Team, 5,289 posts; Dubai)

Posted 09 August 2010 - 10:34 AM

Hi!

Nope, that should be fine :)



#15 zipxam (Topic Starter; Members, 10 posts)

Posted 12 August 2010 - 05:46 PM

Jotti found nothing.

Malwarebytes Log:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4423

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928

8/12/2010 5:22:37 PM
mbam-log-2010-08-12 (17-22-37).txt

Scan type: Quick scan
Objects scanned: 140979
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




