
Exploit Phoenix Exploit (type 1112)?


  • This topic is locked
64 replies to this topic

#1 lognom

lognom

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 02 August 2010 - 12:30 PM

Dear Sirs,
Last week the infection began by diverting my google or bing searches to websites other than those listed. For example, if I searched for "adjustable wrenches" and I clicked on one of the companies listed as sellers, my computer would be directed to another website. When I ran scans with SuperAntiSpyware and Malwarebytes, both pulled up scads of infections which I then removed. But the next day, both programs would find many more. When I ran scans, AVG warnings (or what looked like legitimate AVG warnings) would sometimes pop up, mentioning infection by Exploit Phoenix Exploit (type 1112). Eventually the problem grew and the infection seized control of my computer such that I couldn't open any programs.
I took the computer to a shop and they seemed to have removed the problem, but today the misdirection of searches has begun again. Apparently, the shop didn't completely remove the problem. In addition, I again can't open up any programs in normal mode, but I can enter Safe Mode with Editing and open programs up.
I've posted my dds.txt below.

Regards

P.S.: I've edited this post to mention that I ran TDSSKiller, but it didn't find anything.


DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 9:07:13.50 on Mon 08/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.475 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\Virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - hpWebHelper Class
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1.you\applic~1\mozilla\firefox\profiles\8in56n7f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\mozilla\firefox\profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\hp_administrator.your-4dacd0ea75\application data\mozilla\firefox\profiles\8in56n7f.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Adobe Flash Plugin: No Registry Reference - c:\program files\mozilla firefox\extensions\{1CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-14 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-14 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-9-29 14424]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S4 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]

=============== Created Last 30 ================

2010-08-02 16:03:13 20 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\defogger_reenable
2010-07-31 20:42:36 42459072 ----a-w- c:\program files\AdbeRdr933_en_US.exe
2010-07-31 20:37:22 0 d-----w- c:\docume~1\hp_adm~1.you\applic~1\Windows Search
2010-07-31 19:50:08 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-07-31 19:41:25 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2010-07-31 19:36:23 2842624 -c----w- c:\windows\system32\dllcache\msi.dll
2010-07-31 19:32:29 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2010-07-31 19:32:29 57344 ------w- c:\windows\system32\uexfat.dll
2010-07-31 19:32:29 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2010-07-31 19:32:29 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2010-07-31 19:32:29 133632 ------w- c:\windows\system32\drivers\exfat.sys
2010-07-31 19:28:18 330752 -c----w- c:\windows\system32\dllcache\ipnathlp.dll
2010-07-31 19:27:32 9696 -c----w- c:\windows\system32\dllcache\drvmain.sdb
2010-07-31 19:27:32 790846 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2010-07-31 19:23:01 92672 -c----w- c:\windows\system32\dllcache\policman.dll
2010-07-31 19:23:01 68096 -c----w- c:\windows\system32\dllcache\ntdsapi.dll
2010-07-31 19:23:01 199680 -c----w- c:\windows\system32\dllcache\gptext.dll
2010-07-31 19:23:01 175104 -c----w- c:\windows\system32\dllcache\w32time.dll
2010-07-31 19:23:01 113152 -c----w- c:\windows\system32\dllcache\dsuiext.dll
2010-07-31 19:23:00 68096 -c----w- c:\windows\system32\dllcache\adsmsext.dll
2010-07-31 19:23:00 407040 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-07-31 19:22:13 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-07-31 19:22:12 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-07-31 19:22:12 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-07-31 19:22:12 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-07-31 19:22:12 317952 ------w- c:\windows\system32\imapi2.dll
2010-07-31 19:16:24 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-07-31 19:16:24 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-07-31 17:46:35 0 d-----w- c:\program files\UPHClean
2010-07-31 17:40:15 0 d-----w- c:\program files\VS Revo Group
2010-07-31 17:39:31 0 d-----w- c:\program files\Defraggler
2010-07-31 07:59:37 0 d-----w- c:\windows\system32\winrm
2010-07-31 07:59:34 0 dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-31 07:55:24 0 d-----w- c:\program files\LSI SoftModem
2010-07-31 07:54:31 0 d-----w- c:\docume~1\hp_adm~1.you\applic~1\Windows Desktop Search
2010-07-31 07:53:58 0 d-----w- c:\program files\Windows Desktop Search
2010-07-31 07:53:03 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-31 07:53:03 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-31 07:53:03 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-31 07:50:02 726528 ------w- c:\windows\system32\SET16B.tmp
2010-07-31 06:20:38 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-31 06:20:38 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-31 06:20:38 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-31 06:20:37 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-31 06:20:37 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-31 06:20:36 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-31 06:20:35 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-31 06:20:18 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-31 04:09:26 0 d-----w- c:\windows\nview
2010-07-31 02:40:42 3903 ----a-w- c:\windows\system32\nvnrm.nvu
2010-07-31 02:40:42 176128 ----a-w- c:\windows\system32\nvunrm.exe
2010-07-31 02:40:42 101888 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2010-07-31 02:30:39 0 d-----w- c:\program files\Realtek
2010-07-31 02:30:32 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-07-31 02:20:29 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-31 02:20:26 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-31 02:20:26 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-31 02:20:26 0 ----a-w- c:\windows\system32\nvdrswr.lk
2010-07-31 02:19:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-31 02:18:57 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-31 02:18:50 0 d-----w- C:\NVIDIA
2010-07-31 00:14:55 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-07-31 00:14:55 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-07-31 00:13:27 19569 ----a-w- c:\windows\003486_.tmp
2010-07-30 23:41:23 0 d-----w- c:\program files\NVIDIA Corporation
2010-07-30 23:23:56 353792 -c----w- c:\windows\system32\dllcache\srv.sys
2010-07-30 23:23:52 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-30 23:22:58 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-07-30 23:21:59 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-30 23:19:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-30 23:15:35 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-07-30 23:15:26 604776 ----a-w- c:\windows\system32\nvuninst.exe
2010-07-30 23:15:24 0 d-----w- c:\program files\NVIDIA Corporation-nv26351
2010-07-30 23:03:36 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-07-30 22:52:18 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-07-30 22:37:03 1374 ----a-w- c:\windows\system32\wpa.bak
2010-07-30 21:52:07 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-30 21:50:52 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-07-30 21:49:59 66082 -c--a-w- c:\windows\system32\dllcache\c_20285.nls
2010-07-30 21:48:57 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-30 21:48:02 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-07-30 21:47:56 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-07-30 21:47:56 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-07-30 21:47:56 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-07-30 21:47:56 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-07-30 21:47:56 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-07-30 21:47:38 0 d-----w- c:\program files\Online Services
2010-07-30 21:47:29 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-07-30 21:47:26 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-07-30 21:47:26 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-07-30 21:47:26 10240 -c--a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-07-30 21:47:25 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-07-30 21:47:25 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-07-30 21:35:08 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-07-30 21:35:05 55296 ----a-w- c:\windows\system32\SET181.tmp
2010-07-30 21:35:05 23552 ----a-w- c:\windows\system32\SET184.tmp
2010-07-30 18:26:07 0 d-----w- c:\program files\WinMend
2010-07-30 07:37:59 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 07:01:43 0 ----a-w- c:\documents and settings\hp_administrator.your-4dacd0ea75\settings.dat
2010-07-30 04:52:07 0 d-sha-r- C:\cmdcons
2010-07-30 04:49:04 98816 ----a-w- c:\windows\sed.exe
2010-07-30 04:49:04 77312 ----a-w- c:\windows\MBR.exe
2010-07-30 04:49:04 256512 ----a-w- c:\windows\PEV.exe
2010-07-30 04:49:04 161792 ----a-w- c:\windows\SWREG.exe
2010-07-30 04:41:57 173 ----a-w- c:\windows\system32\MRT.INI
2010-07-30 04:37:58 929 ----a-r- c:\windows\system32\drivers\ativcaxx.vp
2010-07-30 04:37:58 58560 ----a-r- c:\windows\system32\drivers\ativckxx.vp
2010-07-30 04:37:58 31696 ----a-r- c:\windows\system32\drivers\ativvpxx.vp
2010-07-30 04:37:58 1114674 ----a-r- c:\windows\system32\drivers\ativcaxx.cpa
2010-07-27 13:52:37 3420304 ----a-w- c:\program files\ccsetup234.exe
2010-07-26 18:30:16 150 ----a-w- C:\zrpt.xml
2010-07-26 18:30:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-26 18:29:48 0 d-----w- c:\docume~1\hp_adm~1.you\applic~1\0F16770CB5F586F86B5862291F1DACB0
2010-07-15 16:41:54 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-08 02:36:36 0 d-----w- c:\program files\MSECache
2010-07-08 02:35:52 3248200 ----a-w- c:\program files\OutlookConnector.exe
2010-07-05 17:53:58 0 d-----w- c:\program files\common files\DivX Shared
2010-07-05 17:51:33 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-07-05 17:51:23 895256 ----a-w- c:\program files\DivXInstaller.exe
2010-07-04 16:29:32 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-07-04 16:28:45 0 d-----w- c:\documents and settings\all users\Microsoft
2010-07-04 16:18:46 0 d-----w- c:\program files\Microsoft Analysis Services
2010-07-04 16:08:46 0 d-----w- c:\program files\Office 2010

==================== Find3M ====================

2010-07-31 05:54:39 34764 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-15 16:41:55 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:41:11 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-09 22:38:00 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:38:00 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38:00 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38:00 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38:00 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-07 01:27:06 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-07 01:27:00 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-07-07 01:26:54 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-07-07 01:26:54 6088296 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-07-07 01:26:42 19556968 ----a-w- c:\windows\RTHDCPL.EXE
2010-07-07 01:26:36 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-07-07 01:26:36 2180712 ----a-w- c:\windows\MicCal.exe
2010-07-07 01:26:30 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-06-05 18:21:23 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-30 19:10:39 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-14 05:39:22 4938120 ----a-w- c:\program files\Silverlight.exe
2009-11-08 16:17:39 10381513 ----a-w- c:\program files\avidemux_2.5.1_win32.exe
2007-06-06 14:26:26 32 -csha-w- c:\windows\sminst\HPCD.SYS
2009-11-15 01:52:43 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-11-18 23:51:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110920091116\index.dat
2009-11-18 23:51:02 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009111820091119\index.dat

============= FINISH: 9:07:53.25 ===============


Edited by lognom, 02 August 2010 - 05:07 PM.
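The DDS log above already contains the kind of indicator that explains the redirected searches: Firefox's keyword.URL (the pref that decides where non-URL text typed in the address bar is sent) points at search-star.net in both prefs.js and user.js, a toolbar and a URLSearchHook are registered with no backing file, and a Firefox component DLL (frozen.dll) is loaded from an extension directory under the user's profile rather than from Program Files. The script below is an added example, not a tool posted in this thread or used by the forum's helpers: it runs a few such rules over DDS-style lines. The trusted-host list and the severities are assumptions for illustration, and the sample lines are constructed from entries in the log above (with the profile path shortened).

```python
import re
from urllib.parse import urlparse

# Hosts a stock browser legitimately sends address-bar searches to.
# This list is an assumption for the example; extend it for your own baseline.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.com", "search.yahoo.com", "www.bing.com"}

# Prefs that decide where typed-in (non-URL) text is sent. user.js re-applies
# its values at every startup, so a hijack stored there survives a reset of prefs.js.
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl"}

PREF_RE = re.compile(r"^FF - (prefs|user)\.js: (\S+) - (\S+)")
HOOK_RE = re.compile(r"^(uURLSearchHooks|TB|BHO): (.*)$")
FF_BIN_RE = re.compile(r"^FF - (?:component|plugin): (.*\.dll)$", re.I)


def host_of(value):
    """Hostname of a DDS-style value; DDS writes hxxp:// so links are not clickable."""
    url = re.sub(r"^hxxp", "http", value, flags=re.I)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def triage(lines):
    """Return findings (dicts with sev/why/line) for the DDS lines that match a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PREF_RE.match(line)
        if m:
            src, name, value = m.groups()
            if name in SEARCH_PREFS:
                host = host_of(value)
                if host and host not in TRUSTED_SEARCH_HOSTS:
                    findings.append({"sev": "high",
                                     "why": f"{name} in {src}.js sends searches to {host}",
                                     "line": line})
            continue
        m = HOOK_RE.match(line)
        if m:
            kind, rest = m.groups()
            # An entry with no backing file is usually a leftover of a removed
            # toolbar or hook: harmless by itself, but worth clearing.
            if rest.endswith("No File") or rest.endswith("-"):
                findings.append({"sev": "low", "why": f"orphaned {kind} registration", "line": line})
            continue
        m = FF_BIN_RE.match(line)
        if m and "\\application data\\" in m.group(1).lower():
            # Native code loaded from a per-user profile directory is not a stock
            # install location, so confirm which extension shipped that DLL.
            findings.append({"sev": "medium",
                             "why": "Firefox loads native code from a per-user profile directory",
                             "line": line})
    return findings


# Constructed sample drawn from the DDS log in this thread (profile path shortened).
SAMPLE = r"""
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\x.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f['sev']:6}] {f['why']}\n         {f['line']}")
```

Run it against a saved dds.txt with `triage(open("dds.txt").read().splitlines())`. The keyword.URL rule is the one that matters for this thread: as long as user.js carries that value, Firefox rewrites it into prefs.js on every start, so resetting the search engine in the UI does not stick until the user.js file in the profile is removed. The rule is deliberately limited to search prefs; a homepage such as www.hotmail.com is not flagged because it is not where typed searches go.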



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 AM

Posted 09 August 2010 - 07:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 lognom

lognom
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 10 August 2010 - 01:45 AM

Hi Mole,
I'm still here.

Thanks,
Lloyd

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 AM

Posted 10 August 2010 - 05:28 PM

There are quite a few possibilities here so we need to work through each one. Please run the following tool.

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 lognom

lognom
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 10 August 2010 - 05:44 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 103):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7A23000 \WINDOWS\system32\KDCOM.DLL
0xF7933000 \WINDOWS\system32\BOOTVID.dll
0xF74D4000 ACPI.sys
0xF7A25000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74C3000 pci.sys
0xF7523000 isapnp.sys
0xF7533000 ohci1394.sys
0xF7543000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7AEB000 pciide.sys
0xF77A3000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A27000 viaide.sys
0xF7A29000 intelide.sys
0xF7553000 MountMgr.sys
0xF74A4000 ftdisk.sys
0xF7A2B000 dmload.sys
0xF747E000 dmio.sys
0xF77AB000 PartMgr.sys
0xF7563000 VolSnap.sys
0xF73A9000 iaStor.sys
0xF7391000 atapi.sys
0xF734E000 ftsata2.sys
0xF7336000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7573000 disk.sys
0xF7583000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7316000 fltmgr.sys
0xF7304000 sr.sys
0xF7593000 bb-run.sys
0xF75A3000 PxHelp20.sys
0xF72ED000 KSecDD.sys
0xF7260000 Ntfs.sys
0xF7233000 NDIS.sys
0xF7219000 Mup.sys
0xF7803000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF71D5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF780B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF75D3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF75E3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF75F3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF718A000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7162000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF79BB000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF7117000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF70E0000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF7603000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF782B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A2F000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF783B000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7843000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A33000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF7613000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79C7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF70C9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7623000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7633000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7863000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF70B8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7643000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7873000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7883000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7088000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7653000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A39000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF702A000 \SystemRoot\system32\DRIVERS\update.sys
0xF79EB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7663000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A3D000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7673000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7683000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF7A13000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C24000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A45000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78CB000 \SystemRoot\System32\drivers\vga.sys
0xF6F4E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7A49000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78DB000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78EB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A1F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF6F1B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF6EC2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF6E60000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF6E3A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7903000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF6E12000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6DF0000 \SystemRoot\System32\drivers\afd.sys
0xF7693000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6DC5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF6D55000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6D31000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF76C3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF6CF1000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A65000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7A1B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77BB000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C2D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF6752000 \SystemRoot\system32\DRIVERS\srv.sys
0xF6533000 \??\C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\kwxyafod.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 16):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
644 C:\WINDOWS\system32\services.exe
656 C:\WINDOWS\system32\lsass.exe
824 C:\WINDOWS\system32\svchost.exe
892 svchost.exe
1012 C:\WINDOWS\system32\svchost.exe
1044 svchost.exe
1176 svchost.exe
1492 C:\WINDOWS\explorer.exe
1312 C:\Program Files\Mozilla Firefox\firefox.exe
1888 C:\Program Files\Java\jre6\bin\java.exe
164 C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`5cfc7a00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-49

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#6 m0le (Malware Response Team, London, UK)

Posted 10 August 2010 - 06:10 PM

The MBR has been rewritten.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR.

If you do not have a recovery disk then please burn one as shown here.


Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter the correct number for your operating system, and then press Enter.
  • When asked "Do you want to fix the MBR code?", type in YES and press Enter
  • Restart your PC.
After you restart the PC
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread

m0le is a proud member of UNITE
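The steps above end with pasting the MBRCheck report into the thread, and the responder then reads the report by hand. The following Python helper is an added example; it is not code from this thread, from MBRCheck or from BleepingComputer. It parses a report in the format shown above and pulls out what a responder looks at first: the MBR status line and its SHA1, kernel drivers loaded from user-writable paths (the kwxyafod.sys entry under a Temp directory in the report above is the kind of line it flags), and whether a second report taken after the rewrite shows a changed MBR hash, since an unchanged hash after "Successfully wrote new MBR code!" means the fix did not reach the disk. The two sample reports embedded in it are constructed from lines of the reports posted in this thread; the list of untrusted path fragments and the Triage record are the example's own assumptions.

```python
"""Triage helper for a pasted MBRCheck report (added example, not code from
the thread, from MBRCheck or from BleepingComputer)."""
import re
from dataclasses import dataclass, field

DRIVER_RE = re.compile(r"^0x[0-9A-Fa-f]{8}\s+(.+?)\s*$")
DISK_RE = re.compile(r"^(\d+\s*[GMT]B)\s+(\\\\\.\\PhysicalDrive\d+)\s+(.+?)\s*$")
SHA1_RE = re.compile(r"^SHA1:\s*([0-9A-Fa-f]{40})\s*$")

# Assumption: no legitimate kernel driver is loaded from a temp directory or
# a user profile. Boot-start drivers listed by bare name (e.g. ACPI.sys) live
# under system32\drivers and are treated as system paths.
UNTRUSTED_FRAGMENTS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")

# Constructed sample: a trimmed report whose lines come from the report above.
SAMPLE_BEFORE = r"""MBRCheck, version 1.2.3
Kernel Drivers (total 5):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0xF74D4000 ACPI.sys
0xF6E60000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF32C9000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF6533000 \??\C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\kwxyafod.sys

Processes (total 2):
0 System Idle Process
164 C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB

Found non-standard or infected MBR.
"""

# Constructed "after the rewrite" report with the same SHA1 as before, which
# is exactly what the second report in this thread shows.
SAMPLE_AFTER = r"""Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB

Found non-standard or infected MBR.
"""


@dataclass
class Triage:
    drivers: list = field(default_factory=list)
    suspicious_drivers: list = field(default_factory=list)   # user-writable locations
    nonstandard_drivers: list = field(default_factory=list)  # \??\ paths outside Windows
    mbr_status: dict = field(default_factory=dict)           # device -> status text
    mbr_sha1: list = field(default_factory=list)
    infected_mbr_flag: bool = False


def triage_report(text):
    """Parse one MBRCheck report into a Triage record."""
    t = Triage()
    in_drivers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_drivers = False  # sections are separated by blank lines
            continue
        if line.startswith("Kernel Drivers"):
            in_drivers = True
            continue
        if in_drivers:
            m = DRIVER_RE.match(line)
            if m:
                path = m.group(1)
                t.drivers.append(path)
                low = path.lower()
                if any(frag in low for frag in UNTRUSTED_FRAGMENTS):
                    t.suspicious_drivers.append(path)
                elif low.startswith("\\??\\"):
                    t.nonstandard_drivers.append(path)
            continue
        m = DISK_RE.match(line)
        if m:
            t.mbr_status[m.group(2)] = m.group(3)
            continue
        m = SHA1_RE.match(line)
        if m:
            t.mbr_sha1.append(m.group(1).upper())
            continue
        if line.startswith("Found non-standard or infected MBR"):
            t.infected_mbr_flag = True
    return t


def findings(t):
    """Return the lines a responder should look at, most important first."""
    out = []
    for dev, status in t.mbr_status.items():
        if t.infected_mbr_flag or "unknown" in status.lower():
            sha = f" (SHA1 {t.mbr_sha1[0]})" if t.mbr_sha1 else ""
            out.append(f"{dev}: MBR status '{status}'{sha}")
    for p in t.suspicious_drivers:
        out.append(f"kernel driver loaded from a user-writable path: {p}")
    for p in t.nonstandard_drivers:
        out.append(f"driver outside the Windows tree, confirm it belongs to an installed product: {p}")
    return out


def mbr_fix_took_effect(before_text, after_text):
    """True only if the MBR SHA1 differs between the two reports."""
    before = triage_report(before_text).mbr_sha1
    after = triage_report(after_text).mbr_sha1
    return bool(before) and bool(after) and before != after


if __name__ == "__main__":
    for f in findings(triage_report(SAMPLE_BEFORE)):
        print("-", f)
    print("MBR rewrite effective:", mbr_fix_took_effect(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Run as a script it prints the findings for the embedded sample and reports that the rewrite was not effective; to use it on real reports, pass the text of the report taken before the fix and the one taken after the reboot to mbr_fix_took_effect. The helper deliberately does not judge the SHA1 itself (it has no list of known-good boot codes); its job is to make the unchanged hash and the odd driver path stand out.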

#7 lognom (Topic Starter)

Posted 11 August 2010 - 09:06 AM

Mole,
There were two MBRCheck reports. I copied both below.

Thanks,
Lloyd


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 103):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7A23000 \WINDOWS\system32\KDCOM.DLL
0xF7933000 \WINDOWS\system32\BOOTVID.dll
0xF74D4000 ACPI.sys
0xF7A25000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74C3000 pci.sys
0xF7523000 isapnp.sys
0xF7533000 ohci1394.sys
0xF7543000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7AEB000 pciide.sys
0xF77A3000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A27000 viaide.sys
0xF7A29000 intelide.sys
0xF7553000 MountMgr.sys
0xF74A4000 ftdisk.sys
0xF7A2B000 dmload.sys
0xF747E000 dmio.sys
0xF77AB000 PartMgr.sys
0xF7563000 VolSnap.sys
0xF73A9000 iaStor.sys
0xF7391000 atapi.sys
0xF734E000 ftsata2.sys
0xF7336000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7573000 disk.sys
0xF7583000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7316000 fltmgr.sys
0xF7304000 sr.sys
0xF7593000 bb-run.sys
0xF75A3000 PxHelp20.sys
0xF72ED000 KSecDD.sys
0xF7260000 Ntfs.sys
0xF7233000 NDIS.sys
0xF7219000 Mup.sys
0xF7803000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF71D5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF780B000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF75D3000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF75E3000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF75F3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF718A000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7162000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF79BB000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF7117000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF70E0000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF7603000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF782B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A2F000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF783B000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7843000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A33000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF7613000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF79C7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF70C9000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7623000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7633000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7863000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF70B8000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7643000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7873000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7883000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7088000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7653000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A39000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF702A000 \SystemRoot\system32\DRIVERS\update.sys
0xF79EB000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7663000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A3D000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7673000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7683000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF7A13000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C24000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A45000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78CB000 \SystemRoot\System32\drivers\vga.sys
0xF6F4E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF7A49000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78DB000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78EB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A1F000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF6F1B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF6EC2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF6E60000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF6E3A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7903000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF6E12000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF6DF0000 \SystemRoot\System32\drivers\afd.sys
0xF7693000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6DC5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF6D55000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6D31000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF76C3000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF6CF1000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A65000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7A1B000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77BB000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C2D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF6752000 \SystemRoot\system32\DRIVERS\srv.sys
0xF6533000 \??\C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\kwxyafod.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 16):
0 System Idle Process
4 System
496 C:\WINDOWS\system32\smss.exe
576 csrss.exe
600 C:\WINDOWS\system32\winlogon.exe
644 C:\WINDOWS\system32\services.exe
656 C:\WINDOWS\system32\lsass.exe
824 C:\WINDOWS\system32\svchost.exe
892 svchost.exe
1012 C:\WINDOWS\system32\svchost.exe
1044 svchost.exe
1176 svchost.exe
1492 C:\WINDOWS\explorer.exe
168 C:\Program Files\Mozilla Firefox\firefox.exe
568 C:\Program Files\Mozilla Firefox\plugin-container.exe
728 C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`5cfc7a00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-49

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 127):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF79F0000 \WINDOWS\system32\KDCOM.DLL
0xF7900000 \WINDOWS\system32\BOOTVID.dll
0xF73C1000 ACPI.sys
0xF79F2000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73B0000 pci.sys
0xF74F0000 isapnp.sys
0xF7500000 ohci1394.sys
0xF7510000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7AB8000 pciide.sys
0xF7770000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF79F4000 viaide.sys
0xF79F6000 intelide.sys
0xF7520000 MountMgr.sys
0xF7391000 ftdisk.sys
0xF79F8000 dmload.sys
0xF736B000 dmio.sys
0xF7778000 PartMgr.sys
0xF7530000 VolSnap.sys
0xF7296000 iaStor.sys
0xF727E000 atapi.sys
0xF723B000 ftsata2.sys
0xF7223000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7540000 disk.sys
0xF7550000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7203000 fltmgr.sys
0xF71F1000 sr.sys
0xF7560000 bb-run.sys
0xF7570000 PxHelp20.sys
0xF71DA000 KSecDD.sys
0xF714D000 Ntfs.sys
0xF7120000 NDIS.sys
0xF7106000 Mup.sys
0xF7620000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF78B8000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xF6411000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF63FD000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF78C0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF63D9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7630000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7640000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7650000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF63B6000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7660000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6299000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7A2E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF78D0000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6271000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF70C2000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF6226000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF61EF000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF7670000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78D8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A30000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF78E0000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF78E8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A32000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF70BE000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7C0E000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7680000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6795000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF61D8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7690000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76A0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF61C7000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76B0000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF78F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7788000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6197000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76C0000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A34000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6139000 \SystemRoot\system32\DRIVERS\update.sys
0xF6779000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76D0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76E0000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF76F0000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF350D000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF34E9000 \SystemRoot\system32\drivers\portcls.sys
0xF7720000 \SystemRoot\system32\drivers\drmk.sys
0xF612D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C3C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A62000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7830000 \SystemRoot\System32\drivers\vga.sys
0xF7A64000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A66000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7838000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7840000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6129000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF348E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF3435000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF33FB000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF33D5000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7750000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7760000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF33AD000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF338B000 \SystemRoot\System32\drivers\afd.sys
0xF6B92000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF32C9000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF7848000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF329E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF322E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6B72000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7850000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xF31FA000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF7868000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF31AE000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF6B12000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF3196000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AAE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF3B25000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77E0000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B91000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB7AA3000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8590000 \SystemRoot\system32\drivers\sysaudio.sys
0xB7898000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB782F000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8384000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB76C0000 \SystemRoot\system32\DRIVERS\srv.sys
0xB773F000 \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
672 C:\WINDOWS\system32\smss.exe
740 csrss.exe
764 C:\WINDOWS\system32\winlogon.exe
808 C:\WINDOWS\system32\services.exe
820 C:\WINDOWS\system32\lsass.exe
1000 C:\WINDOWS\system32\nvsvc32.exe
1020 C:\WINDOWS\system32\svchost.exe
1080 svchost.exe
1176 C:\WINDOWS\system32\svchost.exe
1236 svchost.exe
1316 svchost.exe
1392 C:\WINDOWS\system32\spoolsv.exe
1760 C:\WINDOWS\explorer.exe
1916 C:\WINDOWS\system32\rundll32.exe
1928 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1936 C:\WINDOWS\system32\rundll32.exe
1968 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1980 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
200 svchost.exe
260 C:\Program Files\LSI SoftModem\agrsmsvc.exe
296 C:\WINDOWS\ehome\ehrecvr.exe
316 C:\WINDOWS\ehome\ehSched.exe
480 svchost.exe
536 C:\Program Files\UPHClean\uphclean.exe
440 C:\WINDOWS\system32\searchindexer.exe
1592 mcrdsvc.exe
1732 C:\WINDOWS\system32\wuauclt.exe
2188 C:\WINDOWS\system32\dllhost.exe
2500 alg.exe
2960 C:\WINDOWS\system32\svchost.exe
3228 C:\Program Files\Mozilla Firefox\firefox.exe
3500 C:\Program Files\Mozilla Firefox\plugin-container.exe
3620 wmiprvse.exe
3860 C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002c`5cfc7a00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSP2004C, Rev: VM100-49

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

#8 lognom (Topic Starter)

Posted 11 August 2010 - 10:08 AM

Mole,
I just wanted to add that I can now use the computer in normal mode (I can open up programs that couldn't open up before, due to the malware), and Google redirect isn't happening any more (at least at the moment).

Lloyd


#9 m0le (Malware Response Team, London, UK)

Posted 11 August 2010 - 05:07 PM

That's good news but MBRCheck actually failed.


Please run Combofix so that we can attempt another MBR replacement.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#10 lognom (Topic Starter)

Posted 11 August 2010 - 05:46 PM

Mole,
I ran ComboFix without disabling my AVG; the program won't open. It claims it "can't find my license" (I assume this is the effect of my malware?). If you want I will remove AVG from my computer and run ComboFix again.
In any case, here's my log.

Lloyd

ComboFix 10-08-11.04 - HP_Administrator 08/11/2010 15:28:55.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.301 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll

Infected copy of c:\windows\system32\drivers\viaide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OSPPSVC
-------\Service_osppsvc


((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-09 21:48 . 2010-08-09 21:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2010-08-07 20:36 . 2010-08-07 20:36 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-03 19:16 . 2010-08-03 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-08-03 05:46 . 2010-08-03 05:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-08-03 05:45 . 2010-08-03 05:45 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-08-01 02:36 . 2010-08-01 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-07-31 20:42 . 2010-07-31 20:46 42459072 ----a-w- c:\program files\AdbeRdr933_en_US.exe
2010-07-31 20:37 . 2010-07-31 20:37 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Windows Search
2010-07-31 19:50 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-07-31 19:41 . 2009-05-21 18:46 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2010-07-31 19:36 . 2009-04-01 08:55 2842624 -c----w- c:\windows\system32\dllcache\msi.dll
2010-07-31 19:32 . 2008-09-30 06:19 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2010-07-31 19:32 . 2008-09-30 06:19 57344 ------w- c:\windows\system32\uexfat.dll
2010-07-31 19:32 . 2008-09-30 06:19 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2010-07-31 19:32 . 2008-09-29 10:21 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2010-07-31 19:32 . 2008-09-29 10:21 133632 ------w- c:\windows\system32\drivers\exfat.sys
2010-07-31 19:28 . 2008-04-21 18:44 330752 -c----w- c:\windows\system32\dllcache\ipnathlp.dll
2010-07-31 19:23 . 2008-04-17 04:50 175104 -c----w- c:\windows\system32\dllcache\w32time.dll
2010-07-31 19:23 . 2008-04-17 04:50 92672 -c----w- c:\windows\system32\dllcache\policman.dll
2010-07-31 19:23 . 2008-04-17 04:50 68096 -c----w- c:\windows\system32\dllcache\ntdsapi.dll
2010-07-31 19:23 . 2008-04-17 04:50 199680 -c----w- c:\windows\system32\dllcache\gptext.dll
2010-07-31 19:23 . 2008-04-17 04:50 113152 -c----w- c:\windows\system32\dllcache\dsuiext.dll
2010-07-31 19:23 . 2008-04-17 04:50 407040 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-07-31 19:23 . 2008-04-17 04:50 68096 -c----w- c:\windows\system32\dllcache\adsmsext.dll
2010-07-31 19:22 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-07-31 19:22 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-07-31 19:22 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-07-31 19:22 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-07-31 19:22 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2010-07-31 19:16 . 2008-08-28 07:46 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-07-31 19:16 . 2008-08-28 07:46 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-07-31 17:46 . 2010-07-31 17:46 -------- d-----w- c:\program files\UPHClean
2010-07-31 17:40 . 2010-07-31 17:40 -------- d-----w- c:\program files\VS Revo Group
2010-07-31 17:39 . 2010-07-31 17:39 -------- d-----w- c:\program files\Defraggler
2010-07-31 07:59 . 2010-07-31 07:59 -------- d-----w- c:\windows\system32\winrm
2010-07-31 07:59 . 2010-07-31 07:59 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-31 07:55 . 2010-07-31 07:55 -------- d-----w- c:\program files\LSI SoftModem
2010-07-31 07:54 . 2010-07-31 07:54 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
2010-07-31 07:54 . 2010-07-31 07:54 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Windows Desktop Search
2010-07-31 07:53 . 2010-07-31 17:43 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-31 07:53 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-31 07:53 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-31 07:53 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-31 06:20 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-31 06:20 . 2010-06-24 12:21 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-31 06:20 . 2010-06-24 12:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-31 06:20 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-31 06:20 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-31 06:20 . 2010-06-24 12:21 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-31 06:20 . 2010-06-25 00:51 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-31 06:20 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-31 04:14 . 2010-07-31 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-07-31 04:09 . 2010-07-31 04:12 -------- d-----w- c:\windows\nview
2010-07-31 02:40 . 2006-03-03 22:30 101888 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2010-07-31 02:40 . 2006-02-22 23:59 176128 ----a-w- c:\windows\system32\nvunrm.exe
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\program files\Realtek
2010-07-31 02:30 . 2010-06-24 18:13 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\documents and settings\HP_ADM~1~YOU\LOCALS~1
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\documents and settings\HP_ADM~1~YOU
2010-07-31 02:20 . 2010-07-31 02:20 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-31 02:20 . 2010-07-31 02:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-31 02:20 . 2010-07-31 02:20 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-31 02:19 . 2010-07-09 22:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-31 02:18 . 2010-07-09 22:38 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-31 02:18 . 2010-07-31 02:35 -------- d-----w- C:\NVIDIA
2010-07-31 00:14 . 2009-07-31 17:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-07-31 00:14 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-07-30 23:41 . 2010-07-31 02:24 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-30 23:23 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-07-30 23:23 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-30 23:22 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-07-30 23:21 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-30 23:19 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-30 23:15 . 2010-07-30 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-07-30 23:15 . 2010-07-07 20:46 604776 ----a-w- c:\windows\system32\nvuninst.exe
2010-07-30 23:15 . 2010-07-30 23:36 -------- d-----w- c:\program files\NVIDIA Corporation-nv26351
2010-07-30 23:03 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-07-30 22:52 . 2008-04-14 05:04 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-07-30 21:50 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-07-30 21:49 . 2004-08-04 12:00 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll
2010-07-30 21:48 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-30 21:47 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-07-30 21:47 . 2008-04-14 00:12 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-07-30 21:47 . 2008-04-14 00:12 10240 -c--a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-07-30 21:47 . 2004-08-04 12:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-07-30 21:47 . 2008-04-14 00:12 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-07-30 21:47 . 2008-04-14 00:12 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-07-30 21:35 . 2008-04-14 00:12 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-07-30 21:20 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-07-30 21:20 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-07-30 21:20 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-07-30 21:20 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-07-30 18:26 . 2010-07-31 19:10 -------- d-----w- c:\program files\WinMend
2010-07-30 18:02 . 2010-07-30 18:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-30 07:47 . 2010-07-30 07:51 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-30 07:37 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 07:01 . 2010-07-30 07:01 0 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\settings.dat
2010-07-28 20:49 . 2010-07-28 20:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 20:07 . 2010-07-28 20:07 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 20:07 . 2010-07-28 20:07 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-28 20:07 . 2010-07-28 20:07 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 20:05 . 2010-07-28 20:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-28 18:57 . 2010-08-08 16:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-28 18:54 . 2010-07-28 18:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-07-28 15:52 . 2010-07-28 15:55 63488 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 14:40 . 2010-07-28 14:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-26 18:30 . 2010-07-26 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-26 18:30 . 2010-07-26 20:43 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\hkkldupqy
2010-07-26 18:29 . 2010-07-26 20:05 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\0F16770CB5F586F86B5862291F1DACB0
2010-07-15 16:41 . 2010-07-15 16:41 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-13 06:52 . 2010-07-13 06:52 192736 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 22:19 . 2010-05-02 02:39 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-01 04:55 . 2009-11-16 03:27 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\vlc
2010-08-01 02:36 . 2006-07-31 23:23 90872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-31 21:18 . 2009-09-13 03:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 08:00 . 2009-09-13 22:00 -------- d-----w- c:\program files\Microsoft.NET
2010-07-31 07:54 . 2009-11-15 20:08 34 ----a-w- c:\windows\system32\BD2140.DAT
2010-07-31 06:11 . 2009-09-13 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-31 05:54 . 2005-08-31 03:58 34764 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-31 02:30 . 2006-07-31 23:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-30 23:21 . 2006-07-31 22:52 -------- d-----w- c:\program files\Common Files\Java
2010-07-30 23:19 . 2006-07-31 22:52 -------- d-----w- c:\program files\Java
2010-07-28 15:55 . 2009-11-15 06:27 117760 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 15:52 . 2009-09-13 03:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-27 13:53 . 2009-09-13 04:26 -------- d-----w- c:\program files\CCleaner
2010-07-25 17:07 . 2009-11-15 01:33 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\BitTorrent
2010-07-25 00:34 . 2010-06-05 19:17 12553 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-07-24 19:05 . 2010-07-12 19:04 452104 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Real\Update\setup3.12\setup.exe
2010-07-19 02:07 . 2009-09-30 01:12 -------- d-----w- c:\program files\PeerBlock
2010-07-15 16:41 . 2009-11-15 03:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:41 . 2009-11-15 03:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-09 22:38 . 2009-09-27 23:12 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2009-09-27 23:12 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38 . 2009-09-27 23:12 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38 . 2009-09-27 23:12 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38 . 2006-07-31 23:07 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-08 02:36 . 2010-07-08 02:36 -------- d-----w- c:\program files\MSECache
2010-07-08 02:36 . 2010-07-08 02:35 3248200 ----a-w- c:\program files\OutlookConnector.exe
2010-07-07 01:27 . 2006-07-31 23:04 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-07 01:27 . 2006-07-31 23:04 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-07-07 01:26 . 2006-07-31 23:04 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-07-07 01:26 . 2006-07-31 23:04 6088296 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-07-07 01:26 . 2006-07-31 23:04 19556968 ----a-w- c:\windows\RTHDCPL.EXE
2010-07-07 01:26 . 2006-07-31 23:04 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-07-07 01:26 . 2006-07-31 23:04 2180712 ----a-w- c:\windows\MicCal.exe
2010-07-07 01:26 . 2006-07-31 23:04 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-07-05 17:56 . 2010-07-05 17:56 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\DivX
2010-07-05 17:55 . 2010-07-05 17:55 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-05 17:54 . 2010-07-05 17:54 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-05 17:51 . 2010-07-05 17:51 895256 ----a-w- c:\program files\DivXInstaller.exe
2010-07-04 16:30 . 2009-11-15 04:48 -------- d-----w- c:\program files\MSBuild
2010-07-04 16:29 . 2010-07-04 16:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-04 16:28 . 2010-07-04 16:28 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-04 16:28 . 2009-11-15 03:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-04 16:18 . 2010-07-04 16:18 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-04 16:10 . 2010-07-04 16:08 -------- d-----w- c:\program files\Office 2010
2010-07-04 16:08 . 2010-07-04 16:08 -------- d-----w- c:\program files\7-Zip
2010-07-04 03:17 . 2009-12-01 21:56 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\dvdcss
2010-07-03 19:04 . 2010-07-03 19:04 439816 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Real\Update\setup3.10\setup.exe
2010-07-02 14:08 . 2010-06-05 18:07 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 14:08 . 2010-06-05 18:07 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 14:08 . 2010-06-05 18:07 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 14:08 . 2010-06-05 18:07 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 14:08 . 2010-06-05 18:07 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 14:08 . 2010-06-05 18:07 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\dblgen11.dll
2010-07-02 14:08 . 2010-06-05 18:07 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 14:08 . 2010-06-05 18:07 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 14:08 . 2010-06-05 18:07 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 14:08 . 2010-06-05 18:07 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 14:08 . 2010-06-05 18:07 1372424 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-07-02 14:08 . 2010-06-05 18:07 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-07-01 23:34 . 2010-07-28 20:49 258016 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-01 22:48 . 2009-09-14 02:57 -------- d-----w- c:\program files\VideoLAN
2010-07-01 20:52 . 2010-07-05 14:52 1496064 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 20:51 . 2010-07-05 14:52 43008 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 20:51 . 2010-07-05 14:52 338944 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 20:51 . 2010-07-05 14:52 346112 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-30 12:23 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 04:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 13:05 . 2010-06-05 18:00 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-10 13:05 . 2010-06-05 18:00 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-05 18:21 . 2010-06-05 18:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-05 18:07 . 2010-06-05 18:07 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2010-06-05 18:07 . 2010-06-05 18:07 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-06-05 18:07 . 2010-06-05 18:07 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2010-06-05 17:59 . 2010-06-05 18:00 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-06-05 17:59 . 2010-06-05 18:00 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-06-02 15:29 . 2009-11-15 03:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-30 19:10 . 2010-05-30 19:07 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-05-24 22:58 . 2010-05-24 22:58 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-23 02:09 . 2010-05-23 02:09 503808 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\msvcp71.dll
2010-05-23 02:09 . 2010-05-23 02:09 499712 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\jmc.dll
2010-05-23 02:09 . 2010-05-23 02:09 348160 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\msvcr71.dll
2010-05-23 02:09 . 2010-05-23 02:09 61440 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-459f8166-n\decora-sse.dll
2010-05-23 02:09 . 2010-05-23 02:09 12800 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-459f8166-n\decora-d3d.dll
2010-02-14 05:39 . 2010-02-14 05:38 4938120 ----a-w- c:\program files\Silverlight.exe
2009-11-08 16:17 . 2009-11-08 16:16 10381513 ----a-w- c:\program files\avidemux_2.5.1_win32.exe
2007-06-06 14:26 . 2009-09-12 02:34 32 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 09:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 180269]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-7-31 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2008-08-04 05:17 16309 ----a-r- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-15 16:41 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 05:04 1337608 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-09 22:50 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 06:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
2008-05-31 16:11 202016 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-07 01:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-07-31 23:16 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtlisten"=2 (0x2)
"SeaPort"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"ose"=3 (0x3)
"nvsvc"=2 (0x2)
"Microsoft SharePoint Workspace Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/14/2009 8:19 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/14/2009 8:19 PM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/4/2009 2:50 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [9/29/2009 6:12 PM 14424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:41 AM 921952]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:41 AM 308136]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 1:02 PM 1213728]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2010 11:21 AM 691696]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\User_Feed_Synchronization-{1802EC85-BABC-4C50-868A-89DCE319B496}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 15:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1204)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\nvwddi.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-08-11 15:41:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 22:41
ComboFix2.txt 2010-07-31 03:24
ComboFix3.txt 2010-07-30 06:24

Pre-Run: 57,037,328,384 bytes free
Post-Run: 57,042,518,016 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - 285AD0F8A4B41CC5E82676C8696FBB62


#11 m0le

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 August 2010 - 05:57 PM

Please uninstall AVG as we are going to run Combofix again. Just to let you know the TDL3 rootkit was removed during that run.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
Folder::
c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\hkkldupqy


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests that you update Combofix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#12 lognom
  • Topic Starter

  • Members
  • 40 posts

Posted 11 August 2010 - 06:20 PM

Mole,
Here it is.


ComboFix 10-08-11.04 - HP_Administrator 08/11/2010 16:12:39.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.550 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\comfix.exe
Command switches used :: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\hkkldupqy

.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-09 21:48 . 2010-08-09 21:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPQ
2010-08-07 20:36 . 2010-08-07 20:36 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-08-03 19:16 . 2010-08-03 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-08-03 05:46 . 2010-08-03 05:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-08-03 05:45 . 2010-08-03 05:45 452104 ----a-w- c:\documents and settings\Administrator\Application Data\Real\Update\setup3.12\setup.exe
2010-08-01 02:36 . 2010-08-01 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2010-07-31 20:42 . 2010-07-31 20:46 42459072 ----a-w- c:\program files\AdbeRdr933_en_US.exe
2010-07-31 20:37 . 2010-07-31 20:37 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Windows Search
2010-07-31 19:50 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2010-07-31 19:41 . 2009-05-21 18:46 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2010-07-31 19:36 . 2009-04-01 08:55 2842624 -c----w- c:\windows\system32\dllcache\msi.dll
2010-07-31 19:32 . 2008-09-30 06:19 57344 -c----w- c:\windows\system32\dllcache\uexfat.dll
2010-07-31 19:32 . 2008-09-30 06:19 57344 ------w- c:\windows\system32\uexfat.dll
2010-07-31 19:32 . 2008-09-30 06:19 278528 -c----w- c:\windows\system32\dllcache\ulib.dll
2010-07-31 19:32 . 2008-09-29 10:21 133632 -c----w- c:\windows\system32\dllcache\exfat.sys
2010-07-31 19:32 . 2008-09-29 10:21 133632 ------w- c:\windows\system32\drivers\exfat.sys
2010-07-31 19:28 . 2008-04-21 18:44 330752 -c----w- c:\windows\system32\dllcache\ipnathlp.dll
2010-07-31 19:23 . 2008-04-17 04:50 175104 -c----w- c:\windows\system32\dllcache\w32time.dll
2010-07-31 19:23 . 2008-04-17 04:50 92672 -c----w- c:\windows\system32\dllcache\policman.dll
2010-07-31 19:23 . 2008-04-17 04:50 68096 -c----w- c:\windows\system32\dllcache\ntdsapi.dll
2010-07-31 19:23 . 2008-04-17 04:50 199680 -c----w- c:\windows\system32\dllcache\gptext.dll
2010-07-31 19:23 . 2008-04-17 04:50 113152 -c----w- c:\windows\system32\dllcache\dsuiext.dll
2010-07-31 19:23 . 2008-04-17 04:50 407040 -c----w- c:\windows\system32\dllcache\netlogon.dll
2010-07-31 19:23 . 2008-04-17 04:50 68096 -c----w- c:\windows\system32\dllcache\adsmsext.dll
2010-07-31 19:22 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-07-31 19:22 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-07-31 19:22 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-07-31 19:22 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-07-31 19:22 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2010-07-31 19:16 . 2008-08-28 07:46 74752 -c----w- c:\windows\system32\dllcache\msw3prt.dll
2010-07-31 19:16 . 2008-08-28 07:46 104960 -c----w- c:\windows\system32\dllcache\win32spl.dll
2010-07-31 17:46 . 2010-07-31 17:46 -------- d-----w- c:\program files\UPHClean
2010-07-31 17:40 . 2010-07-31 17:40 -------- d-----w- c:\program files\VS Revo Group
2010-07-31 17:39 . 2010-07-31 17:39 -------- d-----w- c:\program files\Defraggler
2010-07-31 07:59 . 2010-07-31 07:59 -------- d-----w- c:\windows\system32\winrm
2010-07-31 07:59 . 2010-07-31 07:59 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-07-31 07:55 . 2010-07-31 07:55 -------- d-----w- c:\program files\LSI SoftModem
2010-07-31 07:54 . 2010-07-31 07:54 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
2010-07-31 07:54 . 2010-07-31 07:54 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Windows Desktop Search
2010-07-31 07:53 . 2010-07-31 17:43 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-31 07:53 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-31 07:53 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-31 07:53 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-31 06:20 . 2010-06-24 12:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-31 06:20 . 2010-06-24 12:21 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-31 06:20 . 2010-06-24 12:21 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-31 06:20 . 2010-06-24 12:21 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-31 06:20 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-31 06:20 . 2010-06-24 12:21 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-31 06:20 . 2010-06-25 00:51 11077120 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-31 06:20 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-31 04:14 . 2010-07-31 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-07-31 04:09 . 2010-07-31 04:12 -------- d-----w- c:\windows\nview
2010-07-31 02:40 . 2006-03-03 22:30 101888 ----a-w- c:\windows\system32\drivers\nvtcp.sys
2010-07-31 02:40 . 2006-02-22 23:59 176128 ----a-w- c:\windows\system32\nvunrm.exe
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\program files\Realtek
2010-07-31 02:30 . 2010-06-24 18:13 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\documents and settings\HP_ADM~1~YOU\LOCALS~1
2010-07-31 02:30 . 2010-07-31 02:30 -------- d-----w- c:\documents and settings\HP_ADM~1~YOU
2010-07-31 02:20 . 2010-07-31 02:20 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-31 02:20 . 2010-07-31 02:20 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-31 02:20 . 2010-07-31 02:20 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-31 02:19 . 2010-07-09 22:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-31 02:18 . 2010-07-09 22:38 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-31 02:18 . 2010-07-31 02:35 -------- d-----w- C:\NVIDIA
2010-07-31 00:14 . 2009-07-31 17:05 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2010-07-31 00:14 . 2008-04-13 17:27 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2010-07-30 23:41 . 2010-07-31 02:24 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-30 23:23 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
2010-07-30 23:23 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-30 23:22 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-07-30 23:21 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-30 23:19 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-30 23:15 . 2010-07-30 23:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-07-30 23:15 . 2010-07-07 20:46 604776 ----a-w- c:\windows\system32\nvuninst.exe
2010-07-30 23:15 . 2010-07-30 23:36 -------- d-----w- c:\program files\NVIDIA Corporation-nv26351
2010-07-30 23:03 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-07-30 22:52 . 2008-04-14 05:04 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-07-30 21:50 . 2004-08-04 12:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-07-30 21:49 . 2004-08-04 12:00 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll
2010-07-30 21:48 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-30 21:47 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-07-30 21:47 . 2008-04-14 00:12 226816 -c--a-w- c:\windows\system32\dllcache\npdrmv2.dll
2010-07-30 21:47 . 2008-04-14 00:12 10240 -c--a-w- c:\windows\system32\dllcache\npwmsdrm.dll
2010-07-30 21:47 . 2004-08-04 12:00 221184 -c--a-w- c:\windows\system32\dllcache\wmpns.dll
2010-07-30 21:47 . 2008-04-14 00:12 4639 -c--a-w- c:\windows\system32\dllcache\mplayer2.exe
2010-07-30 21:47 . 2008-04-14 00:12 364544 -c--a-w- c:\windows\system32\dllcache\npdsplay.dll
2010-07-30 21:35 . 2008-04-14 00:12 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-07-30 21:20 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-07-30 21:20 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-07-30 21:20 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-07-30 21:20 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-07-30 18:26 . 2010-07-31 19:10 -------- d-----w- c:\program files\WinMend
2010-07-30 18:02 . 2010-07-30 18:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-30 07:47 . 2010-07-30 07:51 -------- d-----w- c:\program files\Windows Live Safety Center
2010-07-30 07:37 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 07:01 . 2010-07-30 07:01 0 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\settings.dat
2010-07-28 20:49 . 2010-07-28 20:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 20:07 . 2010-07-28 20:07 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 20:07 . 2010-07-28 20:07 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-28 20:07 . 2010-07-28 20:07 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 20:05 . 2010-07-28 20:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-28 18:57 . 2010-08-08 16:19 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-07-28 18:54 . 2010-07-28 18:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2010-07-28 15:52 . 2010-07-28 15:55 63488 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-28 14:40 . 2010-07-28 14:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-26 18:30 . 2010-07-26 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-07-26 18:29 . 2010-07-26 20:05 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\0F16770CB5F586F86B5862291F1DACB0
2010-07-13 06:52 . 2010-07-13 06:52 192736 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 23:04 . 2009-10-29 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-10 22:19 . 2010-05-02 02:39 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-01 04:55 . 2009-11-16 03:27 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\vlc
2010-08-01 02:36 . 2006-07-31 23:23 90872 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-31 21:18 . 2009-09-13 03:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-31 08:00 . 2009-09-13 22:00 -------- d-----w- c:\program files\Microsoft.NET
2010-07-31 07:54 . 2009-11-15 20:08 34 ----a-w- c:\windows\system32\BD2140.DAT
2010-07-31 06:11 . 2009-09-13 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-31 05:54 . 2005-08-31 03:58 34764 ----a-w- c:\windows\system32\emptyregdb.dat
2010-07-31 02:30 . 2006-07-31 23:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-30 23:21 . 2006-07-31 22:52 -------- d-----w- c:\program files\Common Files\Java
2010-07-30 23:19 . 2006-07-31 22:52 -------- d-----w- c:\program files\Java
2010-07-28 15:55 . 2009-11-15 06:27 117760 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-28 15:52 . 2009-09-13 03:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-27 13:53 . 2009-09-13 04:26 -------- d-----w- c:\program files\CCleaner
2010-07-25 17:07 . 2009-11-15 01:33 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\BitTorrent
2010-07-25 00:34 . 2010-06-05 19:17 12553 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\qbbackup.sys
2010-07-24 19:05 . 2010-07-12 19:04 452104 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Real\Update\setup3.12\setup.exe
2010-07-19 02:07 . 2009-09-30 01:12 -------- d-----w- c:\program files\PeerBlock
2010-07-09 22:38 . 2009-09-27 23:12 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2009-09-27 23:12 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-09 22:38 . 2009-09-27 23:12 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-09 22:38 . 2009-09-27 23:12 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-09 22:38 . 2006-07-31 23:07 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-08 02:36 . 2010-07-08 02:36 -------- d-----w- c:\program files\MSECache
2010-07-08 02:36 . 2010-07-08 02:35 3248200 ----a-w- c:\program files\OutlookConnector.exe
2010-07-07 01:27 . 2006-07-31 23:04 84584 ----a-w- c:\windows\SOUNDMAN.EXE
2010-07-07 01:27 . 2006-07-31 23:04 1489512 ----a-w- c:\windows\RtlUpd.exe
2010-07-07 01:26 . 2006-07-31 23:04 9721960 ----a-w- c:\windows\RTLCPL.EXE
2010-07-07 01:26 . 2006-07-31 23:04 6088296 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-07-07 01:26 . 2006-07-31 23:04 19556968 ----a-w- c:\windows\RTHDCPL.EXE
2010-07-07 01:26 . 2006-07-31 23:04 2815592 ----a-w- c:\windows\ALCWZRD.EXE
2010-07-07 01:26 . 2006-07-31 23:04 2180712 ----a-w- c:\windows\MicCal.exe
2010-07-07 01:26 . 2006-07-31 23:04 64104 ----a-w- c:\windows\ALCMTR.EXE
2010-07-05 17:56 . 2010-07-05 17:56 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\DivX
2010-07-05 17:55 . 2010-07-05 17:55 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-05 17:54 . 2010-07-05 17:54 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-05 17:51 . 2010-07-05 17:51 895256 ----a-w- c:\program files\DivXInstaller.exe
2010-07-04 16:30 . 2009-11-15 04:48 -------- d-----w- c:\program files\MSBuild
2010-07-04 16:29 . 2010-07-04 16:29 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-04 16:28 . 2010-07-04 16:28 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-04 16:28 . 2009-11-15 03:16 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-04 16:18 . 2010-07-04 16:18 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-04 16:10 . 2010-07-04 16:08 -------- d-----w- c:\program files\Office 2010
2010-07-04 16:08 . 2010-07-04 16:08 -------- d-----w- c:\program files\7-Zip
2010-07-04 03:17 . 2009-12-01 21:56 -------- d-----w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\dvdcss
2010-07-03 19:04 . 2010-07-03 19:04 439816 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Real\Update\setup3.10\setup.exe
2010-07-02 14:08 . 2010-06-05 18:07 496944 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 14:08 . 2010-06-05 18:07 296240 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 14:08 . 2010-06-05 18:07 791856 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 14:08 . 2010-06-05 18:07 423216 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 14:08 . 2010-06-05 18:07 267568 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 14:08 . 2010-06-05 18:07 856880 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\dblgen11.dll
2010-07-02 14:08 . 2010-06-05 18:07 763184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 14:08 . 2010-06-05 18:07 570672 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 14:08 . 2010-06-05 18:07 398640 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 14:08 . 2010-06-05 18:07 2184496 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 14:08 . 2010-06-05 18:07 1372424 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-07-02 14:08 . 2010-06-05 18:07 1152304 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-07-01 23:34 . 2010-07-28 20:49 258016 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-07-01 22:48 . 2009-09-14 02:57 -------- d-----w- c:\program files\VideoLAN
2010-07-01 20:52 . 2010-07-05 14:52 1496064 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-01 20:51 . 2010-07-05 14:52 43008 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-01 20:51 . 2010-07-05 14:52 338944 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-01 20:51 . 2010-07-05 14:52 346112 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-30 12:23 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 04:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-10 13:05 . 2010-06-05 18:00 975136 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch2.exe
2010-06-10 13:05 . 2010-06-05 18:00 44832 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
2010-06-05 18:21 . 2010-06-05 18:21 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-05 18:07 . 2010-06-05 18:07 34056 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\Interop.QBInstanceFinder.dll
2010-06-05 18:07 . 2010-06-05 18:07 211720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-06-05 18:07 . 2010-06-05 18:07 192512 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\SyncMgr\OCD\ICSharpCode.SharpZipLib.dll
2010-06-05 17:59 . 2010-06-05 18:00 499712 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
2010-06-05 17:59 . 2010-06-05 18:00 348160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
2010-05-30 19:10 . 2010-05-30 19:07 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-05-24 22:58 . 2010-05-24 22:58 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-05-23 02:09 . 2010-05-23 02:09 503808 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\msvcp71.dll
2010-05-23 02:09 . 2010-05-23 02:09 499712 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\jmc.dll
2010-05-23 02:09 . 2010-05-23 02:09 348160 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5c8abb51-n\msvcr71.dll
2010-05-23 02:09 . 2010-05-23 02:09 61440 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-459f8166-n\decora-sse.dll
2010-05-23 02:09 . 2010-05-23 02:09 12800 ----a-w- c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-459f8166-n\decora-d3d.dll
2010-02-14 05:39 . 2010-02-14 05:38 4938120 ----a-w- c:\program files\Silverlight.exe
2009-11-08 16:17 . 2009-11-08 16:16 10381513 ----a-w- c:\program files\avidemux_2.5.1_win32.exe
2007-06-06 14:26 . 2009-09-12 02:34 32 -csha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-02-28 09:20 561552 ----a-w- c:\progra~1\MICROS~2\Office14\URLREDIR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-05-09 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-31 180269]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-7-31 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-7-31 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2008-08-04 05:17 16309 ----a-r- c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 21:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2006-04-13 16:05 90112 ----a-w- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2010-01-27 05:04 1337608 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-05-09 22:50 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-07-08 06:52 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickCare]
2008-05-31 16:11 202016 ----a-w- c:\program files\Qwest\Quickcare\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-07-07 01:26 19556968 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-07-31 23:16 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SupportSoft RemoteAssist"=3 (0x3)
"sprtlisten"=2 (0x2)
"SeaPort"=2 (0x2)
"QBFCService"=3 (0x3)
"QBCFMonitorService"=2 (0x2)
"ose"=3 (0x3)
"nvsvc"=2 (0x2)
"Microsoft SharePoint Workspace Audit Service"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"avg9wd"=2 (0x2)
"avg9emc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [9/4/2009 2:50 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [9/29/2009 6:12 PM 14424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 12872]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S4 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 1:02 PM 1213728]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/5/2010 11:21 AM 691696]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\User_Feed_Synchronization-{1802EC85-BABC-4C50-868A-89DCE319B496}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.hotmail.com
FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\HP_Administrator.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\8in56n7f.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 16:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\nvwddi.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-11 16:18:43
ComboFix-quarantined-files.txt 2010-08-11 23:18
ComboFix2.txt 2010-08-11 22:41
ComboFix3.txt 2010-07-31 03:24
ComboFix4.txt 2010-07-30 06:24

Pre-Run: 57,121,353,728 bytes free
Post-Run: 57,115,754,496 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - DC02A02255F936A72DCE13168779DF28
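The ComboFix tail above follows a regular layout: Firefox pref lines, an ORPHANS REMOVED block, the catchme rootkit scan result, then DLLs listed per running process. As an added example, not part of this thread or of ComboFix itself, here is a small Python parser that pulls those sections out of a log and lists DLLs loaded from outside the usual Windows and Program Files trees for manual review; the sample excerpt, the section markers and the trusted-directory list are assumptions based on the log as quoted.

```python
import re
# Constructed excerpt in the layout of the ComboFix log quoted above (not the thread's full log).
SAMPLE = r"""
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
hidden files: 0
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\docume~1\user\locals~1\temp\unknown.dll
Completion time: 2010-08-11 16:18:43
"""

PREF = re.compile(r'^.+ - pref\("([^"]+)",\s*(.+)\);$')
PROC = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
HIDDEN = re.compile(r"^hidden files:\s*(\d+)$")
MARKERS = {"ORPHANS REMOVED": "orphans", "catchme ": "catchme",
           "DLLs Loaded Under Running Processes": "dlls", "Completion time:": "footer"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # assumed, not from ComboFix

def parse_combofix_tail(text):
    """Split the tail of a ComboFix log into prefs, orphans, catchme result and per-process DLLs."""
    report = {"prefs": {}, "orphans": [], "hidden_files": None, "dlls": {}}
    section, proc = None, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line == ".":          # blank lines and "." separators carry nothing
            continue
        hit = [k for k in MARKERS if k in line]
        if hit:                              # section header: switch state, keep no content
            section = MARKERS[hit[0]]
        elif (m := PREF.match(line)):        # Firefox pref lines precede the orphan section
            report["prefs"][m.group(1)] = m.group(2)
        elif section == "orphans":
            report["orphans"].append(line)
        elif section == "catchme" and (m := HIDDEN.match(line)):
            report["hidden_files"] = int(m.group(1))
        elif section == "dlls":
            if (m := PROC.match(line)):      # "- - - > 'name'(pid)" starts a new process block
                proc = f"{m.group(1)}({m.group(2)})"
                report["dlls"][proc] = []
            elif proc:
                report["dlls"][proc].append(line)
    return report

def untrusted_dlls(report):
    # DLLs from outside the usual Windows/Program Files trees: review candidates, not verdicts.
    return {p: [d for d in ds if not d.lower().startswith(TRUSTED_DIRS)] for p, ds in report["dlls"].items()}
```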


#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 AM

Posted 11 August 2010 - 06:27 PM

Good, that's looking fine.


Run ATF to clear out the cookies/temp files/cache.

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main "Select Files to Delete" choose: Select All.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NB: If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

This could also be Clear Recent History or similar

Then close Firefox and then reopen it.



Please run ESET's online scanner to pick off the infected files, etc.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#14 lognom

lognom
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:05:03 PM

Posted 12 August 2010 - 09:37 AM

C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Quickbooks_2010_CA_US_&_2008_UK_+_Activator_V1.01\Quickbooks_Keygen-LZ0.rar probably a variant of Win32/Agent.NMQNGTA trojan deleted - quarantined



Mole,
Just in case, I deleted that version of Quickbooks from my computer.

Edited by lognom, 12 August 2010 - 09:55 AM.


#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:03 AM

Posted 12 August 2010 - 04:15 PM

Deleting it is a good precaution. That ESET entry was the way the malware got in, an infected copy of Quickbooks.

How is the PC running now, lognom?
m0le is a proud member of UNITE



