Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Redirection


  • This topic is locked This topic is locked
16 replies to this topic

#1 dazzltoni

dazzltoni

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 23 October 2010 - 01:58 AM

Hello all!! I've been having a problem with my google searches being redirected and it seems to be rather sporadic. I perform a google search for a specific topic. When I select a link of interest, a new firefox tab is generated with a irrelevant website to what I had selected. If you guys/gals could assist me in resolving this headbanging issue, I would be EXTREMELY appreciative!!! Here are the log files requested per the preparation guide. Thanks in advance!!!

DDS text file

DDS (Ver_10-10-21.02) - NTFSx86
Run by HY Blair at 7:18:12.85 on 23/10/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1167 [GMT 1:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\WinXP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.optionsxpress.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/ymj/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/ymj/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: pandasoftware.com\acs
Trusted Zone: pandasoftware.com\activescan
Trusted Zone: pandasoftware.com\www
Trusted Zone: pandasoftware.es\www
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {66BC78D5-AE49-40BA-86A7-A83C1003C03C} - rundll32 mmidkdae8.dll,laspi
IFEO: taskmgr.exe - "c:\documents and settings\winxp\desktop\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\winxp\applic~1\mozilla\firefox\profiles\gexs7lyq.daz\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.elliottwave.com
FF - plugin: c:\documents and settings\winxp\application data\mozilla\firefox\profiles\gexs7lyq.daz\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2010-5-26 199400]
R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2010-1-19 85128]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [2003-3-5 15840]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-2-3 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2010-1-4 111312]
S1 SAVRTPEL;SAVRTPEL;\??\c:\program files\norton internet security\norton antivirus\savrtpel.sys --> c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [?]
S2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys --> c:\windows\system32\drivers\avgtdi.sys [?]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\sbserv.exe --> c:\progra~1\common~1\symant~1\script~1\SBServ.exe [?]
S3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2010-5-26 6656]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20060524.033\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060524.033\NAVENG.Sys [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20060524.033\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060524.033\NavEx15.Sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys --> c:\windows\system32\drivers\S3G700m.sys [?]
S3 SAVRT;SAVRT;\??\c:\program files\norton internet security\norton antivirus\savrt.sys --> c:\program files\norton internet security\norton antivirus\SAVRT.SYS [?]
S4 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]
S4 ccProxy;Symantec Network Proxy;"c:\program files\common files\symantec shared\ccproxy.exe" --> c:\program files\common files\symantec shared\ccProxy.exe [?]
S4 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
S4 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S4 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

=============== Created Last 30 ================


==================== Find3M ====================

2006-07-23 08:45:40 1923095 -c--a-w- c:\program files\WinRAR Crystal Edition 2006.exe
2006-07-23 08:45:40 1107227 -c--a-w- c:\program files\WinRAR 3.51 Corporate Edition.exe
2006-07-23 08:45:40 1039753 -c--a-w- c:\program files\Winrar 3.60 Beta 4 Enterprise Edition Oem.exe
2004-03-11 13:27:22 40960 -c--a-w- c:\program files\Uninstall_CDS.exe

============= FINISH: 7:19:47.92 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 23 October 2010 - 03:34 AM

:welcome: to Bleeping computer!

Step 1.
ComboFix:


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 23 October 2010 - 07:30 AM

Thanks for the quick response. Here's a copy of the ComboFix.txt file as requested.

Attached Files



#4 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 30 October 2010 - 12:11 AM

??? Any update???

#5 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 31 October 2010 - 03:31 AM

Sorry about the delay. There was a hiccup with my notifications.

Let's proceed.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Driver::
FXDRV
RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
c:\program files\Advanced System Optimizer 3\SystemProtector   .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VERSIO~2 .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Creative\MediaSource\RemoteControl\RCMan .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
c:\windows\SiSUSBrg .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#6 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 November 2010 - 03:49 AM

Here is the ComboFix.txt log file generated from the CFScript.txt provided.

Kind regards

Dazzltoni

Attached Files



#7 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 01 November 2010 - 04:34 AM

Here is the ComboFix.txt log file generated from the CFScript.txt provided.

Please don't attach logs, just copy and paste them in your reply unless I ask you to attach them.

A bit more to do.

Step 1.
Systemlook:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    c:\program files\QuickTime\qttask  .exe
    c:\program files\QuickTime\qttask.exe
    :filefind
    qttask*.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Step 2.
MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 3.
Things I would like to see in your reply:

  • The content of Systemlook.txt from step 1.
  • The content of the log from MBAM in step 2.
  • Information on how your computer is running after those steps.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#8 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 November 2010 - 07:47 AM

Here is the contents of the SystemLook log:

SystemLook 04.09.10 by jpshortstuff
Log created at 12:29 on 01/11/2010 by HY Blair
Administrator - Elevation successful

========== file ==========

c:\program files\QuickTime\qttask .exe - Unable to find/read file.

c:\program files\QuickTime\qttask.exe - File found and opened.
MD5: ED7A6D40B20DC34BE06F4AE196AE7D50
Created at 20:53 on 17/03/2010
Modified at 20:53 on 17/03/2010
Size: 421888 bytes
Attributes: --a----
FileDescription: QuickTime Task
FileVersion: 7.6.6 (1671)
ProductVersion: QuickTime 7.6.6 (1671)
OriginalFilename: QTTask.exe
InternalName: QuickTime Task
ProductName: QuickTime
CompanyName: Apple Inc.
LegalCopyright: Copyright Apple Inc. 1989-2010

========== filefind ==========

Searching for "qttask*.exe"
C:\Program Files\QuickTime\qttask.exe --a---- 421888 bytes [20:53 17/03/2010] [20:53 17/03/2010] ED7A6D40B20DC34BE06F4AE196AE7D50

-= EOF =-

Here are the contents of the Malwarebyte's log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5012

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/11/2010 12:40:15
mbam-log-2010-11-01 (12-40-15).txt

Scan type: Quick scan
Objects scanned: 147765
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MS Essentials (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

At the moment, the google search redirecting does not occur. I can select a link and the webpage comes up fine and dandy and no new tab pops up going
to some odd website.


#9 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 November 2010 - 07:50 AM

Thank you for your assistance!!! Just curious, even if my computer is sitting idle with no applications running, I find it strange to hear my CPU chugging away for a few seconds about every 2 minutes. Any insight on what may cause that?

Kind regards,

Dazzltoni

#10 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 01 November 2010 - 08:18 AM

Just curious, even if my computer is sitting idle with no applications running, I find it strange to hear my CPU chugging away for a few seconds about every 2 minutes. Any insight on what may cause that?

Nope. I doubt that you can hear your CPU though. Maybe it's your hard drive you hear?

Let's fix a reg entry and do an online scan.

Step 1.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime"

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2.
Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 22 .
  • Click the JDK 6 Update 22 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u22-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u22-windows-i586.exe and select "Run as an Administrator.")

Step 3.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of the log from Kaspersky Online Scan in step 2.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#11 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 03 November 2010 - 02:25 AM

OK, here is the content of the ComboFix.txt:

ComboFix 10-10-30.05 - HY Blair 02/11/2010 14:16:25.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1406 [GMT 0:00]
Running from: c:\documents and settings\WinXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WinXP\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((( Files Created from 2010-10-02 to 2010-11-02 )))))))))))))))))))))))))))))))
.

2010-10-23 12:00 . 2008-04-14 04:43 40840 -c--a-w- c:\windows\system32\dllcache\termdd.sys
2010-10-23 12:00 . 2008-04-14 04:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-10-14 07:52 . 2010-10-14 07:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-07-23 08:45 . 2006-07-23 08:45 1923095 -c--a-w- c:\program files\WinRAR Crystal Edition 2006.exe
2006-07-23 08:45 . 2006-07-23 08:45 1107227 -c--a-w- c:\program files\WinRAR 3.51 Corporate Edition.exe
2006-07-23 08:45 . 2006-07-23 08:45 1039753 -c--a-w- c:\program files\Winrar 3.60 Beta 4 Enterprise Edition Oem.exe
2004-03-11 13:27 . 2006-04-25 08:06 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2003-12-05 249856]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-03-18 1123360]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 6:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 6:41 PM 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [5/26/2010 4:02 PM 199400]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [1/19/2010 6:32 PM 85128]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [3/5/2003 7:07 AM 15840]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2/3/2010 12:57 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [1/4/2010 6:41 PM 111312]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [5/26/2010 4:02 PM 6656]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:00 PM 14336]
S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys --> c:\windows\system32\DRIVERS\S3G700m.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 890AE1BB
*Deregistered* - 890ae1bb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-11-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 04:42]

2010-11-01 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optionsxpress.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: pandasoftware.com\acs
Trusted Zone: pandasoftware.com\activescan
Trusted Zone: pandasoftware.com\www
Trusted Zone: pandasoftware.es\www
FF - ProfilePath - c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\gexs7lyq.Daz\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.elliottwave.com
FF - plugin: c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\gexs7lyq.Daz\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-02 14:26:26
ComboFix-quarantined-files.txt 2010-11-02 14:26
ComboFix2.txt 2010-11-01 18:35
ComboFix3.txt 2010-11-01 08:44
ComboFix4.txt 2010-11-01 07:36
ComboFix5.txt 2010-11-02 14:15

Pre-Run: 87,400,525,824 bytes free
Post-Run: 87,385,628,672 bytes free

- - End Of File - - 9BDACC384A7E9D39BF7CCD49E2B9231E

And here is the content of the Kaspersky Online Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 3, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 02, 2010 08:24:58
Records in database: 4202672
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 237331
Threats found: 4
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 15:21:21


File name / Threat / Threats count
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\1\197df581-2e22a5d2 Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\1\197df581-361d0729 Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\24\f40d558-2c102583 Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\51\f2b0d73-3a76cf61 Infected: Trojan-Downloader.Java.Agent.ff 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\54\5fb21cb6-3686d7e5 Infected: Trojan-Downloader.JS.Agent.fns 1
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\54\5fb21cb6-3686d7e5 Infected: Exploit.Java.CVE-2010-0094.a 1

Selected area has been scanned.

Just as you stated, older versions of Java had some vunerabilities, and that's what Kaspersky scan found

#12 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 03 November 2010 - 05:49 AM

Just as you stated, older versions of Java had some vunerabilities, and that's what Kaspersky scan found

Let's clear the cache then.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


There are an entry that respawns in the ComboFix log.
Please ensure that ALL your security programs (BitDefender, Superantispyware or AdvancedSystemCare, ...) are disabled before you run this CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Driver::
890ae1bb
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime"


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by heir, 03 November 2010 - 05:52 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#13 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 03 November 2010 - 09:02 AM

Here is the content for the CFScript log:

ComboFix 10-10-30.05 - HY Blair 03/11/2010 13:18:40.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1604 [GMT 0:00]
Running from: c:\documents and settings\WinXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WinXP\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_890AE1BB


((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
.

2010-11-03 07:39 . 2010-11-03 07:49 -------- d-----w- c:\documents and settings\WinXP\Application Data\Paltalk
2010-11-03 07:39 . 2010-11-03 07:39 -------- d-----w- c:\windows\PaltalkScene
2010-11-03 07:39 . 2010-11-03 07:39 -------- d-----w- c:\program files\Paltalk Messenger
2010-11-02 14:50 . 2010-11-02 14:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-02 14:49 . 2010-11-02 14:49 -------- d-----w- c:\program files\Java
2010-10-23 12:00 . 2008-04-14 04:43 40840 -c--a-w- c:\windows\system32\dllcache\termdd.sys
2010-10-23 12:00 . 2008-04-14 04:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-10-14 07:52 . 2010-10-14 07:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-02 14:49 . 2010-06-02 14:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2006-07-23 08:45 . 2006-07-23 08:45 1923095 -c--a-w- c:\program files\WinRAR Crystal Edition 2006.exe
2006-07-23 08:45 . 2006-07-23 08:45 1107227 -c--a-w- c:\program files\WinRAR 3.51 Corporate Edition.exe
2006-07-23 08:45 . 2006-07-23 08:45 1039753 -c--a-w- c:\program files\Winrar 3.60 Beta 4 Enterprise Edition Oem.exe
2004-03-11 13:27 . 2006-04-25 08:06 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-10-23_12.20.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-03 13:49 . 2010-11-03 13:49 16384 c:\windows\temp\Perflib_Perfdata_684.dat
+ 2005-10-05 12:12 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
+ 2004-08-04 12:00 . 2010-10-31 13:26 86526 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-06-01 13:10 86526 c:\windows\system32\perfc009.dat
+ 2005-10-05 12:12 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 209632 c:\windows\system32\wuweb.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-04 12:00 . 2010-10-31 13:26 477602 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-06-01 13:10 477602 c:\windows\system32\perfh009.dat
- 2010-06-02 14:37 . 2010-06-02 14:37 153376 c:\windows\system32\javaws.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 153376 c:\windows\system32\javaws.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 145184 c:\windows\system32\javaw.exe
- 2010-06-02 14:37 . 2010-06-02 14:37 145184 c:\windows\system32\javaw.exe
- 2010-06-02 14:37 . 2010-06-02 14:37 145184 c:\windows\system32\java.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 145184 c:\windows\system32\java.exe
+ 2005-10-05 12:12 . 2009-08-06 18:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2005-10-05 12:29 . 2002-07-12 10:15 106496 c:\windows\SiSUSBrg.exe
+ 2010-11-03 07:39 . 2010-11-03 07:39 580096 c:\windows\PaltalkScene\uninstall.exe
+ 2010-11-02 14:50 . 2010-11-02 14:50 180224 c:\windows\Installer\54277.msi
+ 2010-11-02 14:49 . 2010-11-02 14:49 677376 c:\windows\Installer\54272.msi
+ 2005-10-05 12:12 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2003-12-05 249856]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-03-18 1123360]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 6:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 6:41 PM 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [5/26/2010 4:02 PM 199400]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [1/19/2010 6:32 PM 85128]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [3/5/2003 7:07 AM 15840]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2/3/2010 12:57 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [1/4/2010 6:41 PM 111312]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [5/26/2010 4:02 PM 6656]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:00 PM 14336]
S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys --> c:\windows\system32\DRIVERS\S3G700m.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-11-02 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 04:42]

2010-11-02 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optionsxpress.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: pandasoftware.com\acs
Trusted Zone: pandasoftware.com\activescan
Trusted Zone: pandasoftware.com\www
Trusted Zone: pandasoftware.es\www
FF - ProfilePath - c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\gexs7lyq.Daz\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.elliottwave.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-03 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-03 13:53:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-03 13:53
ComboFix2.txt 2010-11-02 14:26
ComboFix3.txt 2010-11-01 18:35
ComboFix4.txt 2010-11-01 08:44
ComboFix5.txt 2010-11-03 13:11

Pre-Run: 87,199,748,096 bytes free
Post-Run: 87,304,110,080 bytes free

- - End Of File - - 0A62DCD6DD55D6834F6C3B94133EDBF7

Mind you all anti-virus and malware protection has been disabled

#14 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 03 November 2010 - 10:06 AM

There were a minor error in the script that I've corrected here

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\\program files\\QuickTime\\qttask.exe -atboottime"


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#15 dazzltoni

dazzltoni
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 06 November 2010 - 04:59 AM

Here is the log from the recent CFScript file:

ComboFix 10-10-30.05 - HY Blair 06/11/2010 9:51.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1309 [GMT 0:00]
Running from: c:\documents and settings\WinXP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WinXP\Desktop\CFScript.txt
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2010-10-06 to 2010-11-06 )))))))))))))))))))))))))))))))
.

2010-11-05 17:05 . 2010-11-05 18:07 -------- d-----w- C:\MyMusic
2010-11-05 17:04 . 2010-11-05 17:13 -------- d-----w- c:\program files\1-Click YouTube To MP3 Converter
2010-11-05 11:15 . 2010-11-05 11:15 -------- d-----w- C:\bin
2010-11-05 11:13 . 2010-11-05 11:13 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-11-05 11:04 . 2006-03-03 21:03 69632 ----a-w- c:\windows\system32\HPZipm12.1
2010-11-05 11:04 . 2010-11-05 11:04 -------- d-----w- c:\windows\LastGood
2010-11-03 07:39 . 2010-11-03 07:49 -------- d-----w- c:\documents and settings\WinXP\Application Data\Paltalk
2010-11-03 07:39 . 2010-11-03 07:39 -------- d-----w- c:\windows\PaltalkScene
2010-11-03 07:39 . 2010-11-03 07:39 -------- d-----w- c:\program files\Paltalk Messenger
2010-11-02 14:50 . 2010-11-02 14:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-02 14:49 . 2010-11-02 14:49 -------- d-----w- c:\program files\Java
2010-10-23 12:00 . 2008-04-14 04:43 40840 -c--a-w- c:\windows\system32\dllcache\termdd.sys
2010-10-23 12:00 . 2008-04-14 04:43 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2010-10-14 07:52 . 2010-10-14 07:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-02 14:49 . 2010-06-02 14:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2006-07-23 08:45 . 2006-07-23 08:45 1923095 -c--a-w- c:\program files\WinRAR Crystal Edition 2006.exe
2006-07-23 08:45 . 2006-07-23 08:45 1107227 -c--a-w- c:\program files\WinRAR 3.51 Corporate Edition.exe
2006-07-23 08:45 . 2006-07-23 08:45 1039753 -c--a-w- c:\program files\Winrar 3.60 Beta 4 Enterprise Edition Oem.exe
2004-03-11 13:27 . 2006-04-25 08:06 40960 -c--a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-10-23_12.20.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-05 11:07 . 2010-11-05 11:07 82432 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
- 2006-12-18 10:52 . 2006-12-18 10:52 82432 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2010-11-05 10:44 . 2010-11-05 10:44 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2005-10-05 12:12 . 2009-08-06 18:24 35552 c:\windows\system32\wups.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 53472 c:\windows\system32\wuauclt.exe
- 2004-08-04 12:00 . 2010-06-01 13:10 86526 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-10-31 13:26 86526 c:\windows\system32\perfc009.dat
+ 2006-09-07 15:21 . 2010-11-05 11:27 38200 c:\windows\system32\GDIPFONTCACHEV1.DAT
+ 2005-10-05 12:12 . 2009-08-06 18:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2010-05-31 21:24 . 2010-11-05 11:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-31 21:24 . 2010-06-03 09:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-10-05 12:22 . 2010-11-05 11:05 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-10-05 12:22 . 2010-06-03 09:14 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-11-05 11:05 . 2010-11-05 11:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-08-06 18:24 96480 c:\windows\system32\cdm.dll
+ 2006-12-18 10:53 . 2010-11-05 11:09 65536 c:\windows\Installer\{DBC20735-34E6-4E97-A9E5-2066B66B243D}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2006-12-18 10:53 . 2006-12-18 10:53 65536 c:\windows\Installer\{DBC20735-34E6-4E97-A9E5-2066B66B243D}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
+ 2010-11-05 11:08 . 2010-11-05 11:08 65536 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\ARPPRODUCTICON.exe
- 2006-12-18 10:53 . 2006-12-18 10:53 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut27.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-12-18 10:53 . 2010-11-05 11:09 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut27.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-12-18 10:53 . 2006-12-18 10:53 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut25.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-12-18 10:53 . 2010-11-05 11:09 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut25.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut15_1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 65536 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut15_1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-02-19 03:28 . 2006-02-19 03:28 12288 c:\windows\Fonts\RandFont.dll
+ 2005-08-19 03:00 . 2005-08-19 03:00 2560 c:\windows\system32\drivers\cdralw2k.sys
+ 2005-08-19 03:00 . 2005-08-19 03:00 2432 c:\windows\system32\drivers\cdr4_xp.sys
- 2006-12-18 10:54 . 2006-12-18 10:54 4286 c:\windows\Installer\{B6286A44-7505-471A-A72B-04EC2DB2F442}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
+ 2006-12-18 10:54 . 2010-11-05 11:11 4286 c:\windows\Installer\{B6286A44-7505-471A-A72B-04EC2DB2F442}\Shortcut_start.9FAB98ED_2143_4534_9750_7CD4ECEB9596.exe
+ 2005-10-05 12:12 . 2009-08-06 18:24 209632 c:\windows\system32\wuweb.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 327896 c:\windows\system32\wucltui.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 575704 c:\windows\system32\wuapi.dll
+ 2005-09-29 15:05 . 2005-09-29 15:05 151552 c:\windows\system32\pxwma.dll
- 2004-08-04 12:00 . 2010-06-01 13:10 477602 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-10-31 13:26 477602 c:\windows\system32\perfh009.dat
- 2010-06-02 14:37 . 2010-06-02 14:37 153376 c:\windows\system32\javaws.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 153376 c:\windows\system32\javaws.exe
- 2010-06-02 14:37 . 2010-06-02 14:37 145184 c:\windows\system32\javaw.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 145184 c:\windows\system32\javaw.exe
- 2010-06-02 14:37 . 2010-06-02 14:37 145184 c:\windows\system32\java.exe
+ 2010-11-02 14:50 . 2010-11-02 14:49 145184 c:\windows\system32\java.exe
+ 2004-05-27 14:00 . 2004-05-27 14:00 118784 c:\windows\system32\HPODXPAT.DLL
+ 2005-10-05 12:12 . 2009-08-06 18:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2005-10-05 12:12 . 2009-08-06 18:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2005-10-05 12:29 . 2002-07-12 10:15 106496 c:\windows\SiSUSBrg.exe
+ 2010-11-03 07:39 . 2010-11-03 07:39 580096 c:\windows\PaltalkScene\uninstall.exe
+ 2010-11-05 11:10 . 2010-11-05 11:10 344064 c:\windows\Installer\edf26.msi
+ 2010-11-05 11:10 . 2010-11-05 11:10 338944 c:\windows\Installer\edf21.msi
+ 2010-11-05 11:10 . 2010-11-05 11:10 557056 c:\windows\Installer\edf1c.msi
+ 2010-11-05 11:10 . 2010-11-05 11:10 325632 c:\windows\Installer\edf16.msi
+ 2010-11-05 11:10 . 2010-11-05 11:10 316416 c:\windows\Installer\edf11.msi
+ 2010-11-05 11:10 . 2010-11-05 11:10 467456 c:\windows\Installer\edf0c.msi
+ 2010-11-05 11:09 . 2010-11-05 11:09 488448 c:\windows\Installer\edefd.msi
+ 2010-11-05 11:09 . 2010-11-05 11:09 537088 c:\windows\Installer\edef7.msi
+ 2010-11-05 11:09 . 2010-11-05 11:09 121344 c:\windows\Installer\edec8.msi
+ 2010-11-05 11:09 . 2010-11-05 11:09 489472 c:\windows\Installer\edec3.msi
+ 2010-11-05 11:09 . 2010-11-05 11:09 667136 c:\windows\Installer\edebd.msi
+ 2010-11-05 11:08 . 2010-11-05 11:08 492032 c:\windows\Installer\ede88.msi
+ 2010-11-05 11:08 . 2010-11-05 11:08 121344 c:\windows\Installer\ede83.msi
+ 2010-11-05 11:08 . 2010-11-05 11:08 183296 c:\windows\Installer\ede7b.msi
+ 2010-11-05 11:07 . 2010-11-05 11:07 437248 c:\windows\Installer\ede73.msi
+ 2010-11-05 11:07 . 2010-11-05 11:07 202240 c:\windows\Installer\ede6b.msi
+ 2010-11-05 11:07 . 2010-11-05 11:07 795136 c:\windows\Installer\ede66.msi
+ 2010-11-05 11:07 . 2010-11-05 11:07 547840 c:\windows\Installer\ede3e.msi
+ 2010-11-05 11:07 . 2010-11-05 11:07 637952 c:\windows\Installer\ede2e.msi
+ 2010-11-05 11:06 . 2010-11-05 11:06 334848 c:\windows\Installer\ede1e.msi
+ 2010-11-05 10:26 . 2010-11-05 10:26 425984 c:\windows\Installer\59f189a.msi
+ 2010-11-02 14:50 . 2010-11-02 14:50 180224 c:\windows\Installer\54277.msi
+ 2010-11-02 14:49 . 2010-11-02 14:49 677376 c:\windows\Installer\54272.msi
+ 2010-11-05 11:17 . 2010-11-05 11:17 244224 c:\windows\Installer\1bf6b0.msi
+ 2010-11-05 11:17 . 2010-11-05 11:17 323072 c:\windows\Installer\1bf6a6.msi
+ 2010-11-05 11:16 . 2010-11-05 11:16 291328 c:\windows\Installer\1bf699.msi
+ 2010-11-05 11:15 . 2010-11-05 11:15 121344 c:\windows\Installer\1bf691.msi
+ 2010-11-05 11:15 . 2010-11-05 11:15 477696 c:\windows\Installer\1bf68c.msi
+ 2010-11-05 11:15 . 2010-11-05 11:15 121344 c:\windows\Installer\1bf684.msi
+ 2010-11-05 11:15 . 2010-11-05 11:15 121344 c:\windows\Installer\1bf67c.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 609280 c:\windows\Installer\197a4b.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 304128 c:\windows\Installer\19795e.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 304128 c:\windows\Installer\197958.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 310272 c:\windows\Installer\197952.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 390144 c:\windows\Installer\19794c.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 314368 c:\windows\Installer\197943.msi
+ 2010-11-05 11:12 . 2010-11-05 11:12 304128 c:\windows\Installer\19793e.msi
+ 2010-11-05 11:12 . 2010-11-05 11:12 314368 c:\windows\Installer\197938.msi
+ 2010-11-05 11:12 . 2010-11-05 11:12 303104 c:\windows\Installer\197933.msi
+ 2010-11-05 11:11 . 2010-11-05 11:11 479232 c:\windows\Installer\1978ff.msi
+ 2010-11-05 11:11 . 2010-11-05 11:11 121344 c:\windows\Installer\1978f7.msi
+ 2010-11-05 11:08 . 2010-11-05 11:08 643072 c:\windows\Installer\{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}\HPSUShortcut_BB85ED9CAFC943BDB8DC258C3C7DF72E.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut9.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut9.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut8.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut8.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut7.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut7.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-12-18 10:53 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut6.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-12-18 10:53 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut6.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut24.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut24.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut23.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut23.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut22.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut22.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut21.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut21.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut20.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut20.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut2.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut2.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut19.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut19.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut18.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut18.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut17.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut17.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut16.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut16.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut14.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut14.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut13.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut13.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut12.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut12.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut11.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut11.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut10.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut10.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-11-02 16:44 . 2006-12-18 10:53 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2006-11-02 16:44 . 2010-11-05 11:09 110592 c:\windows\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2006-12-18 10:40 . 2006-12-18 11:04 117092 c:\windows\hpoins11.dat
+ 2010-11-05 11:01 . 2010-11-05 11:26 117092 c:\windows\hpoins11.dat
+ 2010-11-05 11:07 . 2010-11-05 11:07 1230336 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
- 2006-12-18 10:52 . 2006-12-18 10:52 1230336 c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 1929952 c:\windows\system32\wuaueng.dll
+ 2005-12-09 13:47 . 2005-12-09 13:47 1645320 c:\windows\system32\gdiplus.dll
+ 2005-10-05 12:12 . 2009-08-06 18:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-11-05 11:09 . 2010-11-05 11:09 3155456 c:\windows\Installer\eded2.msi
+ 2010-11-05 11:08 . 2010-11-05 11:08 1241600 c:\windows\Installer\ede7e.msi
+ 2010-11-05 11:16 . 2010-11-05 11:16 1939968 c:\windows\Installer\1bf6a0.msi
+ 2010-11-05 11:15 . 2010-11-05 11:15 1152512 c:\windows\Installer\1bf676.msi
+ 2010-11-05 11:14 . 2010-11-05 11:14 3443712 c:\windows\Installer\1bf5d5.msi
+ 2010-11-05 11:13 . 2010-11-05 11:13 4443648 c:\windows\Installer\197963.msi
+ 2010-11-05 11:12 . 2010-11-05 11:12 1795584 c:\windows\Installer\197926.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2003-12-05 249856]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2008-08-15 378224]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-03-18 1123360]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 6:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 6:41 PM 67656]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [5/26/2010 4:02 PM 199400]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [1/19/2010 6:32 PM 85128]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [3/5/2003 7:07 AM 15840]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2/3/2010 12:57 PM 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [1/4/2010 6:41 PM 111312]
S3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [5/26/2010 4:02 PM 6656]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 12:00 PM 14336]
S3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys --> c:\windows\system32\DRIVERS\S3G700m.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 12BEB740
*NewlyCreated* - HP_PORT_RESOLVER
*NewlyCreated* - HP_STATUS_SERVER
*NewlyCreated* - PML_DRIVER_HPZ12
*Deregistered* - 12beb740

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-11-05 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 04:42]

2010-11-05 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optionsxpress.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/ymj/*http://www.yahoo.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: pandasoftware.com\acs
Trusted Zone: pandasoftware.com\activescan
Trusted Zone: pandasoftware.com\www
Trusted Zone: pandasoftware.es\www
FF - ProfilePath - c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\gexs7lyq.Daz\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT329536&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Google.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.elliottwave.com
FF - plugin: c:\documents and settings\WinXP\Application Data\Mozilla\Firefox\Profiles\gexs7lyq.Daz\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-06 09:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-11-06 09:55:17
ComboFix-quarantined-files.txt 2010-11-06 09:55
ComboFix2.txt 2010-11-03 13:53
ComboFix3.txt 2010-11-02 14:26
ComboFix4.txt 2010-11-01 18:35
ComboFix5.txt 2010-11-06 09:44

Pre-Run: 86,800,850,944 bytes free
Post-Run: 86,785,007,616 bytes free

- - End Of File - - F463650FF2E2F388DA11E68E45D23B9B




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users