
Infected with Juggle.com Browser Hijack


This topic is locked
6 replies to this topic

#1 Greysloth

  • Members
  • 3 posts

Posted 10 November 2010 - 08:44 AM

I've somehow managed to get a problem that is hijacking any browser I use. I end up at various sites that are not where I was wanting to go. The most memorable is Juggle.com.

I'm running Windows XP Pro with 4 gigs.

I've run Ad-Aware and Spybot, and I have Norton AntiVirus. I had Norton installed prior to this issue, so it managed to sneak in.

Any help would be greatly appreciated.



DDS (Ver_10-11-08.01) - NTFSx86
Run by Sloth at 16:54:33.03 on 09/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1628 [GMT -5:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mirth\wrapper-windows-x86-32.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\vVX6000.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Java\jre6\launch4j-tmp\MirthServerManager.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS2008\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Sloth\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uStart Page = https://ckmhealthcare.webex.com/mw0306l/mywebex/default.do?siteurl=ckmhealthcare
uInternet Settings,ProxyOverride = *.local
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [NBAgent] "c:\program files\nero\nero backitup & burn\nero backitup\NBAgent.exe" /WinStart
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Mirth] c:\program files\mirth\MirthServerManager.exe
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [vptray] c:\program files\navnt\vptray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\altova\xmlspy2008\spy.htm
IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2008\spy.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://z.qatest.pointclickcare.com/tools/smsx.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.health.gov.sk.ca/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1244588169234
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245340946699
DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} - hxxps://remote.kgh.on.ca/net6helper.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} - hxxps://ca.cdc.gov/vsimport.cab
DPF: {B57F9ACB-FD32-433E-8F30-515B2D8226F6} - hxxps://ca.cdc.gov/sdncode/sdnapp/common/chkperm.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ckmhealthcare.webex.com/client/T27LB/webex/ieatgpc.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://vpn.health.gov.sk.ca/CACHE/sdesktop/install/binaries/instweb.cab
TCP: {B1095B8D-C97C-463D-B379-3E7EA06F07B4} = 208.67.222.222,208.67.220.220
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {BAFB867B-0BA0-4B37-A370-E4B4A02EC792} - c:\windows\system32\msiexec.exe /qn /fpu {BAFB867B-0BA0-4B37-A370-E4B4A02EC792}

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sloth\applic~1\mozilla\firefox\profiles\yjc154of.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\sloth\application data\mozilla\firefox\profiles\yjc154of.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\sloth\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\sloth\application data\mozilla\plugins\npCtxCAO.dll
FF - plugin: c:\documents and settings\sloth\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\citrix\access gateway\npcagse.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-8 64288]
R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [2010-11-8 12960]
R2 BlackfishSQL;BlackfishSQL;c:\program files\codegear\rad studio\6.0\bin\BSQLServer.exe [2008-8-29 65536]
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-8-10 78360]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
R2 Mirth;Mirth Server;c:\program files\mirth\wrapper-windows-x86-32.exe [2010-10-6 233984]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-5-30 218136]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 MSSQL$SQLEXPRESS2008;SQL Server (SQLEXPRESS2008);c:\program files\microsoft sql server\mssql10.sqlexpress2008\mssql\binn\sqlservr.exe [2008-8-15 40999448]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-8-16 592120]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2010-8-12 26137]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s [?]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-11-8 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2010-11-8 1371184]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-4-17 115944]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-6-10 222976]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\act\act for windows\Act.Scheduler.exe [2008-7-31 81920]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.mssqlserver\reporting services\reportserver\bin\ReportingServicesService.exe [2008-5-30 1105944]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2010-8-12 155152]
S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]
S3 oad;Visibroker Activation Daemon;c:\progra~1\borland\vbroker\bin\oad.exe [2009-6-19 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\borland\vbroker\bin\osagent.exe [2009-6-19 193536]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-6-26 2069504]
S4 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.mssqlserver\mssql\binn\fdlauncher.exe [2008-5-30 30744]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-8-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS2008;SQL Server Agent (SQLEXPRESS2008);c:\program files\microsoft sql server\mssql10.sqlexpress2008\mssql\binn\SQLAGENT.EXE [2008-8-15 369688]

=============== Created Last 30 ================

2010-11-09 02:43:24 388096 ----a-r- c:\docume~1\sloth\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-11-09 02:43:24 -------- d-----w- c:\program files\Trend Micro
2010-11-09 02:31:08 57696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-09 02:31:08 4032 ----a-w- c:\windows\system32\SYMEVNT1.DLL
2010-11-09 02:31:08 36864 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-09 02:31:08 120379 ----a-w- c:\windows\system32\SYMEVNT.386
2010-11-09 02:30:59 -------- d-----w- c:\windows\system32\CBA
2010-11-09 02:30:50 -------- d-----w- c:\program files\NavNT
2010-11-09 01:29:52 -------- d-----w- c:\program files\common files\BitDefender
2010-11-09 01:29:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-11-09 01:29:37 251536 ----a-w- c:\windows\system32\drivers\Trufos.sys
2010-11-09 01:29:35 289608 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-11-09 01:29:35 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2010-11-08 23:19:00 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-08 14:41:37 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-08 14:41:35 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-08 14:36:21 -------- d-----w- c:\docume~1\sloth\locals~1\applic~1\Sunbelt Software
2010-11-08 14:36:02 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-08 14:35:40 -------- d-----w- c:\program files\Lavasoft
2010-11-08 03:59:20 -------- d-----w- c:\docume~1\sloth\applic~1\Malwarebytes
2010-11-08 03:59:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-08 03:59:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 03:59:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-08 03:59:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-03 05:04:41 -------- d-----w- c:\docume~1\sloth\locals~1\applic~1\Yahoo
2010-11-02 19:06:41 -------- d-----w- c:\program files\Cisco
2010-11-02 19:06:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Cisco
2010-11-02 14:41:30 -------- d-----w- c:\docume~1\sloth\locals~1\applic~1\Cisco
2010-11-02 14:41:29 -------- d-----w- c:\docume~1\sloth\applic~1\Cisco
2010-10-20 15:11:13 356439 ----a-w- c:\windows\system32\GDS32.DLL
2010-10-13 21:23:16 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 21:23:16 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 21:23:08 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 18:03:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Act
2010-10-12 18:00:20 88 --sh--r- c:\docume~1\alluse~1\applic~1\6BA8AD2BCD.sys
2010-10-12 18:00:19 952 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-10-12 18:00:11 -------- d-----w- c:\docume~1\sloth\applic~1\IsolatedStorage
2010-10-12 17:57:59 94208 ----a-w- c:\windows\system32\msvci70d.dll
2010-10-12 17:57:59 536576 ----a-w- c:\windows\system32\msvcr70d.dll
2010-10-12 17:57:56 733267 ----a-w- C:\ADChronopher.dll
2010-10-12 17:57:56 266327 ----a-w- C:\ADErrorHandling.dll
2010-10-12 17:56:31 -------- d-----w- c:\program files\common files\Protexis
2010-10-12 17:53:40 -------- d-----w- c:\docume~1\sloth\locals~1\applic~1\Xenocode
2010-10-12 17:44:20 -------- d-----w- c:\docume~1\sloth\applic~1\ACT
2010-10-12 17:44:01 -------- d-----w- c:\program files\ACT

==================== Find3M ====================

2010-11-02 17:14:55 1080 ----a-w- c:\windows\AUTOLNCH.REG
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 18:20:02 8952 ----a-w- c:\windows\system32\vpncategories.dll
2010-08-16 18:19:32 28920 ----a-w- c:\windows\system32\vpnevents.dll
2010-08-16 16:20:32 130808 ----a-w- c:\windows\system32\vpnweb.ocx
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 16:56:14.17 ===============


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts

Posted 10 November 2010 - 12:31 PM

Hello Greysloth ,



This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Greysloth.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Greysloth

  • Topic Starter
  • Members
  • 3 posts

Posted 10 November 2010 - 05:03 PM

Hi Tea,

Thanks for your help thus far; below is the log.txt that you requested.

ComboFix 10-11-09.03 - Sloth 10/11/2010 16:30:53.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.1715 [GMT -5:00]
Running from: c:\documents and settings\Sloth\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sloth\g2mdlhlpx.exe
c:\release archives\CKM Software\Encryption Software\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\Copy of SmplData\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\pccWeb\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\pccWeb\remote\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\pccWeb\remote\backups\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\HomeCare\SmplData\_desktop.ini
c:\release archives\CKM Software\Encryption Software\OMH\SmplData\_desktop.ini
c:\windows\AUTOLNCH.REG
c:\windows\system32\Cache
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-09 02:43 . 2010-11-09 02:43 388096 ----a-r- c:\documents and settings\Sloth\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-11-09 02:43 . 2010-11-09 02:43 -------- d-----w- c:\program files\Trend Micro
2010-11-09 02:31 . 2001-09-24 08:29 57696 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-09 02:31 . 2001-09-24 08:29 4032 ----a-w- c:\windows\system32\SYMEVNT1.DLL
2010-11-09 02:31 . 2001-09-24 08:29 36864 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-09 02:31 . 2001-09-24 08:29 120379 ----a-w- c:\windows\system32\SYMEVNT.386
2010-11-09 02:30 . 2010-11-09 02:31 -------- d-----w- c:\windows\system32\CBA
2010-11-09 02:30 . 2010-11-09 13:53 -------- d-----w- c:\program files\NavNT
2010-11-09 01:29 . 2010-11-09 01:29 -------- d-----w- c:\program files\Common Files\BitDefender
2010-11-09 01:29 . 2010-11-09 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2010-11-09 01:29 . 2010-06-18 16:57 251536 ----a-w- c:\windows\system32\drivers\Trufos.sys
2010-11-09 01:29 . 2010-07-05 22:12 289608 ----a-w- c:\windows\system32\drivers\bdfsfltr.sys
2010-11-09 01:29 . 2010-05-13 22:02 12960 ----a-w- c:\windows\system32\drivers\bdrawpr.sys
2010-11-08 23:19 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-08 14:41 . 2010-09-23 07:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-11-08 14:41 . 2010-11-08 14:41 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-11-08 14:36 . 2010-11-08 14:36 -------- d-----w- c:\documents and settings\Sloth\Local Settings\Application Data\Sunbelt Software
2010-11-08 14:36 . 2010-11-08 14:36 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}
2010-11-08 14:35 . 2010-11-08 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-11-08 14:35 . 2010-11-08 14:35 -------- d-----w- c:\program files\Lavasoft
2010-11-08 03:59 . 2010-11-08 03:59 -------- d-----w- c:\documents and settings\Sloth\Application Data\Malwarebytes
2010-11-08 03:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-08 03:59 . 2010-11-08 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-08 03:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 03:59 . 2010-11-08 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-05 05:39 . 2010-11-05 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2010-11-05 05:39 . 2010-11-05 05:39 -------- d-----w- c:\program files\TechSmith
2010-11-03 05:04 . 2010-11-03 05:04 -------- d-----w- c:\documents and settings\Sloth\Local Settings\Application Data\Yahoo
2010-11-02 19:06 . 2010-11-02 19:06 -------- d-----w- c:\program files\Cisco
2010-11-02 19:06 . 2010-11-02 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Cisco
2010-11-02 14:41 . 2010-11-02 19:07 -------- d-----w- c:\documents and settings\Sloth\Local Settings\Application Data\Cisco
2010-11-02 14:41 . 2010-11-02 14:41 -------- d-----w- c:\documents and settings\Sloth\Application Data\Cisco
2010-10-20 15:11 . 2006-01-17 05:05 356439 ----a-w- c:\windows\system32\GDS32.DLL
2010-10-13 21:23 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 21:23 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 21:23 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-12 18:03 . 2010-10-12 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Act
2010-10-12 18:00 . 2010-10-12 18:00 88 --sh--r- c:\documents and settings\All Users\Application Data\6BA8AD2BCD.sys
2010-10-12 18:00 . 2010-11-10 21:51 952 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-10-12 18:00 . 2010-10-12 18:00 -------- d-----w- c:\documents and settings\Sloth\Application Data\IsolatedStorage
2010-10-12 17:57 . 2003-08-28 18:08 536576 ----a-w- c:\windows\system32\msvcr70d.dll
2010-10-12 17:57 . 2003-08-28 18:06 94208 ----a-w- c:\windows\system32\msvci70d.dll
2010-10-12 17:57 . 2004-03-22 16:09 733267 ----a-w- C:\ADChronopher.dll
2010-10-12 17:57 . 2003-09-17 17:00 266327 ----a-w- C:\ADErrorHandling.dll
2010-10-12 17:56 . 2010-10-12 17:56 -------- d-----w- c:\program files\Common Files\Protexis
2010-10-12 17:53 . 2010-10-12 17:53 -------- d-----w- c:\documents and settings\Sloth\Local Settings\Application Data\Xenocode
2010-10-12 17:44 . 2010-10-12 17:44 -------- d-----w- c:\documents and settings\Sloth\Application Data\ACT
2010-10-12 17:44 . 2010-10-12 17:44 -------- d-----w- c:\program files\ACT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 00:56 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 20:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 20:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16 . 2004-08-04 00:56 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16 . 2004-08-03 22:59 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16 . 2004-08-04 00:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49 . 2004-08-03 22:59 369664 ----a-w- c:\windows\system32\html.iec
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-08-04 00:56 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-03 23:17 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 00:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 00:56 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-03 23:14 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-06-10 04:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 00:56 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 00:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 18:20 . 2010-08-16 18:20 8952 ----a-w- c:\windows\system32\vpncategories.dll
2010-08-16 18:19 . 2010-08-16 18:19 28920 ----a-w- c:\windows\system32\vpnevents.dll
2010-08-16 18:02 . 2010-08-16 18:02 19680 ----a-w- c:\windows\system32\drivers\vpnva.sys
2010-08-16 16:20 . 2010-08-16 16:20 130808 ----a-w- c:\windows\system32\vpnweb.ocx
2010-08-16 08:45 . 2004-08-04 00:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-06 17:06 . 2009-03-06 17:06 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-03-06 17:06 . 2009-03-06 17:06 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-03-06 17:07 . 2009-03-06 17:07 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-06-19 15:19 . 2009-06-19 15:19 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-26 328056]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25626408]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-04-17 394984]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-12-03 5244216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-04-10 29757440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-14 50472]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"VX6000"="c:\windows\vVX6000.exe" [2009-06-26 759296]
"NBAgent"="c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" [2009-09-01 1086760]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Mirth"="c:\program files\Mirth\MirthServerManager.exe" [2010-01-15 126464]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to IPACImportManager.exe.lnk - c:\ckmhealthcare\Source\Import Manager\IPACImportManager.exe [2009-6-25 982016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\CodeGear\\RAD Studio\\6.0\\bin\\webappdbg.exe"=
"c:\\Program Files\\XBMC\\XBMC.exe"=
"c:\\Program Files\\Nero\\Nero BackItUp & Burn\\Nero BackItUp\\BackItUp.exe"=
"c:\\Program Files\\Nero\\Nero BackItUp & Burn\\Nero BackItUp\\NBCore.exe"=
"c:\\Documents and Settings\\Sloth\\My Documents\\Downloads\\CitrixSAClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Citrix\\Access Gateway\\cag_plugin.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\Nortel Networks\\VPN\\Extranet.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\MirthServerManager.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\Documents and Settings\\Sloth\\Local Settings\\Apps\\2.0\\MOCHHJLJ.D4G\\YLLZQ92B.97V\\curs..tion_eee711038731a406_0004.0000_1829574f2226d088\\CurseClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6967:TCP"= 6967:TCP:League of Legends Launcher
"6967:UDP"= 6967:UDP:League of Legends Launcher
"58738:TCP"= 58738:TCP:Pando Media Booster
"58738:UDP"= 58738:UDP:Pando Media Booster

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [08/11/2010 9:41 AM 64288]
R1 BdRawPr;BdRawPr;c:\windows\system32\drivers\bdrawpr.sys [08/11/2010 8:29 PM 12960]
R2 BlackfishSQL;BlackfishSQL;c:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [29/08/2008 2:00 PM 65536]
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common Files\cag.sys [10/08/2009 1:18 PM 78360]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [23/09/2010 2:46 AM 1375992]
R2 Mirth;Mirth Server;c:\program files\Mirth\wrapper-windows-x86-32.exe [06/10/2010 10:36 AM 233984]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [30/05/2008 1:36 PM 218136]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [27/05/2009 2:27 AM 29262680]
R2 MSSQL$SQLEXPRESS2008;SQL Server (SQLEXPRESS2008);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS2008\MSSQL\Binn\sqlservr.exe [15/08/2008 1:47 PM 40999448]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [16/08/2010 1:16 PM 592120]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [12/08/2010 3:02 PM 26137]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s --> c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s [?]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [23/09/2010 2:46 AM 15264]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [10/06/2009 8:33 AM 222976]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [31/07/2008 8:04 PM 81920]
S2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [30/05/2008 1:37 PM 1105944]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [12/08/2010 3:02 PM 155152]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 oad;Visibroker Activation Daemon;c:\progra~1\Borland\vbroker\bin\oad.exe [19/06/2009 10:50 AM 1781248]
S3 osagent;VisiBroker Smart Agent;c:\progra~1\Borland\vbroker\bin\osagent.exe [19/06/2009 10:50 AM 193536]
S3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [26/06/2009 5:21 PM 2069504]
S4 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [30/05/2008 1:16 PM 30744]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [15/08/2008 1:47 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [10/07/2008 1:49 AM 242712]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/06/2009 2:04 AM 691696]
S4 SQLAgent$SQLEXPRESS2008;SQL Server Agent (SQLEXPRESS2008);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS2008\MSSQL\Binn\SQLAGENT.EXE [15/08/2008 1:47 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{BAFB867B-0BA0-4B37-A370-E4B4A02EC792}]
2008-04-21 07:26 95744 ----a-w- c:\windows\system32\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 14:41]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-746137067-839522115-1003Core.job
- c:\documents and settings\Sloth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-22 02:26]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-746137067-839522115-1003UA.job
- c:\documents and settings\Sloth\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-22 02:26]

2010-11-09 c:\windows\Tasks\Sloth NBAgent.job
- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe [2009-09-01 21:31]

2010-11-09 c:\windows\Tasks\Sloth.job
- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBCore.exe [2009-09-01 21:31]

2010-03-30 c:\windows\Tasks\Sloth2.job
- c:\program files\Nero\Nero BackItUp & Burn\Nero BackItUp\NBCore.exe [2009-09-01 21:31]
.
.
------- Supplementary Scan -------
.
uStart Page = https://ckmhealthcare.webex.com/mw0306l/mywebex/default.do?siteurl=ckmhealthcare
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Edit with Altova X&MLSpy - c:\program files\Altova\XMLSpy2008\spy.htm
TCP: {B1095B8D-C97C-463D-B379-3E7EA06F07B4} = 208.67.222.222,208.67.220.220
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.health.gov.sk.ca/CACHE/stc/1/binaries/vpnweb.cab
DPF: {B1D475FE-75CD-11D2-8301-0060B0B32E16} - hxxps://ca.cdc.gov/vsimport.cab
DPF: {B57F9ACB-FD32-433E-8F30-515B2D8226F6} - hxxps://ca.cdc.gov/sdncode/sdnapp/common/chkperm.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://vpn.health.gov.sk.ca/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\Sloth\Application Data\Mozilla\Firefox\Profiles\yjc154of.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\documents and settings\Sloth\Application Data\Mozilla\Firefox\Profiles\yjc154of.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\Sloth\Application Data\Mozilla\plugins\npatgpc.dll
FF - plugin: c:\documents and settings\Sloth\Application Data\Mozilla\plugins\npCtxCAO.dll
FF - plugin: c:\documents and settings\Sloth\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Citrix\Access Gateway\npcagse.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-nwiz - nwiz.exe
AddRemove-Astroburn Toolbar - c:\program files\Astroburn Toolbar\uninst.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-xhirshmdbo - c:\windows\system32\xhirshmdbo.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\||A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1880)
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3540)
c:\program files\TrueLaunchBar\tlb.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Java\jre6\launch4j-tmp\MirthServerManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-11-10 16:59:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 21:59

Pre-Run: 97,766,289,408 bytes free
Post-Run: 97,539,518,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 52C22ECD99C86A19696BDA81B4FE9A99

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 November 2010 - 05:16 PM

Hi there,

Looks like you had a Bamital infection....how is it running after a reboot? It *should* be better. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 Greysloth

  • Topic Starter
  • Members
  • 3 posts

Posted 11 November 2010 - 12:26 AM

Hi Tea,

I'm back in business, thanks for all your help. This thread can now be closed.

Greysloth

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 11 November 2010 - 10:19 AM

Hello,

You're welcome. :)

Uninstall ComboFix by doing the following:

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

Take care,
tea

#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 14 November 2010 - 01:24 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
