
removing mebroot/torpig


8 replies to this topic

#1 1legchevy

  • Members
  • 5 posts

Posted 30 December 2010 - 02:11 AM

Hi. A few weeks ago, while online, a window popped up with a scam-type virus message. I did not click on the message and immediately shut off my computer. The virus was still able to infect my computer. I had two antivirus/spyware/malware programs running on my computer at the time. I was able to get the computer to work again through a long, drawn-out process of trying many different antivirus software programs and running Spybot, malware remover, etc. I thought the computer was clean. However, Qwest, who provides my wireless service, has sent repeated emails that my computer is infected with Mebroot and sending out something to the internet. I have run Malwarebytes, Spybot, SUPERAntiSpyware, Spyware Doctor, VIPRE, HijackThis, etc., and cannot find the problem. Please help.

I have followed the instructions located in another forum on bleepingcomputer.com, 'Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help'. The DDS text file is:


DDS (Ver_10-12-12.02) - NTFSx86
Run by camie at 22:56:30.04 on Wed 12/29/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.335 [GMT -7:00]

AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\PROGRA~1\IObitBar\toolbar\1.bin\i0brmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\camie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uURLSearchHooks: N/A: {7757cbcc-0975-4b79-a519-90b142ca3a23} - c:\program files\iobitbar\toolbar\1.bin\i0SrcAs.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Toolbar BHO: {efa17361-cdc0-4927-9afc-baad1f96b2ae} - c:\program files\iobitbar\toolbar\1.bin\i0bar.dll
TB: IObit Toolbar: {efa17369-cdc0-4927-9afc-baad1f96b2ae} - c:\program files\iobitbar\toolbar\1.bin\i0bar.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\camie\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] c:\program files\dell photo aio printer 926\memcard.exe
mRun: [IObitBar Browser Plugin Loader] c:\progra~1\iobitbar\toolbar\1.bin\i0brmon.exe
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Farm%20Frenzy/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947}
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-25 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-25 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-25 243024]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-4-2 56808]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-4-2 89192]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 sosnf32;sosnf32;c:\windows\system32\drivers\sosnf32.sys [2009-12-25 47488]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-9-12 312152]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 CCOMSVC;Communication Services;c:\windows\ccomsvc.exe /startedbyscm:50f0c285-40e273a9-gpsservicesvc --> c:\windows\CComSvc.exe [?]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\iobitbar\toolbar\1.bin\i0barsvc.exe [2010-7-26 28766]
S2 SOSNFFSV;SOSNF Filter Service;c:\program files\sos\sosnf\sosnffsv.exe /startedbyscm:50f0c285-40e273a9-gpsservicesvc --> c:\program files\sos\sosnf\sosnffsv.exe [?]
S2 SOSNFLSV;SOSNF Logging Service;c:\program files\sos\sosnf\sosnflsv.exe /startedbyscm:50f0c285-40e273a9-gpsservicesvc --> c:\program files\sos\sosnf\sosnflsv.exe [?]
S2 sosnfusv;SOSNF Update Service;c:\program files\sos\sosnf\sosnfusv.exe /startedbyscm:9ea6b2b7-40e274a8-gpsservicesvc --> c:\program files\sos\sosnf\sosnfusv.exe [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-30 38224]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\qscnusb.sys [2010-1-2 103552]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-23 1174664]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-5-18 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-5-18 206608]
S3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys --> c:\windows\system32\drivers\vad.sys [?]
S4 APPSTREAM;APPSTREAM; [x]
S4 REGHOOK;REGHOOK; [x]
S4 VSPD;VSPD; [x]

=============== Created Last 30 ================

2010-12-29 00:09:08 54016 ----a-w- c:\windows\system32\drivers\wdque.sys
2010-12-27 00:43:37 -------- d-----w- c:\program files\Exterminate It!
2010-12-26 23:01:17 -------- d-----w- c:\docume~1\camie\applic~1\SUPERAntiSpyware.com
2010-12-26 23:01:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-26 23:01:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-26 19:20:50 1338880 ----a-w- c:\program files\common files\microsoft shared\dao\shdocvw.dll
2010-12-26 19:20:50 132880 ----a-w- c:\windows\system32\MSINET.OCX
2010-12-26 19:20:49 570128 ----a-w- c:\program files\common files\microsoft shared\dao\DAO350.DLL
2010-12-26 19:20:49 3584 ----a-w- c:\program files\common files\microsoft shared\dao\comcat.dll
2010-12-26 02:11:59 -------- d-----w- c:\docume~1\camie\locals~1\applic~1\PackageAware
2010-12-26 01:42:05 -------- d-----w- C:\ComboFix
2010-12-22 20:08:56 107 ----a-w- c:\docume~1\camie\applic~1\netstat.bat
2010-12-22 06:11:31 388096 ----a-r- c:\docume~1\camie\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-22 00:37:25 -------- d-----w- c:\docume~1\camie\applic~1\Sunbelt
2010-12-22 00:27:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-12-22 00:11:12 -------- d-----w- c:\program files\Sunbelt Software
2010-12-21 22:38:39 -------- d-----w- c:\program files\VS Revo Group
2010-12-21 17:07:00 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-21 17:06:46 -------- d-----w- c:\docume~1\camie\applic~1\PC Tools
2010-12-21 06:26:39 -------- d-----w- C:\Rbackup
2010-12-21 04:35:47 -------- d-----w- c:\program files\Perfect Uninstaller
2010-12-21 00:36:36 -------- d-----w- c:\windows\system32\syncdb
2010-12-20 22:50:35 -------- d-----w- c:\program files\Trend Micro
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin8.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-12-20 05:26:48 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-20 05:18:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-20 05:03:03 -------- d-----w- c:\docume~1\camie\locals~1\applic~1\Secunia PSI
2010-12-20 05:02:27 -------- d-----w- c:\program files\Secunia
2010-12-20 04:58:42 -------- d-----w- c:\program files\common files\PC Tools
2010-12-20 04:52:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-12-20 04:51:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-12-17 04:02:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\mMiLo06101
2010-12-17 04:02:22 -------- d-----w- c:\docume~1\camie\applic~1\oktq2vmw3bescdkajhhfcmjjnje3uru2
2010-12-10 18:05:21 -------- d-----w- c:\docume~1\alluse~1\applic~1\espionServerData
2010-12-10 16:34:48 -------- d-----w- c:\documents and settings\camie\ContentWatch
2010-12-10 06:15:49 40960 ----a-w- c:\windows\system32\SPORDER.EXE

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-08 08:20:24 89088 -c--a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-01-12 23:15:09 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 22:58:41.81 ===============


I have the attach.txt file and the GMER file but cannot figure out how to attach them to this message.
Thanks for any assistance!
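As an added triage example (not code from this thread, from DDS, or from BleepingComputer), the script below parses the two DDS sections a helper reads first, using lines copied from the log above as its sample input, and flags the entries a responder would check by hand: the browser proxy pointed at 127.0.0.1:5555, toolbar entries registered with no file behind them, and services for which DDS recorded no date/size stamp for the image. The section titles, the `[?]`/`[x]` markers and the `;`-separated service layout are taken from the log as posted; a finding is a prompt to investigate, not proof of infection.

```python
"""Flag the DDS log entries a helper would check first.

Added example; not code from the thread, from DDS, or from BleepingComputer.
Parses the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections and
reports entries that deserve a manual look.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted above (a subset).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-25 216400]
S2 CCOMSVC;Communication Services;c:\windows\ccomsvc.exe /startedbyscm:50f0c285-40e273a9-gpsservicesvc --> c:\windows\CComSvc.exe [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-8-30 38224]
"""

# "==== Section Title ====" banner lines
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "ProxyServer = http=127.0.0.1:5555" (the protocol prefix is optional)
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
# "S2 Name;Display Name;image path and arguments [stamp]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
ADDON_PREFIXES = ("TB:", "BHO:", "uURLSearchHooks:", "mURLSearchHooks:")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def split_sections(text: str) -> dict:
    """Group non-empty lines under the '==== Title ====' banner above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text: str) -> list:
    """Return the entries a helper would want to verify by hand."""
    findings = []
    sections = split_sections(text)

    for line in sections.get("Pseudo HJT Report", []):
        proxy = LOOPBACK_PROXY_RE.search(line)
        if proxy:
            # Every browser request is handed to a process listening locally and
            # nothing in the post accounts for it, so identify that process.
            findings.append(Finding("Pseudo HJT Report", line,
                f"browser proxy set to loopback {proxy.group(1)}:{proxy.group(2)}"))
        elif line.startswith(ADDON_PREFIXES) and line.endswith("No File"):
            # Registered add-on whose DLL is gone: typically a removal leftover.
            findings.append(Finding("Pseudo HJT Report", line,
                "orphaned browser add-on (registered, file missing)"))

    for line in sections.get("SERVICES / DRIVERS", []):
        svc = SERVICE_RE.match(line)
        if not svc:
            continue
        _state, name, _display, rest = svc.groups()
        if rest.endswith("[?]") or rest.endswith("[x]"):
            # DDS prints "[date size]" for images it could read; "[?]" and "[x]"
            # carry no such stamp, so the listed path needs checking by hand.
            findings.append(Finding("SERVICES / DRIVERS", line,
                f"service {name}: no date/size stamp for its image, verify path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```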



#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 December 2010 - 07:19 PM

Hello 1legchevy ,


Well, I don't know about Mebroot, but you definitely have a problem with System Tool.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to chevy.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 1legchevy
  • Topic Starter
  • Members
  • 5 posts

Posted 30 December 2010 - 08:57 PM

Hi, thanks for your quick response. I have run ComboFix. Here is the file:

ComboFix 10-12-30.01 - camie 12/30/2010 18:35:17.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.431 [GMT -7:00]
Running from: c:\documents and settings\camie\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-29 00:09 . 2010-12-29 00:09 54016 ----a-w- c:\windows\system32\drivers\wdque.sys
2010-12-27 00:43 . 2010-12-27 01:19 -------- d-----w- c:\program files\Exterminate It!
2010-12-26 23:01 . 2010-12-26 23:01 -------- d-----w- c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com
2010-12-26 23:01 . 2010-12-26 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-26 23:01 . 2010-12-31 01:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-26 19:20 . 2004-03-09 20:00 132880 ----a-w- c:\windows\system32\MSINET.OCX
2010-12-26 19:20 . 2001-10-04 20:16 1338880 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\shdocvw.dll
2010-12-26 19:20 . 2001-10-04 21:13 3584 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\comcat.dll
2010-12-26 19:20 . 1999-06-11 06:34 570128 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\DAO350.DLL
2010-12-26 02:11 . 2010-12-26 02:11 -------- d-----w- c:\documents and settings\camie\Local Settings\Application Data\PackageAware
2010-12-26 01:09 . 2010-12-26 01:09 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Local Settings\Application Data\PowerDVD
2010-12-26 01:09 . 2010-12-26 01:09 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Application Data\CyberLink
2010-12-26 00:57 . 2010-12-26 00:57 -------- d-sh--w- c:\documents and settings\Administrator.D16QFJ71\IECompatCache
2010-12-22 20:08 . 2010-12-22 20:08 107 ----a-w- c:\documents and settings\camie\Application Data\netstat.bat
2010-12-22 06:11 . 2010-12-22 06:11 388096 ----a-r- c:\documents and settings\camie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-22 00:37 . 2010-12-22 00:37 -------- d-----w- c:\documents and settings\camie\Application Data\Sunbelt
2010-12-22 00:11 . 2010-12-22 00:11 -------- d-----w- c:\program files\Sunbelt Software
2010-12-21 22:38 . 2010-12-22 00:03 -------- d-----w- c:\program files\VS Revo Group
2010-12-21 17:07 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-21 17:06 . 2010-12-21 17:06 -------- d-----w- c:\documents and settings\camie\Application Data\PC Tools
2010-12-21 06:26 . 2010-12-21 06:26 -------- d-----w- C:\Rbackup
2010-12-21 04:35 . 2010-12-22 00:02 -------- d-----w- c:\program files\Perfect Uninstaller
2010-12-21 00:36 . 2010-12-21 00:36 -------- d-----w- c:\windows\system32\syncdb
2010-12-20 22:50 . 2010-12-22 06:11 -------- d-----w- c:\program files\Trend Micro
2010-12-20 21:10 . 2010-12-20 21:10 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Local Settings\Application Data\Adobe
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin8.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-12-20 05:18 . 2010-12-20 05:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-20 05:03 . 2010-12-20 05:03 -------- d-----w- c:\documents and settings\camie\Local Settings\Application Data\Secunia PSI
2010-12-20 05:02 . 2010-12-20 05:02 -------- d-----w- c:\program files\Secunia
2010-12-20 04:58 . 2010-12-21 17:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-20 04:52 . 2010-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-20 04:51 . 2010-12-20 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-12-20 01:05 . 2010-12-20 01:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-12-17 05:17 . 2010-12-17 05:17 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Application Data\Malwarebytes
2010-12-17 04:02 . 2010-12-22 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\mMiLo06101
2010-12-17 04:02 . 2010-12-22 20:03 -------- d-----w- c:\documents and settings\camie\Application Data\oktq2vmw3bescdkajhhfcmjjnje3uru2
2010-12-10 18:05 . 2010-12-10 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
2010-12-10 16:34 . 2010-12-10 16:34 -------- d-----w- c:\documents and settings\camie\ContentWatch
2010-12-10 06:15 . 2006-09-06 17:00 40960 ----a-w- c:\windows\system32\SPORDER.EXE
2010-12-05 07:02 . 2010-12-05 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2010-08-30 17:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-08-30 17:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-01-12 23:15 . 2007-01-12 23:15 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-12-25_07.53.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-16 22:23 . 2010-12-25 05:50 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-05-16 22:23 . 2010-12-26 20:57 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-12-20 01:05 . 2010-12-26 01:34 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2010-12-20 01:05 . 2010-12-21 22:34 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2010-12-26 01:34 . 2010-12-26 20:57 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2010-12-24 00:18 . 2010-12-25 05:50 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 40960 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 40960 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut14_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 49152 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-05-11 23:36 . 2010-12-26 19:42 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
- 2005-05-11 23:36 . 2005-05-11 23:36 65536 c:\windows\Installer\{F543B12A-13F5-487E-9314-F7D25E1BBE3E}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
+ 2005-03-21 18:00 . 2005-03-21 18:00 4096 c:\windows\SYSTEM32\sabprocenum.sys
+ 2009-05-14 22:41 . 2009-05-14 22:41 380144 c:\windows\Downloaded Program Files\sabspx.dll
+ 2008-03-21 01:06 . 2008-03-21 01:06 1480232 c:\windows\SYSTEM32\LegitCheckControl.dll
- 2006-04-10 19:00 . 2008-03-21 00:06 1480232 c:\windows\SYSTEM32\LegitCheckControl.dll
- 2005-05-17 22:24 . 2010-12-15 07:55 37366216 c:\windows\SYSTEM32\MRT.exe
+ 2005-05-17 22:24 . 2010-12-09 04:34 37366216 c:\windows\SYSTEM32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7757CBCC-0975-4b79-A519-90B142CA3A23}"= "c:\program files\IObitBar\toolbar\1.bin\i0SrcAs.dll" [2010-07-26 49152]

[HKEY_CLASSES_ROOT\clsid\{7757cbcc-0975-4b79-a519-90b142ca3a23}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE}]
2010-07-26 23:47 638976 -c--a-w- c:\program files\IObitBar\toolbar\1.bin\i0bar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE}"= "c:\program files\IObitBar\toolbar\1.bin\i0bar.dll" [2010-07-26 638976]

[HKEY_CLASSES_ROOT\clsid\{efa17369-cdc0-4927-9afc-baad1f96b2ae}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
"Google Update"="c:\documents and settings\camie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-06-21 1851392]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-07-26 20480]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7449:TCP"= 7449:TCP:Services
"7450:TCP"= 7450:TCP:Services
"8616:TCP"= 8616:TCP:Services
"8617:TCP"= 8617:TCP:Services
"2883:TCP"= 2883:TCP:Services
"4266:TCP"= 4266:TCP:Services
"6758:TCP"= 6758:TCP:Services
"6759:TCP"= 6759:TCP:Services
"8445:TCP"= 8445:TCP:Services
"8446:TCP"= 8446:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/25/2010 9:46 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/25/2010 9:46 PM 243024]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [4/2/2009 4:02 PM 56808]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [4/2/2009 4:02 PM 89192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R1 sosnf32;sosnf32;c:\windows\SYSTEM32\DRIVERS\sosnf32.sys [12/25/2009 7:13 PM 47488]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 CCOMSVC;Communication Services;c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\windows\CComSvc.exe [?]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [7/26/2010 4:47 PM 28766]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/12/2010 10:29 PM 312152]
S2 SOSNFFSV;SOSNF Filter Service;c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnffsv.exe [?]
S2 SOSNFLSV;SOSNF Logging Service;c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnflsv.exe [?]
S2 sosnfusv;SOSNF Update Service;c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnfusv.exe [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [8/30/2010 10:35 AM 38224]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\SYSTEM32\DRIVERS\qscnusb.sys [1/2/2010 11:08 AM 103552]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [5/18/2010 2:39 PM 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [5/18/2010 2:39 PM 206608]
S3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys --> c:\windows\system32\drivers\vad.sys [?]
S4 APPSTREAM;APPSTREAM; [x]
S4 REGHOOK;REGHOOK; [x]
S4 VSPD;VSPD; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXTDQPOW
*Deregistered* - pxtdqpow
.
Contents of the 'Scheduled Tasks' folder

2010-12-30 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2010-11-04 17:25]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1535902579-3631629891-1952589925-1006Core.job
- c:\documents and settings\camie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 01:10]

2010-12-20 c:\windows\Tasks\IObit Security 360 Updater.job
- c:\program files\IObit\IObit Security 360\is360updater.exe [2010-09-13 16:36]

2010-12-31 c:\windows\Tasks\User_Feed_Synchronization-{71752509-8934-4F7E-BD7A-B62858E5E881}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 18:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CCOMSVC]
"ImagePath"="c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFFSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFLSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sosnfusv]
"ImagePath"="c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
.
Completion time: 2010-12-30 18:50:11
ComboFix-quarantined-files.txt 2010-12-31 01:49
ComboFix2.txt 2010-12-26 01:55
ComboFix3.txt 2010-12-25 07:56
ComboFix4.txt 2010-12-23 21:05
ComboFix5.txt 2010-12-31 01:28

Pre-Run: 1,146,249,216 bytes free
Post-Run: 1,121,382,400 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 5AECA3671CF7FE0371E765F5212B52EE


#4 teacup61
  • Malware Response Team
  • Location:Wills Point, Texas

Posted 30 December 2010 - 10:19 PM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\documents and settings\All Users\Application Data\mMiLo06101
c:\documents and settings\camie\Application Data\oktq2vmw3bescdkajhhfcmjjnje3uru2


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 1legchevy
  • Topic Starter

Posted 31 December 2010 - 01:55 AM

Here is a copy of the ComboFix log file:

Computer seems to be running fine but Qwest is still sending notices about the mebroot/torpig virus coming from our computer.


ComboFix 10-12-30.01 - camie 12/30/2010 23:18:45.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.405 [GMT -7:00]
Running from: c:\documents and settings\camie\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\camie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\mMiLo06101
c:\documents and settings\All Users\Application Data\mMiLo06101\mMiLo06101
c:\documents and settings\camie\Application Data\oktq2vmw3bescdkajhhfcmjjnje3uru2

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-29 00:09 . 2010-12-29 00:09 54016 ----a-w- c:\windows\system32\drivers\wdque.sys
2010-12-27 00:43 . 2010-12-27 01:19 -------- d-----w- c:\program files\Exterminate It!
2010-12-26 23:01 . 2010-12-26 23:01 -------- d-----w- c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com
2010-12-26 23:01 . 2010-12-26 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-26 23:01 . 2010-12-31 01:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-12-26 19:20 . 2004-03-09 20:00 132880 ----a-w- c:\windows\system32\MSINET.OCX
2010-12-26 19:20 . 2001-10-04 20:16 1338880 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\shdocvw.dll
2010-12-26 19:20 . 2001-10-04 21:13 3584 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\comcat.dll
2010-12-26 19:20 . 1999-06-11 06:34 570128 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\DAO350.DLL
2010-12-26 02:11 . 2010-12-26 02:11 -------- d-----w- c:\documents and settings\camie\Local Settings\Application Data\PackageAware
2010-12-26 01:09 . 2010-12-26 01:09 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Local Settings\Application Data\PowerDVD
2010-12-26 01:09 . 2010-12-26 01:09 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Application Data\CyberLink
2010-12-26 00:57 . 2010-12-26 00:57 -------- d-sh--w- c:\documents and settings\Administrator.D16QFJ71\IECompatCache
2010-12-22 20:08 . 2010-12-22 20:08 107 ----a-w- c:\documents and settings\camie\Application Data\netstat.bat
2010-12-22 06:11 . 2010-12-22 06:11 388096 ----a-r- c:\documents and settings\camie\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-22 00:37 . 2010-12-22 00:37 -------- d-----w- c:\documents and settings\camie\Application Data\Sunbelt
2010-12-22 00:11 . 2010-12-22 00:11 -------- d-----w- c:\program files\Sunbelt Software
2010-12-21 22:38 . 2010-12-22 00:03 -------- d-----w- c:\program files\VS Revo Group
2010-12-21 17:07 . 2010-11-25 17:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-12-21 17:06 . 2010-12-21 17:06 -------- d-----w- c:\documents and settings\camie\Application Data\PC Tools
2010-12-21 06:26 . 2010-12-21 06:26 -------- d-----w- C:\Rbackup
2010-12-21 04:35 . 2010-12-22 00:02 -------- d-----w- c:\program files\Perfect Uninstaller
2010-12-21 00:36 . 2010-12-21 00:36 -------- d-----w- c:\windows\system32\syncdb
2010-12-20 22:50 . 2010-12-22 06:11 -------- d-----w- c:\program files\Trend Micro
2010-12-20 21:10 . 2010-12-20 21:10 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Local Settings\Application Data\Adobe
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin8.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-12-20 05:26 . 2010-12-20 05:26 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-12-20 05:18 . 2010-12-20 05:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-20 05:03 . 2010-12-20 05:03 -------- d-----w- c:\documents and settings\camie\Local Settings\Application Data\Secunia PSI
2010-12-20 05:02 . 2010-12-20 05:02 -------- d-----w- c:\program files\Secunia
2010-12-20 04:58 . 2010-12-21 17:12 -------- d-----w- c:\program files\Common Files\PC Tools
2010-12-20 04:52 . 2010-12-21 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-12-20 04:51 . 2010-12-20 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-12-20 01:05 . 2010-12-20 01:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-12-17 05:17 . 2010-12-17 05:17 -------- d-----w- c:\documents and settings\Administrator.D16QFJ71\Application Data\Malwarebytes
2010-12-10 18:05 . 2010-12-10 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\espionServerData
2010-12-10 16:34 . 2010-12-10 16:34 -------- d-----w- c:\documents and settings\camie\ContentWatch
2010-12-10 06:15 . 2006-09-06 17:00 40960 ----a-w- c:\windows\system32\SPORDER.EXE
2010-12-05 07:02 . 2010-12-05 07:02 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 01:09 . 2010-08-30 17:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 01:08 . 2010-08-30 17:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-04 10:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2004-08-04 10:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-01-12 23:15 . 2007-01-12 23:15 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7757CBCC-0975-4b79-A519-90B142CA3A23}"= "c:\program files\IObitBar\toolbar\1.bin\i0SrcAs.dll" [2010-07-26 49152]

[HKEY_CLASSES_ROOT\clsid\{7757cbcc-0975-4b79-a519-90b142ca3a23}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE}]
2010-07-26 23:47 638976 -c--a-w- c:\program files\IObitBar\toolbar\1.bin\i0bar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EFA17369-CDC0-4927-9AFC-BAAD1F96B2AE}"= "c:\program files\IObitBar\toolbar\1.bin\i0bar.dll" [2010-07-26 638976]

[HKEY_CLASSES_ROOT\clsid\{efa17369-cdc0-4927-9afc-baad1f96b2ae}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-08-10 2349776]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-14 2424560]
"Google Update"="c:\documents and settings\camie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-06-21 1851392]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-03 304008]
"IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-07-26 20480]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7449:TCP"= 7449:TCP:Services
"7450:TCP"= 7450:TCP:Services
"8616:TCP"= 8616:TCP:Services
"8617:TCP"= 8617:TCP:Services
"2883:TCP"= 2883:TCP:Services
"4266:TCP"= 4266:TCP:Services
"6758:TCP"= 6758:TCP:Services
"6759:TCP"= 6759:TCP:Services
"8445:TCP"= 8445:TCP:Services
"8446:TCP"= 8446:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [3/25/2010 9:46 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [3/25/2010 9:46 PM 243024]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [4/2/2009 4:02 PM 56808]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [4/2/2009 4:02 PM 89192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R1 sosnf32;sosnf32;c:\windows\SYSTEM32\DRIVERS\sosnf32.sys [12/25/2009 7:13 PM 47488]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 CCOMSVC;Communication Services;c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\windows\CComSvc.exe [?]
S2 IObitBarService;IObit Toolbar Service;c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe [7/26/2010 4:47 PM 28766]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [9/12/2010 10:29 PM 312152]
S2 SOSNFFSV;SOSNF Filter Service;c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnffsv.exe [?]
S2 SOSNFLSV;SOSNF Logging Service;c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnflsv.exe [?]
S2 sosnfusv;SOSNF Update Service;c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc --> c:\program files\SOS\SOSNF\sosnfusv.exe [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [8/30/2010 10:35 AM 38224]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;c:\windows\SYSTEM32\DRIVERS\qscnusb.sys [1/2/2010 11:08 AM 103552]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [5/18/2010 2:39 PM 206608]
S3 TMPassthruMP;TMPassthruMP;c:\windows\SYSTEM32\DRIVERS\TMPassthru.sys [5/18/2010 2:39 PM 206608]
S3 VAD_DEV;Virtual Audio Service;c:\windows\system32\drivers\vad.sys --> c:\windows\system32\drivers\vad.sys [?]
S4 APPSTREAM;APPSTREAM; [x]
S4 REGHOOK;REGHOOK; [x]
S4 VSPD;VSPD; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXTDQPOW
*Deregistered* - pxtdqpow
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2010-11-04 17:25]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1535902579-3631629891-1952589925-1006Core.job
- c:\documents and settings\camie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-27 01:10]

2010-12-20 c:\windows\Tasks\IObit Security 360 Updater.job
- c:\program files\IObit\IObit Security 360\is360updater.exe [2010-09-13 16:36]

2010-12-31 c:\windows\Tasks\User_Feed_Synchronization-{71752509-8934-4F7E-BD7A-B62858E5E881}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-30 23:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\CCOMSVC]
"ImagePath"="c:\windows\CComSvc.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFFSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnffsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SOSNFLSV]
"ImagePath"="c:\program files\SOS\SOSNF\sosnflsv.exe /startedbyscm:50F0C285-40E273A9-gpsServiceSvc"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\sosnfusv]
"ImagePath"="c:\program files\SOS\SOSNF\sosnfusv.exe /startedbyscm:9EA6B2B7-40E274A8-gpsServiceSvc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\camie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
.
Completion time: 2010-12-30 23:35:03
ComboFix-quarantined-files.txt 2010-12-31 06:34
ComboFix2.txt 2010-12-31 01:50
ComboFix3.txt 2010-12-26 01:55
ComboFix4.txt 2010-12-25 07:56
ComboFix5.txt 2010-12-31 06:17

Pre-Run: 1,150,287,872 bytes free
Post-Run: 1,134,481,408 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 99F249B81FDBB349CA2E6FB046852B3A

#6 teacup61
  • Malware Response Team
  • Location:Wills Point, Texas

Posted 31 December 2010 - 11:21 AM

Hello,

I see both Symantec and AVG in the report; it says AVG is out of date. What are you using for an AntiVirus?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 1legchevy

1legchevy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 31 December 2010 - 01:23 PM

I am using superantispyware, spybot S&D, malware bytes and iobit security right now. AVG has not caught either one of our two big viruses and it had conflicts with programs I tried to run at the same time to clean/protect the computer when we got the most recent invasion. It has been removed. I have tried many other programs so that is probably what you are seeing that are out of date. Many of the anti virus programs take up too much memory and the computer can barely run. We have had this computer since 2004, we had symantec a long time ago.

#8 1legchevy

1legchevy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 01 January 2011 - 07:59 PM

This is the information we are being sent by Qwest regarding the computer problem:

The Qwest Security Services team has been notified by a third party of bot traffic originating from your account.

The traffic is in violation of Qwest's Acceptable Use Policy, and Qwest is notifying you of this issue with a warning. The Qwest Acceptable Use Policy and the High Speed Internet Subscriber Agreement provides that Qwest may suspend or terminate your service for violation of the AUP and/or Subscriber Agreement. Please be advised that if this violation continues, or in the event that additional violations occur, Qwest may take further action, including the suspension or termination of your Service. Please note that if you use the Internet for Voice over IP services (VoIP) to support Internet based calling, you will not be able to make any incoming or outgoing calls, including 9-1-1 calls, from your service address unless you have Internet service. Also, disconnection of a bundled service may result in loss of your bundle discount.

The bot traffic reported to us is based on IRC and HTTP botnet monitoring. The Malware Type has been identified as Mebroot and/or Torpig.

Mebroot - Master Boot Record infector and downloader. To date, usually downloads Torpig, and is sometimes referred to as the same malware.

Torpig - Also known as Sinowal, often downloaded with Mebroot and lumped together with it, steals identifying information, financial information, etc. from victim's computers, uses HTTP to report in and receive commands.

Microsoft Malicious Software Removal Tool (MSRT) is reported to detect and remove Torpig infections, and is available at:

http://www.microsoft.com/security/malwareremove/default.mspx

or on our site:

http://www.qwest.net/MSRT

Mebroot and Torpig can often go undetected by the top AV Software tools. Researching Mebroot and Torpig in your favorite search engine may provide further guidance.

In addition, Qwest recommends your system software is kept up to date, and that you install antivirus software and scan your hard disk(s) to remove all viruses, trojans or other software which allows remote control of your systems.

Qwest also recommends checking to be sure that you are not running an open proxy or an open relay. More information on open relays can be found at: http://www.mail-abuse.com/an_sec3rdparty.html

If you believe you have an open proxy, check the documentation for your proxy server or firewall for information on how best to secure it.

If you have additional questions that Qwest Internet Solutions may address, please contact Technical Support at 1-888-777-9569.

The date, time (GMT) and IP addresses identified in our investigation are as follows:

Date                IP              Additional Info
=================== =============== =======================================================
2010-12-29 00:53:26 209.181.74.13 infection => 'torpig', port => '25893', cc => 91.19.52.123 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.52.123', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-29 18:55:22 209.181.74.13 infection => 'torpig', port => '26006', cc => 91.19.57.53 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.57.53', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-30 04:15:43 209.181.74.13 infection => 'torpig', port => '61200', cc => 91.19.57.53 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.57.53', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-29 00:53:26 209.181.74.13 infection => 'torpig', port => '25893', cc => 91.19.52.123 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.52.123', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-29 18:55:22 209.181.74.13 infection => 'torpig', port => '26006', cc => 91.19.57.53 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.57.53', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-30 04:15:43 209.181.74.13 infection => 'torpig', port => '61200', cc => 91.19.57.53 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.57.53', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-31 02:36:07 63.231.75.8 infection => 'bots', subtype => 'torpig', detail => 'srcport 61311 destaddr 91.19.57.156'
2010-12-31 02:36:40 63.231.75.8 infection => 'bots', subtype => 'torpig', detail => 'srcport 61312 destaddr 91.19.57.156'

Regards,
--
Qwest Internet Solutions sysop@qwest.net,abuse@qwest.net

I desperately need to get this off of my computer before our service is stopped/shut off.


Thanks!
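For anyone who receives a notice like the one quoted in the post above, here is a small parser for its two "Drone Report" line styles, added here as an example (it is not code from the thread or from Qwest). It pulls out the GMT timestamp, the reported victim IP, the malware family and the C2 endpoint, and drops the duplicate entries such notices contain, so the flagged times can be cross-checked against the machine's own firewall or proxy logs. The sample lines are constructed from the quoted notice, and the regular expressions are assumptions about the report format.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
# Constructed sample in the two line styles the notice uses; the first entry is
# repeated on purpose, as the real notice repeats several entries.
SAMPLE_REPORT = """\
2010-12-29 00:53:26 209.181.74.13 infection => 'torpig', port => '25893', cc => 91.19.52.123 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.52.123', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-29 00:53:26 209.181.74.13 infection => 'torpig', port => '25893', cc => 91.19.52.123 , cc_port => '80', type => 'tcp', agent => '2C411CA3760EABFA', url => '91.19.52.123', count => '1', sourceSummary => 'Drone Report: NEW STYLE'
2010-12-31 02:36:07 63.231.75.8 infection => 'bots', subtype => 'torpig', detail => 'srcport 61311 destaddr 91.19.57.156'
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")  # assumed layout
PAIR_RE = re.compile(r"(\w+) => '?([^,']*?)'?\s*(?:,|$)")             # key => 'value'
DETAIL_RE = re.compile(r"srcport (\d+) destaddr (\S+)")                # 'bots' detail field

@dataclass(frozen=True)
class Sighting:
    when: datetime          # the notice states its times are GMT
    victim_ip: str
    family: str
    src_port: int
    c2_ip: str
    c2_port: Optional[int]  # the 'bots' style carries no C2 port

def parse_line(line: str) -> Optional[Sighting]:
    """One Sighting per report line; None for prose or unrecognised entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = dict(PAIR_RE.findall(m.group(3)))
    if kv.get("infection") == "bots":         # second style: fields packed into 'detail'
        d = DETAIL_RE.search(kv.get("detail", ""))
        return Sighting(when, m.group(2), kv.get("subtype", "unknown"),
                        int(d.group(1)), d.group(2), None) if d else None
    if "cc" not in kv or "port" not in kv:    # first style needs explicit cc and port
        return None
    c2_port = int(kv["cc_port"]) if kv.get("cc_port", "").isdigit() else None
    return Sighting(when, m.group(2), kv.get("infection", "unknown"),
                    int(kv["port"]), kv["cc"], c2_port)

def parse_report(text: str) -> list:
    """Parse a whole notice, skipping prose and dropping exact duplicate entries."""
    seen, out = set(), []
    for s in map(parse_line, text.splitlines()):
        if s and s not in seen:
            seen.add(s); out.append(s)
    return out
```

The set of `c2_ip` values from the result is what to look for in the router, firewall or proxy logs for the flagged times; a machine that still reaches those hosts after cleaning is still infected.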

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:19 AM

Posted 01 January 2011 - 08:07 PM

Well, the info is right from the ISP....and the safest thing would be a complete reformat and fresh install. Even if this is removed I cannot promise you a secure system. Thing is, there are no more infected files in these logs, so I don't know what it is your ISP wants removed to put you in the clear.

Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. You'll get a confirmation that the flush was successful.

tea
