
Tracur.A / Dursg.E malware and various files added to my startup xxxxxxwow.exe


  • This topic is locked
9 replies to this topic

#1 don242

Posted 12 January 2011 - 10:43 AM

Windows 7, 64 bit.
Virus checker discovers Tracur.A and Dursg.E trojan every time I restart computer. The virus checker says it successfully cleans the computer. Plus I am often asked to install a program that is always named something that ends in wow.exe (e.g. dxgiwow.exe, muifonsetupwow.exe, fmswow.exe, etc.). When I go to msconfig and check the startup, they are shown there. If I deselect them and restart, there are new ones there. The files are located in C:/Windows.

Edit: Have also just noticed that my browser opens a new unrelated tab every so often when I click on a link. The link can be anything, even on this forum when I viewed a topic, a new tab to something would open.

Your help would be greatly appreciated.


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by D at 10:27:14.21 on 12/01/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.3033.1569 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\windows\nlslexicons0026wow.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe
C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe
C:\Windows\SyncHostpswow.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\OEM13Mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\realplayer\Update\realsched.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Windows\SyncHostpswow.exe
C:\Windows\NlsLexicons0026wow.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\mswinext.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchFilterHost.exe
C:\Users\D\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://ca.my.yahoo.com/
uSearch Bar =
uURLSearchHooks: H - No File
uURLSearchHooks: FCToolbarURLSearchHook Class: {96fa205d-3071-4e54-a1d2-6a773dde09f6} - C:\Program Files (x86)\AIR MILES TOOLBAR\Helper.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: {07239042-7f42-43e8-8dbd-585f022044fe} - C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-032.dll
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: 60e56f76: {267a5683-080c-99bb-4dbb-81f08c6f57d8} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: 60e56f76: {43425f5c-aaf6-7454-6a7b-a28b5f263d24} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: 60e56f76: {612a8550-7e75-5141-4a53-0c5452474f70} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Freecause Toolbar BHO: {8dae31d7-464c-47f0-af2b-e6f8eabe2898} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: 60e56f76: {917f8785-2e9a-6815-8d35-a219ab84fe71} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {949eb289-c5b2-18f5-c8db-ead40417a2a8} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {9fc31370-1b36-0bd9-24f9-896039c0676f} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: 60e56f76: {acb8a596-847a-23b5-0840-91a0a181e3a9} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: 60e56f76: {c15aa3a3-d2db-2a8d-d969-4f8a024fc014} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
BHO: 60e56f76: {d5d79626-814d-6e3d-5d01-f2f5181fe861} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: 60e56f76: {f646c5db-8a7e-f52a-c52e-16ebf1bc77e3} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
TB: AIR MILES TOOLBAR: {a893b09e-7d3b-486c-96d9-1a4a232a1feb} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\D\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Xmarks] C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe -q
uRun: [Allway Sync] "C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe" -m
uRun: [SyncHostpswow.exe] C:\Windows\SyncHostpswow.exe
uRun: [NlsLexicons0026wow.exe] C:\Windows\NlsLexicons0026wow.exe
mRun: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe
mRun: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [RTHDBPL] C:\Users\D\AppData\Roaming\SysWin\lsass.exe
mRun: [synchostpswow.exe] c:\windows\synchostpswow.exe
mRun: [nlslexicons0026wow.exe] c:\windows\nlslexicons0026wow.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
Trusted Zone: npsp.com\calcium
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://calcium.npsp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://calcium.npsp.com/+CSCOL+/cscopf.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {A893B09E-7D3B-486C-96D9-1A4A232A1FEB} - No File
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
mRun-x64: [fssui] "C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe" -autorun
mRun-x64: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
IE-X64: {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\
FF - prefs.js: browser.search.selectedEngine - BearShare Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
FF - prefs.js: network.proxy.type - 0
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\D\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\D\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Hide Caption: {002349F5-59AB-4fdc-8329-BF4248243C95} - %profile%\extensions\{002349F5-59AB-4fdc-8329-BF4248243C95}
FF - Ext: Favicon Picker 3: {446c03e0-2c35-11db-a98b-0800200c9a67} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 173984]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-8-21 48480]
R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-1 399032]
R3 O2MDGRDR;O2MDGRDR;C:\Windows\System32\drivers\o2mdgx64.sys [2009-1-8 62368]
R3 O2SDGRDR;O2SDGRDR;C:\Windows\System32\drivers\o2sdgx64.sys [2009-1-8 49056]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;C:\Windows\System32\drivers\OEM13Vfx.sys [2007-3-5 12288]
R3 OEM13Vid;Creative Camera OEM013 Driver;C:\Windows\System32\drivers\OEM13Vid.sys [2008-5-28 267296]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 AxInstSV32;ActiveX Installer (AxInstSV) ;c:\windows\system32\mstime32.exe --> c:\windows\system32\mstime32.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-8 135664]
S2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe --> C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 AllShare;SAMSUNG AllShare Service;C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2010-7-16 6638080]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-25 1255736]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-9-24 306416]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-01-12 15:09:50 484352 --sh--w- C:\Windows\NlsLexicons0026wow.exe
2011-01-12 15:02:57 484352 --sh--w- C:\Windows\dxgiwow.exe
2011-01-12 14:52:55 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{8ACAC56D-26B5-4EEA-AE48-5230641BAA48}\mpengine.dll
2011-01-12 14:42:39 484352 --sh--w- C:\Windows\XpsRasterServicewow.exe
2011-01-12 14:36:42 484352 --sh--w- C:\Windows\fmswow.exe
2011-01-12 12:32:18 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-12 12:32:18 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
2011-01-12 12:32:18 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-12 12:32:17 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-01-04 16:39:52 479744 --sh--w- C:\Windows\dpnathlpwow.exe
2011-01-04 14:53:56 479744 --sh--w- C:\Windows\NlsData0414wow.exe
2011-01-03 20:57:12 485376 --sh--w- C:\Windows\SyncHostpswow.exe
2011-01-03 20:57:10 -------- d-sh--w- C:\PROGRA~3\735146F1F2D7DFDC818DFB41E22169E1
2011-01-02 14:48:34 -------- d-----w- C:\Users\D\AppData\Roaming\Sync App Settings
2011-01-02 14:47:53 -------- d-----w- C:\PROGRA~3\Sync App Settings
2011-01-02 14:47:35 -------- d-----w- C:\Program Files (x86)\Allway Sync
2011-01-02 14:18:36 1348096 ----a-r- C:\Windows\SysWow64\mstime32.exe
2011-01-02 14:18:36 1348096 ----a-r- C:\PROGRA~3\elsTrans32.exe
2011-01-02 13:43:11 -------- d-----w- C:\PROGRA~3\GoodSync
2011-01-02 13:43:05 -------- d-----w- C:\Users\D\AppData\Roaming\GoodSync
2011-01-02 13:42:59 -------- d-----w- C:\Program Files\Siber Systems
2011-01-02 13:36:09 -------- d-sh--w- C:\PROGRA~3\SysWoW32
2011-01-02 13:35:54 203776 --sh--w- C:\PROGRA~3\unrar.exe
2011-01-02 13:35:54 -------- d-----w- C:\PROGRA~3\581195844
2011-01-02 13:34:37 258560 ----a-w- C:\PROGRA~3\api-ms-win-core-memory-l1-1-032.dll
2011-01-02 13:34:37 -------- d-sh--w- C:\Users\D\AppData\Roaming\SysWin
2011-01-02 13:34:31 179200 ----a-w- C:\Windows\SysWow64\elsTrans32.exe
2011-01-02 13:34:27 407040 ----a-w- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-032.dll
2011-01-01 17:42:51 -------- d--h--w- C:\.syncless
2010-12-31 19:43:55 -------- d-----w- C:\Users\D\AppData\Roaming\MioNetApplet
2010-12-31 19:11:41 -------- d-----w- C:\PROGRA~3\MemeoCommon
2010-12-31 19:10:38 -------- d-----w- C:\Users\D\AppData\Roaming\WD
2010-12-31 19:04:06 -------- d-----w- C:\Program Files\Common Files\eSellerate
2010-12-31 18:56:15 -------- d-----w- C:\Program Files (x86)\Western Digital
2010-12-31 18:54:50 20992 ----a-w- C:\Windows\jestertb.dll
2010-12-28 18:21:02 -------- d-----w- C:\Program Files (x86)\BitTorrent
2010-12-28 18:20:22 -------- d-----w- C:\Users\D\AppData\Roaming\BitTorrent
2010-12-27 13:27:55 11776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprjplug.dll
2010-12-27 13:27:36 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2010-12-27 13:27:18 151776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppl3260.dll
2010-12-27 13:27:08 100352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-27 13:26:54 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2010-12-27 13:26:54 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2010-12-26 17:14:34 -------- d-----w- C:\Users\D\AppData\Roaming\FrostWire
2010-12-26 17:11:21 -------- d-----w- C:\Program Files (x86)\FrostWire
2010-12-18 15:40:40 -------- d-----w- C:\Users\D\AppData\Roaming\MusicNet
2010-12-18 15:38:29 -------- d-----w- C:\Users\D\AppData\Local\BearShare
2010-12-18 15:36:32 -------- d-----w- C:\Users\D\AppData\Local\PackageAware
2010-12-18 15:24:49 -------- d-----w- C:\Users\D\AppData\Roaming\Azureus

==================== Find3M ====================

2010-11-12 23:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-11-01 18:37:05 27640 ----a-w- C:\Windows\System32\drivers\vpnva64.sys
2010-11-01 18:37:05 24760 ----a-w- C:\Windows\SysWow64\vpnevents.dll
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll
2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll

============= FINISH: 10:30:14.75 ===============

Edited by don242, 12 January 2011 - 12:36 PM.
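An added example (not part of this thread): a small Python script that parses the DDS line formats shown in the log above and flags the persistence markers visible in it: Run entries launched from the Windows root or carrying a system-process name outside System32, one DLL registered under several BHO CLSIDs or loaded from ProgramData, a populated AppInit_DLLs value, a service whose image file DDS reports as [?], and executables created with hidden+system attributes. The line patterns are modelled on this log only (other DDS versions may differ), and the embedded sample is a constructed excerpt of the log posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt: representative lines copied from the DDS log posted above,
# embedded so the example runs offline. For a real log: triage(open("dds.txt").read()).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
BHO: 60e56f76: {267a5683-080c-99bb-4dbb-81f08c6f57d8} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {43425f5c-aaf6-7454-6a7b-a28b5f263d24} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SyncHostpswow.exe] C:\Windows\SyncHostpswow.exe
mRun: [RTHDBPL] C:\Users\D\AppData\Roaming\SysWin\lsass.exe
mRun: [nlslexicons0026wow.exe] c:\windows\nlslexicons0026wow.exe
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
AppInit_DLLs: C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
============= SERVICES / DRIVERS ===============
S2 AxInstSV32;ActiveX Installer (AxInstSV) ;c:\windows\system32\mstime32.exe --> c:\windows\system32\mstime32.exe [?]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-1 399032]
=============== Created Last 30 ================
2011-01-12 15:09:50 484352 --sh--w- C:\Windows\NlsLexicons0026wow.exe
2011-01-12 12:32:18 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-03 20:57:10 -------- d-sh--w- C:\PROGRA~3\735146F1F2D7DFDC818DFB41E22169E1
"""

# Line shapes used by DDS in this log: Run keys, browser helper objects, AppInit_DLLs,
# services (start type, name;description;image) and the Created-Last-30 listing.
RUN_RE = re.compile(r'^[um]Run(?:-x64)?:\s+\[([^\]]+)\]\s+(.+)$')
BHO_RE = re.compile(r'^BHO(?:-X64)?:.*?\{([0-9a-fA-F-]{36})\}\s+-\s+(.+)$')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(.*)$')
SERVICE_RE = re.compile(r'^[RS]\d\s+([^;]+);[^;]*;(.+)$')
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+([-a-z]{8})\s+(.+)$')

# Names of core Windows processes; the legitimate copies live in System32.
SYSTEM_NAMES = {'lsass.exe', 'svchost.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}


def _target(cmdline):
    """Executable launched by a Run value: the quoted path, or text up to the first '.exe'."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r'(?i)(.+?\.exe)', cmdline)
    return m.group(1) if m else cmdline.split()[0]


def _autorun_reasons(path):
    """Why an autorun target deserves a look; an empty list means nothing stands out."""
    p = path.lower().replace('/', '\\')
    parent, _, name = p.rpartition('\\')
    reasons = []
    if parent == r'c:\windows':
        reasons.append('launched from the Windows root rather than a program directory')
    if name.endswith('wow.exe'):
        reasons.append("matches the '*wow.exe' naming seen on this system")
    if name in SYSTEM_NAMES and not parent.endswith(r'\system32'):
        reasons.append(f'{name} is a Windows system binary name outside System32')
    return reasons


def triage(text):
    """Return (category, item, reason) triples for every line worth a second look."""
    findings = []
    bho_by_dll = defaultdict(set)  # DLL path -> CLSIDs it is registered under
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            target = _target(m.group(2))
            if reasons := _autorun_reasons(target):
                findings.append(('autorun', f'[{m.group(1)}] {target}', '; '.join(reasons)))
        elif (m := BHO_RE.match(line)):
            bho_by_dll[m.group(2).strip()].add(m.group(1).lower())
        elif (m := APPINIT_RE.match(line)) and m.group(1).strip():
            findings.append(('appinit', m.group(1).strip(),
                             'AppInit_DLLs is set: this DLL is loaded into every process that loads user32.dll'))
        elif (m := SERVICE_RE.match(line)) and m.group(2).rstrip().endswith('[?]'):
            findings.append(('service', m.group(1), 'DDS could not find or read the service image file ([?])'))
        elif (m := CREATED_RE.match(line)):
            attrs, path = m.group(1), m.group(2)
            if 's' in attrs and 'h' in attrs and path.lower().endswith('.exe'):
                findings.append(('hidden-exe', path, 'executable created with hidden+system attributes'))
    for dll, clsids in bho_by_dll.items():
        reasons = []
        if len(clsids) > 1:
            reasons.append(f'one DLL registered under {len(clsids)} BHO CLSIDs')
        if '\\programdata\\' in dll.lower():
            reasons.append('browser helper loaded from ProgramData')
        if reasons:
            findings.append(('bho', dll, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for category, item, reason in triage(SAMPLE_DDS):
        print(f'{category:<10} {item}\n           {reason}')
```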



#2 fenzodahl512

Posted 13 January 2011 - 01:15 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

After that, please run DDS again and post the new log here..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 don242 (Topic Starter)

Posted 13 January 2011 - 09:31 AM

No new randomwow.exe files were created in my startup. I still see the old ones that I deselected in my startup (obviously the wrong approach on my part). Hopefully there is a way to clear them from that list so they don't somehow get checked again? Thanks so much for this.

The malware log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5511

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/01/2011 9:14:36 AM
mbam-log-2011-01-13 (09-14-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 372749
Time elapsed: 1 hour(s), 32 minute(s), 45 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 22

Memory Processes Infected:
c:\Windows\nlslexicons0026wow.exe (Trojan.Tracur.S) -> 2744 -> Unloaded process successfully.
c:\Windows\nlslexicons0026wow.exe (Trojan.Tracur.S) -> 3516 -> Unloaded process successfully.
c:\Windows\synchostpswow.exe (Trojan.Tracur.S) -> 3504 -> Unloaded process successfully.
c:\Windows\synchostpswow.exe (Trojan.Tracur.S) -> 3600 -> Unloaded process successfully.

Memory Modules Infected:
c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.S) -> Delete on reboot.
c:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.S) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{267A5683-080C-99BB-4DBB-81F08C6F57D8} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{267A5683-080C-99BB-4DBB-81F08C6F57D8} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{267A5683-080C-99BB-4DBB-81F08C6F57D8} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07239042-7F42-43E8-8DBD-585F022044Fe} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07239042-7F42-43E8-8DBD-585F022044FE} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07239042-7F42-43E8-8DBD-585F022044FE} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07239042-7F42-43E8-8DBD-585F022044FE} (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AxInstSV32 (Trojan.Tracur.S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlslexicons0026wow.exe (Trojan.Tracur.S) -> Value: nlslexicons0026wow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NlsLexicons0026wow.exe (Trojan.Tracur.S) -> Value: NlsLexicons0026wow.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\synchostpswow.exe (Trojan.Tracur.S) -> Value: synchostpswow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SyncHostpswow.exe (Trojan.Tracur.S) -> Value: SyncHostpswow.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RTHDBPL (Trojan.Tracur.S) -> Value: RTHDBPL -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur.S) -> Bad: (C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll) Good: () -> Quarantined and deleted successfully.

Folders Infected:
c:\programdata\581195844 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\Users\D\AppData\Roaming\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\nlslexicons0026wow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\synchostpswow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\programdata\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Users\D\AppData\Roaming\SysWin\lsass.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\mstime32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\$Recycle.Bin\s-1-5-21-4237552581-2108679205-1672937622-1001\$RJ0N7EU.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\programdata\elstrans32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\dpnathlpwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\dxgiwow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\fmswow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\nlsdata0414wow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\xpsrasterservicewow.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\api-ms-win-core-memory-l1-1-032.dll (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\elstrans32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\404A.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\elstrans32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\mstime32.exe (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\404A.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\Temp\1EE7.tmp (Trojan.Tracur.S) -> Quarantined and deleted successfully.
c:\Windows\System32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.

The DDS log:


DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by D at 9:24:36.18 on 13/01/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.3033.1566 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe
C:\Windows\OEM13Mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Real\realplayer\Update\realsched.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\D\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://ca.my.yahoo.com/
uSearch Bar =
uURLSearchHooks: H - No File
uURLSearchHooks: FCToolbarURLSearchHook Class: {96fa205d-3071-4e54-a1d2-6a773dde09f6} - C:\Program Files (x86)\AIR MILES TOOLBAR\Helper.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: 60e56f76: {43425f5c-aaf6-7454-6a7b-a28b5f263d24} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: 60e56f76: {612a8550-7e75-5141-4a53-0c5452474f70} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Freecause Toolbar BHO: {8dae31d7-464c-47f0-af2b-e6f8eabe2898} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: 60e56f76: {917f8785-2e9a-6815-8d35-a219ab84fe71} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {949eb289-c5b2-18f5-c8db-ead40417a2a8} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {9fc31370-1b36-0bd9-24f9-896039c0676f} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: 60e56f76: {acb8a596-847a-23b5-0840-91a0a181e3a9} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: 60e56f76: {c15aa3a3-d2db-2a8d-d969-4f8a024fc014} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
BHO: 60e56f76: {d5d79626-814d-6e3d-5d01-f2f5181fe861} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: 60e56f76: {f646c5db-8a7e-f52a-c52e-16ebf1bc77e3} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
TB: AIR MILES TOOLBAR: {a893b09e-7d3b-486c-96d9-1a4a232a1feb} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\D\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Xmarks] C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe -q
uRun: [Allway Sync] "C:\Program Files (x86)\Allway Sync\Bin\syncappw.exe" -m
mRun: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe
mRun: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
Trusted Zone: npsp.com\calcium
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://calcium.npsp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://calcium.npsp.com/+CSCOL+/cscopf.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {A893B09E-7D3B-486C-96D9-1A4A232A1FEB} - No File
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
mRun-x64: [fssui] "C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe" -autorun
mRun-x64: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
IE-X64: {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\
FF - prefs.js: browser.search.selectedEngine - BearShare Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\D\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\D\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Hide Caption: {002349F5-59AB-4fdc-8329-BF4248243C95} - %profile%\extensions\{002349F5-59AB-4fdc-8329-BF4248243C95}
FF - Ext: Favicon Picker 3: {446c03e0-2c35-11db-a98b-0800200c9a67} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 173984]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-8-21 48480]
R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-1 399032]
R3 O2MDGRDR;O2MDGRDR;C:\Windows\System32\drivers\o2mdgx64.sys [2009-1-8 62368]
R3 O2SDGRDR;O2SDGRDR;C:\Windows\System32\drivers\o2sdgx64.sys [2009-1-8 49056]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;C:\Windows\System32\drivers\OEM13Vfx.sys [2007-3-5 12288]
R3 OEM13Vid;Creative Camera OEM013 Driver;C:\Windows\System32\drivers\OEM13Vid.sys [2008-5-28 267296]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-8 135664]
S2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe --> C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 AllShare;SAMSUNG AllShare Service;C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2010-7-16 6638080]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-25 1255736]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-9-24 306416]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-01-13 12:34:35 -------- d-----w- C:\Users\D\AppData\Roaming\Malwarebytes
2011-01-13 12:34:23 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-13 12:34:22 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-13 12:34:18 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-13 12:34:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-12 21:54:20 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{0A20492D-DDCC-44EB-8558-A0FA993F3B4C}\mpengine.dll
2011-01-12 12:32:18 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-12 12:32:18 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
2011-01-12 12:32:18 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-12 12:32:17 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-01-03 20:57:10 -------- d-sh--w- C:\PROGRA~3\735146F1F2D7DFDC818DFB41E22169E1
2011-01-02 14:48:34 -------- d-----w- C:\Users\D\AppData\Roaming\Sync App Settings
2011-01-02 14:47:53 -------- d-----w- C:\PROGRA~3\Sync App Settings
2011-01-02 14:47:35 -------- d-----w- C:\Program Files (x86)\Allway Sync
2011-01-02 13:43:11 -------- d-----w- C:\PROGRA~3\GoodSync
2011-01-02 13:43:05 -------- d-----w- C:\Users\D\AppData\Roaming\GoodSync
2011-01-02 13:42:59 -------- d-----w- C:\Program Files\Siber Systems
2011-01-02 13:36:09 -------- d-sh--w- C:\PROGRA~3\SysWoW32
2011-01-02 13:35:54 203776 --sh--w- C:\PROGRA~3\unrar.exe
2011-01-01 17:42:51 -------- d--h--w- C:\.syncless
2010-12-31 19:43:55 -------- d-----w- C:\Users\D\AppData\Roaming\MioNetApplet
2010-12-31 19:11:41 -------- d-----w- C:\PROGRA~3\MemeoCommon
2010-12-31 19:10:38 -------- d-----w- C:\Users\D\AppData\Roaming\WD
2010-12-31 19:04:06 -------- d-----w- C:\Program Files\Common Files\eSellerate
2010-12-31 18:56:15 -------- d-----w- C:\Program Files (x86)\Western Digital
2010-12-31 18:54:50 20992 ----a-w- C:\Windows\jestertb.dll
2010-12-28 18:21:02 -------- d-----w- C:\Program Files (x86)\BitTorrent
2010-12-28 18:20:22 -------- d-----w- C:\Users\D\AppData\Roaming\BitTorrent
2010-12-27 13:27:55 11776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprjplug.dll
2010-12-27 13:27:36 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2010-12-27 13:27:18 151776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppl3260.dll
2010-12-27 13:27:08 100352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-27 13:26:54 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2010-12-27 13:26:54 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2010-12-26 17:14:34 -------- d-----w- C:\Users\D\AppData\Roaming\FrostWire
2010-12-26 17:11:21 -------- d-----w- C:\Program Files (x86)\FrostWire
2010-12-18 15:40:40 -------- d-----w- C:\Users\D\AppData\Roaming\MusicNet
2010-12-18 15:38:29 -------- d-----w- C:\Users\D\AppData\Local\BearShare
2010-12-18 15:36:32 -------- d-----w- C:\Users\D\AppData\Local\PackageAware
2010-12-18 15:24:49 -------- d-----w- C:\Users\D\AppData\Roaming\Azureus

==================== Find3M ====================

2010-11-12 23:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-11-01 18:37:05 27640 ----a-w- C:\Windows\System32\drivers\vpnva64.sys
2010-11-01 18:37:05 24760 ----a-w- C:\Windows\SysWow64\vpnevents.dll
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll
2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll

============= FINISH: 9:26:26.93 ===============

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 13 January 2011 - 07:08 PM

I still see the old ones that I deselected in my startup (obviously the wrong approach on my part). Hopefully there is a way to clear them from that list so they don't somehow get checked again?


Ok, can you re-select them back and re-run Malwarebytes' again? Then tell me if Malwarebytes' detects and removes them :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 don242

don242
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 13 January 2011 - 11:54 PM

Ok. Reselected the programs and ran the malware program again. It did find something to clean in the registry but it did not remove the entries to the start-up. It seems the original scan with the Malware program removed the actual randomwow.exe files that were deselected as I do not see the files in the C:\Windows directory where they were before and the original log indicates cleaned. Not sure how to remove the entries from the start-up though.

Malware log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5511

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/01/2011 11:38:33 PM
mbam-log-2011-01-13 (23-38-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 372943
Time elapsed: 1 hour(s), 30 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nlsdata0414wow.exe (Trojan.TracurW.Gen) -> Value: nlsdata0414wow.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dpnathlpwow.exe (Trojan.TracurW.Gen) -> Value: dpnathlpwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS log:

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by D at 23:39:45.41 on 13/01/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.3033.1537 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DRIVERS\o2flash.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe
C:\Program Files\Siber Systems\GoodSync\GoodSync.exe
C:\Windows\OEM13Mon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\realplayer\Update\realsched.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\D\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://ca.my.yahoo.com/
uSearch Bar =
uURLSearchHooks: H - No File
uURLSearchHooks: FCToolbarURLSearchHook Class: {96fa205d-3071-4e54-a1d2-6a773dde09f6} - C:\Program Files (x86)\AIR MILES TOOLBAR\Helper.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: 60e56f76: {43425f5c-aaf6-7454-6a7b-a28b5f263d24} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: 60e56f76: {612a8550-7e75-5141-4a53-0c5452474f70} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Freecause Toolbar BHO: {8dae31d7-464c-47f0-af2b-e6f8eabe2898} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: 60e56f76: {917f8785-2e9a-6815-8d35-a219ab84fe71} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {949eb289-c5b2-18f5-c8db-ead40417a2a8} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: 60e56f76: {9fc31370-1b36-0bd9-24f9-896039c0676f} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: 60e56f76: {acb8a596-847a-23b5-0840-91a0a181e3a9} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
BHO: 60e56f76: {c15aa3a3-d2db-2a8d-d969-4f8a024fc014} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
BHO: 60e56f76: {d5d79626-814d-6e3d-5d01-f2f5181fe861} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: 60e56f76: {f646c5db-8a7e-f52a-c52e-16ebf1bc77e3} - C:\ProgramData\api-ms-win-core-memory-l1-1-032.dll
TB: AIR MILES TOOLBAR: {a893b09e-7d3b-486c-96d9-1a4a232a1feb} - C:\Program Files (x86)\AIR MILES TOOLBAR\Toolbar.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - C:\PROGRA~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\D\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Xmarks] C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe -q
uRun: [GoodSync] "C:\Program Files\Siber Systems\GoodSync\GoodSync.exe" /min
uRun: [xpsrasterservicewow.exe] C:\Windows\XpsRasterServicewow.exe
uRun: [fmswow.exe] C:\Windows\fmswow.exe
uRun: [dxgiwow.exe] C:\Windows\dxgiwow.exe
mRun: [OEM13Mon.exe] C:\Windows\OEM13Mon.exe
mRun: [DELL Webcam Manager] "C:\Program Files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" /s
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
mRun: [muifontsetupwow.exe] c:\windows\muifontsetupwow.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
Trusted Zone: npsp.com\calcium
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://calcium.npsp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://calcium.npsp.com/+CSCOL+/cscopf.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg64.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {A893B09E-7D3B-486C-96D9-1A4A232A1FEB} - No File
mRun-x64: [Apoint] C:\Program Files\DellTPad\Apoint.exe
mRun-x64: [fssui] "C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe" -autorun
mRun-x64: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
mRun-x64: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
IE-X64: {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files (x86)\Xmarks\IE Extension\xmarkssync.exe

================= FIREFOX ===================

FF - ProfilePath - C:\Users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\
FF - prefs.js: browser.search.selectedEngine - BearShare Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2156.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\D\AppData\Local\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: C:\Users\D\AppData\Roaming\Mozilla\plugins\np-mswmp.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Hide Caption: {002349F5-59AB-4fdc-8329-BF4248243C95} - %profile%\extensions\{002349F5-59AB-4fdc-8329-BF4248243C95}
FF - Ext: Favicon Picker 3: {446c03e0-2c35-11db-a98b-0800200c9a67} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2010-3-25 173984]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-8-21 48480]
R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-1 399032]
R3 O2MDGRDR;O2MDGRDR;C:\Windows\System32\drivers\o2mdgx64.sys [2009-1-8 62368]
R3 O2SDGRDR;O2SDGRDR;C:\Windows\System32\drivers\o2sdgx64.sys [2009-1-8 49056]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;C:\Windows\System32\drivers\OEM13Vfx.sys [2007-3-5 12288]
R3 OEM13Vid;Creative Camera OEM013 Driver;C:\Windows\System32\drivers\OEM13Vid.sys [2008-5-28 267296]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-6-23 344680]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-8 135664]
S2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe --> C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 AllShare;SAMSUNG AllShare Service;C:\Program Files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2010-7-16 6638080]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\System32\drivers\MpNWMon.sys [2010-3-25 40832]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-2-25 1255736]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-9-24 306416]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

=============== Created Last 30 ================

2011-01-13 21:57:41 8199504 ----a-w- C:\PROGRA~3\Microsoft\Microsoft Antimalware\Definition Updates\{37B11FA0-B3CA-4214-B33B-AB0F79614AD7}\mpengine.dll
2011-01-13 18:54:55 641536 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2011-01-13 18:54:55 552960 ----a-w- C:\Windows\System32\msdri.dll
2011-01-13 18:54:54 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2011-01-13 18:54:54 288256 ----a-w- C:\Windows\System32\MSNP.ax
2011-01-13 18:54:54 258560 ----a-w- C:\Windows\System32\mpg2splt.ax
2011-01-13 18:54:54 204288 ----a-w- C:\Windows\SysWow64\MSNP.ax
2011-01-13 18:54:53 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2011-01-13 18:54:46 1736608 ----a-w- C:\Windows\System32\ntdll.dll
2011-01-13 18:54:46 1289528 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-01-13 18:54:45 7680 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-01-13 18:54:45 7680 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-01-13 12:34:35 -------- d-----w- C:\Users\D\AppData\Roaming\Malwarebytes
2011-01-13 12:34:23 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-13 12:34:22 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-01-13 12:34:18 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-01-13 12:34:17 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-01-12 12:32:18 720896 ----a-w- C:\Windows\System32\odbc32.dll
2011-01-12 12:32:18 573440 ----a-w- C:\Windows\SysWow64\odbc32.dll
2011-01-12 12:32:18 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 12:32:17 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 12:32:17 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 12:32:17 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-01-12 12:32:17 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-01-03 20:57:10 -------- d-sh--w- C:\PROGRA~3\735146F1F2D7DFDC818DFB41E22169E1
2011-01-02 14:47:53 -------- d-----w- C:\PROGRA~3\Sync App Settings
2011-01-02 13:43:11 -------- d-----w- C:\PROGRA~3\GoodSync
2011-01-02 13:43:05 -------- d-----w- C:\Users\D\AppData\Roaming\GoodSync
2011-01-02 13:42:59 -------- d-----w- C:\Program Files\Siber Systems
2011-01-02 13:36:09 -------- d-sh--w- C:\PROGRA~3\SysWoW32
2011-01-02 13:35:54 203776 --sh--w- C:\PROGRA~3\unrar.exe
2011-01-01 17:42:51 -------- d--h--w- C:\.syncless
2010-12-31 19:43:55 -------- d-----w- C:\Users\D\AppData\Roaming\MioNetApplet
2010-12-31 19:11:41 -------- d-----w- C:\PROGRA~3\MemeoCommon
2010-12-31 19:10:38 -------- d-----w- C:\Users\D\AppData\Roaming\WD
2010-12-31 19:04:06 -------- d-----w- C:\Program Files\Common Files\eSellerate
2010-12-31 18:56:15 -------- d-----w- C:\Program Files (x86)\Western Digital
2010-12-31 18:54:50 20992 ----a-w- C:\Windows\jestertb.dll
2010-12-28 18:21:02 -------- d-----w- C:\Program Files (x86)\BitTorrent
2010-12-28 18:20:22 -------- d-----w- C:\Users\D\AppData\Roaming\BitTorrent
2010-12-27 13:27:55 11776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprjplug.dll
2010-12-27 13:27:36 -------- d-----w- C:\Program Files (x86)\Common Files\xing shared
2010-12-27 13:27:18 151776 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppl3260.dll
2010-12-27 13:27:08 100352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-27 13:26:54 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2010-12-27 13:26:54 348160 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2010-12-26 17:14:34 -------- d-----w- C:\Users\D\AppData\Roaming\FrostWire
2010-12-26 17:11:21 -------- d-----w- C:\Program Files (x86)\FrostWire
2010-12-18 15:40:40 -------- d-----w- C:\Users\D\AppData\Roaming\MusicNet
2010-12-18 15:38:29 -------- d-----w- C:\Users\D\AppData\Local\BearShare
2010-12-18 15:36:32 -------- d-----w- C:\Users\D\AppData\Local\PackageAware
2010-12-18 15:24:49 -------- d-----w- C:\Users\D\AppData\Roaming\Azureus

==================== Find3M ====================

2010-11-12 23:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:21:51 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2010-11-02 05:18:59 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2010-11-02 05:18:59 229888 ----a-w- C:\Windows\System32\XpsRasterService.dll
2010-11-02 05:18:58 470016 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:12:53 1133568 ----a-w- C:\Windows\System32\FntCache.dll
2010-11-02 05:12:25 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2010-11-02 05:12:08 1837568 ----a-w- C:\Windows\System32\d3d10warp.dll
2010-11-02 05:12:07 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2010-11-02 05:12:06 902656 ----a-w- C:\Windows\System32\d2d1.dll
2010-11-02 05:12:06 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:59:08 144384 ----a-w- C:\Windows\System32\cdd.dll
2010-11-02 04:41:36 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2010-11-02 04:41:36 283648 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2010-11-02 04:41:36 135168 ----a-w- C:\Windows\SysWow64\XpsRasterService.dll
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:35:51 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2010-11-02 04:35:35 1170944 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2010-11-02 04:35:34 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2010-11-02 04:35:34 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2010-11-02 04:35:34 161792 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-11-02 02:50:58 258048 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2010-11-01 18:37:05 27640 ----a-w- C:\Windows\System32\drivers\vpnva64.sys
2010-11-01 18:37:05 24760 ----a-w- C:\Windows\SysWow64\vpnevents.dll
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-19 20:51:33 270720 ------w- C:\Windows\System32\MpSigStub.exe
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 05:19:41 395776 ----a-w- C:\Windows\System32\webio.dll

============= FINISH: 23:41:14.64 ===============

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 14 January 2011 - 01:13 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 don242

don242
  • Topic Starter

  • Members
  • 10 posts

Posted 14 January 2011 - 09:09 AM

The randomwow.exe entries are gone from the start-up. Great job!

Here is the ComboFix log:

ComboFix 11-01-13.01 - D 14/01/2011 8:53.1.2 - x64
Microsoft Windows 7 Professional 6.1.7600.0.1252.2.1033.18.3033.1762 [GMT -5:00]
Running from: c:\users\D\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\api-ms-win-core-memory-l1-1-032.dll
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u1254909305v0
c:\programdata\SysWoW32\_u1254909305v0
c:\programdata\SysWoW32\_u1254909305v1
c:\programdata\SysWoW32\_u1254909305v2
c:\programdata\SysWoW32\_u1254909305v3
c:\programdata\SysWoW32\mu1254909305v4.kwd
c:\programdata\SysWoW32\mu1254909305v5.kwd
c:\programdata\SysWoW32\mu1254909305v6.kwd
c:\programdata\SysWoW32\mu1254909305v7.kwd
c:\programdata\SysWoW32\wu1254909305v0
c:\programdata\SysWoW32\wu1254909305v0.kwd
c:\programdata\SysWoW32\wu1254909305v1
c:\programdata\SysWoW32\wu1254909305v1.kwd
c:\programdata\SysWoW32\wu1254909305v2
c:\programdata\SysWoW32\wu1254909305v2.kwd
c:\programdata\SysWoW32\wu1254909305v3
c:\programdata\SysWoW32\wu1254909305v3.kwd
c:\programdata\unrar.exe
c:\users\A\AppData\Roaming\Mozilla\Firefox\Profiles\m0l9wrhf.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}
c:\users\A\AppData\Roaming\Mozilla\Firefox\Profiles\m0l9wrhf.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome.manifest
c:\users\A\AppData\Roaming\Mozilla\Firefox\Profiles\m0l9wrhf.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome\xulcache.jar
c:\users\A\AppData\Roaming\Mozilla\Firefox\Profiles\m0l9wrhf.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\defaults\preferences\xulcache.js
c:\users\A\AppData\Roaming\Mozilla\Firefox\Profiles\m0l9wrhf.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\install.rdf
c:\users\C\AppData\Roaming\Mozilla\Firefox\Profiles\cw0xm4zz.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}
c:\users\C\AppData\Roaming\Mozilla\Firefox\Profiles\cw0xm4zz.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome.manifest
c:\users\C\AppData\Roaming\Mozilla\Firefox\Profiles\cw0xm4zz.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome\xulcache.jar
c:\users\C\AppData\Roaming\Mozilla\Firefox\Profiles\cw0xm4zz.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\defaults\preferences\xulcache.js
c:\users\C\AppData\Roaming\Mozilla\Firefox\Profiles\cw0xm4zz.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\install.rdf
c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}
c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome.manifest
c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome\xulcache.jar
c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\defaults\preferences\xulcache.js
c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\install.rdf
c:\users\S\AppData\Roaming\Mozilla\Firefox\Profiles\v5xr2pvi.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}
c:\users\S\AppData\Roaming\Mozilla\Firefox\Profiles\v5xr2pvi.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome.manifest
c:\users\S\AppData\Roaming\Mozilla\Firefox\Profiles\v5xr2pvi.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\chrome\xulcache.jar
c:\users\S\AppData\Roaming\Mozilla\Firefox\Profiles\v5xr2pvi.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\defaults\preferences\xulcache.js
c:\users\S\AppData\Roaming\Mozilla\Firefox\Profiles\v5xr2pvi.default\extensions\{67b80348-3565-4858-b053-a9866c00a74a}\install.rdf
c:\windows\jestertb.dll

----- BITS: Possible infected sites -----

hxxp://wlxindex
.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-14 13:59 . 2011-01-14 13:59 -------- d-----w- c:\users\S\AppData\Local\temp
2011-01-14 13:59 . 2011-01-14 13:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-14 13:59 . 2011-01-14 13:59 -------- d-----w- c:\users\A\AppData\Local\temp
2011-01-13 21:57 . 2010-11-10 05:35 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37B11FA0-B3CA-4214-B33B-AB0F79614AD7}\mpengine.dll
2011-01-13 19:18 . 2011-01-13 19:20 -------- d-----w- c:\users\S\AppData\Roaming\GoodSync
2011-01-13 19:10 . 2011-01-13 19:11 -------- d-----w- c:\users\C\AppData\Roaming\GoodSync
2011-01-13 19:06 . 2011-01-13 19:08 -------- d-----w- c:\users\A\AppData\Roaming\GoodSync
2011-01-13 18:54 . 2010-08-04 07:07 552960 ----a-w- c:\windows\system32\msdri.dll
2011-01-13 18:54 . 2010-08-04 06:18 641536 ----a-w- c:\windows\SysWow64\CPFilters.dll
2011-01-13 18:54 . 2010-08-04 07:07 961024 ----a-w- c:\windows\system32\CPFilters.dll
2011-01-13 18:54 . 2010-08-04 07:05 288256 ----a-w- c:\windows\system32\MSNP.ax
2011-01-13 18:54 . 2010-08-04 07:05 258560 ----a-w- c:\windows\system32\mpg2splt.ax
2011-01-13 18:54 . 2010-08-04 06:15 204288 ----a-w- c:\windows\SysWow64\MSNP.ax
2011-01-13 18:54 . 2010-08-04 06:15 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2011-01-13 18:54 . 2010-03-24 06:59 1736608 ----a-w- c:\windows\system32\ntdll.dll
2011-01-13 18:54 . 2010-03-24 06:37 1289528 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-01-13 18:54 . 2010-10-19 08:47 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-01-13 18:54 . 2010-10-19 08:10 7680 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-01-13 12:34 . 2011-01-13 12:34 -------- d-----w- c:\users\D\AppData\Roaming\Malwarebytes
2011-01-13 12:34 . 2010-12-20 23:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-01-13 12:34 . 2011-01-13 12:34 -------- d-----w- c:\programdata\Malwarebytes
2011-01-13 12:34 . 2010-12-20 23:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-13 12:34 . 2011-01-13 12:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-01-12 12:32 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 12:32 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 12:32 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-01-12 12:32 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 12:32 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 12:32 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 12:32 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-01-12 12:32 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-01-12 12:32 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-01-12 12:32 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-01-03 23:25 . 2011-01-03 23:25 -------- d-----w- c:\users\S\AppData\Roaming\Sync App Settings
2011-01-03 22:44 . 2011-01-03 22:44 -------- d-----w- c:\users\C\AppData\Roaming\Sync App Settings
2011-01-03 21:47 . 2011-01-03 21:47 -------- d-----w- c:\users\A\AppData\Roaming\Sync App Settings
2011-01-03 20:57 . 2011-01-13 12:31 -------- d-sh--w- c:\programdata\735146F1F2D7DFDC818DFB41E22169E1
2011-01-02 16:38 . 2011-01-02 17:05 -------- d-----w- c:\users\S\AppData\Roaming\WD
2011-01-02 15:39 . 2011-01-02 16:24 -------- d-----w- c:\users\A\AppData\Local\Adobe
2011-01-02 14:47 . 2011-01-02 14:47 -------- d-----w- c:\programdata\Sync App Settings
2011-01-02 13:43 . 2011-01-02 13:43 -------- d-----w- c:\programdata\GoodSync
2011-01-02 13:43 . 2011-01-13 19:49 -------- d-----w- c:\users\D\AppData\Roaming\GoodSync
2011-01-02 13:42 . 2011-01-13 17:45 -------- d-----w- c:\program files\Siber Systems
2011-01-01 17:42 . 2011-01-01 17:52 -------- d-----w- C:\.syncless
2011-01-01 16:15 . 2011-01-02 17:05 -------- d-----w- c:\users\C\AppData\Roaming\WD
2011-01-01 15:24 . 2011-01-01 15:24 -------- d-----w- c:\users\A\AppData\Roaming\Creative
2011-01-01 13:47 . 2011-01-02 17:05 -------- d-----w- c:\users\A\AppData\Roaming\WD
2010-12-31 19:43 . 2010-12-31 19:44 -------- d-----w- c:\users\D\AppData\Roaming\MioNetApplet
2010-12-31 19:11 . 2010-12-31 19:11 -------- d-----w- c:\programdata\MemeoCommon
2010-12-31 19:10 . 2011-01-02 17:05 -------- d-----w- c:\users\D\AppData\Roaming\WD
2010-12-31 19:04 . 2010-12-31 19:04 -------- d-----w- c:\program files\Common Files\eSellerate
2010-12-31 18:56 . 2010-12-31 18:56 -------- d-----w- c:\program files (x86)\Western Digital
2010-12-28 18:21 . 2010-12-28 18:21 -------- d-----w- c:\program files (x86)\BitTorrent
2010-12-28 18:20 . 2011-01-04 16:36 -------- d-----w- c:\users\D\AppData\Roaming\BitTorrent
2010-12-27 13:27 . 2010-12-27 13:27 11776 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprjplug.dll
2010-12-27 13:27 . 2010-12-27 13:27 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2010-12-27 13:27 . 2010-12-27 13:27 151776 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppl3260.dll
2010-12-27 13:27 . 2010-12-27 13:27 100352 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-27 13:26 . 2010-12-27 13:26 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2010-12-27 13:26 . 2010-12-27 13:26 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2010-12-26 21:22 . 2010-12-26 21:22 -------- d-----w- c:\users\A\AppData\Roaming\Unity
2010-12-26 21:18 . 2010-12-26 21:18 -------- d-----w- c:\users\A\AppData\Local\Unity
2010-12-26 17:14 . 2011-01-02 13:31 -------- d-----w- c:\users\D\AppData\Roaming\FrostWire
2010-12-26 17:11 . 2010-12-26 17:15 -------- d-----w- c:\program files (x86)\FrostWire
2010-12-25 16:14 . 2010-12-25 16:14 -------- d-----r- c:\users\S\Podcasts
2010-12-18 15:40 . 2010-12-18 15:40 -------- d-----w- c:\users\D\AppData\Roaming\MusicNet
2010-12-18 15:38 . 2010-12-18 15:40 -------- d-----w- c:\users\D\AppData\Local\BearShare
2010-12-18 15:36 . 2010-12-18 15:36 -------- d-----w- c:\users\D\AppData\Local\PackageAware
2010-12-18 15:24 . 2010-12-18 15:29 -------- d-----w- c:\users\D\AppData\Roaming\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-13 14:14 . 2009-10-09 21:58 573760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-11-12 23:53 . 2010-04-22 12:04 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-11-10 05:35 . 2010-10-28 15:39 8199504 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-04 06:35 . 2010-12-15 12:52 1194496 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 06:31 . 2010-12-15 12:52 57856 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 05:52 . 2010-12-15 12:52 978944 ----a-w- c:\windows\SysWow64\wininet.dll
2010-11-04 05:48 . 2010-12-15 12:52 44544 ----a-w- c:\windows\SysWow64\licmgr10.dll
2010-11-04 05:16 . 2010-12-15 12:52 482816 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:41 . 2010-12-15 12:52 386048 ----a-w- c:\windows\SysWow64\html.iec
2010-11-04 04:35 . 2010-12-15 12:52 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-04 04:08 . 2010-12-15 12:52 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2010-11-02 05:18 . 2010-12-15 12:52 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 05:17 . 2010-12-15 12:52 1169408 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 05:17 . 2010-12-15 12:52 473600 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 05:16 . 2010-12-15 12:52 1114624 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 05:10 . 2010-12-15 12:52 464384 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 05:10 . 2010-12-15 12:52 285696 ----a-w- c:\windows\system32\schtasks.exe
2010-11-02 04:40 . 2010-12-15 12:52 496128 ----a-w- c:\windows\SysWow64\taskschd.dll
2010-11-02 04:40 . 2010-12-15 12:52 305152 ----a-w- c:\windows\SysWow64\taskcomp.dll
2010-11-02 04:34 . 2010-12-15 12:52 192000 ----a-w- c:\windows\SysWow64\taskeng.exe
2010-11-02 04:34 . 2010-12-15 12:52 179712 ----a-w- c:\windows\SysWow64\schtasks.exe
2010-11-01 18:37 . 2010-11-01 18:37 27640 ----a-w- c:\windows\system32\drivers\vpnva64.sys
2010-11-01 18:37 . 2010-11-01 18:37 24760 ----a-w- c:\windows\SysWow64\vpnevents.dll
2010-10-27 05:06 . 2010-12-15 12:52 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-27 04:32 . 2010-12-15 12:52 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-10-20 05:20 . 2010-12-15 12:52 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 04:54 . 2010-12-15 12:52 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2010-10-20 03:09 . 2010-12-15 12:52 3124224 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 03:05 . 2010-12-15 12:52 367104 ----a-w- c:\windows\system32\atmfd.dll
2010-10-20 02:58 . 2010-12-15 12:52 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2010-10-19 20:51 . 2009-10-03 12:41 270720 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{96fa205d-3071-4e54-a1d2-6a773dde09f6}"= "c:\program files (x86)\AIR MILES TOOLBAR\Helper.dll" [2010-01-07 242688]

[HKEY_CLASSES_ROOT\clsid\{96fa205d-3071-4e54-a1d2-6a773dde09f6}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{D370AC3C-673D-4ED1-871E-DED06A9F79AF}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{8DAE31D7-464C-47F0-AF2B-E6F8EABE2898}]
2010-01-07 00:26 1445888 ----a-w- c:\program files (x86)\AIR MILES TOOLBAR\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{A893B09E-7D3B-486C-96D9-1A4A232A1FEB}"= "c:\program files (x86)\AIR MILES TOOLBAR\Toolbar.dll" [2010-01-07 1445888]

[HKEY_CLASSES_ROOT\clsid\{a893b09e-7d3b-486c-96d9-1a4a232a1feb}]
[HKEY_CLASSES_ROOT\FCTB000060399.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{7BB4454E-EB68-4D9B-8E14-0EBBE671F764}]
[HKEY_CLASSES_ROOT\FCTB000060399.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]
"Google Update"="c:\users\D\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
"Xmarks"="c:\program files (x86)\Xmarks\IE Extension\xmarkssync.exe" [2010-09-28 1048576]
"GoodSync"="c:\program files\Siber Systems\GoodSync\GoodSync.exe" [2011-01-07 6926264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-01-07 36864]
"DELL Webcam Manager"="c:\program files (x86)\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2010-12-27 274608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
R3 AllShare;SAMSUNG AllShare Service;c:\program files (x86)\Samsung\SAMSUNG PC Share Manager\WiselinkPro.exe [2010-07-16 6638080]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-25 1255736]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-11-01 399032]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 40832]
S3 O2MDGRDR;O2MDGRDR;c:\windows\system32\DRIVERS\o2mdgx64.sys [2009-01-08 62368]
S3 O2SDGRDR;O2SDGRDR;c:\windows\system32\DRIVERS\o2sdgx64.sys [2009-01-08 49056]
S3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\DRIVERS\OEM13Vfx.sys [2007-03-05 12288]
S3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\DRIVERS\OEM13Vid.sys [2008-05-28 267296]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 01:46]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-09 01:46]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4237552581-2108679205-1672937622-1001Core.job
- c:\users\D\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-02 12:21]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4237552581-2108679205-1672937622-1001UA.job
- c:\users\D\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-02 12:21]
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-13 309248]
"fssui"="c:\program files (x86)\Windows Live\Family Safety\fsui.exe" [2010-09-23 884584]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1448568]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://ca.my.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: npsp.com\calcium
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://calcium.npsp.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {B8E73359-3422-4384-8D27-4EA1B4C01232} - hxxps://calcium.npsp.com/+CSCOL+/cscopf.cab
FF - ProfilePath - c:\users\D\AppData\Roaming\Mozilla\Firefox\Profiles\ju9f9bdr.default\
FF - prefs.js: browser.search.selectedEngine - BearShare Web Search
FF - prefs.js: browser.startup.homepage - hxxp://ca.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Autofill Forms: autofillForms@blueimp.net - %profile%\extensions\autofillForms@blueimp.net
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Tiny Menu: {d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904} - %profile%\extensions\{d33c2f7c-b1e6-4d46-ab0e-be1f6d05c904}
FF - Ext: Hide Caption: {002349F5-59AB-4fdc-8329-BF4248243C95} - %profile%\extensions\{002349F5-59AB-4fdc-8329-BF4248243C95}
FF - Ext: Favicon Picker 3: {446c03e0-2c35-11db-a98b-0800200c9a67} - %profile%\extensions\{446c03e0-2c35-11db-a98b-0800200c9a67}
FF - Ext: iMacros for Firefox: {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670} - %profile%\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
BHO-{43425F5C-AAF6-7454-6A7B-A28B5F263D24} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{612A8550-7E75-5141-4A53-0C5452474F70} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{917F8785-2E9A-6815-8D35-A219AB84FE71} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{949EB289-C5B2-18F5-C8DB-EAD40417A2A8} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{9FC31370-1B36-0BD9-24F9-896039C0676F} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{ACB8A596-847A-23B5-0840-91A0A181E3A9} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{C15AA3A3-D2DB-2A8D-D969-4F8A024FC014} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{D5D79626-814D-6E3D-5D01-F2F5181FE861} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
BHO-{F646C5DB-8A7E-F52A-C52E-16EBF1BC77E3} - c:\programdata\api-ms-win-core-memory-l1-1-032.dll
Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~2\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll
Wow6432Node-HKCU-Run-xpsrasterservicewow.exe - c:\windows\XpsRasterServicewow.exe
Wow6432Node-HKCU-Run-fmswow.exe - c:\windows\fmswow.exe
Wow6432Node-HKCU-Run-dxgiwow.exe - c:\windows\dxgiwow.exe
Wow6432Node-HKLM-Run-muifontsetupwow.exe - c:\windows\muifontsetupwow.exe
WebBrowser-{A893B09E-7D3B-486C-96D9-1A4A232A1FEB} - (no file)
AddRemove-Clifford Reading - c:\windows\system32\Clifford Uninstall.exe
AddRemove-Inquisit 3 Web Edition - c:\windows\system32\javaws.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\B*i*o* *&* *C*h*e*m* \Validation]
"Order"=hex:08,00,00,00,02,00,00,00,f6,02,00,00,01,00,00,00,05,00,00,00,c6,00,
00,00,02,00,00,00,b8,00,32,00,cd,00,00,00,00,e5,39,bc,20,00,47,55,49,44,45,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\C*o*m*p*u*t*e*r* *&* *S*o*f*t*w*a*r*e* \Dell]
"Order"=hex:08,00,00,00,02,00,00,00,e4,01,00,00,01,00,00,00,04,00,00,00,60,00,
00,00,02,00,00,00,52,00,32,00,cd,00,00,00,00,15,13,21,20,00,44,65,6c,6c,2e,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Bills]
"Order"=hex:08,00,00,00,02,00,00,00,a2,01,00,00,01,00,00,00,04,00,00,00,6a,00,
00,00,00,00,00,00,5c,00,32,00,cd,00,00,00,00,88,61,be,20,00,42,45,4c,4c,43,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Calculators]
"Order"=hex:08,00,00,00,02,00,00,00,2c,03,00,00,01,00,00,00,05,00,00,00,a6,00,
00,00,00,00,00,00,98,00,32,00,cd,00,00,00,00,e1,f5,ed,20,00,43,41,4e,41,44,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Cards]
"Order"=hex:08,00,00,00,02,00,00,00,20,03,00,00,01,00,00,00,06,00,00,00,8a,00,
00,00,05,00,00,00,7c,00,32,00,cd,00,00,00,00,4d,5a,be,20,00,41,4d,45,52,49,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Funds]
"Order"=hex:08,00,00,00,02,00,00,00,84,03,00,00,01,00,00,00,08,00,00,00,5c,00,
00,00,00,00,00,00,4e,00,32,00,cd,00,00,00,00,ab,41,8f,20,00,41,47,46,2e,75,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Life Insurance]
"Order"=hex:08,00,00,00,02,00,00,00,98,00,00,00,01,00,00,00,01,00,00,00,8c,00,
00,00,00,00,00,00,7e,00,32,00,cd,00,00,00,00,9f,a2,60,20,00,4d,4f,52,54,47,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*i*n*a*n*c*i*a*l* \Other]
"Order"=hex:08,00,00,00,02,00,00,00,0a,03,00,00,01,00,00,00,06,00,00,00,9c,00,
00,00,04,00,00,00,8e,00,32,00,cd,00,00,00,00,5a,32,58,20,00,43,41,4e,41,44,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*N*A* \Price Guide]
"Order"=hex:08,00,00,00,02,00,00,00,6c,01,00,00,01,00,00,00,02,00,00,00,aa,00,
00,00,00,00,00,00,9c,00,32,00,cd,00,00,00,00,91,c3,3c,20,00,41,44,44,41,4c,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\F*N*A* \Site Design]
"Order"=hex:08,00,00,00,02,00,00,00,3a,02,00,00,01,00,00,00,04,00,00,00,8e,00,
00,00,00,00,00,00,80,00,32,00,cd,00,00,00,00,c2,b9,3f,20,00,44,45,43,49,4d,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\H*o*m*e* \Garden]
"Order"=hex:08,00,00,00,02,00,00,00,ba,04,00,00,01,00,00,00,09,00,00,00,80,00,
00,00,00,00,00,00,72,00,32,00,cd,00,00,00,00,91,6f,d7,20,00,43,4f,4d,50,41,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \A Set]
"Order"=hex:08,00,00,00,02,00,00,00,96,05,00,00,01,00,00,00,0c,00,00,00,7e,00,
00,00,00,00,00,00,70,00,32,00,cd,00,00,00,00,5a,f9,30,20,00,41,50,4f,54,45,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Companies]
"Order"=hex:08,00,00,00,02,00,00,00,dc,00,00,00,01,00,00,00,02,00,00,00,60,00,
00,00,00,00,00,00,52,00,32,00,cd,00,00,00,00,87,b2,10,20,00,43,50,4c,7e,31,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Directory & Resource]
"Order"=hex:08,00,00,00,02,00,00,00,f4,00,00,00,01,00,00,00,02,00,00,00,60,00,
00,00,01,00,00,00,52,00,32,00,cd,00,00,00,00,a8,d1,e8,20,00,42,48,52,43,2e,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Search Sites & Recruiters]
"Order"=hex:08,00,00,00,02,00,00,00,be,01,00,00,01,00,00,00,03,00,00,00,7a,00,
00,00,00,00,00,00,6c,00,32,00,cd,00,00,00,00,45,98,06,20,00,48,45,53,53,41,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Set 1]
"Order"=hex:08,00,00,00,02,00,00,00,fa,08,00,00,01,00,00,00,12,00,00,00,6e,00,
00,00,00,00,00,00,60,00,32,00,cd,00,00,00,00,79,81,38,20,00,41,42,42,4f,54,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Set 2]
"Order"=hex:08,00,00,00,02,00,00,00,3c,08,00,00,01,00,00,00,0e,00,00,00,9e,00,
00,00,00,00,00,00,90,00,32,00,cd,00,00,00,00,aa,ec,2a,20,00,41,4c,50,48,41,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Set 3]
"Order"=hex:08,00,00,00,02,00,00,00,ba,08,00,00,01,00,00,00,10,00,00,00,84,00,
00,00,00,00,00,00,76,00,32,00,cd,00,00,00,00,44,33,b1,20,00,41,4c,54,41,4e,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Set 4]
"Order"=hex:08,00,00,00,02,00,00,00,5e,09,00,00,01,00,00,00,10,00,00,00,96,00,
00,00,00,00,00,00,88,00,32,00,cd,00,00,00,00,e8,d5,e9,20,00,41,4c,4c,49,45,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\J*o*b* \Set 5]
"Order"=hex:08,00,00,00,02,00,00,00,fa,08,00,00,01,00,00,00,11,00,00,00,80,00,
00,00,00,00,00,00,72,00,32,00,cd,00,00,00,00,ce,67,b2,20,00,41,41,49,50,48,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*h*o*p*p*i*n*g* \Watching]
"Order"=hex:08,00,00,00,02,00,00,00,4a,02,00,00,01,00,00,00,03,00,00,00,9e,00,
00,00,02,00,00,00,90,00,32,00,cd,00,00,00,00,33,8f,8f,20,00,27,50,52,45,53,\

[HKEY_USERS\S-1-5-21-4237552581-2108679205-1672937622-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\S*p*o*r*t*s* \Soccer]
"Order"=hex:08,00,00,00,02,00,00,00,22,09,00,00,01,00,00,00,0f,00,00,00,9e,00,
00,00,09,00,00,00,90,00,32,00,cd,00,00,00,00,cb,cc,21,20,00,43,4f,30,43,34,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-01-14 09:05:16
ComboFix-quarantined-files.txt 2011-01-14 14:05

Pre-Run: 64,753,553,408 bytes free
Post-Run: 65,294,446,592 bytes free

- - End Of File - - EF7255D337679054D425CFE9B40BDA82
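The ComboFix log above records the two persistence mechanisms behind the symptoms in the first post: per-user Run values (including the Wow6432Node view) pointing at executables dropped directly into C:\Windows with names ending in wow.exe, and nine Browser Helper Object CLSIDs all loading c:\programdata\api-ms-win-core-memory-l1-1-032.dll. That DLL name imitates a legitimate Windows API-set DLL, but API-set DLLs live in System32, never in ProgramData, and no legitimate BHO registers nine CLSIDs against one file. ComboFix listed these as orphans it removed; a re-infection would show up as new entries of the same shape. The following PowerShell script is an added example for this thread, not part of the ComboFix output or of any poster's instructions: it walks the Run/RunOnce keys and the BHO registrations on a live machine, flags entries matching the two patterns seen in this log, and reports whether each target file is Authenticode-signed. The path patterns it tests are assumptions drawn only from this log, not a general malware signature, and the helper names (Get-TargetPath, Test-SuspiciousRunTarget, Get-SignerSummary) are this example's own.

```powershell
# Added example for this thread (not from ComboFix or any poster).
# Re-check the two persistence patterns reported as orphans in the log above:
#   1. Run/RunOnce values whose target is an .exe sitting directly in %SystemRoot%
#      with a name ending in "wow.exe" (e.g. fmswow.exe, dxgiwow.exe).
#   2. Browser Helper Objects whose InprocServer32 resolves to a DLL under %ProgramData%.
# Run from an elevated 64-bit PowerShell so both native and Wow6432Node views are visible.
# These patterns are assumptions drawn from this single log, not a general signature.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Properties Get-ItemProperty adds that are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable path out of a Run value, handling quoted and unquoted command lines.
function Get-TargetPath([string]$commandLine) {
    $cmd = $commandLine.Trim()
    if ($cmd -match '^"([^"]+)"')        { return $matches[1] }   # "C:\path with spaces\x.exe" /arg
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $matches[1] }   # C:\path\x.exe /arg
    return ($cmd -split '\s+')[0]
}

# Pattern 1: file directly in %SystemRoot% (not System32/SysWOW64) and named *wow.exe.
function Test-SuspiciousRunTarget([string]$path) {
    $dir  = Split-Path -Parent $path
    $leaf = Split-Path -Leaf   $path
    return ($dir -ieq $env:SystemRoot) -and ($leaf -imatch 'wow\.exe$')
}

# Authenticode status of the target; a missing file is itself worth reporting.
function Get-SignerSummary([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "unsigned/invalid ($($sig.Status))"
}

Write-Host '== Run / RunOnce values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($psMeta -contains $prop.Name) { continue }
        $target = Get-TargetPath ([string]$prop.Value)
        $flag = if (Test-SuspiciousRunTarget $target) { 'SUSPECT' } else { 'ok     ' }
        '{0} {1}\{2} -> {3} [{4}]' -f $flag, $key, $prop.Name, $target, (Get-SignerSummary $target)
    }
}

Write-Host '== Browser Helper Objects =='
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem -Path $key) {
        $clsid = $sub.PSChildName
        # A BHO listed under Wow6432Node is a 32-bit COM server, so check that class view as well.
        $candidates = @(
            "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32",
            "HKLM:\Software\Classes\Wow6432Node\CLSID\$clsid\InprocServer32",
            "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
        )
        $dll = $null
        foreach ($c in $candidates) {
            if (Test-Path $c) {
                $dll = (Get-ItemProperty -Path $c).'(default)'
                if ($dll) { break }
            }
        }
        if (-not $dll) { "SUSPECT $clsid -> (no InprocServer32: orphaned BHO registration)"; continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        # Pattern 2: COM server DLL living under %ProgramData%.
        $inProgramData = $dll.StartsWith($env:ProgramData, [StringComparison]::OrdinalIgnoreCase)
        $flag = if ($inProgramData) { 'SUSPECT' } else { 'ok     ' }
        '{0} {1} -> {2} [{3}]' -f $flag, $clsid, $dll, (Get-SignerSummary $dll)
    }
}
```

A SUSPECT line, or any Run target that is unsigned and was not installed on purpose, is a reason to reopen the thread rather than delete the entry by hand: the first post shows that removing the Run values through msconfig only produced fresh ones on the next boot, because the component that recreates them was still running. The URLSearchHook, BHO and Toolbar entries for the AIR MILES toolbar (FreeCause) and the BearShare MediaBar that remain in the log are adware-class browser add-ons rather than this trojan; the script will report them as signed or unsigned, and whether to keep them is a separate decision.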

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 14 January 2011 - 11:15 AM

Great.. Just use the computer for a couple of days, and if everything is good, we can close this topic :)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 don242

don242
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 14 January 2011 - 11:25 AM

Thanks for your help. I will let you know.

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:28 AM

Posted 18 January 2011 - 01:26 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

