I fell for the Ammyy SCAM via phone call - Have I been infected


This topic is locked
4 replies to this topic

#1 cj smith

  • Members
  • 6 posts
  • OFFLINE

Posted 01 April 2011 - 07:52 PM

Hi,

Well this is my first post in here but I've visited many times over the years.

So yesterday I was busy trying to get all my tax paperwork ready for the accountant; the phone rings and my wife hands me the phone.
A lady with an Indian accent on the other end of the phone tells me that she's calling from some IT company and my computer is infected and it's sending warning messages to them. I was having a hard time understanding her and at the same time sorting paperwork out, so my mind wasn't completely with it.


My laptop was purchased back in 2008 and it's probably time to get a new one. Over the last month it's been running slow etc., so I cleaned a whole bunch of things, purchased another piece of software to try to help fix things up, etc.

But over the past 4 days my primary email address, ......@rogers.com, was getting a huge amount of virus emails, so I figured this lady was some IT person from Rogers; they also have call centers in India and other countries, unless you talk to customer relations.

Anyway, after she had me run a few "Run" CMD-type commands she told me yes, your laptop is infected and all software is corrupt.
She had me visit ammyy.com.
I questioned her for a little about why I would need to use a remote desktop app; she said her tech guy would help guide me to remove/fix the problem, so, being stupid, I granted access. Then, after running one more CMD command (not sure what the command was), when it finished it said something like:
"All software has been deactivated"

Now she tells me to visit another site and select a package so her tech guy can fix everything and re-activate all software.
I realized at that point that this had nothing to do with Rogers, looked up the site in Google and noticed SCAM mentioned in some of the top 5 results, asked her to call back in ten minutes but never heard back.

--------

So now I need to figure out if anything was installed on my laptop during the few minutes I granted access.

--------

Since this happened I've changed my router password and scanned the hard drive with the few software programs I have installed (you will see what I have in the logs I post below). I also created a backup of the hard drive on an external HD.

----------------------------
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Craig at 9:10:59.66 on 01/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2942.1740 [GMT -4:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Outdated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Outdated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Craig\Desktop\Defogger.exe
C:\Users\Craig\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [WAWifiMessage] "c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe"
mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube to Mp3 Converter - c:\users\craig\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
Trusted Zone: gistweb.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.trafficswarm.com/cgi-bin/swarm.cgi?612397&2870a4c4061c5bf17229e5c32d942f11
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\craig\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: SEO For Firefox: seo4firefox@seobook.com - %profile%\extensions\seo4firefox@seobook.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: Google Docs Viewer: adonis.cuhk@gmail.com - %profile%\extensions\adonis.cuhk@gmail.com
FF - Ext: NoDoFollow: {c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294} - %profile%\extensions\{c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294}
FF - Ext: Link Checker: linkchecker@vik.josh - %profile%\extensions\linkchecker@vik.josh
FF - Ext: Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2010-1-27 40496]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-9-23 85312]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2011-3-20 239928]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-3-31 67584]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ssfmonm;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2010-8-17 45072]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2010-8-17 3889232]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2010-8-16 3181888]
R3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2011-3-20 6656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-21 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-18 19456]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-12-22 86016]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Micro Niche Finder Background Download Service;Micro Niche Finder Background Download Service;c:\program files\micro niche finder\srvany.exe --> c:\program files\micro niche finder\srvany.exe [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-9-23 20288]
.
=============== File Associations ===============
.
cmdfile=NOTEPAD.EXE %1
JSEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-01 02:25:28 -------- d-----w- c:\users\craig\appdata\local\Safe mirror
2011-04-01 02:24:55 -------- d-----w- c:\program files\Cobian Backup 10
2011-04-01 01:46:17 -------- d-----w- C:\BackupMarch31
2011-04-01 01:38:28 -------- d-----w- c:\program files\Cobian Backup 8
2011-03-31 19:03:49 -------- d-----w- c:\progra~2\AMMYY
2011-03-29 15:18:24 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-03-29 15:18:24 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-03-29 15:18:23 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-03-29 15:18:22 492504 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
2011-03-29 15:18:21 1018328 ----a-w- c:\program files\mozilla firefox\js3250.dll
2011-03-29 13:31:08 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f47b4610-83f7-4f4b-9f2d-74ce1ac1e53b}\mpengine.dll
2011-03-23 16:03:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 16:03:06 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-22 18:49:42 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 18:49:42 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 18:49:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 18:15:43 -------- d-----w- c:\program files\Windows Portable Devices
2011-03-22 17:47:50 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-03-22 17:47:44 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-03-22 17:47:43 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-03-22 17:46:20 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-22 17:46:04 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-03-22 17:46:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-03-22 17:46:04 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-03-22 17:46:04 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-03-22 17:46:03 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-03-22 17:46:01 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-03-22 17:42:10 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-03-22 17:42:07 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-03-22 17:42:06 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-03-22 17:36:57 258048 ----a-w- c:\windows\system32\winspool.drv
2011-03-22 17:36:56 98816 ----a-w- c:\windows\system32\mfps.dll
2011-03-22 17:36:56 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-03-22 17:26:27 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-03-21 19:25:47 -------- d-----w- c:\program files\Market Samurai
2011-03-21 18:35:07 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-03-21 18:34:39 457304 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2011-03-21 18:34:39 -------- d-----w- c:\windows\system32\ZoneLabs
2011-03-21 18:34:36 -------- d-----w- c:\program files\Zone Labs
2011-03-21 18:26:26 -------- d-----w- c:\windows\Internet Logs
2011-03-21 01:51:25 453152 ----a-w- c:\windows\system32\nvusmu.exe
2011-03-21 01:51:25 15872 ----a-w- c:\windows\system32\drivers\nvsmu.sys
2011-03-21 01:51:25 122880 ----a-w- c:\windows\system32\NVCOSMU.DLL
2011-03-21 01:49:39 46592 ----a-w- c:\windows\system32\drivers\risdptsk.sys
2011-03-21 01:47:42 38400 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2011-03-21 01:47:42 172032 ----a-w- c:\windows\system32\rixdicon.dll
2011-03-21 01:11:34 1832 ----a-w- c:\windows\system32\ASOROSet.bin
2011-03-21 01:11:34 16184 ----a-w- c:\windows\system32\ROBoot.exe
2011-03-20 22:51:31 -------- d-----w- c:\progra~2\Systweak
2011-03-20 21:55:01 17136 ----a-w- c:\windows\system32\sasnative32.exe
2011-03-20 21:54:24 -------- d-----w- c:\program files\Advanced System Optimizer 3
2011-03-20 21:53:09 -------- d-----w- c:\users\craig\appdata\roaming\Systweak
2011-03-20 21:28:52 -------- d-----w- c:\program files\iPod
2011-03-20 21:28:36 -------- d-----w- c:\program files\iTunes
2011-03-19 01:08:23 -------- d-----w- c:\windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP
2011-03-19 01:01:10 -------- d-----w- c:\program files\Defraggler
2011-03-19 00:45:58 -------- d-----w- c:\users\craig\appdata\roaming\ConsumerSoft
2011-03-19 00:45:48 -------- d-----w- c:\program files\ConsumerSoft
2011-03-19 00:41:29 -------- d-----w- c:\program files\Phoenix Labs
2011-03-17 19:04:57 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2011-03-17 19:04:56 77824 ----a-w- c:\windows\system32\EBAPI.dll
2011-03-17 19:04:56 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2011-03-17 19:04:56 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2011-03-17 19:04:56 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2011-03-17 19:01:37 457611 ----a-w- c:\windows\system32\ensppui.dll
2011-03-17 19:01:37 249344 ----a-w- c:\windows\system32\enspres.dll
2011-03-17 19:01:36 474892 ----a-w- c:\windows\system32\ensppmon.dll
2011-03-17 19:01:36 474892 ----a-w- c:\windows\system32\enppmon.dll
2011-03-17 19:01:36 457611 ----a-w- c:\windows\system32\enppui.dll
2011-03-17 19:01:36 249344 ----a-w- c:\windows\system32\enpres.dll
2011-03-17 19:01:33 -------- d-----w- c:\program files\EpsonNet
2011-03-17 19:00:36 80024 ----a-w- c:\windows\system32\PICSDK.dll
2011-03-17 19:00:36 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2011-03-17 19:00:36 108704 ----a-w- c:\windows\system32\PICEntry.dll
2011-03-17 19:00:36 -------- d-----w- c:\program files\common files\EPSON
2011-03-17 19:00:35 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2011-03-17 19:00:34 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2011-03-17 18:58:32 93696 ----a-w- c:\windows\system32\E_FLBGCA.DLL
2011-03-17 18:58:25 63488 ----a-w- c:\windows\system32\E_FD4BGCA.DLL
2011-03-17 18:57:43 -------- d-----w- c:\progra~2\EPSON
2011-03-17 18:55:15 -------- d-----w- c:\program files\Epson Software
2011-03-17 18:52:28 341504 ----a-w- c:\windows\system32\esw2ud.dll
2011-03-17 18:52:28 15872 ----a-w- c:\windows\system32\escdev.dll
2011-03-17 18:52:28 128392 ----a-w- c:\windows\system32\esdevapp.exe
2011-03-17 18:51:54 -------- d-----w- c:\program files\epson
2011-03-17 00:35:52 -------- d-----w- c:\progra~2\WEBREG
2011-03-17 00:18:51 312832 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp70v.dll
2011-03-17 00:14:00 -------- d-----w- c:\program files\Coupons
2011-03-17 00:13:39 -------- d-----w- c:\program files\HP Photo Creations
2011-03-17 00:13:39 -------- d-----w- c:\progra~2\HP Photo Creations
2011-03-17 00:12:32 -------- d-----w- c:\users\craig\appdata\roaming\HpUpdate
2011-03-16 23:58:38 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-03-16 23:52:52 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-03-16 23:52:50 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-03-16 23:52:18 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-03-16 23:52:00 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2011-03-15 23:18:33 -------- d-----w- c:\windows\system32\eu-ES
2011-03-15 23:18:33 -------- d-----w- c:\windows\system32\ca-ES
2011-03-15 23:18:29 -------- d-----w- c:\windows\system32\vi-VN
2011-03-15 21:49:38 40960 ----a-w- c:\program files\common files\microsoft shared\ink\fr\Microsoft.Ink.Resources.dll
2011-03-15 21:48:59 928768 ----a-w- c:\windows\system32\scavenge.dll
2011-03-15 21:47:50 57856 ----a-w- c:\windows\system32\compcln.exe
2011-03-15 21:43:57 69632 ----a-w- c:\windows\system32\sendmail.dll
2011-03-15 21:42:59 171008 ----a-w- c:\windows\system32\apphelp.dll
2011-03-15 21:41:59 69120 ----a-w- c:\program files\common files\microsoft shared\ink\IpsPlugin.dll
2011-03-15 21:40:59 657408 ----a-w- c:\windows\system32\WMVXENCD.DLL
2011-03-15 21:32:38 -------- d-----w- c:\windows\system32\EventProviders
2011-03-15 21:32:31 -------- d-----w- C:\e41499d0f65942616f1bf80260
2011-03-15 19:57:11 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-03-15 19:56:31 40448 ----a-w- c:\windows\system32\winrs.exe
2011-03-15 19:56:31 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-03-15 19:56:31 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-03-15 19:56:26 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-03-15 19:56:25 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-03-15 19:56:19 79872 ----a-w- c:\windows\system32\wecutil.exe
2011-03-15 19:56:19 56320 ----a-w- c:\windows\system32\wecapi.dll
2011-03-15 19:56:18 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2011-03-15 19:56:18 54272 ----a-w- c:\windows\system32\WsmRes.dll
2011-03-15 19:56:18 146944 ----a-w- c:\windows\system32\wecsvc.dll
2011-03-15 19:56:17 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2011-03-15 19:55:59 201184 ----a-w- c:\windows\system32\winrm.vbs
2011-03-15 19:55:41 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-03-15 19:55:41 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-03-15 19:55:41 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-03-15 19:55:41 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-03-15 19:55:40 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-03-15 19:55:40 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-03-15 19:53:58 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-15 19:53:57 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-15 19:53:56 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-15 19:53:56 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-15 19:53:46 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-15 19:53:45 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-15 19:53:45 63488 ----a-w- c:\windows\system32\tscupgrd.exe
.
==================== Find3M ====================
.
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 9:13:32.29 ===============



-------------------------------------------------------------------------------------------------------------------

I've attached the 2 files as stated in the prep guide.

Please let me know if you need any other information,

Thanks
Craig

Hi,

I realized that I haven't really explained what help I need.

Here are some questions I'm looking for advice on:


Do you think, or can you see, anything that indicates I have been infected during the time I allowed remote access?
I use RoboForm to store all passwords etc. I need to access some sites on a daily basis; do you think I should access these sites like normal and just keep an eye open for strange activity?

After making my post I ran another program I have called Advanced System Optimizer, so I wanted to share the log below:

Scan Log Total Time: 109 Mins 50 Secs
Start Time: Apr 01, 2011 at 09:02:50 PM End Time: Apr 01, 2011 at 10:52:40 PM
roguesecurityprogram.hddrescue.c (Rogue Antispyware Program)
Status : Quarantined

Infected registry keys/values detected
hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\taskman
Trojan.vilsel.xme (Trojan)
Status : Quarantined

Infected files detected

FileName: c:\swsetup\aolims\migrator.exe
MD5: b29eb165fe570cb4c4f4a7f367dff94c (228656 Bytes)
Signature:
Trojan.agent.dght (Trojan)
Status : Quarantined

Infected files detected

FileName: c:\swsetup\aolims\setup.exe
MD5: b78523ec7752bc9ea469085d223fcf63 (169520 Bytes)
Signature:
Trojan.agent.gjro (Trojan)
Status : Quarantined

Infected files detected

FileName: c:\tiger gaming\switch.exe
MD5: 335682605d9f51c941e59cfd1c12de74 (45056 Bytes)
Signature:
RogueProgram.antimalwaresuite.d (Rogue Antispyware Program)
Status : Quarantined

Infected files detected

FileName: c:\windows\twain001.mtx
MD5: ceb36966e83a08c4ace63d7c6d963247 (3 Bytes)
Signature:


EDIT: Posts merged ~BP

Edited by Budapest, 02 April 2011 - 03:43 PM.
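A triage pass over the DDS "Created Last 30" section, added here as an example and not part of the original post or of the DDS tool: it parses the line format quoted above and flags entries created on or after the day of the call (the AMMYY folder among them) or whose path names a remote-support tool. The sample lines are constructed from the log above; the incident day and the tool-name list beyond "ammyy" are assumptions.

```python
import re
from datetime import datetime, date

# Constructed sample in the DDS "Created Last 30" format, modelled on the log quoted in
# the post (a subset of its lines). Size is "--------" for directories.
SAMPLE_LOG = """\
2011-04-01 02:24:55 -------- d-----w- c:\\program files\\Cobian Backup 10
2011-03-31 19:03:49 -------- d-----w- c:\\progra~2\\AMMYY
2011-03-29 15:18:24 25048 ----a-w- c:\\program files\\mozilla firefox\\components\\browserdirprovider.dll
2011-03-22 17:46:03 252928 ----a-w- c:\\windows\\system32\\dxdiag.exe
"""

# One DDS entry: "<date> <time> <size or -------->  <attrs> <path>"; paths may contain spaces.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>\S.*?)\s*$"
)

# Names of remote-support tools worth a second look after an unsolicited "tech support" call.
# "ammyy" is the one named in the thread; the others are an assumed list to extend as needed.
REMOTE_TOOL_MARKERS = ("ammyy", "teamviewer", "logmein", "anydesk")


def parse_created_entries(text):
    """Parse DDS 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "is_dir": m["attrs"].startswith("d"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "path": m["path"],
        })
    return entries


def flag_entries(entries, incident_day, markers=REMOTE_TOOL_MARKERS):
    """Return {path: [reasons]} for entries created on/after incident_day or naming a remote tool.

    Times are compared exactly as DDS printed them. The quoted log header shows the machine's
    offset ([GMT -4:00]); confirm whether listed times are local or UTC before trusting a
    match that falls close to midnight.
    """
    flagged = {}
    for e in entries:
        reasons = []
        if e["created"].date() >= incident_day:
            reasons.append("created on or after the incident day")
        lowered = e["path"].lower()
        if any(marker in lowered for marker in markers):
            reasons.append("path names a remote-support tool")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


def triage(text=SAMPLE_LOG, incident_day=date(2011, 3, 31)):
    """Parse then flag. Assumed incident day: the poster said the call came the day before 01 April."""
    return flag_entries(parse_created_entries(text), incident_day)


if __name__ == "__main__":
    for path, reasons in triage().items():
        print(f"{path}\n    " + "; ".join(reasons))
```

Anything flagged only as "created on or after the incident day" still needs a human look: the Cobian Backup folder in the sample is the poster's own backup work, not the caller's.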




#2 oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective

Posted 06 April 2011 - 07:27 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended, please try one more time and, if unsuccessful, alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 cj smith

cj smith
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 06 April 2011 - 08:22 AM

Hi,

Well I'm not sure if I still have a problem or not. I'm just asking if someone can look over my logs and see if anything doesn't look right really.

Since I created the first post I've been running scans on all software but not finding anything apart from junk files.

Yesterday I installed "ZoneAlarm Extreme Security" and removed "WebRoot spyware/virus/security" program.

Here are some details of my laptop:

Purchased in mid-2008; it didn't come with a Windows CD, as I think all the info is stored on the D: drive if I need to reinstall.

Windows Vista - Home Premium
HP Pavilion dv6700
AMD Turion 64 X2 Mobile Technology TL-60 2.00GHz
3.00 GB
32-bit

--------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Craig at 9:05:08.92 on 06/04/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2942.1161 [GMT -4:00]
.
AV: ZoneAlarm Extreme Security Antivirus *Enabled/Updated* {E9467272-859A-F159-FA9E-55E7E32D7A25}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Enabled/Updated* {52279396-A3A0-FED7-C02E-6E9598AA3098}
FW: ZoneAlarm Extreme Security Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Craig\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [WAWifiMessage] "c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Free YouTube to Mp3 Converter - c:\users\craig\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
Trusted Zone: gistweb.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.trafficswarm.com/cgi-bin/swarm.cgi?612397&2870a4c4061c5bf17229e5c32d942f11
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\users\craig\appdata\roaming\mozilla\firefox\profiles\pod8vilb.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\craig\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: SEO For Firefox: seo4firefox@seobook.com - %profile%\extensions\seo4firefox@seobook.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: ColorZilla: {6AC85730-7D0F-4de0-B3FA-21142DD85326} - %profile%\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: Google Docs Viewer: adonis.cuhk@gmail.com - %profile%\extensions\adonis.cuhk@gmail.com
FF - Ext: NoDoFollow: {c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294} - %profile%\extensions\{c2b1f3ae-5cd5-49b7-8a0c-2c3bcbbbb294}
FF - Ext: Link Checker: linkchecker@vik.josh - %profile%\extensions\linkchecker@vik.josh
FF - Ext: Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Ext: ForceField Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;Hotcore helper;c:\windows\system32\drivers\hotcore3.sys [2010-1-27 40496]
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2010-9-23 85312]
R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2011-3-20 239928]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2010-8-27 26352]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2010-8-27 493032]
R3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2011-3-20 6656]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2010-8-27 35568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-21 135664]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2007-6-18 19456]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-1-20 21504]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-12-22 86016]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Micro Niche Finder Background Download Service;Micro Niche Finder Background Download Service;c:\program files\micro niche finder\srvany.exe --> c:\program files\micro niche finder\srvany.exe [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-9-23 20288]
.
=============== File Associations ===============
.
cmdfile=NOTEPAD.EXE %1
JSEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-05 23:34:13 -------- d-----w- c:\program files\PC Tune-Up
2011-04-05 18:22:46 -------- d-----w- c:\progra~2\Kaspersky SDK
2011-04-05 18:21:24 -------- d-----w- c:\users\craig\appdata\roaming\MailFrontier
2011-04-05 18:11:21 72704 ----a-w- c:\windows\zllsputility.exe
2011-04-05 18:11:13 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2011-04-05 18:09:31 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2011-04-05 18:09:17 462424 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2011-04-05 18:09:17 -------- d-----w- c:\windows\system32\ZoneLabs
2011-04-05 18:09:16 -------- d-----w- c:\program files\Zone Labs
2011-04-05 17:56:00 -------- d-----w- c:\windows\Internet Logs
2011-04-05 12:19:16 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{4e81aeaf-e1be-4924-a915-f884e1d62852}\mpengine.dll
2011-04-04 13:44:37 -------- d-----w- c:\users\craig\appdata\roaming\Microsys
2011-04-04 13:44:22 -------- d-----w- c:\program files\Microsys
2011-04-01 02:25:28 -------- d-----w- c:\users\craig\appdata\local\Safe mirror
2011-04-01 02:24:55 -------- d-----w- c:\program files\Cobian Backup 10
2011-04-01 01:46:17 -------- d-----w- C:\BackupMarch31
2011-04-01 01:38:28 -------- d-----w- c:\program files\Cobian Backup 8
2011-03-31 19:03:49 -------- d-----w- c:\progra~2\AMMYY
2011-03-29 15:18:24 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-03-29 15:18:24 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-03-29 15:18:23 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-03-29 15:18:22 492504 ----a-w- c:\program files\mozilla firefox\sqlite3.dll
2011-03-29 15:18:21 1018328 ----a-w- c:\program files\mozilla firefox\js3250.dll
2011-03-23 16:03:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-23 16:03:06 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-22 18:49:42 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-22 18:49:42 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-22 18:49:42 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-22 18:15:43 -------- d-----w- c:\program files\Windows Portable Devices
2011-03-22 17:47:50 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2011-03-22 17:47:44 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2011-03-22 17:47:43 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2011-03-22 17:46:20 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-03-22 17:46:04 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-03-22 17:46:04 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-03-22 17:46:04 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-03-22 17:46:04 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2011-03-22 17:46:03 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-03-22 17:46:01 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-03-22 17:42:10 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-03-22 17:42:07 234496 ----a-w- c:\windows\system32\oleacc.dll
2011-03-22 17:42:06 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-03-22 17:36:57 258048 ----a-w- c:\windows\system32\winspool.drv
2011-03-22 17:36:56 98816 ----a-w- c:\windows\system32\mfps.dll
2011-03-22 17:36:56 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-03-22 17:26:27 231424 ----a-w- c:\windows\system32\msshsq.dll
2011-03-21 19:25:47 -------- d-----w- c:\program files\Market Samurai
2011-03-21 01:51:25 453152 ----a-w- c:\windows\system32\nvusmu.exe
2011-03-21 01:51:25 15872 ----a-w- c:\windows\system32\drivers\nvsmu.sys
2011-03-21 01:51:25 122880 ----a-w- c:\windows\system32\NVCOSMU.DLL
2011-03-21 01:49:39 46592 ----a-w- c:\windows\system32\drivers\risdptsk.sys
2011-03-21 01:47:42 38400 ----a-w- c:\windows\system32\drivers\rixdptsk.sys
2011-03-21 01:47:42 172032 ----a-w- c:\windows\system32\rixdicon.dll
2011-03-21 01:11:34 1860 ----a-w- c:\windows\system32\ASOROSet.bin
2011-03-21 01:11:34 16184 ----a-w- c:\windows\system32\ROBoot.exe
2011-03-20 22:51:31 -------- d-----w- c:\progra~2\Systweak
2011-03-20 21:55:01 17136 ----a-w- c:\windows\system32\sasnative32.exe
2011-03-20 21:54:24 -------- d-----w- c:\program files\Advanced System Optimizer 3
2011-03-20 21:53:09 -------- d-----w- c:\users\craig\appdata\roaming\Systweak
2011-03-20 21:28:52 -------- d-----w- c:\program files\iPod
2011-03-20 21:28:36 -------- d-----w- c:\program files\iTunes
2011-03-19 01:08:23 -------- d-----w- c:\windows\C6359569E03E4CDC98E8CDD080C6EEB5.TMP
2011-03-19 01:01:10 -------- d-----w- c:\program files\Defraggler
2011-03-19 00:45:58 -------- d-----w- c:\users\craig\appdata\roaming\ConsumerSoft
2011-03-19 00:45:48 -------- d-----w- c:\program files\ConsumerSoft
2011-03-19 00:41:29 -------- d-----w- c:\program files\Phoenix Labs
2011-03-17 19:04:57 55808 ----a-w- c:\windows\system32\EEBSDKIF.dll
2011-03-17 19:04:56 77824 ----a-w- c:\windows\system32\EBAPI.dll
2011-03-17 19:04:56 65536 ----a-w- c:\windows\system32\EEBUtil.dll
2011-03-17 19:04:56 135168 ----a-w- c:\windows\system32\EEBAPI.dll
2011-03-17 19:04:56 110592 ----a-w- c:\windows\system32\EEBDSCVR.dll
2011-03-17 19:01:37 457611 ----a-w- c:\windows\system32\ensppui.dll
2011-03-17 19:01:37 249344 ----a-w- c:\windows\system32\enspres.dll
2011-03-17 19:01:36 474892 ----a-w- c:\windows\system32\ensppmon.dll
2011-03-17 19:01:36 474892 ----a-w- c:\windows\system32\enppmon.dll
2011-03-17 19:01:36 457611 ----a-w- c:\windows\system32\enppui.dll
2011-03-17 19:01:36 249344 ----a-w- c:\windows\system32\enpres.dll
2011-03-17 19:01:33 -------- d-----w- c:\program files\EpsonNet
2011-03-17 19:00:36 80024 ----a-w- c:\windows\system32\PICSDK.dll
2011-03-17 19:00:36 501912 ----a-w- c:\windows\system32\PICSDK2.dll
2011-03-17 19:00:36 108704 ----a-w- c:\windows\system32\PICEntry.dll
2011-03-17 19:00:36 -------- d-----w- c:\program files\common files\EPSON
2011-03-17 19:00:35 51360 ----a-w- c:\windows\system32\EpPicPrt.dll
2011-03-17 19:00:34 51360 ----a-w- c:\windows\system32\EpPicMgr.dll
2011-03-17 18:58:32 93696 ----a-w- c:\windows\system32\E_FLBGCA.DLL
2011-03-17 18:58:25 63488 ----a-w- c:\windows\system32\E_FD4BGCA.DLL
2011-03-17 18:57:43 -------- d-----w- c:\progra~2\EPSON
2011-03-17 18:55:15 -------- d-----w- c:\program files\Epson Software
2011-03-17 18:52:28 341504 ----a-w- c:\windows\system32\esw2ud.dll
2011-03-17 18:52:28 15872 ----a-w- c:\windows\system32\escdev.dll
2011-03-17 18:52:28 128392 ----a-w- c:\windows\system32\esdevapp.exe
2011-03-17 18:51:54 -------- d-----w- c:\program files\epson
2011-03-17 00:35:52 -------- d-----w- c:\progra~2\WEBREG
2011-03-17 00:18:51 312832 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp70v.dll
2011-03-17 00:13:39 -------- d-----w- c:\program files\HP Photo Creations
2011-03-17 00:13:39 -------- d-----w- c:\progra~2\HP Photo Creations
2011-03-17 00:12:32 -------- d-----w- c:\users\craig\appdata\roaming\HpUpdate
2011-03-16 23:58:38 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-03-16 23:52:52 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2011-03-16 23:52:50 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-03-16 23:52:18 452408 ----a-w- c:\windows\system32\hpzids01.dll
2011-03-16 23:52:00 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2011-03-15 23:18:33 -------- d-----w- c:\windows\system32\eu-ES
2011-03-15 23:18:33 -------- d-----w- c:\windows\system32\ca-ES
2011-03-15 23:18:29 -------- d-----w- c:\windows\system32\vi-VN
2011-03-15 21:49:38 40960 ----a-w- c:\program files\common files\microsoft shared\ink\fr\Microsoft.Ink.Resources.dll
2011-03-15 21:48:59 928768 ----a-w- c:\windows\system32\scavenge.dll
2011-03-15 21:47:50 57856 ----a-w- c:\windows\system32\compcln.exe
2011-03-15 21:43:57 69632 ----a-w- c:\windows\system32\sendmail.dll
2011-03-15 21:42:59 171008 ----a-w- c:\windows\system32\apphelp.dll
2011-03-15 21:41:59 69120 ----a-w- c:\program files\common files\microsoft shared\ink\IpsPlugin.dll
2011-03-15 21:40:59 657408 ----a-w- c:\windows\system32\WMVXENCD.DLL
2011-03-15 21:32:38 -------- d-----w- c:\windows\system32\EventProviders
2011-03-15 21:32:31 -------- d-----w- C:\e41499d0f65942616f1bf80260
2011-03-15 19:57:11 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-03-15 19:56:31 40448 ----a-w- c:\windows\system32\winrs.exe
2011-03-15 19:56:31 20480 ----a-w- c:\windows\system32\winrshost.exe
2011-03-15 19:56:31 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2011-03-15 19:56:26 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2011-03-15 19:56:25 10240 ----a-w- c:\windows\system32\winrssrv.dll
2011-03-15 19:56:19 79872 ----a-w- c:\windows\system32\wecutil.exe
2011-03-15 19:56:19 56320 ----a-w- c:\windows\system32\wecapi.dll
2011-03-15 19:56:18 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2011-03-15 19:56:18 54272 ----a-w- c:\windows\system32\WsmRes.dll
2011-03-15 19:56:18 146944 ----a-w- c:\windows\system32\wecsvc.dll
2011-03-15 19:56:17 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2011-03-15 19:55:59 201184 ----a-w- c:\windows\system32\winrm.vbs
2011-03-15 19:55:41 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2011-03-15 19:55:41 241152 ----a-w- c:\windows\system32\winrscmd.dll
2011-03-15 19:55:41 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2011-03-15 19:55:41 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2011-03-15 19:55:40 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2011-03-15 19:55:40 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2011-03-15 19:53:58 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-15 19:53:57 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-15 19:53:56 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-15 19:53:56 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-15 19:53:46 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-15 19:53:45 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-15 19:53:45 63488 ----a-w- c:\windows\system32\tscupgrd.exe
.
==================== Find3M ====================
.
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 9:07:33.25 ===============

Attached Files


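An added example (not from this thread, nor part of DDS or any BleepingComputer tool): a small Python triage helper that reads a DDS log, pulls the "Trusted Zone" entries out of the Pseudo HJT Report, and sorts the "Created Last 30" entries into a timeline so that anything created in a chosen window can be listed. The sample text is copied from the log posted above; the watchlist (just the AMMYY folder name that appears in the log) and the date window around that folder's creation timestamp are assumptions for the demonstration.

```python
import re
from datetime import datetime

# Lines copied from the DDS log posted in this thread (three of its sections);
# a real run would read the whole saved log file instead.
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.ca/
Trusted Zone: gistweb.com
.
=============== File Associations ===============
.
cmdfile=NOTEPAD.EXE %1
JSEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-04-05 18:09:16 -------- d-----w- c:\program files\Zone Labs
2011-04-01 02:24:55 -------- d-----w- c:\program files\Cobian Backup 10
2011-03-31 19:03:49 -------- d-----w- c:\progra~2\AMMYY
2011-03-29 15:18:24 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
.
==================== Find3M ====================
"""

# "=== Section Name ===" banner lines and "timestamp size attrs path" entries.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}; '.' spacer lines are dropped."""
    sections = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        if line in ("", "."):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_created(lines):
    """Turn 'Created Last 30' lines into (datetime, size, attrs, path), oldest first.

    DDS prints newest first; sorting gives a timeline to read against the incident date."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(entries)


def trusted_zone_sites(sections):
    """Domains the log reports in the Internet Explorer Trusted Zone."""
    return [line.split(":", 1)[1].strip()
            for line in sections.get("Pseudo HJT Report", [])
            if line.startswith("Trusted Zone:")]


def watchlist_hits(entries, watchlist=("ammyy",)):
    """Paths whose name contains a watchlisted substring (assumed list, case-insensitive)."""
    return [path for (_, _, _, path) in entries
            if any(word in path.lower() for word in watchlist)]


def created_between(entries, start, end):
    """(timestamp, path) for entries created in the inclusive window [start, end]."""
    return [(ts, path) for (ts, _, _, path) in entries if start <= ts <= end]


def triage(text, start, end, watchlist=("ammyy",)):
    """Summarise a DDS log: trusted sites, watchlist hits, and creations in the window."""
    sections = parse_sections(text)
    entries = parse_created(sections.get("Created Last 30", []))
    return {
        "trusted_zones": trusted_zone_sites(sections),
        "watchlist_hits": watchlist_hits(entries, watchlist),
        "created_in_window": created_between(entries, start, end),
    }


if __name__ == "__main__":
    # Assumed window: the day the AMMYY folder in the log was created.
    report = triage(SAMPLE_DDS_LOG, datetime(2011, 3, 31), datetime(2011, 4, 1))
    for key, value in report.items():
        print(key, value)
```

Widening the window (for example to 2 April) also picks up the Cobian Backup folder created the following night, which is why the helper returns the timeline rather than deciding for you: the reader of the log still has to match each entry against what the user says they installed themselves.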

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:43 PM

Posted 09 April 2011 - 08:35 AM

Hello, cj smith.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!




Registry Cleaner Warning


I also see that you have a registry cleaner installed (in your case Advanced System Optimizer). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578

Registry Cleaner Warning


I also see that you have CCleaner installed. It is a great tool that I use. However, be careful of the registry cleaning functionality (versus file cleaning). Here at BC, we do not recommend using registry cleaners, as they don't speed up your computer and they can do more harm than good if they remove a legitimate entry. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578


Viewpoint (foistware) Warning

Viewpoint Manager is considered foistware instead of malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/clickz/news/1714488/viewpoint-plunge-into-adware

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.




Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is that the security settings for the Internet zone are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even give access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 2


There are some leftovers in the log. We'll use OTL as it has the ability to fix things it sees, unlike DDS. The first step is to generate a log to build the script from.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry"
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 14 April 2011 - 05:25 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.






