Google redirect, Audio ads playing in background, and IE script error messages.


20 replies to this topic

#1 NinjasAreMammalsToo

  • Members
  • 11 posts

Posted 27 April 2011 - 11:20 AM

Sometime last week I got hit with a rogue anti-virus program, can't remember its name, but I got rid of that rather easily. However, since then google has been redirecting me when I do searches, Internet Explorer script errors appear even though I don't have IE installed, and random audio ads play in the background without any program being open. These ads last anywhere from 15 seconds for the shortest to 15 minutes. I had almost a full radio show from a Christian radio station play last night. I would really appreciate any help with this! I have work in about two hours and then again tomorrow morning so my replies may be a bit slow, but please bear with me. Thanks in advance.

What already worries me is that I uninstalled Avira AntiVir PersonalEdition quite a while, like months, ago.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mello at 23:40:22.57 on Tue 04/26/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1418 [GMT -5:00]
.
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8617F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AA43C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B7894-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8623A62C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620B9DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84188DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8621F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863FF794-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839F1054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F1E82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8456682C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84BEF82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83ED6054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862748BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83B19244-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86267594-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862D36FC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863E1934-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86113DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AEB4C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865799BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620758C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86245A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B6DB4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8589FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8628C204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863054BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862024BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86285254-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8615F54C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862924BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863B5914-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8629C9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E68C4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F5482C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F271C-FFA4-00EF-0D24-347CA8A3377C}
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83529054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86409B64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86171DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {861B79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: McAfee VirusScan Online *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862792AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8634DB34-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629098C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8625C604-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86268A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629B414-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8613255C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861BE90C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A390C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8623B34C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86297564-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {864B4A94-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862892AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {82F55DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {860F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862B1354-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86393C04-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8626234C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862669DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86590234-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E0B3C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865CCB64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8693556C-FFA4-00DE-0D24-347CA8A3377C}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Stephen Mello\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Stephen Mello\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Octoshape Streaming Services] "c:\documents and settings\stephen mello\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Google Update] "c:\documents and settings\stephen mello\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {52F67820-7901-44F2-9FA1-8A5519A6553C} = 68.87.68.162,68.87.74.192
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\stephe~1\applic~1\mozilla\firefox\profiles\jx6jutol.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\stephen mello\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\stephen mello\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\stephen mello\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: XULRunner: {D7DCD3E1-4F69-4B6A-8215-CA3A259B728A} - c:\documents and settings\stephen mello\local settings\application data\{D7DCD3E1-4F69-4B6A-8215-CA3A259B728A}
FF - Ext: XULRunner: {601189F3-25FB-416A-ADCD-FB661D446137} - c:\documents and settings\stephen mello\local settings\application data\{601189F3-25FB-416A-ADCD-FB661D446137}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\stephen mello\application data\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-4 56816]
R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-7-11 540776]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-7-11 353368]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-7-11 256096]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-6-16 221184]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-6-16 114464]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-28 34760]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-10-7 223128]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]
S4 AntiVirService;Avira AntiVir Guard;"c:\program files\avira\antivir desktop\avguard.exe" --> c:\program files\avira\antivir desktop\avguard.exe [?]
.
=============== Created Last 30 ================
.
2011-04-27 04:04:04 -------- d-----w- C:\ComboFix
2011-04-27 03:25:38 388096 ----a-r- c:\docume~1\stephe~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-27 03:25:37 -------- d-----w- c:\program files\Trend Micro
2011-04-23 22:35:51 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-23 22:35:51 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 22:56:57 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-04-20 22:56:57 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-04-15 17:15:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\hOj06511fGgBg06511
2011-04-08 03:15:38 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 03:15:38 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 03:15:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 03:15:34 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 03:15:34 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 03:15:32 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 03:15:32 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-04-04 02:47:17 -------- d-----r- c:\program files\Skype
2011-03-29 03:11:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\hHeBhAcEcCc06511
.
==================== Find3M ====================
.
2011-04-20 22:57:21 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-04-20 22:57:21 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-04-20 22:57:19 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-04-08 05:14:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-08 05:14:00 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-04-08 05:14:00 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-08 05:14:00 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-04-08 05:14:00 2116894 ----a-w- c:\windows\system32\nvdata.bin
2011-04-08 05:14:00 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-04-08 05:14:00 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 05:14:00 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-04-08 05:14:00 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 23:41:52.71 ===============
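
Reading the Pseudo HJT Report, services list and "Created Last 30" section above by eye, the items a helper looks at first are the hosts-file entries that send several security-vendor-sounding domains to a single IP, the IFEO entry for svchost.exe, the S0 driver with a vowel-free name whose file is missing, and the random-named folder under All Users\Application Data. The script below is an added illustration of those checks and is not part of the DDS tool or of anyone's post in this thread; it runs over a constructed subset of the log lines from this post. The thresholds (three or more names per IP, vowel-free service names, mixed-case alphanumeric folder names of 12+ characters) are assumptions chosen for this example, and the avgntflt/avgio pair shows why "file missing" and "random name" are reported separately: a stale entry from a removed product and a dropped rootkit driver both show `[?]`, but only one of them has a generated name.

```python
"""Triage heuristics for the Pseudo HJT / services / Created-Last-30
sections of a DDS log.  Example code added to this thread; not part of DDS."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-4 56816]
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S1 avgio;avgio;\??\c:\program files\avira\antivir desktop\avgio.sys --> c:\program files\avira\antivir desktop\avgio.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-28 34760]
2011-04-15 17:15:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\hOj06511fGgBg06511
2011-04-27 03:25:37 -------- d-----w- c:\program files\Trend Micro
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")
IFEO_RE = re.compile(r"^IFEO:\s.*-\s+(\S+)$")
# "R2 name;display name;path [date size]"  or  "... --> path [?]" when the file is gone
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Only directory entries (attribute field starting with 'd') from "Created Last 30"
CREATED_DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S+\s+\S+\s+d\S*\s+(.*)$")

VOWELS = set("aeiouy")
HOSTS_PER_IP_THRESHOLD = 3  # assumption: this many names on one IP is worth a look


def looks_random_service(name: str) -> bool:
    """Service names with no vowels at all (e.g. fnlqswph) are a generator artefact."""
    return len(name) >= 6 and name.isalpha() and not (set(name.lower()) & VOWELS)


def looks_random_dirname(name: str) -> bool:
    """Mixed-case alphanumeric name of 12+ chars containing digits, e.g. hOj06511fGgBg06511."""
    if not re.fullmatch(r"[A-Za-z0-9]{12,}", name):
        return False
    return (any(c.isdigit() for c in name)
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name))


def triage(log_text: str) -> dict:
    """Return the suspicious items found in the given DDS log text, grouped by kind."""
    hosts_by_ip = defaultdict(list)
    findings = {"hosts": [], "ifeo": [], "services": [], "dirs": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            hosts_by_ip[m.group(1)].append(m.group(2))
        elif m := IFEO_RE.match(line):
            # Any IFEO entry for a system binary deserves review (debugger hijack).
            findings["ifeo"].append(m.group(1))
        elif m := SERVICE_RE.match(line):
            start, name, _display, rest = m.groups()
            missing = rest.endswith("[?]")           # DDS marks a missing file with [?]
            random_name = looks_random_service(name)
            if missing or random_name:
                findings["services"].append(
                    {"name": name, "start": start,
                     "file_missing": missing, "random_name": random_name})
        elif m := CREATED_DIR_RE.match(line):
            path = m.group(1)
            if looks_random_dirname(path.rsplit("\\", 1)[-1]):
                findings["dirs"].append(path)
    for ip, names in hosts_by_ip.items():
        if len(names) >= HOSTS_PER_IP_THRESHOLD:
            findings["hosts"].append({"ip": ip, "count": len(names), "names": names})
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Run stand-alone it prints the four groups; in the sample, the hosts entries collapse to one IP carrying five names, the IFEO hit is svchost.exe, the services group contains fnlqswph (missing file, random name) and avgio (missing file only), and the dirs group contains the hOj06511fGgBg06511 folder while "Trend Micro" is left alone.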


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Location:Greenup, Ill USA

Posted 27 April 2011 - 01:41 PM

Hello NinjasAreMammalsToo,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

1.
I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove either Avira or McAfee.

2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDSSKiller log
ComboFix.txt
Are you able to burn CDs and have a USB Flash drive?
How is your machine running now?

Edited by fireman4it, 27 April 2011 - 01:43 PM.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 NinjasAreMammalsToo
  • Topic Starter

  • Members
  • 11 posts

Posted 27 April 2011 - 10:28 PM

Well, I'm already at a roadblock. TDSS Rootkit Removing Tool won't run no matter what I name it and ComboFix says I have an Avira scanner currently running and recommends I turn it off before running Combo. The problem is I uninstalled Avira sometime last year so it shouldn't be active and I definitely have no way to turn off a scanner I shouldn't even have. I don't even have any iteration of Avira in my "Add or Remove Programs" list. So I'm kinda stuck... any insight?

Also, I apologize for the long delay in my replies as I have a strange work schedule. I may not be able to reply again until tomorrow evening.

Edited by NinjasAreMammalsToo, 27 April 2011 - 10:29 PM.


#4 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 28 April 2011 - 06:21 PM

Hello,

Please ignore the warning about Avira and let it run. If it still won't run, try it in Safe Mode with Networking.

Now reboot into Safe Mode with Networking.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option with networking support.
Please see here for additional details.


#5 NinjasAreMammalsToo (Topic Starter, Members, 11 posts)

Posted 28 April 2011 - 07:30 PM

Safe Mode with Networking worked for ComboFix but TDSS still wouldn't run. ComboFix log is posted below.


ComboFix 11-04-28.01 - Mello 04/28/2011 19:12:54.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1643 [GMT -5:00]
Running from: c:\documents and settings\Stephen Mello\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {861B79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620758C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620B9DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8621F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8623B34C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86245A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86268A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862748BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8628C204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862924BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8629C9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {864B4A94-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {82F55DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83529054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839F1054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83B19244-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83ED6054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F1E82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F5482C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84188DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8456682C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84BEF82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8589FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {860F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86113DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8613255C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8615F54C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86171DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8617F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B6DB4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B7894-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861BE90C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862024BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8623A62C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8625C604-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8626234C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862669DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86267594-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862792AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86285254-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862892AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629098C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86297564-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629B414-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A390C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AA43C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AEB4C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862B1354-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862D36FC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E0B3C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E68C4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F271C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863054BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8634DB34-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86393C04-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863B5914-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863E1934-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863FF794-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86409B64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865799BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86590234-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865CCB64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8693556C-FFA4-00DE-0D24-347CA8A3377C}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\d30338e
c:\documents and settings\All Users\Application Data\d30338e\22.mof
c:\documents and settings\All Users\Application Data\d30338e\BackUp\Adobe Reader Speed Launch.lnk
c:\documents and settings\All Users\Application Data\d30338e\BackUp\Extender Resource Monitor.lnk
c:\documents and settings\All Users\Application Data\d30338e\mozcrt19.dll
c:\documents and settings\All Users\Application Data\d30338e\SGD.ico
c:\documents and settings\All Users\Application Data\d30338e\SGDSys\vd952342.bd
c:\documents and settings\All Users\Application Data\d30338e\sqlite3.dll
c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}
c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\chrome.manifest
c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\chrome\content\_cfg.js
c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\chrome\content\overlay.xul
c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\install.rdf
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.dll
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.drv
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.exe
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.sys
c:\documents and settings\Stephen Mello\Recent\cb.dll
c:\documents and settings\Stephen Mello\Recent\cid.sys
c:\documents and settings\Stephen Mello\Recent\CLSV.drv
c:\documents and settings\Stephen Mello\Recent\DBOLE.drv
c:\documents and settings\Stephen Mello\Recent\ddv.exe
c:\documents and settings\Stephen Mello\Recent\delfile.drv
c:\documents and settings\Stephen Mello\Recent\delfile.exe
c:\documents and settings\Stephen Mello\Recent\dudl.exe
c:\documents and settings\Stephen Mello\Recent\eb.dll
c:\documents and settings\Stephen Mello\Recent\eb.exe
c:\documents and settings\Stephen Mello\Recent\eb.sys
c:\documents and settings\Stephen Mello\Recent\energy.dll
c:\documents and settings\Stephen Mello\Recent\energy.drv
c:\documents and settings\Stephen Mello\Recent\energy.sys
c:\documents and settings\Stephen Mello\Recent\exec.dll
c:\documents and settings\Stephen Mello\Recent\exec.drv
c:\documents and settings\Stephen Mello\Recent\exec.exe
c:\documents and settings\Stephen Mello\Recent\exec.sys
c:\documents and settings\Stephen Mello\Recent\fan.drv
c:\documents and settings\Stephen Mello\Recent\FS.exe
c:\documents and settings\Stephen Mello\Recent\FS.sys
c:\documents and settings\Stephen Mello\Recent\grid.exe
c:\documents and settings\Stephen Mello\Recent\grid.sys
c:\documents and settings\Stephen Mello\Recent\hymt.dll
c:\documents and settings\Stephen Mello\Recent\hymt.drv
c:\documents and settings\Stephen Mello\Recent\hymt.exe
c:\documents and settings\Stephen Mello\Recent\kernel32.dll
c:\documents and settings\Stephen Mello\Recent\kernel32.drv
c:\documents and settings\Stephen Mello\Recent\kernel32.exe
c:\documents and settings\Stephen Mello\Recent\kernel32.sys
c:\documents and settings\Stephen Mello\Recent\pal.dll
c:\documents and settings\Stephen Mello\Recent\pal.drv
c:\documents and settings\Stephen Mello\Recent\PE.dll
c:\documents and settings\Stephen Mello\Recent\PE.drv
c:\documents and settings\Stephen Mello\Recent\PE.sys
c:\documents and settings\Stephen Mello\Recent\ppal.dll
c:\documents and settings\Stephen Mello\Recent\ppal.drv
c:\documents and settings\Stephen Mello\Recent\runddlkey.dll
c:\documents and settings\Stephen Mello\Recent\runddlkey.exe
c:\documents and settings\Stephen Mello\Recent\SICKBOY.drv
c:\documents and settings\Stephen Mello\Recent\SICKBOY.exe
c:\documents and settings\Stephen Mello\Recent\sld.exe
c:\documents and settings\Stephen Mello\Recent\sld.sys
c:\documents and settings\Stephen Mello\Recent\snl2w.dll
c:\documents and settings\Stephen Mello\Recent\snl2w.drv
c:\documents and settings\Stephen Mello\Recent\snl2w.exe
c:\documents and settings\Stephen Mello\Recent\std.drv
c:\documents and settings\Stephen Mello\Recent\std.exe
c:\documents and settings\Stephen Mello\Recent\std.sys
c:\documents and settings\Stephen Mello\Recent\tempdoc.exe
c:\documents and settings\Stephen Mello\Recent\tjd.dll
c:\documents and settings\Stephen Mello\Recent\tjd.drv
c:\documents and settings\Stephen Mello\Recent\tjd.exe
c:\documents and settings\Stephen Mello\WINDOWS
C:\s
c:\windows\explorer(2).exe
c:\windows\pthreadGC2.dll
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\Tasks\vvkvjucm.job
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-27 03:25 . 2011-04-27 03:25 388096 ----a-r- c:\documents and settings\Stephen Mello\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-27 03:25 . 2011-04-27 03:25 -------- d-----w- c:\program files\Trend Micro
2011-04-23 22:35 . 2011-04-23 22:35 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-20 22:56 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-04-20 22:56 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-04-15 17:15 . 2011-04-15 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\hOj06511fGgBg06511
2011-04-08 03:15 . 2011-04-08 03:15 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 03:15 . 2011-04-08 03:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 03:15 . 2011-04-08 03:15 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 03:15 . 2011-04-08 03:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 03:15 . 2011-04-08 03:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 03:15 . 2011-04-08 03:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 03:15 . 2011-04-08 03:15 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-04-04 02:48 . 2011-04-21 23:02 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\skypePM
2011-04-04 02:48 . 2011-04-28 03:24 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\program files\Common Files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----r- c:\program files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-08 05:14 . 2010-03-30 18:43 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-08 05:14 . 2010-03-30 18:43 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-04-08 05:14 . 2010-03-30 18:43 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-04-08 05:14 . 2010-03-30 18:43 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-04-08 05:14 . 2007-12-26 22:35 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-04-08 05:14 . 2007-12-26 22:35 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-04-08 05:14 . 2007-12-26 22:35 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 05:14 . 2007-07-01 17:50 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-08 05:14 . 2005-08-16 09:35 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-03-07 05:33 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 11:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-10 11:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 11:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-17 03:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2005-08-16 09:37 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Octoshape Streaming Services"="c:\documents and settings\Stephen Mello\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17037704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-04-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizansprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 09:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2007-11-02 00:12 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-02-23 03:42 3537968 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\jack.exe.exe"=
"c:\\Documents and Settings\\Stephen Mello\\Desktop\\Misc Crap Folder\\SystemCheck_enUS.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\shadowgrounds demo\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\World of Warcraft\\Blizzard Downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53400:TCP"= 53400:TCP:Azerues
"53400:UDP"= 53400:UDP:Azureus
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:Blizzard Downloader: 4000
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6113:TCP"= 6113:TCP:Blizzard Downloader: 6113
"6114:TCP"= 6114:TCP:Blizzard Downloader: 6114
.
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/28/2008 9:45 PM 34760]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [10/7/2006 5:07 AM 223128]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2006 4:03 AM 611064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005Core.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005UA.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (GREENLEAFNINGUN-Stephen Mello).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-06-17 23:18]
.
2011-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
2011-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {52F67820-7901-44F2-9FA1-8A5519A6553C} = 68.87.68.162,68.87.74.192
FF - ProfilePath - c:\documents and settings\Stephen Mello\Application Data\Mozilla\Firefox\Profiles\jx6jutol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: XULRunner: {D7DCD3E1-4F69-4B6A-8215-CA3A259B728A} - c:\documents and settings\Stephen Mello\Local Settings\Application Data\{D7DCD3E1-4F69-4B6A-8215-CA3A259B728A}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Stephen Mello\Application Data\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
Notify-TPSvc - TPSvc.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-shdufvfr - c:\documents and settings\Stephen Mello\Local Settings\Application Data\pkqmgv\wuicsysguard.exe
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 19:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:81,f9,24,b0,ca,07,41,2f,7b,ae,6f,22,bd,2e,a7,1d,e3,bf,70,af,10,9f,f3,
0b,87,60,2e,34,06,f7,37,fb,96,b4,7c,9c,26,0f,ad,0f,50,71,4c,89,7a,5a,c9,6f,\
"??"=hex:cd,e5,d7,fe,80,45,84,d0,c2,98,83,30,cc,41,76,ca
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\License information*]
"datasecu"=hex:4c,8f,e9,01,45,09,cf,ff,83,57,02,bf,3e,20,91,6f,37,c2,d4,59,3e,
d1,9d,e4,89,44,41,f3,22,66,20,72,34,c6,b2,61,4f,52,7a,04,a7,be,74,aa,ca,2c,\
"rkeysecu"=hex:6f,60,2e,d1,f4,d4,0d,c9,8e,c1,54,0a,c9,53,10,bb
.
Completion time: 2011-04-28 19:20:03
ComboFix-quarantined-files.txt 2011-04-29 00:19
.
Pre-Run: 3,942,195,200 bytes free
Post-Run: 5,861,085,184 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
Current=5 Default=5 Failed=0 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - 8A9814E510006DBB2C2BF46338EC1DC7
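An added example, not part of this thread and not ComboFix's own code: a small Python script that applies to a ComboFix-style log the checks a responder makes by hand when reading one like the log above. It parses the `AV:`/`FW:` Security Center lines, the `BootExecute` value, the Security Center `*Override` DWORDs, the `S0`..`S4`/`R0`..`R4` service lines and the firewall `AuthorizedApplications` entries, and flags: a product registered with a null GUID or registered many times over (read here as duplicated WMI Security Center instances, which fits the poster's point that Avira had been uninstalled, but that is an interpretation, not something the thread establishes), extra `BootExecute` entries, suppressed Security Center warnings, a boot-start driver whose image ComboFix could not resolve (the `-->` / `[?]` marker, as the editor reads ComboFix's output), and a firewall exception for a double-extension binary. The input is a constructed sample modelled on the posted log's format, and the duplicate-registration threshold is an assumption.

```python
"""Triage heuristics for a ComboFix-style log (added example, not ComboFix code)."""
import re
from collections import Counter

# Constructed sample that imitates the format of the log posted in this thread.
# It is not a copy of that log; it exists only so the script runs offline.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {82F55DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83529054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {861B79B4-FFA4-00DE-0D24-347CA8A3377C}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizansprestrt
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Malwarebytes' Anti-Malware\\jack.exe.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/28/2008 9:45 PM 34760]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2006 4:03 AM 611064]
"""

# One "AV:/FW:/SP:" line per product registered in the WMI Security Center namespace.
SECPROD_RE = re.compile(r'^(AV|FW|SP): (.+?) \*([^*]+)\* \{([0-9A-Fa-f-]+)\}$')
# Service/driver line: start type, name, display name, image path, an optional
# "--> path" (assumed to be ComboFix's marker for an image it could not resolve)
# and a trailing [file info] block, where "[?]" means no file info was found.
SERVICE_RE = re.compile(r'^([RS][0-4]) ([^;]+);[^;]*;(.*?)(?: --> (.*?))? \[(.*)\]$')
DWORD_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
AUTHAPP_RE = re.compile(r'^"(.+)"=$')          # firewall AuthorizedApplications entry
BOOTEXEC_RE = re.compile(r'^BootExecute REG_MULTI_SZ (.+)$')

DEFAULT_BOOTEXECUTE = "autocheck autochk *"
DUPLICATE_THRESHOLD = 3   # assumption: this many registrations of one product is not normal


def triage(log_text):
    """Return a list of (severity, message) findings for one ComboFix-style log."""
    findings = []
    registrations = Counter()   # (kind, product name) -> number of Security Center entries
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECPROD_RE.match(line)
        if m:
            kind, name, _state, guid = m.groups()
            registrations[(kind, name)] += 1
            if set(guid) <= {"0", "-"}:
                findings.append(("medium", f"{kind} '{name}' registered with a null GUID: "
                                           "stale or bogus Security Center entry"))
            continue
        m = BOOTEXEC_RE.match(line)
        if m:
            if m.group(1) != DEFAULT_BOOTEXECUTE:
                findings.append(("medium", f"BootExecute has extra entries beyond "
                                           f"'{DEFAULT_BOOTEXECUTE}': review {m.group(1)!r}"))
            continue
        m = DWORD_RE.match(line)
        if m:
            findings.append(("medium", f"Security Center {m.group(1)} is set: "
                                       "the missing-protection warning is suppressed"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, image, unresolved, info = m.groups()
            if unresolved is not None or info == "?":
                # A boot-start (S0/R0) driver with no image on disk is the worst case.
                sev = "high" if start in ("S0", "R0") else "medium"
                findings.append((sev, f"service {name} ({start}) points at missing image {image}"))
            continue
        m = AUTHAPP_RE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\")   # registry export doubles backslashes
            if path.rsplit("\\", 1)[-1].lower().count(".exe") > 1:
                findings.append(("low", f"firewall exception for double-extension binary: {path}"))
    for (kind, name), n in registrations.items():
        if n >= DUPLICATE_THRESHOLD:
            findings.append(("medium", f"{kind} '{name}' registered {n} times: duplicated "
                                       "Security Center instances, not evidence of a running scanner"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {message}")
```

Run it as-is to see the findings for the sample, or call `triage(open("ComboFix.txt").read())` on a real log. The BootExecute and duplicate-registration checks produce review items, not verdicts: an extra BootExecute entry can belong to a legitimate registry tool as easily as to malware, and a driver line that does carry a file date and size (as Partizan.sys does above) is deliberately left alone, so each flag still needs the file on disk examined before anything is removed.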

#6 NinjasAreMammalsToo (Topic Starter, Members, 11 posts)

Posted 28 April 2011 - 08:07 PM

Well, not sure how accurate that ComboFix log is now. Right after I posted it I stepped out for a smoke, then when I got back I had some "XP Total Security" hijacking my browser, preventing me from running Malwarebytes, and every time I tried to open anything a pop-up from the previously mentioned "XP Total Security" would appear 'warning' me of a trojan/keylogger. It also kept me from doing anything in safe mode so I had to do a system restore to an earlier point early this morning. I don't know if that renders my last log null and void or not. I guess I'm just wondering if I need to run ComboFix again and generate a new log.

#7 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 28 April 2011 - 10:50 PM

Hello,

Are you able to burn CDs and have a USB flash drive? Go ahead and run ComboFix again and post its log.


#8 NinjasAreMammalsToo (Topic Starter, Members, 11 posts)

Posted 28 April 2011 - 11:55 PM

If you're asking if I have the necessary equipment to burn a CD: yes. If you're asking if I've tried and was successful: I haven't tried; I don't burn CDs too often.
Here's the new ComboFix log.

Ok...why is a smiley in my log?

ComboFix 11-04-28.01 - Mello 04/28/2011 23:40:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1518 [GMT -5:00]
Running from: c:\documents and settings\Stephen Mello\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {861B79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620758C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620B9DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8621F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8623B34C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86245A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86268A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862748BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8628C204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862924BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8629C9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {864B4A94-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {82F55DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83529054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839F1054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83B19244-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83ED6054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F1E82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F5482C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84188DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8456682C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84BEF82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8589FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {860F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86113DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8613255C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8615F54C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86171DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8617F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B6DB4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B7894-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861BE90C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862024BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8623A62C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8625C604-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8626234C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862669DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86267594-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862792AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86285254-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862892AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629098C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86297564-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629B414-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A390C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AA43C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AEB4C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862B1354-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862D36FC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E0B3C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E68C4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F271C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863054BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8634DB34-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86393C04-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863B5914-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863E1934-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863FF794-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86409B64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865799BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86590234-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865CCB64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8693556C-FFA4-00DE-0D24-347CA8A3377C}
AV: McAfee VirusScan Online *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\d30338e
c:\documents and settings\All Users\Application Data\d30338e\22.mof
c:\documents and settings\All Users\Application Data\d30338e\BackUp\Adobe Reader Speed Launch.lnk
c:\documents and settings\All Users\Application Data\d30338e\BackUp\Extender Resource Monitor.lnk
c:\documents and settings\All Users\Application Data\d30338e\mozcrt19.dll
c:\documents and settings\All Users\Application Data\d30338e\SGD.ico
c:\documents and settings\All Users\Application Data\d30338e\SGDSys\vd952342.bd
c:\documents and settings\All Users\Application Data\d30338e\sqlite3.dll
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.dll
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.drv
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.exe
c:\documents and settings\Stephen Mello\Recent\ANTIGEN.sys
c:\documents and settings\Stephen Mello\Recent\cb.dll
c:\documents and settings\Stephen Mello\Recent\cid.sys
c:\documents and settings\Stephen Mello\Recent\CLSV.drv
c:\documents and settings\Stephen Mello\Recent\DBOLE.drv
c:\documents and settings\Stephen Mello\Recent\ddv.exe
c:\documents and settings\Stephen Mello\Recent\delfile.drv
c:\documents and settings\Stephen Mello\Recent\delfile.exe
c:\documents and settings\Stephen Mello\Recent\dudl.exe
c:\documents and settings\Stephen Mello\Recent\eb.dll
c:\documents and settings\Stephen Mello\Recent\eb.exe
c:\documents and settings\Stephen Mello\Recent\eb.sys
c:\documents and settings\Stephen Mello\Recent\energy.dll
c:\documents and settings\Stephen Mello\Recent\energy.drv
c:\documents and settings\Stephen Mello\Recent\energy.sys
c:\documents and settings\Stephen Mello\Recent\exec.dll
c:\documents and settings\Stephen Mello\Recent\exec.drv
c:\documents and settings\Stephen Mello\Recent\exec.exe
c:\documents and settings\Stephen Mello\Recent\exec.sys
c:\documents and settings\Stephen Mello\Recent\fan.drv
c:\documents and settings\Stephen Mello\Recent\FS.exe
c:\documents and settings\Stephen Mello\Recent\FS.sys
c:\documents and settings\Stephen Mello\Recent\grid.exe
c:\documents and settings\Stephen Mello\Recent\grid.sys
c:\documents and settings\Stephen Mello\Recent\hymt.dll
c:\documents and settings\Stephen Mello\Recent\hymt.drv
c:\documents and settings\Stephen Mello\Recent\hymt.exe
c:\documents and settings\Stephen Mello\Recent\kernel32.dll
c:\documents and settings\Stephen Mello\Recent\kernel32.drv
c:\documents and settings\Stephen Mello\Recent\kernel32.exe
c:\documents and settings\Stephen Mello\Recent\kernel32.sys
c:\documents and settings\Stephen Mello\Recent\pal.dll
c:\documents and settings\Stephen Mello\Recent\pal.drv
c:\documents and settings\Stephen Mello\Recent\PE.dll
c:\documents and settings\Stephen Mello\Recent\PE.drv
c:\documents and settings\Stephen Mello\Recent\PE.sys
c:\documents and settings\Stephen Mello\Recent\ppal.dll
c:\documents and settings\Stephen Mello\Recent\ppal.drv
c:\documents and settings\Stephen Mello\Recent\runddlkey.dll
c:\documents and settings\Stephen Mello\Recent\runddlkey.exe
c:\documents and settings\Stephen Mello\Recent\SICKBOY.drv
c:\documents and settings\Stephen Mello\Recent\SICKBOY.exe
c:\documents and settings\Stephen Mello\Recent\sld.exe
c:\documents and settings\Stephen Mello\Recent\sld.sys
c:\documents and settings\Stephen Mello\Recent\snl2w.dll
c:\documents and settings\Stephen Mello\Recent\snl2w.drv
c:\documents and settings\Stephen Mello\Recent\snl2w.exe
c:\documents and settings\Stephen Mello\Recent\std.drv
c:\documents and settings\Stephen Mello\Recent\std.exe
c:\documents and settings\Stephen Mello\Recent\std.sys
c:\documents and settings\Stephen Mello\Recent\tempdoc.exe
c:\documents and settings\Stephen Mello\Recent\tjd.dll
c:\documents and settings\Stephen Mello\Recent\tjd.drv
c:\documents and settings\Stephen Mello\Recent\tjd.exe
c:\documents and settings\Stephen Mello\WINDOWS
c:\windows\explorer(2).exe
c:\windows\pthreadGC2.dll
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-29 )))))))))))))))))))))))))))))))
.
.
2011-04-29 00:55 . 2011-04-29 00:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 00:55 . 2011-04-29 00:55 -------- d-----w- c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}
2011-04-29 00:23 . 2011-04-29 00:55 -------- d-----w- C:\RECYCLER(2)
2011-04-27 03:25 . 2011-04-27 03:25 388096 ----a-r- c:\documents and settings\Stephen Mello\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-27 03:25 . 2011-04-27 03:25 -------- d-----w- c:\program files\Trend Micro
2011-04-20 22:56 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-04-20 22:56 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-04-15 17:15 . 2011-04-15 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\hOj06511fGgBg06511
2011-04-08 03:15 . 2011-04-08 03:15 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 03:15 . 2011-04-08 03:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 03:15 . 2011-04-08 03:15 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 03:15 . 2011-04-08 03:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 03:15 . 2011-04-08 03:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 03:15 . 2011-04-08 03:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 03:15 . 2011-04-08 03:15 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-04-04 02:48 . 2011-04-21 23:02 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\skypePM
2011-04-04 02:48 . 2011-04-29 00:59 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\program files\Common Files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----r- c:\program files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-08 05:14 . 2010-03-30 18:43 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-08 05:14 . 2010-03-30 18:43 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-04-08 05:14 . 2010-03-30 18:43 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-04-08 05:14 . 2010-03-30 18:43 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-04-08 05:14 . 2007-12-26 22:35 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-04-08 05:14 . 2007-12-26 22:35 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-04-08 05:14 . 2007-12-26 22:35 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 05:14 . 2007-07-01 17:50 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-08 05:14 . 2005-08-16 09:35 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-03-07 05:33 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 11:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-10 11:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 11:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-17 03:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2005-08-16 09:37 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Octoshape Streaming Services"="c:\documents and settings\Stephen Mello\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17037704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-04-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizansprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 09:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2007-11-02 00:12 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shdufvfr]
c:\documents and settings\Stephen Mello\Local Settings\Application Data\pkqmgv\wuicsysguard.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-02-23 03:42 3537968 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\jack.exe.exe"=
"c:\\Documents and Settings\\Stephen Mello\\Desktop\\Misc Crap Folder\\SystemCheck_enUS.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\shadowgrounds demo\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\World of Warcraft\\Blizzard Downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53400:TCP"= 53400:TCP:Azerues
"53400:UDP"= 53400:UDP:Azureus
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:Blizzard Downloader: 4000
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6113:TCP"= 6113:TCP:Blizzard Downloader: 6113
"6114:TCP"= 6114:TCP:Blizzard Downloader: 6114
.
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/28/2008 9:45 PM 34760]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [10/7/2006 5:07 AM 223128]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2006 4:03 AM 611064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005Core.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005UA.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-23 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (GREENLEAFNINGUN-Stephen Mello).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-06-17 23:18]
.
2011-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
2011-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {52F67820-7901-44F2-9FA1-8A5519A6553C} = 68.87.68.162,68.87.74.192
FF - ProfilePath - c:\documents and settings\Stephen Mello\Application Data\Mozilla\Firefox\Profiles\jx6jutol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: XULRunner: {D7DCD3E1-4F69-4B6A-8215-CA3A259B728A} - c:\documents and settings\Stephen Mello\Local Settings\Application Data\{D7DCD3E1-4F69-4B6A-8215-CA3A259B728A}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Stephen Mello\Application Data\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-28 23:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:81,f9,24,b0,ca,07,41,2f,7b,ae,6f,22,bd,2e,a7,1d,e3,bf,70,af,10,9f,f3,
0b,87,60,2e,34,06,f7,37,fb,96,b4,7c,9c,26,0f,ad,0f,50,71,4c,89,7a,5a,c9,6f,\
"??"=hex:cd,e5,d7,fe,80,45,84,d0,c2,98,83,30,cc,41,76,ca
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\License information*]
"datasecu"=hex:4c,8f,e9,01,45,09,cf,ff,83,57,02,bf,3e,20,91,6f,37,c2,d4,59,3e,
d1,9d,e4,89,44,41,f3,22,66,20,72,34,c6,b2,61,4f,52,7a,04,a7,be,74,aa,ca,2c,\
"rkeysecu"=hex:6f,60,2e,d1,f4,d4,0d,c9,8e,c1,54,0a,c9,53,10,bb
.
Completion time: 2011-04-28 23:48:36
ComboFix-quarantined-files.txt 2011-04-29 04:48
ComboFix2.txt 2011-04-29 00:20
.
Pre-Run: 3,571,355,648 bytes free
Post-Run: 3,569,721,344 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
Current=5 Default=5 Failed=0 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - D34043E392CA1D55118E37B63015A24A

Edited by NinjasAreMammalsToo, 28 April 2011 - 11:56 PM.
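The "Reg Loading Points" section of the log above shows the pattern a helper looks for by eye: Security Center and firewall override values set to 1 (so Windows never warns that real protection is off) and service entries whose binary ComboFix marks with `[?]` instead of the usual date and size stamp. The following Python script, added here as an example and not part of ComboFix or of this thread, parses those two parts of a log in the same format and reports them. The sample log it runs on is constructed to mirror the format of the posted log (a few lines are copied from it); the function and variable names are my own.

```python
"""Flag Security Center overrides and unverified services in a ComboFix-style log.

Added example for this thread; not ComboFix's own code. The sample log is
constructed in the same format as the posted log.
"""
import re

# Constructed sample in the ComboFix log format posted in this thread
# (registry keys, value lines and service lines; not the full posted log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17037704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
S0 fnlqswph;fnlqswph;c:\windows\system32\drivers\yxida.sys --> c:\windows\system32\drivers\yxida.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/28/2008 9:45 PM 34760]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\Avira\AntiVir Desktop\sched.exe" --> c:\program files\Avira\AntiVir Desktop\sched.exe [?]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Service/driver lines: start type, then name;display name;binary path [...]
SERVICE_RE = re.compile(r"^(?P<start>[SR][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Value names that, when non-zero, silence Windows Security Center or the
# firewall's own notifications. Rogue AV families set these so the user is
# never told that the real antivirus or firewall has been switched off.
OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride",
                  "DisableMonitoring", "DisableNotifications"}


def parse_registry_entries(text):
    """Return (key, value_name, raw_value) triples from the log's registry dump."""
    entries = []
    current_key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group("name"), m.group("value").strip()))
    return entries


def value_as_int(raw):
    """Decode the two numeric renderings seen in the log: 'dword:00000001' and '1 (0x1)'."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None  # string data (paths etc.), not a number


def find_security_center_overrides(text):
    """Return (key, name, value) for override/disable flags that are set (non-zero)."""
    findings = []
    for key, name, raw in parse_registry_entries(text):
        if name in OVERRIDE_NAMES:
            value = value_as_int(raw)
            if value:
                findings.append((key, name, value))
    return findings


def find_unverified_services(text):
    """Return service names whose binary line ends in '[?]' rather than a date/size stamp."""
    return [m.group("name")
            for m in (SERVICE_RE.match(line) for line in text.splitlines())
            if m and m.group("rest").rstrip().endswith("[?]")]


if __name__ == "__main__":
    for key, name, value in find_security_center_overrides(SAMPLE_LOG):
        print(f"override set: [{key}] {name} = {value}")
    for name in find_unverified_services(SAMPLE_LOG):
        print(f"service binary not verified: {name}")
```

Run it as a script to print the findings for the constructed sample; point `find_security_center_overrides` and `find_unverified_services` at the text of a real log to get the same report. The numeric decoder matters because the log renders the Security Center values as `dword:` hex but the firewall profile value as `1 (0x1)`, and a value that is present but zero (the constructed McAfeeFirewall line) is deliberately not reported.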


#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:33 PM

Posted 29 April 2011 - 11:34 PM

Can you tell me how your machine is running now? Do you also have access to a USB FLASH Drive?

Edited by fireman4it, 29 April 2011 - 11:34 PM.


#10 NinjasAreMammalsToo

NinjasAreMammalsToo
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:33 PM

Posted 30 April 2011 - 12:35 AM

Seems to be running fine. The random audio ads haven't been heard and the Internet Explorer script errors have also stopped. I don't have a USB drive, unfortunately. Oh, and Google is no longer redirecting.

Edited by NinjasAreMammalsToo, 30 April 2011 - 12:40 AM.


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:33 PM

Posted 30 April 2011 - 08:26 AM

Hello,

Let's finish the cleanup of leftovers and do some final checking.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\documents and settings\Stephen Mello\Local Settings\Application Data\pkqmgv\wuicsysguard.exe

Folder::
c:\documents and settings\Stephen Mello\Local Settings\Application Data\pkqmgv

Driver::
fnlqswph
AntiVirSchedulerService

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shdufvfr]

SecCenter::
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {861B79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620758C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8620B9DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8621F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8623B34C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86245A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {86268A0C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862748BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8628C204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {862924BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {8629C9BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Disabled/Updated* {864B4A94-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {00000000-0000-0000-0000-000000000000}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {82F55DDC-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83529054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {839F1054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83B19244-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83ED6054-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F1E82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {83F5482C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84188DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8456682C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {84BEF82C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8589FDDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {860F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86113DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8613255C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8615F54C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86171DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8617F204-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B6DB4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861B7894-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {861BE90C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862024BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8623A62C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8625C604-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8626234C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862669DC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86267594-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862792AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86285254-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862892AC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629098C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86297564-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8629B414-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A390C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862A79B4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AA43C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862AEB4C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862B1354-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862D36FC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E0B3C-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862E68C4-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F271C-FFA4-00EF-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {862F3DDC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863054BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8634DB34-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86393C04-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863B5914-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863E1934-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863F8964-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {863FF794-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86409B64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865799BC-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {86590234-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {865CCB64-FFA4-00DE-0D24-347CA8A3377C}
AV: Avira AntiVir PersonalEdition Classic *Enabled/Updated* {8693556C-FFA4-00DE-0D24-347CA8A3377C}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


3.
Click here to download Kaspersky Virus Removal Tool.
  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect => Do not select, delete if disinfection fails.
  • Then click on Start Scan.
  • Before it is done, it may prompt for action regardless of the setting, so choose Skip if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right-click and choose Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 NinjasAreMammalsToo

NinjasAreMammalsToo
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:33 PM

Posted 30 April 2011 - 05:14 PM

Kaspersky log:

Autoscan: stopped 2 hours ago (events: 2, objects: 2, time: 00:00:07)
Autoscan: completed 1 hour ago (events: 13, objects: 254541, time: 01:10:50)
4/30/2011 2:56:03 PM Task started
4/30/2011 3:15:42 PM Detected: Trojan-Downloader.Java.Agent.la C:\Documents and Settings\Stephen Mello\Application Data\Sun\Java\Deployment\cache\6.0\24\65a6f718-22629d68/importer/parser.class
4/30/2011 3:15:42 PM Untreated: Trojan-Downloader.Java.Agent.la C:\Documents and Settings\Stephen Mello\Application Data\Sun\Java\Deployment\cache\6.0\24\65a6f718-22629d68/importer/parser.class Cannot be disinfected
4/30/2011 3:46:09 PM Detected: Trojan.JS.Gord.a C:\Qoobox\Quarantine\C\Documents and Settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\chrome\content\overlay.xul.vir
4/30/2011 3:46:09 PM Untreated: Trojan.JS.Gord.a C:\Qoobox\Quarantine\C\Documents and Settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}\chrome\content\overlay.xul.vir Cannot be disinfected
4/30/2011 3:53:28 PM Detected: Trojan.Win32.FakeAV.cuua C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP516\A0095724.exe
4/30/2011 3:53:28 PM Untreated: Trojan.Win32.FakeAV.cuua C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP516\A0095724.exe Cannot be disinfected
4/30/2011 3:54:00 PM Detected: Virus.Win32.TDSS.e C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP516\A0096371.sys
4/30/2011 3:54:00 PM Disinfected: Virus.Win32.TDSS.e C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP516\A0096371.sys
4/30/2011 3:54:00 PM Disinfected: Virus.Win32.TDSS.e C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP516\A0096371.sys
4/30/2011 4:04:33 PM Detected: Packed.Win32.Krap.gy C:\WINDOWS\system32\ckcnntfs.dll
4/30/2011 4:04:33 PM Untreated: Packed.Win32.Krap.gy C:\WINDOWS\system32\ckcnntfs.dll Cannot be disinfected
4/30/2011 4:06:53 PM Task completed


ComboFix Log:

ComboFix 11-04-29.04 - Stephen Mello 04/30/2011 11:13:48.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1442 [GMT -5:00]
Running from: c:\documents and settings\Stephen Mello\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stephen Mello\Desktop\CFScript.txt
AV: McAfee VirusScan Online *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\documents and settings\Stephen Mello\Local Settings\Application Data\pkqmgv\wuicsysguard.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\RECYCLER(2)
c:\recycler(2)\S-1-5-21-9917181-921064675-2921056702-1005(2)\INFO2
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ANTIVIRSCHEDULERSERVICE
-------\Service_AntiVirSchedulerService
-------\Service_fnlqswph
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-29 00:55 . 2011-04-29 00:55 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-29 00:55 . 2011-04-29 00:55 -------- d-----w- c:\documents and settings\Stephen Mello\Local Settings\Application Data\{601189F3-25FB-416A-ADCD-FB661D446137}
2011-04-27 03:25 . 2011-04-27 03:25 388096 ----a-r- c:\documents and settings\Stephen Mello\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-27 03:25 . 2011-04-27 03:25 -------- d-----w- c:\program files\Trend Micro
2011-04-20 22:56 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
2011-04-20 22:56 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
2011-04-15 17:15 . 2011-04-15 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\hOj06511fGgBg06511
2011-04-08 03:15 . 2011-04-08 03:15 81920 ----a-w- c:\windows\system32\nvwddi.dll
2011-04-08 03:15 . 2011-04-08 03:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-04-08 03:15 . 2011-04-08 03:15 277608 ----a-w- c:\windows\system32\nvmccs.dll
2011-04-08 03:15 . 2011-04-08 03:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll
2011-04-08 03:15 . 2011-04-08 03:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-04-08 03:15 . 2011-04-08 03:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe
2011-04-08 03:15 . 2011-04-08 03:15 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-04-04 02:48 . 2011-04-21 23:02 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\skypePM
2011-04-04 02:48 . 2011-04-29 00:59 -------- d-----w- c:\documents and settings\Stephen Mello\Application Data\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\program files\Common Files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----r- c:\program files\Skype
2011-04-04 02:47 . 2011-04-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-08 05:14 . 2010-03-30 18:43 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-08 05:14 . 2010-03-30 18:43 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
2011-04-08 05:14 . 2010-03-30 18:43 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-04-08 05:14 . 2010-03-30 18:43 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
2011-04-08 05:14 . 2007-12-26 22:35 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
2011-04-08 05:14 . 2007-12-26 22:35 5210112 ----a-w- c:\windows\system32\nvcuda.dll
2011-04-08 05:14 . 2007-12-26 22:35 2027008 ----a-w- c:\windows\system32\nvapi.dll
2011-04-08 05:14 . 2007-07-01 17:50 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
2011-04-08 05:14 . 2005-08-16 09:35 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-03-07 05:33 . 2005-08-16 09:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 11:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-10 11:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-10 11:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-10 11:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-10 11:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-17 03:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-10 11:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2005-08-16 09:37 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-10 11:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-10 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2005-08-16 09:37 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 139264]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Octoshape Streaming Services"="c:\documents and settings\Stephen Mello\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2009-01-08 70936]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-03-08 17037704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-04-08 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-10 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizansprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 09:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2007-11-02 00:12 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
2008-02-23 03:42 3537968 ----a-w- c:\program files\Veoh Networks\Veoh\VeohClient.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\jack.exe.exe"=
"c:\\Documents and Settings\\Stephen Mello\\Desktop\\Misc Crap Folder\\SystemCheck_enUS.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\shadowgrounds demo\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\World of Warcraft\\Blizzard Downloader.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"53400:TCP"= 53400:TCP:Azerues
"53400:UDP"= 53400:UDP:Azureus
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:Blizzard Downloader: 4000
"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112
"6113:TCP"= 6113:TCP:Blizzard Downloader: 6113
"6114:TCP"= 6114:TCP:Blizzard Downloader: 6114
.
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [12/28/2008 9:45 PM 34760]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [10/7/2006 5:07 AM 223128]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2006 4:03 AM 611064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005Core.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-9917181-921064675-2921056702-1005UA.job
- c:\documents and settings\Stephen Mello\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-20 16:45]
.
2011-04-29 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (GREENLEAFNINGUN-Stephen Mello).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-06-17 23:18]
.
2011-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
2011-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-07-11 18:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: {52F67820-7901-44F2-9FA1-8A5519A6553C} = 68.87.68.162,68.87.74.192
FF - ProfilePath - c:\documents and settings\Stephen Mello\Application Data\Mozilla\Firefox\Profiles\jx6jutol.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: XULRunner: {D7DCD3E1-4F69-4B6A-8215-CA3A259B728A} - c:\documents and settings\Stephen Mello\Local Settings\Application Data\{D7DCD3E1-4F69-4B6A-8215-CA3A259B728A}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Stephen Mello\Application Data\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 11:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:81,f9,24,b0,ca,07,41,2f,7b,ae,6f,22,bd,2e,a7,1d,e3,bf,70,af,10,9f,f3,
0b,87,60,2e,34,06,f7,37,fb,96,b4,7c,9c,26,0f,ad,0f,50,71,4c,89,7a,5a,c9,6f,\
"??"=hex:cd,e5,d7,fe,80,45,84,d0,c2,98,83,30,cc,41,76,ca
.
[HKEY_USERS\S-1-5-21-9917181-921064675-2921056702-1005\Software\SecuROM\License information*]
"datasecu"=hex:4c,8f,e9,01,45,09,cf,ff,83,57,02,bf,3e,20,91,6f,37,c2,d4,59,3e,
d1,9d,e4,89,44,41,f3,22,66,20,72,34,c6,b2,61,4f,52,7a,04,a7,be,74,aa,ca,2c,\
"rkeysecu"=hex:6f,60,2e,d1,f4,d4,0d,c9,8e,c1,54,0a,c9,53,10,bb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1536)
c:\program files\McAfee\MSK\mskoeplg.dll
c:\windows\system32\ctagent.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee\MPS\mps.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\ehome\RMSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\McrdSvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\McAfee\MPS\mpsevh.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\rundll32.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2011-04-30 11:30:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-30 16:30
ComboFix2.txt 2011-04-29 04:48
ComboFix3.txt 2011-04-29 00:20
.
Pre-Run: 3,365,675,008 bytes free
Post-Run: 3,250,581,504 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
Current=5 Default=5 Failed=0 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - 7D9C2A5CCD4FC38D696F5B57E1BC670B

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:33 PM

Posted 30 April 2011 - 08:56 PM

How is your machine running now?



#14 NinjasAreMammalsToo

NinjasAreMammalsToo
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:33 PM

Posted 01 May 2011 - 09:43 AM

Seems to be running just fine. Should I worry about the things Kaspersky found but could not disinfect?

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:33 PM

Posted 01 May 2011 - 09:39 PM

Hello,


Should I worry about the things Kaspersky found but could not disinfect?

All but one thing was either in ComboFix's quarantine folder or in Restore Points. We will fix all this now. We will run Kaspersky differently this time.

Download and Run Kaspersky Virus Removal Tool
Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
  • Click HERE to go to the download page. Select External Mirror 1. Save the installer on your desktop.
  • Double click the installer and follow the prompts. Kaspersky Virus Removal Tool will open after the installation.
  • Just under the "Automatic Scan" tab, check off all the boxes.
  • Click in the Settings box. Set the "Security Level" to High.
  • Change the Action settings to Do not Prompt for Action. Check Disinfect and Delete if disinfection fails. Click Ok to apply the settings.
  • Select Scan. Please be patient while the scan completes.
  • When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "report".
  • Close out of the program. When asked to uninstall, select Yes.
  • Reply back with the report saved on your desktop.

Edited by fireman4it, 01 May 2011 - 09:39 PM.





