bad malware


This topic is locked
46 replies to this topic

#1 shedman

Posted 24 May 2011 - 09:17 AM

Hi there

I hope someone can help me.

My son will insist on streaming football from dodgy websites and I have to clean up the mess of unwanted malware. Thank heaven it was the last game of the season last night, but this time he has downloaded something more serious than the usual junk. I usually run Malwarebytes and then SUPERAntiSpyware Free. This time every program I tried to run put up an error message saying it couldn't find the associated file. However, I switched accounts from this user account to the administrator account and everything runs fine. I ran the above programs and they found and removed a lot of stuff, but when I go back to the user account it's the same problem. System Restore is disabled on the admin account, but I don't know about the user account because it won't run.

I would be grateful for any advice on how to proceed. I could just use the administrator account but I think there could be something still lurking in there. Here are the logs from the above programs.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6644

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005

23/05/2011 00:28:00
mbam-log-2011-05-23 (00-28-00).txt

Scan type: Quick scan
Objects scanned: 187946
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/23/2011 at 00:47 AM

Application Version : 4.52.1000

Core Rules Database Version : 7113
Trace Rules Database Version: 4925

Scan type : Quick Scan
Total Scan Time : 00:16:45

Memory items scanned : 319
Memory threats detected : 0
Registry items scanned : 2747
Registry threats detected : 0
File items scanned : 15217
File threats detected : 200

Adware.Tracking Cookie
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@atdmt[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@clicksor[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@media.medhelp[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@discountvouchers.co[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@multimedia.foxsports[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@fl01.ct2.comclick[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adtech[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@media6degrees[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adserver.adtechus[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@paypal.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ru4[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adbrite[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@myroitracking[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@specificclick[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@revsci[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@e-2dj6wgkicid5ieo.stats.esomniture[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@tribalfusion[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@www.googleadservices[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@tacoda.at.atwola[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@e-2dj6wjkyeidjmbp.stats.esomniture[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@at.atwola[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ads.pubmatic[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@eharmony.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@fr.sitestat[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@pro-market[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@user.lucidmedia[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adxpose[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@invitemedia[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@bs.serving-sys[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@amznmothercare.122.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@content.yieldmanager[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@trinitymirror.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@adecn[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@eas.apm.emediate[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@vdwp.solution.weborama[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@kantarmedia[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@weborama[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@pointroll[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@questionmarket[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@serving-sys[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@menmedia.co[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@advertising[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@fr.sitestat[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@videoegg.adbureau[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@www.googleadservices[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@uk.at.atwola[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ads.pointroll[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@yieldmanager[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@www.discountvouchers.co[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@men.122.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@stats.paypal[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@medhelpinternational.112.2o7[1].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@tacoda[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@yieldmanager[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@e-2dj6wblyemd5wdo.stats.esomniture[2].txt
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ads.telegraph.co[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@content.yieldmanager[3].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.ventivmedia[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@aim4media[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ad.yieldmanager[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adserver.adtechus[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@tribalfusion[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.watchmygf[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@smartadserver[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.crakmedia[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@www.eporner[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@toplist[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ads.ad4game[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@cumonmouthporn[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adxpose[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adtech[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ar.atwola[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@adxpansion[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@alotporn[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@at.atwola[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@content.yieldmanager[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@delivery.trafficbroker[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@eporner[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@hardsextube[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@harrenmedianetwork[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@invitemedia[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@media6degrees[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@pornxi[2].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@oporn[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@pro-market[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@ru4[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@tacoda.at.atwola[1].txt
C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low\user@xxxbunker[2].txt
tracking.dc-storm.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.uk.at.atwola.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.uk.at.atwola.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
www4.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.uk.at.atwola.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.clickfuse.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.riverisland.122.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.247realmedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.media6degrees.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.specificclick.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.specificclick.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.specificclick.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.tsleducation.112.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.tribalfusion.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adserver.adtechus.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adxpose.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.pro-market.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.invitemedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.trinitymirror.112.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.men.122.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
passport.menmedia.co.uk [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.premiumtv.122.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.newsquestdigitalmedia.122.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.collective-media.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.smartadserver.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.ru4.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.lucidmedia.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.bs.serving-sys.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.adtech.de [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
trafficking.nabbr.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
eas.apm.emediate.eu [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
eas.apm.emediate.eu [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.harrenmedianetwork.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.aim4media.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.game-advertising-online.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
wmedia.rotator.hadj7.adjuggler.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
wmedia.rotator.hadj7.adjuggler.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
adserv.rotator.hadj7.adjuggler.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
adserv.rotator.hadj7.adjuggler.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.advertnation.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
ie-stat.bmmetrix.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
ie-stat.bmmetrix.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.e-2dj6wmlyskdpeko.stats.esomniture.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.e-2dj6wfloamczklq.stats.esomniture.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.e-2dj6wdl4gicjoho.stats.esomniture.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.content.yieldmanager.com [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.msnportal.112.2o7.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
.revsci.net [ C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\cookies.sqlite ]
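
The three Registry Data Items in the Malwarebytes log are the security-relevant finding in these scans: the StartMenuInternet shell\open\command values for Firefox and Internet Explorer had been changed to launch C:\Users\User\AppData\Local\ign.exe with the real browser path passed as an argument, so clicking the browser entry started the wrapper rather than the browser directly. The script below is an added example, not code from the poster or from BleepingComputer. It parses lines in the layout of the Malwarebytes 1.50 log above, pulls the launched executable out of each Bad value, compares it with the Good value to spot a wrapper, and flags launchers that live under a user profile's AppData tree (a location that needs no admin rights to write to). The sample log is constructed from the three lines above; the function and class names (parse_registry_data_hits, RegistryDataHit, triage, unique_launchers) are this example's own, and the parser handles the general Bad/Good line format rather than only the StartMenuInternet case.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the layout of the Malwarebytes 1.50 log posted above:
# the three "Registry Data Items Infected" lines, with their section headers.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\User\AppData\Local\ign.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One "Registry Data Items Infected" line: key, detection name, bad value,
# good value and the action Malwarebytes took (group names are this example's own).
HIT_RE = re.compile(
    r"^(?P<key>HK\S+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.*?)\.?$"
)

# Executable under a user profile's AppData tree (user-writable, no admin rights needed).
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def launcher_of(command: str) -> str:
    """Executable a shell command value launches: the first quoted token,
    or the first whitespace-delimited token when the value is unquoted."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def is_user_profile_path(path: str) -> bool:
    """True when the path lives under a user's AppData directory."""
    return bool(USER_PROFILE_RE.match(path))


@dataclass
class RegistryDataHit:
    key: str
    detection: str
    bad: str
    good: str
    action: str

    @property
    def launcher(self) -> str:
        return launcher_of(self.bad)

    @property
    def expected_launcher(self) -> str:
        return launcher_of(self.good)

    @property
    def is_wrapper_hijack(self) -> bool:
        """The Bad value starts a different binary than the Good value names,
        e.g. ign.exe with the real browser path passed as an argument."""
        return (ntpath.basename(self.launcher).lower()
                != ntpath.basename(self.expected_launcher).lower())


def parse_registry_data_hits(log_text: str) -> List[RegistryDataHit]:
    """Collect the hits listed under 'Registry Data Items Infected:'."""
    hits: List[RegistryDataHit] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not line.startswith("HK"):
            in_section = line == "Registry Data Items Infected:"  # section header
            continue
        if not in_section or not line:
            continue
        m = HIT_RE.match(line)
        if m:  # "(No malicious items detected)" does not match and is skipped
            hits.append(RegistryDataHit(**m.groupdict()))
    return hits


def unique_launchers(log_text: str) -> Set[str]:
    """Distinct executables the hijacked values launched: the on-disk artifacts
    an analyst verifies are actually gone after quarantine."""
    return {h.launcher for h in parse_registry_data_hits(log_text)}


def triage(log_text: str) -> List[dict]:
    """One analyst-facing row per hit."""
    return [{
        "key": h.key,
        "detection": h.detection,
        "launcher": h.launcher,
        "expected": h.expected_launcher,
        "launcher_in_user_profile": is_user_profile_path(h.launcher),
        "wrapper_hijack": h.is_wrapper_hijack,
        "action": h.action,
    } for h in parse_registry_data_hits(log_text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_MBAM_LOG):
        print(f"{row['key']}\n    launches {row['launcher']} (expected {row['expected']}); "
              f"in user profile: {row['launcher_in_user_profile']}; "
              f"wrapper hijack: {row['wrapper_hijack']}")
```

Run against the log above, every hit comes out as a wrapper hijack whose launcher sits in the user's AppData\Local directory, and unique_launchers() reduces the three entries to the single file path worth confirming is no longer on disk once the registry values have been restored.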

Hi there

I forgot this log

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 15:38:11 on 2011-05-24
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1814 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgsrmax.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\vsnpstd3.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=0080808
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DLUPDR] "c:\program files\dell printers\additional color laser software\updater\DLUPDR.EXE"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\cun9qhip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2011-3-9 140184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-4 1153368]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-11-26 6650368]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-26 231936]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-17 97296]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9cbedec28ead0;Google Update Service (gupdate1c9cbedec28ead0);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-2-17 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-8 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-8 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-8 40552]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2008-1-21 11264]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
.
=============== Created Last 30 ================
.
2011-05-23 14:35:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-22 23:28:43 -------- d-----w- c:\users\administrator\appdata\roaming\SUPERAntiSpyware.com
2011-05-11 08:07:00 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 12:42:44 -------- d-----w- c:\program files\iPod
2011-05-10 12:42:39 -------- d-----w- c:\program files\iTunes
2011-05-10 12:40:13 -------- d-----w- c:\program files\Bonjour
2011-05-01 06:45:48 -------- d-----w- c:\users\administrator\appdata\roaming\AVG10
2011-04-27 08:45:06 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 08:45:05 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 08:44:57 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-24 21:19:49 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-04-24 21:19:40 -------- d-----w- c:\program files\common files\xing shared
2011-04-24 21:19:29 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-04-24 21:19:27 105472 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
.
==================== Find3M ====================
.
2011-04-14 20:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-09 17:55:44 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 17:55:42 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-04-06 15:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-04 23:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 15:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 15:38:36.83 ===============

EDIT: Posts merged ~Budapest

Edited by Budapest, 24 May 2011 - 05:55 PM.




#2 Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,046 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:35 PM

Posted 02 June 2011 - 03:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 shedman

  • Topic Starter

  • Members
  • 29 posts
  • Local time:10:35 PM

Posted 03 June 2011 - 06:26 AM

Hi there

Thanks for replying. I'm not surprised it takes a long time, the number of posts is incredible. Here are the logs:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-06-03 11:29:44
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-1 ST3160815AS rev.4.ADA
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uwldypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA0AE87A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA0AE8848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA0AE88E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA0AE8980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 82EB1B74 4 Bytes [A0, 87, AE, A0]
.text ntkrnlpa.exe!KeSetEvent + 621 82EB1DA4 8 Bytes [48, 88, AE, A0, E4, 88, AE, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 82EB1E04 4 Bytes [80, 89, AE, A0]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9080A000, 0x3617E0, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1408] ntdll.dll!LdrLoadDll 77BF93A8 5 Bytes JMP 00C113F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP@LastIndex 1356
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore@LastIndex 1356

---- EOF - GMER 1.0.15 ----


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 11:37:12 on 2011-06-03
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1587 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\System32\svchost.exe -k ipripsvc
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\vsnpstd3.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DivX\DivX Plus Web Player\DDMService.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\dlpsp.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Updater\dlupdr.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\avgcfgex.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=0080808
mDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_uk?hl=en&client=dell-usuk&channel=uk-smb&ibd=0080808
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeBridge]
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
mRun: [DLUPDR] "c:\program files\dell printers\additional color laser software\updater\DLUPDR.EXE"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableSecureUIAPaths = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: FilterAdministratorToken = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\cun9qhip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-8-8 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2011-3-9 140184]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 iprip;RIP Listener;c:\windows\system32\svchost.exe -k ipripsvc [2008-1-21 21504]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-4 1153368]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2011-4-22 92592]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-11-26 6650368]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-26 231936]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-17 97296]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9cbedec28ead0;Google Update Service (gupdate1c9cbedec28ead0);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-2-17 79360]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-8-8 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-8-8 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-8-8 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-8-8 40552]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
S3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2008-1-21 11264]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
.
=============== Created Last 30 ================
.
2011-06-01 20:31:23 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-05-23 14:35:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-22 23:28:43 -------- d-----w- c:\users\administrator\appdata\roaming\SUPERAntiSpyware.com
2011-05-11 08:07:00 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 12:42:44 -------- d-----w- c:\program files\iPod
2011-05-10 12:42:39 -------- d-----w- c:\program files\iTunes
2011-05-10 12:40:13 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 20:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-09 17:55:44 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 17:55:42 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-04-06 15:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-04 23:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 15:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 11:37:43.03 ===============

Attached Files



#4 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 04 June 2011 - 11:47 PM

Hi shedman
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

Please do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista/Windows7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
  • The log can be located here if it was closed. C:\Combofix.txt
Note: Do not mouse click combofix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#5 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 05 June 2011 - 06:05 AM

Hi Maranatha

Thanks for helping me out. The problem seems to be confined to one user account that was used for the streaming. Admin account and the new user account I set up work ok, except that graphics don't display in the help screen of the new user account. However I would like to find out if there is a nasty bug in there somewhere.

I tried running combofix but get an error message saying either uninstall AVG 2011 (which I had disabled) or use another tool. How would you like me to proceed?

#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 05 June 2011 - 11:01 AM

Hi shedman
I just found out that due to changes in AVG, you will need to uninstall AVG to run Combofix.

Is this acceptable?

Thanks
maranatha

Edited by maranatha, 05 June 2011 - 11:10 AM.


#7 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 05 June 2011 - 11:13 AM

No, it just says use another tool or uninstall, so I will uninstall and try again.

#8 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 05 June 2011 - 11:21 AM

Hi
OK, Thanks.
If Combofix was not so indispensable to our fight against malware I would not ask you to do so.

Thanks
maranatha


#9 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 05 June 2011 - 11:44 AM

hi

I've uninstalled it but there will be a short delay while I create Dell recovery disks, which I've just remembered I've forgotten to do.

Regards

#10 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 05 June 2011 - 01:38 PM

Hi

Sorry about the delay, there was a problem with the DVD writer; had to use USB in the end. Here is the log.

ComboFix 11-06-05.02 - Administrator 05/06/2011 19:13:12.4.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1973 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.com.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Templates\aq7ihxrnx8m737xh6m6f4
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))
.
.
2011-06-05 18:21 . 2011-06-05 18:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-06-05 18:21 . 2011-06-05 18:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-05 18:21 . 2011-06-05 18:21 -------- d-----w- c:\users\User\AppData\Local\temp
2011-06-05 18:08 . 2011-06-05 18:08 -------- d-----w- C:\ComboFix.com
2011-06-05 17:19 . 2011-06-05 17:19 -------- d-----w- c:\users\Administrator\My Backup Files
2011-06-05 17:17 . 2011-06-05 17:17 -------- d-----w- c:\users\Default\AppData\Local\SoftThinks
2011-06-05 17:17 . 2011-06-05 17:19 -------- d-----w- c:\users\Administrator\AppData\Local\SoftThinks
2011-06-05 16:57 . 2011-06-05 16:57 -------- d-sh--w- C:\System Recovery
2011-06-05 16:53 . 2006-11-01 16:50 128104 ----a-w- c:\windows\system32\drivers\WimFltr.sys
2011-06-05 16:53 . 2011-06-05 18:05 -------- d-----w- c:\program files\Dell DataSafe Local Backup
2011-06-05 16:52 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C1A4FF6-8C5D-42E6-B1A0-B8EC796032EA}\mpengine.dll
2011-06-05 16:49 . 2004-07-15 23:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-06-05 16:49 . 2004-07-15 23:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-06-05 16:49 . 2004-07-15 23:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-06-05 16:49 . 2004-07-15 23:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-06-05 16:49 . 2004-07-15 23:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-06-05 16:49 . 2011-06-05 16:49 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
2011-06-05 16:49 . 2011-06-05 16:49 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-06-05 16:41 . 2011-06-05 16:41 -------- d-----w- c:\users\Administrator\AppData\Roaming\Dell
2011-06-05 16:34 . 2011-06-05 16:36 -------- d-----w- c:\users\Administrator\AppData\Roaming\PCDr
2011-06-04 16:38 . 2011-06-04 16:38 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-06-04 16:37 . 2011-06-04 16:37 -------- d-----w- c:\program files\Microsoft Sync Framework
2011-06-04 16:37 . 2011-06-04 16:37 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-06-04 16:36 . 2011-06-04 16:36 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-06-04 16:35 . 2011-06-04 16:35 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-06-04 16:34 . 2011-06-04 16:34 -------- d-----w- c:\users\Administrator\AppData\Local\Microsoft Help
2011-06-04 16:34 . 2011-06-05 02:05 -------- d-----w- c:\programdata\Microsoft Help
2011-06-04 16:33 . 2011-06-04 16:33 -------- d-----r- C:\MSOCache
2011-06-01 20:31 . 2009-08-19 22:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-06-01 13:41 . 2011-06-05 10:35 -------- d-----w- c:\users\New User
2011-05-23 14:35 . 2011-05-23 14:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-22 23:28 . 2011-05-22 23:28 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2011-05-11 08:07 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-10 12:42 . 2011-05-10 12:42 -------- d-----w- c:\program files\iPod
2011-05-10 12:42 . 2011-05-10 12:43 -------- d-----w- c:\program files\iTunes
2011-05-10 12:40 . 2011-05-10 12:40 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 08:11 . 2010-10-08 10:47 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11 . 2010-10-08 10:47 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 18:14 . 2009-11-11 08:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-09 17:55 . 2011-04-09 17:55 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 17:55 . 2011-04-09 17:55 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-04-06 15:20 . 2011-04-06 15:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 15:20 . 2011-04-06 15:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-18 17:29 . 2009-08-18 11:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-12 21:55 . 2011-04-27 08:44 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03 . 2011-04-13 07:26 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 07:26 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 39408]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-04-22 247728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-10 68592]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-30 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 336384]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2009-07-08 406840]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2009-07-08 243008]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-04-24 273544]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableInstallerDetection"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"EnableUIADesktopToggle"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 18:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2011-01-30 23:36 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-10-22 07:56 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-22 10:13 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 03:59 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-27 00:22 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 01:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 07:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 08:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-11-25 21:40 336384 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cbedec28ead0;Google Update Service (gupdate1c9cbedec28ead0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 133104]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-02-17 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 133104]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2011-05-12 21744]
R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2008-01-21 11264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
S2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
S2 iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SftService;SoftThinks Agent Service;c:\program files\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2011-04-22 92592]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-11-26 6650368]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-11-26 231936]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-17 97296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
rsmsvcs REG_MULTI_SZ ntmssvc
ipripsvc REG_MULTI_SZ iprip
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-10 12:51]
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 12:51]
.
2011-06-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 12:51]
.
2011-06-05 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
2011-04-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-289552094-3321907144-662373747-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 09:47]
.
2011-06-05 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\cun9qhip.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-PWRISOVM.EXE - c:\program files\PowerISO\PWRISOVM.EXE
AddRemove-PowerISO - c:\program files\PowerISO\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-05 19:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Microsoft Internet Mail Message"
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
Completion time: 2011-06-05 19:23:34
ComboFix-quarantined-files.txt 2011-06-05 18:23
ComboFix2.txt 2011-04-15 14:36
.
Pre-Run: 12,361,867,264 bytes free
Post-Run: 13,568,421,888 bytes free
.
- - End Of File - - 24234026DEB8C6E35D3D9D4054917B9F

#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 05 June 2011 - 07:40 PM

Hi
This shows that this is the second run of Combofix...
Administrator 05/06/2011 19:13:12.4.2

I would like to see the first log. It should be located in the folder here...
C:\qoobox
Please open that folder and open the Combofix.txt file and copy and paste it here.

Thanks

FYI... There are infections out there that are incurable and using P2P is a good way of infecting yourself.
I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page is becoming more and more a common practice of malware removers. Though I do not require that you remove them,
I strongly recommend that you do yourself a favor and stop using them.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections.
See here
and here

References for the risk of these programs are
here, and here.

I would strongly recommend that you uninstall them.

Please post the other Combofix log.

Thanks
maranatha


#12 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 06 June 2011 - 04:30 AM

Hi there

You are absolutely right about those programs. I've told my son but he ignores me and leaves me to sort it out, but this is the last time! That's why it's his user account that has been mostly screwed up this time. At least LimeWire doesn't work any more. I will have to get him a laptop so it will be his problem to sort out. If he had to take all this time he would soon learn.

Anyway, thanks again for your help with this, and here is that log.

ComboFix 11-04-14.03 - User 15/04/2011 14:52:19.3.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.44.1033.18.3325.1877 [GMT 1:00]
Running from: c:\users\User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~2\Adobe Systems
c:\progra~2\Adobe Systems\Product licenses\B2B86000.dat
c:\progra~2\PCDr\5744\Downloads\162088e9-0b41-471a-947d-e6bfb7774266.dll
c:\progra~2\PCDr\5744\Downloads\26671a7e-758b-4293-8191-e6b81368d7ac.dll
c:\progra~2\PCDr\5744\Downloads\2da1393a-9d2c-436b-a660-c3dd133e9836.dll
c:\progra~2\PCDr\5744\Downloads\3060b7ae-c612-4b71-be9a-0721727ba831.dll
c:\progra~2\PCDr\5744\Downloads\38db339b-86cf-40c4-86da-57495513b374.dll
c:\progra~2\PCDr\5744\Downloads\3abc4f65-3752-4824-83cd-674c30d9f41c.dll
c:\progra~2\PCDr\5744\Downloads\48edbc2f-6595-43d2-a911-c3713e9b499f.dll
c:\progra~2\PCDr\5744\Downloads\4b07fd4d-6cb2-4166-8e08-7e3d0fb96a24.dll
c:\progra~2\PCDr\5744\Downloads\5f66a5f6-96e8-487a-b1da-d49f4e9f0813.dll
c:\progra~2\PCDr\5744\Downloads\61963b16-da7a-4faf-ba6b-14eb102d0df8.dll
c:\progra~2\PCDr\5744\Downloads\654e4133-96c6-421b-9240-26a29538de3f.dll
c:\progra~2\PCDr\5744\Downloads\69bf7709-6da5-40eb-b648-3731ebda143c.dll
c:\progra~2\PCDr\5744\Downloads\69df3b5e-bee6-4786-8070-a683635a81cd.dll
c:\progra~2\PCDr\5744\Downloads\70b66070-48fe-4fad-ac33-5f17042d5ee7.dll
c:\progra~2\PCDr\5744\Downloads\86fa80c6-799b-4d0b-a3f5-f7886c10db2c.dll
c:\progra~2\PCDr\5744\Downloads\890823c6-b297-4c5e-8839-80468e0508dc.dll
c:\progra~2\PCDr\5744\Downloads\920b4bdb-56cb-44d8-b977-2de6535367f0.dll
c:\progra~2\PCDr\5744\Downloads\a2f393bb-92a1-4fda-a382-66896efa06dd.dll
c:\progra~2\PCDr\5744\Downloads\b0ad9f03-890a-4558-bcd7-38c10ea44def.dll
c:\progra~2\PCDr\5744\Downloads\db760e79-da96-4a2b-a687-8256c6e72fb6.dll
c:\progra~2\PCDr\5744\Downloads\f6b10855-5837-4857-9c20-c7b6a6dc2589.dll
c:\users\User\AppData\Roaming\Local
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\(2).ddr
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\(3).ddr
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\(4).ddr
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\.ddr
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\0.ddi
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\1.ddi
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\2.ddi
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\settings.ddi
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2)
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\(2).ddp
c:\users\User\AppData\Roaming\Local\Temp\DDM\Settings\Temporary Downloaded Files\.ddp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-15 13:59 . 2011-04-15 13:59 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-04-15 13:59 . 2011-04-15 13:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-15 13:59 . 2011-04-15 13:59 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-04-15 11:58 . 2011-03-14 20:05 6792528 ----a-w- c:\progra~2\Microsoft\Microsoft Antimalware\Definition Updates\{6AD2F074-E3A5-46B6-9178-91E81ABDF31A}\mpengine.dll
2011-04-13 07:26 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-13 07:26 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-13 07:26 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-13 07:26 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-13 07:26 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-13 07:26 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-13 07:26 . 2011-03-10 17:03 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-13 07:26 . 2011-03-10 17:03 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-04-10 23:23 . 2011-04-11 17:45 -------- d-----w- c:\progra~2\eDf31002fPdLh31002
2011-04-06 07:50 . 2011-02-04 06:46 439632 ------w- c:\progra~2\Microsoft\Microsoft Antimalware\Definition Updates\{5D16E68F-2FCA-4D78-BD55-BA28263CCD53}\gapaengine.dll
2011-04-03 17:14 . 2011-04-03 17:14 -------- d-----w- C:\_OTL
2011-04-02 11:43 . 2011-04-02 11:43 -------- d-----w- c:\program files\UltraISO
2011-03-26 11:21 . 2011-02-04 06:46 439632 ------w- c:\progra~2\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-23 03:38 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 03:38 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 03:38 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-17 08:13 . 2011-03-17 08:13 -------- d-----w- c:\users\Administrator\AppData\Local\VirtualStore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-18 17:29 . 2009-08-18 11:24 18328 ----a-w- c:\progra~2\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-14 20:05 . 2010-10-19 15:20 6792528 ----a-w- c:\progra~2\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-23 09:35 . 2011-02-25 12:45 5943120 ----a-w- c:\progra~2\Microsoft\Windows Defender\Definition Updates\{536819EC-36D4-47EB-B1D0-C2CDFDE1BD26}\mpengine.dll
2011-02-02 17:11 . 2009-11-11 08:24 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-10 06:28 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 06:28 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 06:28 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 06:28 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-10 06:28 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 06:28 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-10 06:28 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 06:28 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 06:28 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 06:28 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 06:28 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 06:28 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 06:28 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 06:28 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 06:28 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 06:28 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 06:28 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 06:28 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 06:28 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 06:28 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-10 06:28 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-10 06:28 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 06:28 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 06:28 683008 ----a-w- c:\windows\system32\d2d1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-10 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"HydraVisionMDEngine"="c:\program files\ATI Technologies\HydraVision\HydraMD.exe" [2010-11-25 569344]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-14 4452352]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-10 68592]
"P17RunE"="P17RunE.dll" [2008-03-28 14848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-11-25 336384]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"DLPSP"="c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE" [2009-07-08 406840]
"DLUPDR"="c:\program files\Dell Printers\Additional Color Laser Software\Updater\DLUPDR.EXE" [2009-07-08 243008]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableInstallerDetection"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
"EnableUIADesktopToggle"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^User^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-09-22 18:11 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-09-23 04:42 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-10-22 07:56 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-01-22 10:13 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-29 03:59 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-10 20:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 15:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-11-10 01:54 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 07:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 08:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2010-11-25 21:40 336384 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9cbedec28ead0;Google Update Service (gupdate1c9cbedec28ead0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 133104]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-02-17 79360]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
R3 WMSvc;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [2008-01-21 11264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-26 176128]
S2 DLSDB;Dell Printer Status Database;c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE [2006-12-07 140184]
S2 iprip;RIP Listener;c:\windows\System32\svchost.exe [2008-01-21 21504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-11-26 6650368]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-11-26 231936]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2010-11-17 97296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
rsmsvcs REG_MULTI_SZ ntmssvc
ipripsvc REG_MULTI_SZ iprip
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-10 12:51]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 12:51]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 12:51]
.
2011-03-29 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-04-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:56121
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\r2ewfhdk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56121
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-dscactivate - c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 15:29
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:6d,7c,aa,4f,54,a8,4e,4f,b8,ec,75,57,62,aa,82,97,70,94,4e,6a,f9,24,1a,
b2,c2,b7,26,f5,94,78,fc,f8,3f,b4,11,74,ae,73,e6,11,41,a1,a2,9f,0a,35,33,d2,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-289552094-3321907144-662373747-1000\Software\SecuROM\License information*]
"datasecu"=hex:07,59,2a,e5,55,a4,34,b5,48,e3,1d,58,d5,54,af,05,76,ae,47,cc,e2,
ee,e8,69,3d,42,7e,43,a8,5c,df,fe,2d,f8,52,ba,bf,bb,91,bc,2a,10,6e,bd,48,8b,\
"rkeysecu"=hex:a2,f1,b2,98,d9,ed,1c,79,13,e3,8c,76,75,f8,df,09
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4424)
c:\program files\ATI Technologies\HydraVision\HydraMDH.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2011-04-15 15:36:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-15 14:36
.
Pre-Run: 48,308,604,928 bytes free
Post-Run: 48,326,270,976 bytes free
.
- - End Of File - - EC1EBCD70DD03445CBE73832231C5BED
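The log above carries a few entries that a triage pass over a ComboFix report would want to surface before anyone reads through the rest by eye: both Internet Explorer and Firefox are configured for a proxy on 127.0.0.1:56121 (Firefox's network.proxy.type is 0, so its copy is parked rather than active), Firefox's keyword.URL points at vshare.toolbarhome.com instead of a search engine, three UAC policy values under policies\system are set to 0, a randomly named directory was created under ProgramData (c:\progra~2\eDf31002fPdLh31002), and the Lbd driver entry is marked [x], which is ComboFix's notation for a registered service whose image file is missing. The script below is an added example written for this page; it is not part of the thread, not ComboFix's own code, and not a replacement for a helper's review. The sample input is a handful of lines copied verbatim from the log above so that it runs offline. The expected UAC defaults, the trusted-search-host allow-list and the "random-looking name" heuristic (14 or more alphanumerics mixing digits, lower and upper case) are my assumptions, and any of them may need tuning for a different machine.

```python
import re

# Constructed sample input: lines copied verbatim from the ComboFix log in the
# post above, so the script runs offline. Feed it a whole ComboFix.txt instead.
SAMPLE_LOG = r"""
2011-04-10 23:23 . 2011-04-11 17:45 -------- d-----w- c:\progra~2\eDf31002fPdLh31002
2011-04-03 17:14 . 2011-04-03 17:14 -------- d-----w- C:\_OTL
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableInstallerDetection"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"FilterAdministratorToken"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = http=127.0.0.1:56121
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 56121
FF - prefs.js: network.proxy.type - 0
"""

# Assumed Vista/7 defaults for the UAC policy values ComboFix prints.
UAC_EXPECTED = {
    "EnableLUA": 1,
    "EnableInstallerDetection": 1,
    "EnableSecureUIAPaths": 1,
    "PromptOnSecureDesktop": 1,
}
# Assumed allow-list; any other host in keyword.URL is treated as a search hijack.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.google.co.uk", "www.bing.com"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

RE_SECTION = re.compile(r"^\[(.+)\]$")
RE_DWORD = re.compile(r'^"(\w+)"= (\d+) \(0x[0-9A-Fa-f]+\)$')
RE_NEWDIR = re.compile(r" d-----w- (.+)$")
# 14+ alphanumerics mixing digits, lower and upper case: "eDf31002fPdLh31002"-style names.
RE_RANDOM_LEAF = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{14,}$")
RE_SERVICE_MISSING = re.compile(r"^[RS]\d [^;]+;.*\[x\]$")  # ComboFix marks a missing image with [x]
RE_IE_PROXY = re.compile(r"ProxyServer = (?:\w+=)?([\w.\-]+):(\d+)")
RE_FF_PREF = re.compile(r"^FF - prefs\.js: ([\w.]+) - (.+)$")
RE_HOST = re.compile(r"^h(?:tt|xx)ps?://([^/?]+)", re.I)  # ComboFix defangs http as hxxp


def triage(log_text):
    """Return (category, detail) findings for the indicators listed above."""
    findings = []
    section = ""
    ff = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = RE_DWORD.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if section.endswith(r"policies\system") and name in UAC_EXPECTED and value != UAC_EXPECTED[name]:
                findings.append(("uac_weakened", f"{name}={value} (expected {UAC_EXPECTED[name]})"))
            elif section.endswith(r"policies\explorer") and name == "HideSCAHealth" and value:
                findings.append(("policy", "HideSCAHealth=1: Security Center tray warnings are hidden"))
            continue
        m = RE_NEWDIR.search(line)
        if m:
            leaf = m.group(1).rstrip("\\").rsplit("\\", 1)[-1]
            if RE_RANDOM_LEAF.match(leaf):
                findings.append(("random_dir", m.group(1)))
            continue
        if RE_SERVICE_MISSING.match(line):
            findings.append(("service_missing_image", line.split(";", 1)[0]))
            continue
        m = RE_IE_PROXY.search(line)
        if m and m.group(1) in LOOPBACK:
            findings.append(("loopback_proxy", f"IE proxy {m.group(1)}:{m.group(2)}"))
            continue
        m = RE_FF_PREF.match(line)
        if m:
            ff[m.group(1)] = m.group(2)

    # Firefox spreads host, port and mode over three prefs, so judge them together:
    # network.proxy.type 1 means the manual proxy is in use; anything else means it is parked.
    host = ff.get("network.proxy.http")
    if host in LOOPBACK:
        state = "active" if ff.get("network.proxy.type") == "1" else "configured but not enabled"
        findings.append(("loopback_proxy", f"Firefox proxy {host}:{ff.get('network.proxy.http_port', '?')} ({state})"))
    keyword_url = ff.get("keyword.URL")
    if keyword_url:
        m = RE_HOST.match(keyword_url)
        if not m or m.group(1).lower() not in TRUSTED_SEARCH_HOSTS:
            findings.append(("search_hijack", keyword_url))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Run it against a saved ComboFix.txt by reading the file and passing its contents to triage(). Every finding is a prompt to look, not a verdict: a loopback proxy or a hidden Security Center icon can be set deliberately, and a directory with a random-looking name is only worth attention because rogue installers favour such names.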

#13 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 06 June 2011 - 09:14 PM

Hi
OK well that log was from back in April. :wink:

Please check that User account again and see if it still has a problem.

I'm not seeing anything in the Combofix log, so let's get an online scan.

Please do this.

Please run the ESET Online Scanner and post the ScanLog.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Click on the ESET on line scanner button.
  • Check the “YES, I accept the Terms of Use” box. And click “Start”
    If your pop-up blocker comes up, please allow the add-on.
  • Be sure the option to Remove found threats is Un-checked and click Start.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log.


Please post the ESET results.

Thanks
maranatha

Edited by maranatha, 06 June 2011 - 09:17 PM.



#14 shedman

shedman
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:10:35 PM

Posted 07 June 2011 - 05:30 AM

Hi there,

Thanks for the reply. You won't believe this, but my idiot son went on the computer last night and has done it again and is now BANNED! This morning I'm greeted by a Windows diagnostic screen saying imminent hard drive failure and offering to fix it. This is a fake Windows program which I found details of by googling it on another computer. This is the description:

"Windows Diagnostic is a fake disk defragmenter that displays fake error messages and pop-ups to make you think that your computer has some serious hard drive problems. The rogue program prompts to pay for a full version of the program to fix the errors. If you choose to purchase this bogus program, you will lose your money and give your credit card details to the scammers who created this malware. Please use the removal instructions below to remove Windows Diagnostic from your computer as soon as possible.

Windows Diagnostic enters the system via Trojans, infected websites and fake online scanners. The program runs a system scanner and later on reports critical errors detected on your system. It warns you that some of your private data might be lost because of the lack of free space, RAM memory usage, etc. The truth is that it is fake information and Windows Diagnostic only wants you to believe your system is infected. Windows Diagnostic will offer you the purchase of a full version of its program with a promise that this will fix everything. However, its real intention is to receive your money, but in return you won’t get anything. Do not buy this rogue program. It won't help you.

In order to stop all malicious activities on your computer you should remove Windows Diagnostic upon detection. You can remove Windows Diagnostic manually too, but remember that the manual removal guide was made for the rogue program only and does not include other possible malware or rootkits. That's why you should scan your computer with Spyware Doctor or other anti-spyware software."

I would appreciate very much if you would continue to help me, though I would understand if you are fed up with this as I certainly am!




Related files: [random].exe, [random].dll, Windows Diagnostic.lnk, Uninstall Windows Diagnostic.lnk

Windows Diagnostic properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Stays resident in background


#15 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:03:35 PM

Posted 07 June 2011 - 07:06 AM

Hi
Please re-run Combofix.

**NOTE - Allow ComboFix to update if prompted.

Post the new log.

maranatha





