Browser Hijack - Vista 32b - Firefox/Chrome


  • This topic is locked
16 replies to this topic

#1 gormancn

gormancn

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 June 2011 - 01:41 PM

Hi - I first got the hijack around three weeks ago on Firefox and Chrome instantly. Originally - it set my homepage to "search-fever.com" although now it is quickquiteinsurance.com. The search bars also run weird searches through these sites instead of google.

I ran a bunch of malware scans, reinstalled the various programs (reinstalling firefox worked for about an hour), but to no avail. I'm hoping this is quick but it's gotten super annoying.

Attaching HijackThis logs to this message. Thanks!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:31:08 PM, on 6/12/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18602)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\rdminer.exe
C:\Users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Pro\DTAgent.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\McAfee Security Scan\1.0.150\McUICnt.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Users\Public\Games\World of Warcraft\WoW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Chris Gorman\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-fever.com/find.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {107563F7-5723-3432-8F52-65B6FFADF51F} - C:\Windows\system32\xwr20602.dll (file missing)
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMen] C:\Windows\system32\rdminer.exe
O4 - HKCU\..\Run: [Mikogo] "C:\Users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SugarSync] "C:\Program Files\SugarSync\SugarSyncManager.exe" -startInTray -usedelay=true
O4 - HKCU\..\Run: [Google Update] "C:\Users\Chris Gorman\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTAgent.exe" -autorun
O4 - HKCU\..\Run: [CPN Notifier] C:\Program Files\Cake Poker 2.0\PokerNotifier.exe
O4 - HKUS\S-1-5-21-1767521655-1598373030-993447095-1007\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'omaha828')
O4 - S-1-5-21-1767521655-1598373030-993447095-1007 User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'omaha828')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: setup_9.0.0.722_24.04.2011_22-06.lnk = Chris Gorman\Desktop\Virus Removal Tool\setup_9.0.0.722_24.04.2011_22-06\startup.exe
O4 - Startup: TwonkyMedia Manager.lnk = C:\Program Files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe
O4 - Startup: Windows Update.lnk = C:\Windows\StartUp.exe
O4 - Global Startup: GammaTray.lnk = ?
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: NCProTray.lnk = ?
O4 - Global Startup: Twonky Tray Control.lnk = C:\Program Files\TwonkyMedia\twonkymediaserverconfig.exe
O4 - Global Startup: TwonkyMedia Tray Control.lnk = C:\Program Files\TwonkyMedia\twonkymediaserverconfig.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Download Flash with Flash &Grabber - res://C:\PROGRA~1\FLASHG~1\swfgrab.dll/iesave
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: B-Service - Unknown owner - C:\Users\Chris Gorman\AppData\Roaming\Mikogo\B-Service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\TwonkyMedia\twonkymediaserverwatchdog.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 11220 bytes

Edited by hamluis, 12 June 2011 - 02:38 PM.
Moved from Vista to Malware Removal Logs.
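The HijackThis log above is a line-oriented format (R0/R1 browser page settings, O2 BHOs, O3 toolbars, O4 autostart entries, and so on), and a helper reads it by eye for the same few patterns every time: a start page pointing at an unexpected host, registrations whose DLL is gone, and autostart entries whose display name has nothing to do with the executable they launch. The script below is an added example written for this thread; it is not part of HijackThis, ComboFix, or anything the posters ran. It parses a handful of constructed lines modelled on the entry types in the log and flags items for an analyst to review. The allowlist of expected page hosts (`EXPECTED_PAGE_HOSTS`) and the three rules are assumptions of the example, not verdicts about any file named in the thread.

```python
"""Triage HijackThis-style log lines: flag entries worth a second look.

Added example for this thread; not part of HijackThis or ComboFix. The rules are
review heuristics and deliberately say nothing about whether a file is malicious.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, modelled on the entry types seen in
# the thread's log (R0 page settings, O2/O3 registrations, O4 autostarts).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-fever.com/find.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: D - {107563F7-5723-3432-8F52-65B6FFADF51F} - C:\Windows\system32\xwr20602.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SoundMen] C:\Windows\system32\rdminer.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Startup: Windows Update.lnk = C:\Windows\StartUp.exe
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# Assumption: an analyst-maintained allowlist of home/search page hosts that are
# expected on this machine. Anything else is reported for review.
EXPECTED_PAGE_HOSTS = {"go.microsoft.com", "www.google.com", "www.bing.com"}

PAGE_RE = re.compile(
    r"^R[01] - .+?,(?P<key>Start Page|Search Page|Default_Page_URL|Default_Search_URL) = (?P<url>\S+)$"
)
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\/"]+)\.exe\b', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    line: str
    note: str


def _tokens(text):
    """Lower-case alphanumeric words of three or more characters."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) >= 3}


def _name_matches_exe(name, cmd):
    """True when the autostart display name resembles the executable's stem."""
    m = EXE_RE.search(cmd)
    if not m:
        return True  # nothing to compare against (e.g. a non-.exe target); don't guess
    stem = m.group(1).lower()
    return stem in name.lower() or any(t in stem for t in _tokens(name))


def analyze(lines):
    """Return a list of Finding objects for the lines that trip a rule."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        m = PAGE_RE.match(line)
        if m:
            host = urlsplit(m.group("url")).hostname or ""
            if host not in EXPECTED_PAGE_HOSTS:
                findings.append(Finding("unexpected_page_host", "high", line,
                                        f"{m.group('key')} points at {host}"))
            continue
        # Registered BHO/toolbar whose file is absent: dead entry to clean up.
        if line.startswith(("O2 - ", "O3 - ")) and ("(file missing)" in line or "(no file)" in line):
            findings.append(Finding("dangling_registration", "low", line,
                                    "BHO/toolbar registered but its file is absent"))
            continue
        # Autostart whose label does not resemble the binary it launches.
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m and not _name_matches_exe(m.group("name"), m.group("cmd")):
            findings.append(Finding("autostart_name_mismatch", "review", line,
                                    f"entry name {m.group('name')!r} does not resemble its executable"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LINES):
        print(f"[{f.severity}] {f.rule}: {f.note}\n    {f.line}")
```

On the sample it reports the HKCU start page (host not on the allowlist), the two registrations with no file behind them, and the two autostart entries whose labels do not resemble their executables, while leaving the Apoint and QuickTime entries alone. The name-mismatch rule is intentionally loose and will also flag legitimate pairs such as a product name that shares no words with its binary; treat its output as a review queue, and pair it with an allowlist of known name/executable pairs before running it over a real fleet.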



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:09 AM

Posted 12 June 2011 - 01:53 PM

Hello gormancn ,


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. If McAfee gives you any problems, you may have to temporarily uninstall it. For some reason, this is common with McAfee. <_<

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to gormancn.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 gormancn

gormancn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 June 2011 - 04:39 PM

thx. here's the log....

ComboFix 11-06-11.01 - Chris Gorman 06/12/2011 17:07:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.2225 [GMT -4:00]
Running from: c:\users\Chris Gorman\Downloads\gormancn.exe.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\gormancn.exe
c:\gormancn.exe\023.dat
c:\gormancn.exe\023v.dat
c:\gormancn.exe\AppDataFile.cfx
c:\gormancn.exe\AppDataFolder.cfx
c:\gormancn.exe\appinit.bad
c:\gormancn.exe\asp.str
c:\gormancn.exe\Assoc.cmd
c:\gormancn.exe\ATTRIB.cfxxe
c:\gormancn.exe\Auto-RC.cmd
c:\gormancn.exe\av.cmd
c:\gormancn.exe\av.vbs
c:\gormancn.exe\AWF.cmd
c:\gormancn.exe\badclsid
c:\gormancn.exe\Boot-Rk.cmd
c:\gormancn.exe\Boot.bat
c:\gormancn.exe\BootDrv.vbs
c:\gormancn.exe\c.bat
c:\gormancn.exe\c.mrk
c:\gormancn.exe\Catch-sub.cmd
c:\gormancn.exe\catchme.cfxxe
c:\gormancn.exe\CCS.bat
c:\gormancn.exe\CF-Script.cmd
c:\gormancn.exe\CF12380.cfxxe
c:\gormancn.exe\CHCP.bat
c:\gormancn.exe\Chris Gorman.user.cf
c:\gormancn.exe\clsid.c
c:\gormancn.exe\clsid.dat
c:\gormancn.exe\clsid.hiv
c:\gormancn.exe\Combobatch.bat
c:\gormancn.exe\ComboFix-Download.cfxxe
c:\gormancn.exe\Create.cmd
c:\gormancn.exe\Creg.dat
c:\gormancn.exe\CregC.cmd
c:\gormancn.exe\CregC.dat
c:\gormancn.exe\CregC_.dat
c:\gormancn.exe\CSCRIPT.cfxxe
c:\gormancn.exe\CSet.cmd
c:\gormancn.exe\d-delA.dat
c:\program files\Smart-Shopper
c:\program files\Smart-Shopper\cs\antiphishing\antiphishing.html
c:\program files\Smart-Shopper\cs\antiphishing\phishAlert.gif
c:\program files\Smart-Shopper\cs\antiphishing\x.gif
c:\program files\Smart-Shopper\cs\antiphishing\xActive.gif
c:\program files\Smart-Shopper\Uninst.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\SmartShopper
c:\programdata\Microsoft\Windows\Start Menu\Programs\SmartShopper\SmartShopper - Comapre product prices.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SmartShopper\SmartShopper - Compare travel rate.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SmartShopper\SmartShopper Help.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\SmartShopper\Uninstall SmartShopper.lnk
c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.lnk
c:\windows\StartUp.exe
c:\windows\system32\28A0344E87.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-12 to 2011-06-12 )))))))))))))))))))))))))))))))
.
.
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\postgresuser\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\postgres\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\omaha828\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\holdem4\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\holdem3\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\holdem\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\Chris Gorman Again\AppData\Local\temp
2011-06-12 21:28 . 2011-06-12 21:28 -------- d-----w- c:\users\cgorman\AppData\Local\temp
2011-06-10 23:56 . 2011-06-10 23:56 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-06-10 06:06 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EF9B02EF-00D3-4175-9B2E-21B3AFE48A21}\mpengine.dll
2011-06-08 15:37 . 2011-06-08 15:51 -------- d-----w- c:\programdata\Hitman Pro
2011-06-03 23:54 . 2011-06-03 23:54 -------- d-----w- c:\program files\Twonky
2011-05-24 04:56 . 2011-06-08 16:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 21:47 . 2011-05-16 21:49 -------- d-----w- c:\programdata\Protexis
2011-05-16 21:46 . 2011-05-16 21:46 -------- d-----w- c:\program files\Oberon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 20:54 . 2011-04-24 20:54 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-19 00:00 . 2011-04-24 20:54 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-18 10:23 . 2011-04-24 22:29 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-14 03:32 . 2011-04-14 03:32 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-09 22:55 . 2011-04-09 22:55 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 22:55 . 2011-04-09 22:55 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 04:10 . 2011-04-06 04:10 7774208 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-04-06 02:09 . 2011-04-06 02:09 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-04-06 02:09 . 2011-04-06 02:09 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-06 02:09 . 2011-04-06 02:09 12385280 ----a-w- c:\windows\system32\amdocl.dll
2011-04-06 02:07 . 2011-04-06 02:07 17469952 ----a-w- c:\windows\system32\atioglxx.dll
2011-04-06 02:03 . 2011-04-06 02:03 147456 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-06 02:03 . 2010-07-07 01:54 671744 ----a-w- c:\windows\system32\aticfx32.dll
2011-04-06 01:59 . 2011-04-06 01:59 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-06 01:59 . 2011-04-06 01:59 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-04-06 01:58 . 2011-04-06 01:58 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-04-06 01:57 . 2008-09-16 12:19 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-04-06 01:57 . 2008-09-16 12:19 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-04-06 01:57 . 2011-04-06 01:57 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-04-06 01:56 . 2011-04-06 01:56 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-04-06 01:56 . 2011-04-06 01:56 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-04-06 01:53 . 2011-04-06 01:53 4307968 ----a-w- c:\windows\system32\atidxx32.dll
2011-04-06 01:42 . 2011-04-06 01:42 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-04-06 01:42 . 2011-04-06 01:42 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-04-06 01:38 . 2011-04-06 01:38 6098432 ----a-w- c:\windows\system32\aticaldd.dll
2011-04-06 01:35 . 2008-09-16 12:19 4256768 ----a-w- c:\windows\system32\atiumdag.dll
2011-04-06 01:34 . 2011-04-06 01:34 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
2011-04-06 01:28 . 2010-07-07 01:24 52736 ----a-w- c:\windows\system32\coinst.dll
2011-04-06 01:26 . 2008-09-16 12:19 3631616 ----a-w- c:\windows\system32\atiumdva.dll
2011-04-06 01:22 . 2011-04-06 01:22 258048 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-06 01:22 . 2011-04-06 01:22 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-04-06 01:21 . 2011-04-06 01:21 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-04-06 01:21 . 2011-04-06 01:21 242176 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-04-06 01:20 . 2011-04-06 01:20 31232 ----a-w- c:\windows\system32\atiuxpag.dll
2011-04-06 01:20 . 2010-07-07 01:14 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-04-06 01:20 . 2010-07-07 01:14 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-04-06 01:20 . 2011-04-06 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-06 01:13 . 2011-04-06 01:13 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-04-06 01:13 . 2011-04-06 01:13 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-22 21:46 . 2011-03-22 21:46 218379 ----a-w- c:\windows\system32\rdminer.exe
2011-04-14 16:26 . 2011-06-12 16:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mikogo"="c:\users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe" [2009-09-26 1277224]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-03-23 15921152]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2010-11-11 570688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-08-05 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SoundMen"="c:\windows\system32\rdminer.exe" [2011-03-22 218379]
.
c:\users\Chris Gorman Again\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-3-26 0]
setup_9.0.0.722_24.04.2011_22-06.lnk - c:\users\Chris Gorman\Desktop\Virus Removal Tool\setup_9.0.0.722_24.04.2011_22-06\startup.exe [2011-4-24 72208]
TwonkyMedia Manager.lnk - c:\program files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe [2009-7-22 5601973]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-6-5 36864]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-6-6 49220]
Twonky Tray Control.lnk - c:\program files\TwonkyMedia\twonkymediaserverconfig.exe [2011-3-10 607832]
TwonkyMedia Tray Control.lnk - c:\program files\TwonkyMedia\twonkymediaserverconfig.exe [2011-3-10 607832]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 10:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Chris Gorman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Chris Gorman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2008-07-24 20:36 993520 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2008-02-19 15:43 438403 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-09-16 09:51 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
2009-09-26 02:42 1277224 ----a-w- c:\users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-01-14 15:13 132392 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCUI]
2008-11-12 14:53 479232 ----a-w- c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2008-11-17 01:10 79872 ----a-w- c:\users\Chris Gorman\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-27 21:01 24103720 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-05 03:51 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UFC Media Manager Tray]
2008-01-08 23:50 374608 ----a-w- c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 B-Service;B-Service;c:\users\Chris Gorman\AppData\Roaming\Mikogo\B-Service.exe [2009-04-02 185640]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-04-19 15232]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 79099122;79099122 Boot Guard Driver;c:\windows\system32\DRIVERS\79099122.sys [2009-10-22 37392]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-04-19 64512]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-01 420920]
S1 79099121;79099121;c:\windows\system32\DRIVERS\79099121.sys [2009-09-25 128016]
S1 setup_9.0.0.722_24.04.2011_22-06drv;setup_9.0.0.722_24.04.2011_22-06drv;c:\windows\system32\DRIVERS\7909912.sys [2009-10-10 311312]
S1 trueping;trueping;c:\windows\system32\drivers\trueping.sys [2010-08-01 50584]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-06-25 73728]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-06 176128]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-16 2151128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 TwonkyMedia;TwonkyMedia;c:\program files\TwonkyMedia\twonkymediaserverwatchdog.exe [2011-03-11 505432]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-06 7774208]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-06 242176]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-13 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-07-28 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-07-28 277504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767521655-1598373030-993447095-1000Core.job
- c:\users\Chris Gorman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-23 00:39]
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767521655-1598373030-993447095-1000UA.job
- c:\users\Chris Gorman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-23 00:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.search-fever.com/find.php
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Flash with Flash &Grabber - c:\progra~1\FLASHG~1\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Chris Gorman\AppData\Roaming\Mozilla\Firefox\Profiles\0p7lf886.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{107563F7-5723-3432-8F52-65B6FFADF51F} - c:\windows\system32\xwr20602.dll
HKCU-Run-CPN Notifier - c:\program files\Cake Poker 2.0\PokerNotifier.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
AddRemove-Command & Conquer - c:\program\EA GAMES\Uninstal.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-SecondLife - c:\program files\SecondLife\uninst.exe
AddRemove-Smart-Shopper - c:\program files\Smart-Shopper\Uninst.exe
AddRemove-{A3BC1DBD-64D6-4EBC-0091-24C811662D40} - c:\program files\EA Sports\Madden NFL 08\EAUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 17:28
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1767521655-1598373030-993447095-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,10,44,06,ef,95,79,34,31,7e,f9,c1,60,bd,ba,bc,3d,f3,63,b4,ce,d6,72,
9e,20,be,be,fc,6a,6c,29,a6,06,9b,bb,77,0c,b6,1c,38,d4,ee,2b,86,03,85,70,c2,\
"??"=hex:8f,0d,d1,7d,84,7c,d8,ab,6f,96,36,c7,b4,40,0f,fa
.
[HKEY_USERS\S-1-5-21-1767521655-1598373030-993447095-1000\Software\SecuROM\License information*]
"datasecu"=hex:17,0f,a6,fc,c2,dc,c9,ff,b0,bb,1b,70,9f,56,1c,b6,20,93,f4,bd,6d,
a7,de,57,28,46,0d,a9,1c,91,db,72,8a,bd,1f,51,05,13,11,01,52,ab,9d,33,91,aa,\
"rkeysecu"=hex:d8,d9,0b,45,d5,5a,59,23,23,fb,17,4c,c3,08,6d,14
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-06-12 17:37:33
ComboFix-quarantined-files.txt 2011-06-12 21:37
.
Pre-Run: 20,632,612,864 bytes free
Post-Run: 21,567,533,056 bytes free
.
- - End Of File - - 3CBCDFB554E7BEE3E504010B187C6F8C

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:09 AM

Posted 12 June 2011 - 04:58 PM

How is it running now please? :)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 gormancn

gormancn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 June 2011 - 05:15 PM

Ah - sorry :).

It didn't immediately fix it...

I did reinstall Firefox (Chrome is still affected but I don't use it much, just checked it after running the fix). Currently Firefox is running fine, but it did before... at some point a few hours in, the changes came back.

Shall I just reply if Firefox gets affected again?

Thanks again.

#6 gormancn

gormancn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 June 2011 - 05:50 PM

Boooo - it's still there :(

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:02:09 AM

Posted 12 June 2011 - 06:28 PM

That's all right... it really should not have been fixed. :wink: I just asked how it was running.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

DDs::
uStart Page = hxxp://www.search-fever.com/find.php

Firefox::
FF - ProfilePath - c:\users\Chris Gorman\AppData\Roaming\Mozilla\Firefox\Profiles\0p7lf886.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

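The CFScript above resets the Internet Explorer start page and the Firefox `browser.startup.homepage` pref that the log showed pointing at search-fever.com. The check below is an added example, not part of this thread or of ComboFix: it parses a Firefox `prefs.js` (the `user_pref("name", value);` format the `FF - prefs.js:` log lines come from) and flags URL-valued prefs whose host is not on an allowlist, so a re-hijack can be spotted without rerunning a full scan. The sample `prefs.js` content is constructed for the example; `keyword.URL` and `browser.search.defaulturl` are legacy Firefox 3.x-era pref names included alongside the one named in the log.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a Firefox prefs.js (not copied from the thread's logs).
# The homepage value mirrors the hijacked one reported in the ComboFix log.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.search-fever.com/find.php");
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.URL", "http://www.google.com/search?q=");
user_pref("browser.startup.page", 1);
user_pref("browser.shell.checkDefaultBrowser", false);
'''

# One user_pref("name", value); statement per line.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# URL-valued prefs worth watching for hijack changes. browser.startup.homepage is
# the one in the log; the other two are legacy Firefox 3.x-era names.
WATCHED_URL_PREFS = (
    "browser.startup.homepage",
    "keyword.URL",
    "browser.search.defaulturl",
)


def parse_prefs_js(text):
    """Return {name: value} for every user_pref() line.

    Quoted strings are unquoted, true/false become bools, integers become int,
    anything else is kept as the raw text. Lines that are not user_pref()
    statements (comments, blank lines) are ignored.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def _registrable_parents(host):
    """'www.example.com' -> {'www.example.com', 'example.com'} (never the bare TLD)."""
    labels = host.lower().split(".")
    return {".".join(labels[i:]) for i in range(max(1, len(labels) - 1))}


def suspicious_prefs(prefs, allowed_hosts):
    """Return [(pref_name, url)] for watched URL prefs pointing off the allowlist.

    A host passes if it, or any parent domain above the TLD, is allowed, so
    'google.com' in the allowlist also accepts 'www.google.com'. Firefox stores
    multiple homepages as one '|'-separated string, so each part is checked.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for pref in WATCHED_URL_PREFS:
        value = prefs.get(pref)
        if not isinstance(value, str):
            continue
        for url in value.split("|"):
            url = url.strip()
            host = (urlsplit(url).hostname or "").lower()
            if not host:
                continue  # about:blank, about:home and the like carry no host
            if not (_registrable_parents(host) & allowed):
                findings.append((pref, url))
    return findings


def check_prefs_text(text, allowed_hosts=("google.com", "mozilla.org")):
    """Parse prefs.js text and return the list of off-allowlist URL prefs."""
    return suspicious_prefs(parse_prefs_js(text), allowed_hosts)


if __name__ == "__main__":
    for name, url in check_prefs_text(SAMPLE_PREFS_JS):
        print(f"{name} points off the allowlist: {url}")
```

To run this against a real profile, read the `prefs.js` inside the profile directory shown on the `FF - ProfilePath` log line and pass its contents to `check_prefs_text`; Firefox rewrites `prefs.js` on exit, so check it with the browser closed, and a value that keeps returning after being reset is the signal that something outside the profile is rewriting it.
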
#8 gormancn

gormancn
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:09 AM

Posted 12 June 2011 - 10:39 PM

Just ran it again with the .txt file. Still hacked, but didn't reinstall anything. Here's the log:

ComboFix 11-06-11.01 - Chris Gorman 06/12/2011 23:13:37.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3581.1910 [GMT -4:00]
Running from: c:\users\Chris Gorman\Downloads\gormancn.exe.exe
Command switches used :: c:\users\Chris Gorman\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\gormancn.exe
c:\gormancn.exe\023.dat
c:\gormancn.exe\023v.dat
c:\gormancn.exe\ADS.dat
c:\gormancn.exe\AppData.folder.dat
c:\gormancn.exe\appinit.bad
c:\gormancn.exe\asp.str
c:\gormancn.exe\Assoc.cmd
c:\gormancn.exe\attr.dat
c:\gormancn.exe\ATTRIB.cfxxe
c:\gormancn.exe\autorun_inf.dat
c:\gormancn.exe\autorun_infB.dat
c:\gormancn.exe\av.cmd
c:\gormancn.exe\av.vbs
c:\gormancn.exe\AWF.cmd
c:\gormancn.exe\badclsid
c:\gormancn.exe\Boot-Rk.cmd
c:\gormancn.exe\Boot.bat
c:\gormancn.exe\BootDrv.vbs
c:\gormancn.exe\borlander_file.dat
c:\gormancn.exe\borlander_folder.dat
c:\gormancn.exe\c.bat
c:\gormancn.exe\c.mrk
c:\gormancn.exe\Cache.folder.dat
c:\gormancn.exe\Catch-sub.cmd
c:\gormancn.exe\catch_E.dat
c:\gormancn.exe\catch_k.dat
c:\gormancn.exe\catchme.cfxxe
c:\gormancn.exe\Catchme.tmp
c:\gormancn.exe\CCS.bat
c:\gormancn.exe\CF-Script.cmd
c:\gormancn.exe\CF18432.cfxxe
c:\gormancn.exe\cfdummy
c:\gormancn.exe\Cfiles.dat
c:\gormancn.exe\Cfolders.dat
c:\gormancn.exe\cfscriptDequarantine00
c:\gormancn.exe\cfscriptDequarantineB00
c:\gormancn.exe\cfscriptFilex6400
c:\gormancn.exe\cfscriptFolderx6400
c:\gormancn.exe\cfscriptRegistry00
c:\gormancn.exe\CHCP.bat
c:\gormancn.exe\Chris Gorman.user.cf
c:\gormancn.exe\ClistB.dat
c:\gormancn.exe\clsid.c
c:\gormancn.exe\clsid.dat
c:\gormancn.exe\clsid.hiv
c:\gormancn.exe\Combobatch.bat
c:\gormancn.exe\ComboFix-Download.cfxxe
c:\gormancn.exe\ConEnv.sed
c:\gormancn.exe\Cookies.folder.dat
c:\gormancn.exe\Create.cmd
c:\gormancn.exe\Creg.dat
c:\gormancn.exe\CregC.cmd
c:\gormancn.exe\CregC.dat
c:\gormancn.exe\CregC_.dat
c:\gormancn.exe\CSCRIPT.cfxxe
c:\gormancn.exe\CSet.cmd
c:\gormancn.exe\d-del_A.dat
c:\gormancn.exe\d-delA.dat
c:\gormancn.exe\dd.cfxxe
c:\gormancn.exe\DelClsid.bat
c:\gormancn.exe\delclsid00
c:\gormancn.exe\delclsid0A
c:\gormancn.exe\DelClsid64.bat
c:\gormancn.exe\Desktop.folder.dat
c:\gormancn.exe\desktop.ini
c:\gormancn.exe\DisclaimED.dat
c:\gormancn.exe\dll_whitelist.dat
c:\gormancn.exe\dnd.dat
c:\gormancn.exe\Do.dat
c:\gormancn.exe\DPF.str
c:\gormancn.exe\Drive.folder.dat
c:\gormancn.exe\DriveFile.dat
c:\gormancn.exe\Drives.dat
c:\gormancn.exe\DrvRun.vbs
c:\gormancn.exe\dumphive.cfxxe
c:\gormancn.exe\embedded.sed
c:\gormancn.exe\en-US\ATTRIB.cfxxe.mui
c:\gormancn.exe\en-US\CF18432.cfxxe.mui
c:\gormancn.exe\en-US\cmd.cfxxe.mui
c:\gormancn.exe\en-US\CSCRIPT.cfxxe.mui
c:\gormancn.exe\en-US\PING.cfxxe.mui
c:\gormancn.exe\en-US\REGT.cfxxe.mui
c:\gormancn.exe\en-US\ROUTE.cfxxe.mui
c:\gormancn.exe\Env.sed
c:\gormancn.exe\ERDNT.e_e
c:\gormancn.exe\ERDNTDOS.LOC
c:\gormancn.exe\ERDNTWIN.LOC
c:\gormancn.exe\ERUNT.cfxxe
c:\gormancn.exe\erunt.dat
c:\gormancn.exe\ERUNT.LOC
c:\gormancn.exe\Exe.reg
c:\gormancn.exe\extract.cfxxe
c:\gormancn.exe\f_system
c:\gormancn.exe\Favorites.folder.dat
c:\gormancn.exe\FD-SV.cmd
c:\gormancn.exe\FdsvOK
c:\gormancn.exe\ffdefstr.dll
c:\gormancn.exe\FileCFScript.dat
c:\gormancn.exe\FileKill.cfxxe
c:\gormancn.exe\files.pif
c:\gormancn.exe\Fin.dat
c:\gormancn.exe\FIND3M.bat
c:\gormancn.exe\FIXLSP.bat
c:\gormancn.exe\FKMGen.cmd
c:\gormancn.exe\ForeignWht
c:\gormancn.exe\Gateway
c:\gormancn.exe\GetHive.cmd
c:\gormancn.exe\GOLDUN.DAT
c:\gormancn.exe\grep.cfxxe
c:\gormancn.exe\gsar.cfxxe
c:\gormancn.exe\handle.cfxxe
c:\gormancn.exe\HDPEInfo.cfxxe
c:\gormancn.exe\hidec.cfxxe
c:\gormancn.exe\history.bat
c:\gormancn.exe\History.folder.dat
c:\gormancn.exe\Homer
c:\gormancn.exe\Homer.chk
c:\gormancn.exe\iexplore.exe
c:\gormancn.exe\image001.gif
c:\gormancn.exe\Imefile.dat
c:\gormancn.exe\katch.cmd
c:\gormancn.exe\Kill-All.cmd
c:\gormancn.exe\kmd.dat
c:\gormancn.exe\Lang.bat
c:\gormancn.exe\LatestVer
c:\gormancn.exe\List-B.bat
c:\gormancn.exe\List-C.bat
c:\gormancn.exe\lnkread.vbs
c:\gormancn.exe\LocalAppData.folder.dat
c:\gormancn.exe\LocalService.dat
c:\gormancn.exe\LocalServiceNetworkRestricted.dat
c:\gormancn.exe\LocalSettings.folder.dat
c:\gormancn.exe\LocalSystemNetworkRestricted.dat
c:\gormancn.exe\max_.dat
c:\gormancn.exe\mbr.cfxxe
c:\gormancn.exe\mbr.chk
c:\gormancn.exe\md5sum.pif
c:\gormancn.exe\Mirrors
c:\gormancn.exe\MoveIt.bat
c:\gormancn.exe\mtee.cfxxe
c:\gormancn.exe\MtPt00
c:\gormancn.exe\MUI
c:\gormancn.exe\Music.folder.dat
c:\gormancn.exe\MWindows.dat
c:\gormancn.exe\mynul.dat
c:\gormancn.exe\N_\12897
c:\gormancn.exe\N_\16405
c:\gormancn.exe\N_\17082
c:\gormancn.exe\N_\18607
c:\gormancn.exe\N_\21109
c:\gormancn.exe\N_\21487
c:\gormancn.exe\N_\21972
c:\gormancn.exe\N_\22163
c:\gormancn.exe\N_\22650
c:\gormancn.exe\N_\22818
c:\gormancn.exe\N_\24646
c:\gormancn.exe\N_\26960
c:\gormancn.exe\N_\27096
c:\gormancn.exe\N_\27210
c:\gormancn.exe\N_\27680
c:\gormancn.exe\N_\28735
c:\gormancn.exe\N_\29061
c:\gormancn.exe\N_\29310
c:\gormancn.exe\N_\29892
c:\gormancn.exe\N_\31403
c:\gormancn.exe\N_\31548
c:\gormancn.exe\N_\32313
c:\gormancn.exe\N_\32735
c:\gormancn.exe\N_\338
c:\gormancn.exe\N_\4550
c:\gormancn.exe\N_\6639
c:\gormancn.exe\N_\6744
c:\gormancn.exe\N_\72
c:\gormancn.exe\N_\8128
c:\gormancn.exe\N_\8327
c:\gormancn.exe\N_\8358
c:\gormancn.exe\N_\8437
c:\gormancn.exe\N_\8553
c:\gormancn.exe\N_\9436
c:\gormancn.exe\N_\9571
c:\gormancn.exe\N_\cfdummy00
c:\gormancn.exe\N_\CmdLine00
c:\gormancn.exe\ncmd.com
c:\gormancn.exe\ND_.bat
c:\gormancn.exe\ND_64.bat
c:\gormancn.exe\ndis_combofix.dat
c:\gormancn.exe\NetHood.folder.dat
c:\gormancn.exe\netsvc.bad.dat
c:\gormancn.exe\netsvc.dat
c:\gormancn.exe\NetworkService.dat
c:\gormancn.exe\NirCmd.cfxxe
c:\gormancn.exe\NircmdB.exe
c:\gormancn.exe\NirCmdC.cfxxe
c:\gormancn.exe\NIRKMD.cfxxe
c:\gormancn.exe\NlsLanguageDefault
c:\gormancn.exe\notifykeys.dat
c:\gormancn.exe\notifykeysB.dat
c:\gormancn.exe\NT-OS.cmd
c:\gormancn.exe\NULL
c:\gormancn.exe\OsId.txt
c:\gormancn.exe\OSid.vbs
c:\gormancn.exe\OsVer
c:\gormancn.exe\pausep.cfxxe
c:\gormancn.exe\pend.txt
c:\gormancn.exe\Personal.folder.dat
c:\gormancn.exe\pev.cfxxe
c:\gormancn.exe\pevb.cfxxe
c:\gormancn.exe\Pictures.folder.dat
c:\gormancn.exe\PING.cfxxe
c:\gormancn.exe\Policies.dat
c:\gormancn.exe\powp.dat
c:\gormancn.exe\PreDIR
c:\gormancn.exe\Prep.inf
c:\gormancn.exe\PrintHood.folder.dat
c:\gormancn.exe\Profiles.Folder.dat
c:\gormancn.exe\Profiles.Folder.folder.dat
c:\gormancn.exe\progfile.dat
c:\gormancn.exe\Programs.folder.dat
c:\gormancn.exe\Purity.dat
c:\gormancn.exe\PV.cfxxe
c:\gormancn.exe\pv.com
c:\gormancn.exe\rar_sfx.cmd
c:\gormancn.exe\RCLink.dat
c:\gormancn.exe\RcVer00
c:\gormancn.exe\Recent.folder.dat
c:\gormancn.exe\REGDACL.sed
c:\gormancn.exe\RegDo.dat
c:\gormancn.exe\RegDo.sed
c:\gormancn.exe\region.dat
c:\gormancn.exe\RegScan.cmd
c:\gormancn.exe\RegScan64.cmd
c:\gormancn.exe\REGT.cfxxe
c:\gormancn.exe\Resident.txt
c:\gormancn.exe\restore_pt.dat
c:\gormancn.exe\restore_pt.vbs
c:\gormancn.exe\Rkey.cmd
c:\gormancn.exe\rmbr.cfxxe
c:\gormancn.exe\rogues.dat
c:\gormancn.exe\ROUTE.cfxxe
c:\gormancn.exe\run.sed
c:\gormancn.exe\run2.sed
c:\gormancn.exe\Rust.str
c:\gormancn.exe\s0rt.cfxxe
c:\gormancn.exe\safeboot.dat
c:\gormancn.exe\safeboot.def.dat
c:\gormancn.exe\sed.cfxxe
c:\gormancn.exe\SendTo.folder.dat
c:\gormancn.exe\SetEnvmt.bat
c:\gormancn.exe\SetPath.bat
c:\gormancn.exe\setpath.cfxxe
c:\gormancn.exe\setpath_N.cmd
c:\gormancn.exe\SF.exe
c:\gormancn.exe\sfx.cmd
c:\gormancn.exe\SnapShot.cmd
c:\gormancn.exe\SRestore.cmd
c:\gormancn.exe\srizbi.md5
c:\gormancn.exe\Start_dat
c:\gormancn.exe\StartMenu.folder.dat
c:\gormancn.exe\StartUp.folder.dat
c:\gormancn.exe\StartUpFileB.dat
c:\gormancn.exe\SuppScan.cmd
c:\gormancn.exe\svc_wht.dat
c:\gormancn.exe\SvcDrv.vbs
c:\gormancn.exe\svchost.dat
c:\gormancn.exe\swreg.cfxxe
c:\gormancn.exe\swsc.cfxxe
c:\gormancn.exe\swxcacls.cfxxe
c:\gormancn.exe\SysPath.dat
c:\gormancn.exe\system_ini.dat
c:\gormancn.exe\tail.cfxxe
c:\gormancn.exe\Temp.dat
c:\gormancn.exe\Templates.folder.dat
c:\gormancn.exe\toolbar.sed
c:\gormancn.exe\unhand.dat
c:\gormancn.exe\Update-CF.cmd
c:\gormancn.exe\v_wht.dat
c:\gormancn.exe\VerCF.bat
c:\gormancn.exe\version.txt
c:\gormancn.exe\VikPev00
c:\gormancn.exe\Vikpev01
c:\gormancn.exe\VInfo
c:\gormancn.exe\VInfo2
c:\gormancn.exe\Vipev.dat
c:\gormancn.exe\ViPev00
c:\gormancn.exe\ViPev01
c:\gormancn.exe\Vista.krl
c:\gormancn.exe\Vista.mac
c:\gormancn.exe\vistaMcode.dat
c:\gormancn.exe\vistareg.dat
c:\gormancn.exe\vRun_DLL
c:\gormancn.exe\vun.dat
c:\gormancn.exe\vundonames.dat
c:\gormancn.exe\VwinTemp.dacl
c:\gormancn.exe\w_sock.dll
c:\gormancn.exe\w7Mcode.dat
c:\gormancn.exe\whiteAll.dat
c:\gormancn.exe\whitedir.dat
c:\gormancn.exe\whitedirCreated.dat
c:\gormancn.exe\Wmi_rem.vbs
c:\gormancn.exe\xpmcode.dat
c:\gormancn.exe\XPSBoot.reg
c:\gormancn.exe\zDomain.dat
c:\gormancn.exe\zhsvc.dat
c:\gormancn.exe\zip.cfxxe
c:\gormancn.exe\Zlob01
c:\windows\system32\28A0344E87.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-05-13 to 2011-06-13 )))))))))))))))))))))))))))))))
.
.
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\postgresuser\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\postgres\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\omaha828\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\holdem4\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\holdem3\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\holdem\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\Chris Gorman Again\AppData\Local\temp
2011-06-13 03:32 . 2011-06-13 03:32 -------- d-----w- c:\users\cgorman\AppData\Local\temp
2011-06-12 21:04 . 2011-06-12 21:37 -------- d-----w- C:\gormancn.exe16737g
2011-06-10 06:06 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EF9B02EF-00D3-4175-9B2E-21B3AFE48A21}\mpengine.dll
2011-06-08 15:37 . 2011-06-08 15:51 -------- d-----w- c:\programdata\Hitman Pro
2011-06-03 23:54 . 2011-06-03 23:54 -------- d-----w- c:\program files\Twonky
2011-05-24 04:56 . 2011-06-08 16:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-16 21:47 . 2011-05-16 21:49 -------- d-----w- c:\programdata\Protexis
2011-05-16 21:46 . 2011-05-16 21:46 -------- d-----w- c:\program files\Oberon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-24 20:54 . 2011-04-24 20:54 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-19 00:00 . 2011-04-24 20:54 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-04-18 10:23 . 2011-04-24 22:29 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-14 03:32 . 2011-04-14 03:32 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-09 22:55 . 2011-04-09 22:55 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 22:55 . 2011-04-09 22:55 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-06 04:10 . 2011-04-06 04:10 7774208 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-04-06 02:09 . 2011-04-06 02:09 59904 ----a-w- c:\windows\system32\OVDecode.dll
2011-04-06 02:09 . 2011-04-06 02:09 51712 ----a-w- c:\windows\system32\OpenCL.dll
2011-04-06 02:09 . 2011-04-06 02:09 12385280 ----a-w- c:\windows\system32\amdocl.dll
2011-04-06 02:07 . 2011-04-06 02:07 17469952 ----a-w- c:\windows\system32\atioglxx.dll
2011-04-06 02:03 . 2011-04-06 02:03 147456 ----a-w- c:\windows\system32\atiapfxx.exe
2011-04-06 02:03 . 2010-07-07 01:54 671744 ----a-w- c:\windows\system32\aticfx32.dll
2011-04-06 01:59 . 2011-04-06 01:59 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-04-06 01:59 . 2011-04-06 01:59 393216 ----a-w- c:\windows\system32\atieclxx.exe
2011-04-06 01:58 . 2011-04-06 01:58 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2011-04-06 01:57 . 2008-09-16 12:19 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2011-04-06 01:57 . 2008-09-16 12:19 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2011-04-06 01:57 . 2011-04-06 01:57 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2011-04-06 01:56 . 2011-04-06 01:56 15872 ----a-w- c:\windows\system32\atimuixx.dll
2011-04-06 01:56 . 2011-04-06 01:56 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-04-06 01:53 . 2011-04-06 01:53 4307968 ----a-w- c:\windows\system32\atidxx32.dll
2011-04-06 01:42 . 2011-04-06 01:42 46080 ----a-w- c:\windows\system32\aticalrt.dll
2011-04-06 01:42 . 2011-04-06 01:42 44032 ----a-w- c:\windows\system32\aticalcl.dll
2011-04-06 01:38 . 2011-04-06 01:38 6098432 ----a-w- c:\windows\system32\aticaldd.dll
2011-04-06 01:35 . 2008-09-16 12:19 4256768 ----a-w- c:\windows\system32\atiumdag.dll
2011-04-06 01:34 . 2011-04-06 01:34 1912832 ----a-w- c:\windows\system32\atiumdmv.dll
2011-04-06 01:28 . 2010-07-07 01:24 52736 ----a-w- c:\windows\system32\coinst.dll
2011-04-06 01:26 . 2008-09-16 12:19 3631616 ----a-w- c:\windows\system32\atiumdva.dll
2011-04-06 01:22 . 2011-04-06 01:22 258048 ----a-w- c:\windows\system32\atiadlxx.dll
2011-04-06 01:22 . 2011-04-06 01:22 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2011-04-06 01:21 . 2011-04-06 01:21 32768 ----a-w- c:\windows\system32\atigktxx.dll
2011-04-06 01:21 . 2011-04-06 01:21 242176 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-04-06 01:20 . 2011-04-06 01:20 31232 ----a-w- c:\windows\system32\atiuxpag.dll
2011-04-06 01:20 . 2010-07-07 01:14 29184 ----a-w- c:\windows\system32\atiu9pag.dll
2011-04-06 01:20 . 2010-07-07 01:14 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2011-04-06 01:20 . 2011-04-06 01:20 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-04-06 01:13 . 2011-04-06 01:13 52736 ----a-w- c:\windows\system32\atimpc32.dll
2011-04-06 01:13 . 2011-04-06 01:13 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2011-03-22 21:46 . 2011-03-22 21:46 218379 ----a-w- c:\windows\system32\rdminer.exe
2011-04-14 16:26 . 2011-06-12 21:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-01-17 14:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuz0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncBackedUp]
@="{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}"
[HKEY_CLASSES_ROOT\CLSID\{0C4A258A-3F3B-4FFF-80A7-9B3BEC139472}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncPending]
@="{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}"
[HKEY_CLASSES_ROOT\CLSID\{62CCD8E3-9C21-41E1-B55E-1E26DFC68511}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncRoot]
@="{A759AFF6-5851-457D-A540-F4ECED148351}"
[HKEY_CLASSES_ROOT\CLSID\{A759AFF6-5851-457D-A540-F4ECED148351}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SugarSyncShared]
@="{1574C9EF-7D58-488F-B358-8B78C1538F51}"
[HKEY_CLASSES_ROOT\CLSID\{1574C9EF-7D58-488F-B358-8B78C1538F51}]
2011-03-23 04:56 319488 ----a-w- c:\program files\SugarSync\SugarSyncShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mikogo"="c:\users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe" [2009-09-26 1277224]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SugarSync"="c:\program files\SugarSync\SugarSyncManager.exe" [2011-03-23 15921152]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2010-11-11 570688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-08-05 3563520]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"SoundMen"="c:\windows\system32\rdminer.exe" [2011-03-22 218379]
.
c:\users\Chris Gorman Again\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-3-26 0]
setup_9.0.0.722_24.04.2011_22-06.lnk - c:\users\Chris Gorman\Desktop\Virus Removal Tool\setup_9.0.0.722_24.04.2011_22-06\startup.exe [2011-4-24 72208]
TwonkyMedia Manager.lnk - c:\program files\TwonkyMedia\MediaManager\TwonkyMediaManager.exe [2009-7-22 5601973]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-6-5 36864]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
NCProTray.lnk - c:\program files\SEC\Natural Color Pro\NCProTray.exe [2009-6-6 49220]
Twonky Tray Control.lnk - c:\program files\TwonkyMedia\twonkymediaserverconfig.exe [2011-3-10 607832]
TwonkyMedia Tray Control.lnk - c:\program files\TwonkyMedia\twonkymediaserverconfig.exe [2011-3-10 607832]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-16 10:01 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk
backup=c:\windows\pss\QuickSet.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Chris Gorman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Chris Gorman^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Chris Gorman\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2008-07-24 20:36 993520 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2008-02-19 15:43 438403 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2008-09-16 09:51 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mikogo]
2009-09-26 02:42 1277224 ----a-w- c:\users\Chris Gorman\AppData\Roaming\Mikogo\Mikogo-Host.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2008-01-14 15:13 132392 ------w- c:\program files\Dell\MediaDirect\PCMService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RCUI]
2008-11-12 14:53 479232 ----a-w- c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]
2008-11-17 01:10 79872 ----a-w- c:\users\Chris Gorman\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-27 21:01 24103720 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-10-05 03:51 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UFC Media Manager Tray]
2008-01-08 23:50 374608 ----a-w- c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 B-Service;B-Service;c:\users\Chris Gorman\AppData\Roaming\Mikogo\B-Service.exe [2009-04-02 185640]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-04-19 15232]
R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 79099122;79099122 Boot Guard Driver;c:\windows\system32\DRIVERS\79099122.sys [2009-10-22 37392]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-04-19 64512]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-01 420920]
S1 79099121;79099121;c:\windows\system32\DRIVERS\79099121.sys [2009-09-25 128016]
S1 setup_9.0.0.722_24.04.2011_22-06drv;setup_9.0.0.722_24.04.2011_22-06drv;c:\windows\system32\DRIVERS\7909912.sys [2009-10-10 311312]
S1 trueping;trueping;c:\windows\system32\drivers\trueping.sys [2010-08-01 50584]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-06-25 73728]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-06 176128]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-05-02 161048]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-16 2151128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 TwonkyMedia;TwonkyMedia;c:\program files\TwonkyMedia\twonkymediaserverwatchdog.exe [2011-03-11 505432]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-06 7774208]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-06 242176]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-13 203264]
S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-07-28 144672]
S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-07-28 277504]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767521655-1598373030-993447095-1000Core.job
- c:\users\Chris Gorman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-23 00:39]
.
2011-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1767521655-1598373030-993447095-1000UA.job
- c:\users\Chris Gorman\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-23 00:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.search-fever.com/find.php
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download Flash with Flash &Grabber - c:\progra~1\FLASHG~1\swfgrab.dll/iesave
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Chris Gorman\AppData\Roaming\Mozilla\Firefox\Profiles\u5tqdyc7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.search-fever.com/find.php
FF - prefs.js: browser.search.selectedEngine - Google
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-12 23:32
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1767521655-1598373030-993447095-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:17,10,44,06,ef,95,79,34,31,7e,f9,c1,60,bd,ba,bc,3d,f3,63,b4,ce,d6,72,
9e,20,be,be,fc,6a,6c,29,a6,06,9b,bb,77,0c,b6,1c,38,d4,ee,2b,86,03,85,70,c2,\
"??"=hex:8f,0d,d1,7d,84,7c,d8,ab,6f,96,36,c7,b4,40,0f,fa
.
[HKEY_USERS\S-1-5-21-1767521655-1598373030-993447095-1000\Software\SecuROM\License information*]
"datasecu"=hex:17,0f,a6,fc,c2,dc,c9,ff,b0,bb,1b,70,9f,56,1c,b6,20,93,f4,bd,6d,
a7,de,57,28,46,0d,a9,1c,91,db,72,8a,bd,1f,51,05,13,11,01,52,ab,9d,33,91,aa,\
"rkeysecu"=hex:d8,d9,0b,45,d5,5a,59,23,23,fb,17,4c,c3,08,6d,14
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2011-06-12 23:36:12
ComboFix-quarantined-files.txt 2011-06-13 03:36
ComboFix2.txt 2011-06-12 21:37
.
Pre-Run: 20,442,247,168 bytes free
Post-Run: 20,421,103,616 bytes free
.
- - End Of File - - C0E03557DC08433D2FE86007C502B7A1


thanks again.

#9 teacup61

teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 13 June 2011 - 01:37 PM

What is this that includes your username? C:\gormancn.exe16737g
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#10 gormancn (Topic Starter)

Posted 13 June 2011 - 04:56 PM

I have no idea? <_<

#11 teacup61 (Malware Response Team)

Posted 13 June 2011 - 05:42 PM

One more thing and I'll make you up a script to hit this thing with......

Are there really 9 (NINE!) user accounts on this computer?

#12 gormancn (Topic Starter)

Posted 13 June 2011 - 05:46 PM

Yikes! No! There are only two, plus the guest, which is turned off...

#13 teacup61 (Malware Response Team)

Posted 13 June 2011 - 05:54 PM

c:\users\postgresuser\AppData\Local\temp
c:\users\postgres\AppData\Local\temp
c:\users\omaha828\AppData\Local\temp
c:\users\holdem4\AppData\Local\temp
c:\users\holdem3\AppData\Local\temp
c:\users\holdem\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\Chris Gorman Again\AppData\Local\temp
c:\users\cgorman\AppData\Local\temp

Which are yours?

#14 gormancn (Topic Starter)

Posted 13 June 2011 - 06:07 PM

Kinda weird, b/c i don't see mine. The user I'm on right now is "Chris Gorman" and the other one is "Chris Gorman Again." The rest of the names actually look like they were setup somehow by a poker hand database program I used to use a lot. Those look like the names of my databases.
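A way to tell which of the C:\Users folders listed above belong to real accounts, added here as an example and not taken from this thread or from any tool the helper used. It is PowerShell, assumed to be run from an elevated prompt on the affected machine (PowerShell 2.0 or later); it reads the ProfileList registry key, which maps each profile SID to its folder, and the Win32_UserAccount WMI class, both of which exist on Vista. A folder with no ProfileList entry was never a logged-in profile, which is the distinction the question in the thread turns on.

```powershell
# Added example (not from this thread): reconcile the folders under C:\Users with
# the profiles Windows registered and the local accounts in the SAM, so a stray
# folder can be told apart from a real account. Assumes PowerShell 2.0 or later
# on Vista/Win7 and an elevated prompt (ProfileList and Win32_UserAccount are
# both standard on those systems).

$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Profiles the OS knows about: one subkey per SID, ProfileImagePath = folder.
$registered = Get-ChildItem $profileListKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Sid  = $_.PSChildName
        Path = [Environment]::ExpandEnvironmentVariables($props.ProfileImagePath)
    }
}

# 2. Local accounts as the SAM reports them (the filter keeps domain lookups out).
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled

# 3. Classify every folder under C:\Users (-Force includes hidden ones such as
#    Default; Public, Default and the legacy junctions are expected to show as
#    folder-only because they are not per-SID profiles).
Get-ChildItem 'C:\Users' -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $reg    = $registered | Where-Object { $_.Path -eq $folder } | Select-Object -First 1
    $acct   = $null
    if ($reg) {
        $acct = $accounts | Where-Object { $_.SID -eq $reg.Sid } | Select-Object -First 1
    }

    $status = if (-not $reg)          { 'folder only, no profile entry' }
              elseif (-not $acct)     { 'profile registered, no local account (domain, service, or deleted)' }
              elseif ($acct.Disabled) { 'local account (disabled)' }
              else                    { 'local account (enabled)' }

    New-Object PSObject -Property @{
        Folder  = $folder
        SID     = $(if ($reg)  { $reg.Sid }    else { '-' })
        Account = $(if ($acct) { $acct.Name } else { '-' })
        Status  = $status
    }
} | Format-Table Folder, Account, Status -AutoSize
```

Folders reported as "local account (enabled)" are the ones a person or an installer can actually log in with and are worth reviewing in the user account control panel; "folder only" entries are leftovers that a profile cleanup can remove without touching any account. Service installers (a database server, for instance) commonly create a local account plus a profile folder, which is consistent with what the thread describes.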

#15 teacup61 (Malware Response Team)

Posted 13 June 2011 - 06:35 PM

Okay....good info, thanks. Do you want me to leave them for you to deal with then? :) Probably best if you handle them.
