XP ANTIVIRUS 2011 Trojan.Qhost.lxe


This topic is locked
31 replies to this topic

#1 Cornetto (Members, 26 posts)

Posted 21 June 2011 - 08:16 PM

My PC is running XP with Windows Security Essentials and Avira.

During the attack I was hit by screen after screen with warnings about malware. The screens looked similar to ones I saw online describing the "XP Antivirus 2011".


I was blocked from running Malwarebytes or any other scan from my desktop.

My browsers would open but I was blocked from entering anything in the search box.

I loaded rkill onto a thumb drive and ran it from there. Everything returned to normal instantly.

The next time I used the computer the virus came back, but in a much milder form. I used rkill again and again it worked instantly.

The only odd thing I am seeing now is that when the bug hit, it turned off my automatic updates. I am still unable to turn them on, even manually.


A second recent event:

I was following instructions that required me to use the Hosts file. When I opened it there were a lot of odd entries. I ran a copy of the Hosts file through Jotti and got three hits on "Trojan.Qhost.LXE". I have a copy of the Hosts file ready to upload, but I have not attached it, to avoid clutter.


Are these two issues related? The XP Antivirus 2011 bug struck very recently but the Qhost Trojan has been redirecting searches for almost two years.


I need a guiding hand or I will surely perish.

Thanks, KGH




DDS
.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Kim Hawke at 1:28:58 on 2011-06-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1524 [GMT -6:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYSTEM~1\WScheduler.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\Sound Blaster Play\Surround Mixer\CTSysVol.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Macrium backup imager\ReflectService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Evernote\Evernote3\Evernote.exe
C:\Program Files\Evernote\Evernote3\EvernoteTray.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\philips\intern~1\ARCURL~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [IpSharkk] "c:\program files\ipsharkk\IpSharkk.exe" /auto
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WScheduler] c:\progra~1\system~1\WScheduler.exe /LOGON
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min/nosplash
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CTSysVol] c:\program files\creative\sound blaster play\surround mixer\CTSysVol.exe /r
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AtherosBtXpStack] c:\program files\asus bluetooth xp suite\BluetoothSuit.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO] c:\program files\comodo\comodo livepcsupport\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo livepcsupport\VALA.exe
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kim hawke\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\pandau~1.lnk - c:\program files\panda usb vaccine\USBVaccine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\backup~1.lnk - c:\program files\ascomp software\backup maker\bkmaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235694667031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 172.16.1.254
TCP: Interfaces\{A528EC12-8AA2-4ED2-81EB-FF950F24F462} : DhcpNameServer = 172.16.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [2011-6-3 15888]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [2011-3-25 9728]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-11 11608]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-3-2 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-24 56816]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2011-5-25 154432]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-4-7 61440]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium backup imager\ReflectService.exe [2008-8-6 216032]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-3-2 65576]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 a2free;a-squared Free Service;"g:\a-squared free\a2service.exe" --> g:\a-squared free\a2service.exe [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe" /tempstart:""c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\setup.exe" /notempcleanup /crossupgrade" --> c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe [?]
S3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\drivers\AthDfu.sys [2011-4-6 38272]
S3 BTATHPROT;General Bluetooth Filter;c:\windows\system32\drivers\btathprot.sys [2011-4-6 604544]
S3 BTATHUSB;General Bluetooth Device;c:\windows\system32\drivers\btathusb.sys [2011-4-6 64640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-12-26 30192]
S3 gwiopm;gwiopm;\??\c:\program files\unknown device identifier\gwiopm.sys --> c:\program files\unknown device identifier\gwiopm.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15232]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\drivers\vtcdrv.sys [2009-11-23 18560]
.
=============== File Associations ===============
.
txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"
.reg=Regedit.Document
.
=============== Created Last 30 ================
.
2011-06-18 08:50:57 -------- d-----w- c:\documents and settings\kim hawke\application data\ASCOMP Software
2011-06-18 08:50:36 1242552 ----a-w- c:\windows\system32\NMSDVDXU.dll
2011-06-18 08:50:34 -------- d-----w- c:\program files\ASCOMP Software
2011-06-06 20:44:21 -------- d-----w- C:\Audio Video Play and Edit
2011-06-04 02:37:21 -------- d-----w- c:\documents and settings\kim hawke\local settings\application data\K-Meleon
2011-06-04 02:36:08 -------- d-----w- c:\program files\K-Meleonn
2011-06-03 10:21:54 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-03 10:21:53 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-06-03 10:19:37 -------- d-----w- c:\program files\COMODO
2011-06-03 10:12:15 15888 ----a-w- c:\windows\system32\drivers\EnumProcessesDriver.sys
2011-06-03 10:09:56 -------- d-----w- c:\documents and settings\kim hawke\application data\ComodoGroup
2011-06-03 06:42:07 -------- d-----w- c:\documents and settings\kim hawke\local settings\application data\Chromium
2011-06-03 06:41:54 -------- d-----w- c:\program files\SRWare Iron
2011-06-03 06:22:31 -------- d-----w- c:\documents and settings\kim hawke\application data\K-Meleon
2011-06-03 06:21:50 -------- d-----w- c:\program files\K-Meleon
2011-06-02 21:19:37 -------- d-----w- c:\program files\Empty Program Files Created After xp anti-v attack xx probably unrelated to attack
2011-06-02 11:40:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 21:20:24 -------- d-----w- c:\program files\HD Tune
2011-05-26 04:43:16 -------- d-----w- c:\program files\DVDFab 8 Qt
2011-05-26 03:33:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
==================== Find3M ====================
.
2011-05-29 15:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 11:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 08:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 09:30:50 246804 ----a-w- c:\windows\system32\drivers\AtherosBT.bin
2011-01-27 05:38:43 8768200 ----a-w- c:\program files\common files\lpuninstall.exe
.
============= FINISH: 1:30:21.15 ===============

Attached File: ark.txt (109.73KB)
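The question in this post turns on whether the entries DDS reports under "Hosts:" (five payment- and security-themed domains all mapped to 74.125.45.100) are a hijack. The script below is an added example and is not part of the original post, of the DDS tool, or of the forum's cleanup procedure: it parses either a raw Windows hosts file or pasted DDS-style "Hosts:" lines and flags any hostname mapped to a routable address, noting when many names share one IP and when a name looks like a security, update or payment site. The sample hosts text is constructed from the entries in the log above; the HIJACK_KEYWORDS list and the fan-out threshold are assumptions to tune, not a signature.

```python
"""Triage a Windows hosts file for Qhost-style hijack entries.

Added example, not from the thread. A legitimate hosts file maps names to
127.0.0.1 or 0.0.0.0 (a sinkhole: the name stops resolving); a hijack maps
names to a routable address so the victim is silently redirected.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the "Hosts:" lines in the DDS log above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
74.125.45.100   4-open-davinci.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   privatesecuredpayments.com
74.125.45.100   secure.privatesecuredpayments.com
74.125.45.100   getantivirusplusnow.com
0.0.0.0         ads.example.net   # blocklist-style sinkhole, benign
"""

# Assumed keyword list: substrings common in the domains a rogue-AV hosts
# hijack redirects (security vendors, update and payment sites).
HIJACK_KEYWORDS = ("secur", "payment", "antivirus", "update", "bank")

# DDS prefixes each hosts entry with "Hosts:"; accept pasted log lines too.
_DDS_PREFIX = re.compile(r"^Hosts:\s*", re.IGNORECASE)


def parse_hosts(text):
    """Return (ip, hostname, lineno) triples; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _DDS_PREFIX.sub("", raw.split("#", 1)[0].strip())
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; ignore the line
        for host in fields[1:]:
            entries.append((str(ip), host.lower(), lineno))
    return entries


def is_sinkhole(ip):
    """Loopback or unspecified targets only block a name; they cannot redirect it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def triage(text, fanout_threshold=3):
    """Return one finding per suspicious entry, with the reasons it was flagged."""
    entries = parse_hosts(text)
    hosts_by_ip = defaultdict(list)
    for ip, host, _ in entries:
        hosts_by_ip[ip].append(host)

    findings = []
    for ip, host, lineno in entries:
        if is_sinkhole(ip):
            continue
        reasons = ["hostname mapped to a routable address"]
        if len(hosts_by_ip[ip]) >= fanout_threshold:
            reasons.append(f"{len(hosts_by_ip[ip])} hostnames share {ip}")
        if any(k in host for k in HIJACK_KEYWORDS):
            reasons.append("hostname matches a security/payment keyword")
        findings.append({"line": lineno, "ip": ip, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']}: " + "; ".join(f["reasons"]))
```

A routable mapping is not malicious on its own (intranet and developer entries are common), so the script reports reasons rather than verdicts and leaves the decision to restore the default hosts file to the analyst. Only loopback and 0.0.0.0 targets are treated as harmless sinkholes; anything else, including a single private address, is listed with its reasons.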


#2 km2357 (Malware Response Team, 1,784 posts, Location: California)

Posted 29 June 2011 - 01:44 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please do the following:


Step 1: Download and run DDS

Download DDS and save it to your desktop from here or here or here
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step 2: Download and run GMER

Please download gmer.zip from GMER and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at all, for whatever reason, until it has 100% completed its scan (or attempted scan, in case of some error)!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

MalWare Removal University Master

Member of ASAP


#3 Cornetto (Topic Starter; Members, 26 posts)

Posted 30 June 2011 - 01:37 AM

Thanks for your help, km2357.

I appreciate what you are doing there.


I am posting the two files, DDS and Attach.


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Kim Hawke at 22:48:08 on 2011-06-29
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1380 [GMT -6:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYSTEM~1\WScheduler.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\Sound Blaster Play\Surround Mixer\CTSysVol.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Macrium backup imager\ReflectService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Evernote\Evernote3\Evernote.exe
C:\Program Files\Evernote\Evernote3\EvernoteTray.exe
C:\Documents and Settings\Kim Hawke\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\philips\intern~1\ARCURL~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [IpSharkk] "c:\program files\ipsharkk\IpSharkk.exe" /auto
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10q_Plugin.exe -update plugin
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WScheduler] c:\progra~1\system~1\WScheduler.exe /LOGON
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min/nosplash
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CTSysVol] c:\program files\creative\sound blaster play\surround mixer\CTSysVol.exe /r
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AtherosBtXpStack] c:\program files\asus bluetooth xp suite\BluetoothSuit.exe
mRun: [COMODO] c:\program files\comodo\comodo livepcsupport\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo livepcsupport\VALA.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kim hawke\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\pandau~1.lnk - c:\program files\panda usb vaccine\USBVaccine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\backup~1.lnk - c:\program files\ascomp software\backup maker\bkmaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235694667031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 172.16.1.254
TCP: Interfaces\{A528EC12-8AA2-4ED2-81EB-FF950F24F462} : DhcpNameServer = 172.16.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [2011-6-3 15888]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [2011-3-25 9728]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-11 11608]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-3-2 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-24 56816]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2011-5-25 154432]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-4-7 61440]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium backup imager\ReflectService.exe [2008-8-6 216032]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-3-2 65576]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 a2free;a-squared Free Service;"g:\a-squared free\a2service.exe" --> g:\a-squared free\a2service.exe [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe" /tempstart:""c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\setup.exe" /notempcleanup /crossupgrade" --> c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe [?]
S3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\drivers\AthDfu.sys [2011-4-6 38272]
S3 BTATHPROT;General Bluetooth Filter;c:\windows\system32\drivers\btathprot.sys [2011-4-6 604544]
S3 BTATHUSB;General Bluetooth Device;c:\windows\system32\drivers\btathusb.sys [2011-4-6 64640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-12-26 30192]
S3 gwiopm;gwiopm;\??\c:\program files\unknown device identifier\gwiopm.sys --> c:\program files\unknown device identifier\gwiopm.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15232]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\drivers\vtcdrv.sys [2009-11-23 18560]
.
=============== File Associations ===============
.
txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"
.reg=Regedit.Document
.
=============== Created Last 30 ================
.
2011-06-22 07:18:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-18 08:50:57 -------- d-----w- c:\documents and settings\kim hawke\application data\ASCOMP Software
2011-06-18 08:50:36 1242552 ----a-w- c:\windows\system32\NMSDVDXU.dll
2011-06-18 08:50:34 -------- d-----w- c:\program files\ASCOMP Software
2011-06-06 20:44:21 -------- d-----w- C:\Audio Video Play and Edit
2011-06-04 02:37:21 -------- d-----w- c:\documents and settings\kim hawke\local settings\application data\K-Meleon
2011-06-04 02:36:08 -------- d-----w- c:\program files\K-Meleonn
2011-06-03 10:21:54 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-03 10:21:53 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-06-03 10:19:37 -------- d-----w- c:\program files\COMODO
2011-06-03 10:12:15 15888 ----a-w- c:\windows\system32\drivers\EnumProcessesDriver.sys
2011-06-03 10:09:56 -------- d-----w- c:\documents and settings\kim hawke\application data\ComodoGroup
2011-06-03 06:42:07 -------- d-----w- c:\documents and settings\kim hawke\local settings\application data\Chromium
2011-06-03 06:41:54 -------- d-----w- c:\program files\SRWare Iron
2011-06-03 06:22:31 -------- d-----w- c:\documents and settings\kim hawke\application data\K-Meleon
2011-06-03 06:21:50 -------- d-----w- c:\program files\K-Meleon
2011-06-02 21:19:37 -------- d-----w- c:\program files\Empty Program Files Created After xp anti-v attack xx probably unrelated to attack
2011-06-02 11:40:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-31 21:20:24 -------- d-----w- c:\program files\HD Tune
.
==================== Find3M ====================
.
2011-06-22 07:17:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 15:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-26 03:33:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-06 09:30:50 246804 ----a-w- c:\windows\system32\drivers\AtherosBT.bin
2011-01-27 05:38:43 8768200 ----a-w- c:\program files\common files\lpuninstall.exe
.
============= FINISH: 22:50:29.09 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2009 2:43:37 PM
System Uptime: 6/18/2011 1:32:54 PM (273 hours ago)
.
Motherboard: Foxconn | | 661MXPlus
Processor: Intel® Celeron® CPU 2.60GHz | Socket 478 | 2600/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 190 GiB total, 147.537 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
G: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP182: 3/26/2011 8:00:16 AM - Software Distribution Service 3.0
RP183: 3/26/2011 8:19:23 PM - Software Distribution Service 3.0
RP184: 5/27/2011 6:33:16 AM - System Checkpoint
RP185: 5/28/2011 10:04:26 AM - System Checkpoint
RP186: 3/29/2011 5:59:04 AM - System Checkpoint
RP187: 3/30/2011 6:16:23 AM - System Checkpoint
RP188: 3/31/2011 10:04:26 AM - System Checkpoint
RP189: 4/1/2011 10:29:30 AM - System Checkpoint
RP190: 4/2/2011 2:26:20 PM - System Checkpoint
RP191: 4/3/2011 4:25:04 PM - System Checkpoint
RP192: 4/4/2011 6:20:21 PM - System Checkpoint
RP193: 4/5/2011 6:55:53 PM - System Checkpoint
RP194: 4/6/2011 3:30:25 AM - Installed Bluetooth XP Suite.
RP195: 5/7/2011 3:57:03 AM - System Checkpoint
RP196: 5/8/2011 7:46:30 AM - System Checkpoint
RP197: 5/9/2011 10:05:29 AM - System Checkpoint
RP198: 5/10/2011 10:16:54 AM - System Checkpoint
RP199: 5/11/2011 10:31:55 AM - System Checkpoint
RP200: 5/12/2011 12:24:21 PM - System Checkpoint
RP201: 5/13/2011 12:54:54 PM - System Checkpoint
RP202: 4/14/2011 5:39:19 PM - System Checkpoint
RP203: 4/15/2011 8:25:24 PM - System Checkpoint
RP204: 4/16/2011 10:06:45 PM - System Checkpoint
RP205: 4/18/2011 12:24:19 AM - System Checkpoint
RP206: 4/19/2011 2:38:46 PM - System Checkpoint
RP207: 4/20/2011 4:38:20 PM - System Checkpoint
RP208: 4/22/2011 3:50:11 AM - System Checkpoint
RP209: 4/23/2011 6:08:44 AM - System Checkpoint
RP210: 4/23/2011 7:00:17 AM - Software Distribution Service 3.0
RP211: 4/24/2011 7:00:17 AM - Software Distribution Service 3.0
RP212: 4/25/2011 7:00:18 AM - Software Distribution Service 3.0
RP213: 4/26/2011 7:00:17 AM - Software Distribution Service 3.0
RP214: 4/27/2011 7:00:19 AM - Software Distribution Service 3.0
RP215: 4/28/2011 7:00:19 AM - Software Distribution Service 3.0
RP216: 4/29/2011 7:00:23 AM - Software Distribution Service 3.0
RP217: 4/30/2011 7:00:23 AM - Software Distribution Service 3.0
RP218: 5/1/2011 7:00:23 AM - Software Distribution Service 3.0
RP219: 5/2/2011 7:00:23 AM - Software Distribution Service 3.0
RP220: 5/3/2011 7:00:17 AM - Software Distribution Service 3.0
RP221: 5/4/2011 7:00:27 AM - Software Distribution Service 3.0
RP222: 5/5/2011 7:00:20 AM - Software Distribution Service 3.0
RP223: 5/6/2011 7:00:21 AM - Software Distribution Service 3.0
RP224: 5/7/2011 7:00:23 AM - Software Distribution Service 3.0
RP225: 5/8/2011 7:00:23 AM - Software Distribution Service 3.0
RP226: 5/9/2011 7:03:13 AM - Software Distribution Service 3.0
RP227: 5/10/2011 7:00:24 AM - Software Distribution Service 3.0
RP228: 5/11/2011 7:00:22 AM - Software Distribution Service 3.0
RP229: 5/11/2011 6:55:07 PM - Installed Java™ 6 Update 12
RP230: 5/12/2011 7:00:21 AM - Software Distribution Service 3.0
RP231: 5/13/2011 7:00:22 AM - Software Distribution Service 3.0
RP232: 5/14/2011 7:00:22 AM - Software Distribution Service 3.0
RP233: 5/15/2011 7:00:22 AM - Software Distribution Service 3.0
RP234: 5/16/2011 7:00:27 AM - Software Distribution Service 3.0
RP235: 5/17/2011 7:00:23 AM - Software Distribution Service 3.0
RP236: 5/18/2011 7:00:23 AM - Software Distribution Service 3.0
RP237: 5/19/2011 7:00:24 AM - Software Distribution Service 3.0
RP238: 5/20/2011 7:00:23 AM - Software Distribution Service 3.0
RP239: 5/21/2011 7:00:21 AM - Software Distribution Service 3.0
RP240: 5/22/2011 7:00:23 AM - Software Distribution Service 3.0
RP241: 5/23/2011 7:00:22 AM - Software Distribution Service 3.0
RP242: 5/24/2011 8:00:20 AM - Software Distribution Service 3.0
RP243: 5/25/2011 8:00:24 AM - Software Distribution Service 3.0
RP244: 5/26/2011 8:00:27 AM - Software Distribution Service 3.0
RP245: 5/27/2011 8:00:23 AM - Software Distribution Service 3.0
RP246: 5/28/2011 8:00:22 AM - Software Distribution Service 3.0
RP247: 5/29/2011 8:00:21 AM - Software Distribution Service 3.0
RP248: 5/30/2011 8:00:22 AM - Software Distribution Service 3.0
RP249: 5/31/2011 8:00:28 AM - Software Distribution Service 3.0
RP250: 6/1/2011 8:00:25 AM - Software Distribution Service 3.0
RP251: 6/1/2011 11:47:00 PM - Removed Final Draft
RP252: 6/2/2011 12:02:07 AM - Installed Java™ 6 Update 25
RP253: 6/2/2011 12:12:53 AM - Removed Java™ 6 Update 12
RP254: 6/2/2011 12:33:40 AM - Removed QuickTime
RP255: 6/3/2011 1:12:56 AM - Installed Safari
RP256: 6/5/2011 12:06:31 PM - System Checkpoint
RP257: 6/7/2011 12:43:38 AM - System Checkpoint
RP258: 6/7/2011 3:29:48 PM - Removed RocketFM
RP259: 6/7/2011 4:07:29 PM - Revo Uninstaller's restore point - Adobe Reader 9.3.2
RP260: 6/7/2011 4:21:27 PM - Removed Windows Live ID Sign-in Assistant
RP261: 6/7/2011 9:15:08 PM - before looking for redirect virus in sys32 drivers hosts
RP262: 6/9/2011 12:17:55 AM - System Checkpoint
RP263: 6/10/2011 8:04:23 AM - System Checkpoint
RP264: 6/11/2011 8:54:50 AM - System Checkpoint
RP265: 6/12/2011 1:36:06 PM - System Checkpoint
RP266: 6/13/2011 4:54:53 PM - System Checkpoint
RP267: 6/14/2011 8:54:57 PM - System Checkpoint
RP268: 6/15/2011 9:13:13 PM - System Checkpoint
RP269: 6/17/2011 12:54:55 AM - System Checkpoint
RP270: 6/18/2011 1:27:05 AM - System Checkpoint
RP271: 6/19/2011 3:11:32 AM - System Checkpoint
RP272: 6/20/2011 6:39:50 AM - System Checkpoint
RP273: 6/21/2011 6:40:57 AM - System Checkpoint
RP274: 6/22/2011 1:15:49 AM - Removed Java™ 6 Update 24
RP275: 6/22/2011 1:16:41 AM - Installed Java™ 6 Update 26
RP276: 6/23/2011 1:39:54 AM - System Checkpoint
.
==== Hosts File Hijack ======================
.
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com
Hosts: 74.125.45.100 www.secure-plus-payments.com
Hosts: 74.125.45.100 www.getavplusnow.com
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure.paysecuresystem.com
Hosts: 74.125.45.100 paysoftbillsolution.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 209.212.147.219 www.google.com
Hosts: 209.212.147.219 google.com
Hosts: 209.212.147.219 google.com.au
Hosts: 209.212.147.219 www.google.com.au
Hosts: 209.212.147.219 google.be
Hosts: 209.212.147.219 www.google.be
Hosts: 209.212.147.219 google.com.br
Hosts: 209.212.147.219 www.google.com.br
Hosts: 209.212.147.219 google.ca
Hosts: 209.212.147.219 www.google.ca
Hosts: 209.212.147.219 google.ch
Hosts: 209.212.147.219 www.google.ch
Hosts: 209.212.147.219 google.de
Hosts: 209.212.147.219 www.google.de
Hosts: 209.212.147.219 google.dk
Hosts: 209.212.147.219 www.google.dk
Hosts: 209.212.147.219 google.fr
Hosts: 209.212.147.219 www.google.fr
Hosts: 209.212.147.219 google.ie
Hosts: 209.212.147.219 www.google.ie
Hosts: 209.212.147.219 google.it
Hosts: 209.212.147.219 www.google.it
Hosts: 209.212.147.219 google.co.jp
Hosts: 209.212.147.219 www.google.co.jp
Hosts: 209.212.147.219 google.nl
Hosts: 209.212.147.219 www.google.nl
Hosts: 209.212.147.219 google.no
Hosts: 209.212.147.219 www.google.no
Hosts: 209.212.147.219 google.co.nz
Hosts: 209.212.147.219 www.google.co.nz
Hosts: 209.212.147.219 google.pl
Hosts: 209.212.147.219 www.google.pl
Hosts: 209.212.147.219 google.se
Hosts: 209.212.147.219 www.google.se
Hosts: 209.212.147.219 google.co.uk
Hosts: 209.212.147.219 www.google.co.uk
Hosts: 209.212.147.219 google.co.za
Hosts: 209.212.147.219 www.google.co.za
Hosts: 209.212.147.219 www.google-analytics.com
Hosts: 209.212.147.219 www.bing.com
Hosts: 209.212.147.219 search.yahoo.com
Hosts: 209.212.147.219 www.search.yahoo.com
Hosts: 209.212.147.219 uk.search.yahoo.com
Hosts: 209.212.147.219 ca.search.yahoo.com
Hosts: 209.212.147.219 de.search.yahoo.com
Hosts: 209.212.147.219 fr.search.yahoo.com
Hosts: 209.212.147.219 au.search.yahoo.com
.
==== Installed Programs ======================
.
Sansa Media Converter
µTorrent
7-Zip 4.65
a-squared Free 4.0
AbiWord 2.8.1
Absolute Uninstaller 2.8.0.636
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Any Audio Converter 1.1.0
Any Video Converter 3.0.3
Apple Application Support
Apple Software Update
Audacity 1.2.6
Auslogics Disk Defrag
Avi to Mpeg 3.2
Avira AntiVir Personal - Free Antivirus
BackUp Maker v6.2
Battery-Resistor Circuit
Belarc Advisor 8.1
Bluetooth XP Suite
CamStudio
CCleaner
CDBurnerXP
Circuit Construction Kit (AC+DC), Virtual Lab
ClamWin Free Antivirus 0.96.2.1
CleanMem
Combined Community Codec Pack 2009-09-09
COMODO livePCsupport
Conexant SoftK56 Modem(M)
Creative MediaSource 5
Creative Software AutoUpdate
Creative System Information
Dropbox
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 8.0.9.2 (12/05/2011) Qt
Empty Temp Folders 2.8.3
EULAlyzer 2.0
Evernote
Exact Audio Copy 0.99pb5
FastStone Photo Resizer 2.8
Free Audio Converter version 1.1
Free DVD Decrypter version 1.3
Free Hide Folder
Free Video Converter V 2.5
Free YouTube Download 2.2
Free YouTube Downloader 3.1.75
Free YouTube to Mp3 Converter version 3.1
FreshIP 1.0
G4FON Koch Method Morse Trainer
Gantt Designer
Google Desktop
HandBrake 0.9.5
HD Tune 2.55
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
IcoFX 1.6.4
IpSharkk 2.5
IrfanView (remove only)
iWisoft Free Video Converter 1.2
IZArc 3.81
Java Auto Updater
Java™ 6 Update 26
K-Lite Codec Pack 4.1.6 (Standard)
K-Meleon 1.6.0 en-US (remove only)
LastPass (uninstall only)
Launchy 2.5
LightBox Free Image Editor
Macrium Reflect - Free Edition
Malwarebytes' Anti-Malware version 1.51.0.1200
Maxthon Browser (remove only)
Media Converter for Philips
Media Player Classic - Home Cinema v. 1.3.1249.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Midisport 1x1 1.0.1.0
MiniTool Power Data Recovery
Moffsoft FreeCalc
Mozilla Thunderbird (3.1.11)
MPEG2 Codec(libmpeg2/mad)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyDefrag v4.2.0.Beta
Panda USB Vaccine 1.0.1.4
PDF-Viewer
QuickTime Alternative 3.1.0
RadioSim 8.01
Real Alternative 2.0.2
Realtek AC'97 Audio
Recuva
Retail Virtual EVE
Revo Uninstaller 1.89
Safari
Sandboxie 3.48
ScanSoft PaperPort 11
Secunia PSI (2.0.0.3001)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SimpleOCR 3.1
SiS VGA Utilities
Skype Toolbars
Skype™ 5.1
Smart Defrag
Sound Blaster Play!
Spybot - Search & Destroy
SRWare Iron 11.0.700.3
Sunbelt Personal Firewall
SUPERAntiSpyware Free Edition
System Scheduler 3.82
trakAxPC
Uniblue DriverScanner 2009
Uninstall 1.0.0.1
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
.
==== End Of File ===========================


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-29 23:23:09
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6L200P0 rev.BAJ41G20
Running: gmer.exe; Driver: C:\DOCUME~1\KIMHAW~1\LOCALS~1\Temp\kfadakod.sys


---- System - GMER 1.0.15 ----

Code F7A58C9C ZwRequestPort
Code F7A58D3C ZwRequestWaitReplyPort
Code F7A58BFC ZwTraceEvent
Code F7A58C9B NtRequestPort
Code F7A58D3B NtRequestWaitReplyPort
Code F7A58BFB NtTraceEvent

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

---- EOF - GMER 1.0.15 ----


I hope this was done right.

Again,

Thank you km2357 for your support
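The "Hosts File Hijack" block in the DDS log above is the textbook pattern of this rogue-AV family: dozens of search-engine hostnames pinned to one routable address, plus vendor reputation endpoints (safebrowsing-cache.google.com, urs.microsoft.com) and the rogue's own payment domains pinned to another. The following Python script is an added example written for this page; it is not part of the thread, DDS or any tool named in it. It parses a Windows hosts file, grades each mapping, and reports routable addresses that many names share. The watchlist of search/vendor name patterns, the cluster threshold of three and the sample hosts text (built from a subset of the DDS entries plus a constructed LAN line) are the editor's assumptions.

```python
"""Flag hosts-file hijacks of the kind DDS reported above.

Rogue antivirus families rewrite %SystemRoot%\\System32\\drivers\\etc\\hosts
so that search engines resolve to a redirect server and vendor
reputation/update endpoints resolve somewhere harmless to the malware.
A clean hosts file almost only maps names to loopback (or 0.0.0.0 for
ad blocking), so every name pinned to a routable address deserves a
look, and many names pinned to one routable address is the signature.
"""
import ipaddress
import re
from collections import defaultdict

# Hostname patterns a hijacker commonly pins to a routable address:
# search engines (to redirect queries) and vendor reputation/update
# endpoints (to blind defenses). This list is the editor's assumption,
# not something taken from the thread.
WATCHLIST = tuple(re.compile(p, re.IGNORECASE) for p in (
    r"(^|\.)google\.[a-z]{2,3}(\.[a-z]{2})?$",  # google.com, google.co.uk, ...
    r"(^|\.)google-analytics\.com$",
    r"(^|\.)bing\.com$",
    r"(^|\.)search\.yahoo\.com$",
    r"(^|\.)microsoft\.com$",                    # covers urs.microsoft.com
    r"(^|\.)windowsupdate\.com$",
))

# Constructed sample: a few default lines plus a subset of the entries
# the DDS log above lists under "Hosts File Hijack".
SAMPLE_HOSTS = """\
# hosts file constructed for this example
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.home            # constructed LAN override
74.125.45.100   getantivirusplusnow.com
74.125.45.100   securitysoftwarepayments.com
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
209.212.147.219 www.google.com
209.212.147.219 google.com
209.212.147.219 www.google.co.uk
209.212.147.219 www.bing.com
209.212.147.219 search.yahoo.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip the line
        for host in fields[1:]:
            entries.append((str(ip), host.lower().rstrip(".")))
    return entries


def classify(ip, host):
    """Grade one mapping: ok, local, suspicious or hijack."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "ok"          # localhost, or ad-blocker style sinkholing
    if addr.is_private or addr.is_link_local:
        return "local"       # plausible LAN override; low priority
    if any(p.search(host) for p in WATCHLIST):
        return "hijack"      # search/vendor name pinned to a routable IP
    return "suspicious"      # any other name pinned to a routable IP


def analyze_hosts(text, cluster_threshold=3):
    """Return non-ok findings plus routable IPs that many names share."""
    findings = []
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        verdict = classify(ip, host)
        if verdict == "ok":
            continue
        findings.append({"ip": ip, "host": host, "verdict": verdict})
        if verdict != "local":
            by_ip[ip].append(host)
    clusters = {ip: hosts for ip, hosts in by_ip.items()
                if len(hosts) >= cluster_threshold}
    return {"findings": findings, "clusters": clusters}


if __name__ == "__main__":
    import sys
    # Pass the real file as argv[1] on the suspect machine, e.g.
    # C:\Windows\System32\drivers\etc\hosts; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = analyze_hosts(text)
    for f in report["findings"]:
        print(f"{f['verdict']:<10} {f['ip']:<16} {f['host']}")
    for ip, hosts in report["clusters"].items():
        print(f"cluster: {len(hosts)} names -> {ip}")
```

Run it on the suspect machine's hosts file (copy the file off first if the machine is still blocking tools, as the original poster had to do with rkill). Loopback and 0.0.0.0 entries are ignored on purpose, since ad-blocking hosts lists are legitimate and noisy; the "local" grade keeps LAN overrides visible without drowning the two cluster lines that matter here.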

#4 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 30 June 2011 - 01:36 PM

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



Remove one of your Anti Virus programs.

You are operating your computer with multiple Anti Virus programs running in memory at once:

ClamWin Free Antivirus 0.96.2.1

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please uninstall ClamWin from your computer.


You also have 5 anti-malware/anti-spyware programs on your computer. You only really need a minimum of two anti-malware programs running on your computer at one time.

Here is my suggestion concerning these programs. :)

Go ahead and uninstall the following programs:

a-squared Free 4.0

Ad-Aware



I would keep MalwareBytes' Anti-Malware installed and its your choice on which of the other two programs to keep. Either keep Spybot - Search & Destroy or SUPERAntiSpyware Free Edition to go along with MalwareBytes'.




Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.

MalWare Removal University Master

Member of ASAP


#5 Cornetto
  • Topic Starter
  • Members
  • 26 posts

Posted 30 June 2011 - 09:34 PM

Oops!
I have incurred a minor setback.

I uninstalled the following programs in the order given below:

µTorrent

ClamWin

a-squared Free 4.0

Ad-Aware

Spybot - Search & Destroy





I then rebooted the computer.
Results:

Many Programs have disappeared including ComboFix. They do not appear in a search nor in their respective program file. All Shortcuts are intact but programs such as: all browsers, media players, and word processors are gone.

In addition System Restore won't work either.

The firewall seems to be ok.


I have taken no further steps to recover files nor install or remove anything.

That's about it.

#6 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 01 July 2011 - 01:35 PM

That's strange. <_< :blink:

If you haven't already try rebooting the computer again and see if everything comes back.


All Shortcuts are intact but programs such as: all browsers, media players, and word processors are gone.


When you click on these shortcuts and try to open your browser, media player, etc., what error message(s), if any show up?


If resetting your computer doesn't fix the problem, try this:

Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Last Known Good Configuration, then hit enter.



#7 Cornetto
  • Topic Starter
  • Members
  • 26 posts

Posted 02 July 2011 - 01:55 AM

.
We have a BINGO! :thumbsup:

When you click on these shortcuts and try to open your browser, media player, etc., what error message(s), if any show up?

When I click on the shortcuts I get the "Choose the program you want to open this file" menu.

Otherwise the "Application not found" message pops up.

I didn't see the "Last Known Good Configuration" but it started in Safe Mode and I used a restore point at June 5, 2011.

The system seems as it was a few days ago, i.e. the programs that didn't run yesterday now work.


Shall I run Combofix now or should I do the DDS scan again?

#8 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 02 July 2011 - 12:19 PM

Shall I run Combofix now or should I do the DDS scan again?


Go ahead and download the latest version of ComboFix (using the link I posted earlier) and run it. We can uninstall any programs that came back when you did the System Restore at a later time. :)



#9 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 05 July 2011 - 01:39 PM

Cornetto? How are things coming along?



#10 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 08 July 2011 - 01:39 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



#11 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 13 July 2011 - 01:19 PM

Thread reopened due to OP's request.


The ComboFix Log you posted was incomplete.

Let's try another run with the latest version of ComboFix and see if we can get a complete log. :)


First delete ComboFix.exe off of your computer and then download the latest version of ComboFix from the link below:


http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Run ComboFix and post the log in your next post/reply.



#12 km2357
  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 14 July 2011 - 01:14 AM

OP's ComboFix Log:

ComboFix 11-07-13.04 - Kim Hawke 07/13/2011 22:06:35.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1462 [GMT -6:00]
Running from: c:\documents and settings\Kim Hawke\Desktop\deltaComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *Enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-02 06:03 . 2011-07-02 06:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\LTC
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\WinHTTrack
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\MuseScore 0.9
2011-07-02 05:57 . 2011-07-02 05:57 -------- d-----w- c:\program files\JGsoft
2011-07-02 05:56 . 2011-07-02 05:56 -------- d-----w- c:\program files\Common Files\Java
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\program files\uTorrent
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\documents and settings\Kim Hawke\Application Data\.clamwin
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-07-02 05:54 . 2011-07-02 05:54 -------- d-----w- c:\program files\Lavasoft
2011-07-02 05:54 . 2011-07-02 05:55 -------- d-----w- c:\program files\ClamWin
2011-07-02 05:54 . 2011-07-02 05:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2011-06-18 08:50 . 2011-06-18 08:50 -------- d-----w- c:\documents and settings\Kim Hawke\Application Data\ASCOMP Software
2011-06-18 08:50 . 2011-06-18 08:50 -------- d-----w- c:\program files\ASCOMP Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 10:21 . 2011-06-03 10:21 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-03 10:21 . 2011-06-03 10:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-29 15:11 . 2009-04-03 08:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11 . 2009-04-03 08:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-26 03:33 . 2011-05-26 03:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-01-27 05:38 . 2011-01-27 05:38 8768200 ----a-w- c:\program files\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
"IpSharkk"="c:\program files\IpSharkk\IpSharkk.exe" [2009-04-03 1441792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-06-25 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"WScheduler"="c:\progra~1\SYSTEM~1\WScheduler.exe" [2007-05-17 99328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-20 86016]
"CTSysVol"="c:\program files\Creative\Sound Blaster Play\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-26 30192]
"AtherosBtXpStack"="c:\program files\ASUS Bluetooth XP Suite\BluetoothSuit.exe" [2009-10-27 1642496]
"COMODO"="c:\program files\COMODO\COMODO livePCsupport\CLPSLA.exe" [2011-05-26 208192]
"CPA"="c:\program files\COMODO\COMODO livePCsupport\VALA.exe" [2011-05-26 182592]
.
c:\documents and settings\Alex\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-1-26 8768200]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-1-26 8768200]
.
c:\documents and settings\Kim Hawke\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
PandaUSBVaccine.lnk - c:\program files\Panda USB Vaccine\USBVaccine.exe [2011-5-9 1287176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2011-1-9 380928]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kim Hawke\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\IpSharkk\\IpSharkk.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 a2free;a-squared Free Service;g:\a-squared free\a2service.exe [x]
R2 AntiVirUpgradeService;Avira Upgrade Service;c:\docume~1\KIMHAW~1\LOCALS~1\Temp\AVSETUP_4b0b7d6c\basic\avupgsvc.exe [x]
R3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys [2009-07-25 38272]
R3 BTATHPROT;General Bluetooth Filter;c:\windows\system32\DRIVERS\btathprot.sys [2009-10-09 604544]
R3 BTATHUSB;General Bluetooth Device;c:\windows\system32\DRIVERS\btathusb.sys [2009-10-09 64640]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-12-26 30192]
R3 gwiopm;gwiopm;c:\program files\Unknown Device Identifier\gwiopm.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-31 2151128]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-07-08 31712]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [x]
R3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\Drivers\vtcdrv.sys [2009-06-12 18560]
S0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [2009-12-07 15888]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [2007-10-04 9728]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-10-31 270888]
S1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2011-05-26 154432]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2009-06-07 61440]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium backup imager\ReflectService.exe [2008-08-06 216032]
S2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\Ad-Aware Scan (Last Thing).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-04-23 c:\windows\Tasks\Ad-Aware Scan (New Virgin of Ad Unaware).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-07-13 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job
- c:\program files\All Security and Other Utilities\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-03-23 19:21]
.
2011-07-13 c:\windows\Tasks\COMODO Cloud Scanner Update.job
- c:\documents and settings\Kim Hawke\Desktop\CCS_SETUP_1.0.135930.9_xp_vista_server2003_win7_32bit\UpdateApplications.exe [2011-06-03 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
HKLM-Run-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
AddRemove-a-squared Free_is1 - c:\program files\a-squared Free\unins000.exe
AddRemove-Absolute Uninstaller_is1 - c:\program files\Absolute Uninstaller\unins000.exe
AddRemove-Any Audio Converter_is1 - c:\program files\Any Audio Converter\unins000.exe
AddRemove-Any Video Converter_is1 - c:\program files\Any Video Converter\unins000.exe
AddRemove-Audacity_is1 - c:\program files\Audacity\unins000.exe
AddRemove-CamStudio - c:\program files\CamStudio\uninstall.exe
AddRemove-DVD Decrypter - c:\program files\DVD Decrypter\uninstall.exe
AddRemove-DVD Shrink_is1 - c:\program files\DVD Shrink\unins000.exe
AddRemove-Exact Audio Copy - c:\program files\Exact Audio Copy\uninst.exe
AddRemove-FastStone Photo Resizer - c:\program files\FastStone Photo Resizer\uninst.exe
AddRemove-Free Audio Converter_is1 - c:\program files\DVDVideoSoft\Free Audio Converter\unins000.exe
AddRemove-Free DVD Decrypter_is1 - c:\program files\DVDVideoSoft\Free DVD Decrypter\unins000.exe
AddRemove-Free Video Converter_is1 - c:\program files\Free Video Converter\unins000.exe
AddRemove-Free YouTube Download_is1 - c:\program files\DVDVideoSoft\Free YouTube Download\unins000.exe
AddRemove-Free YouTube to Mp3 Converter_is1 - c:\program files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe
AddRemove-LightBox Free Image Editor - c:\program files\19th Parallel\LightBox\UninstallFree.exe
AddRemove-MiniTool Power Data Recovery_is1 - i:\powerdatarecovery\unins000.exe
AddRemove-MyDefrag v4.2.0.Beta_is1 - c:\program files\MyDefrag v4.2.0.Beta\unins000.exe
AddRemove-RealAlt_is1 - c:\program files\Real Alternative\unins000.exe
AddRemove-Smart Defrag_is1 - c:\program files\IObit\IObit SmartDefrag\unins000.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1 - c:\program files\MPC HomeCinema\unins000.exe
AddRemove-{7E265513-8CDA-4631-B696-F40D983F3B07}_is1 - c:\program files\CDBurnerXP\unins000.exe
AddRemove-{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1 - c:\program files\Auslogics\Auslogics Disk Defrag\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2544)
c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-13 22:24:46
ComboFix-quarantined-files.txt 2011-07-14 04:24
ComboFix2.txt 2010-05-06 21:58
.
Pre-Run: 158,231,908,352 bytes free
Post-Run: 158,214,492,160 bytes free
.
- - End Of File - -



Also
I can now enable the automatic updates. This has not been possible, even manually, since the first attack.

Thanks
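A helper reads the ComboFix log above by looking at where each service, driver and Run-key entry loads from: a binary that is missing on disk (shown as "[x]"), one that runs from Temp, the Desktop or Application Data, one that sits on a non-system drive, or a bare filename such as SOUNDMAN.EXE that Windows resolves through the PATH search order. As an added example, not part of this thread or of ComboFix itself, the Python script below parses lines in that format and prints the entries that merit a second look; it also reads the "EnableFirewall" value from the firewall policy section. The sample lines are constructed from entries in the log above, and the list of user-writable directories and the assumption that C: is the system drive are mine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ComboFix service/driver line: "<S|R><digit> <name>;<display name>;<path> [<date> <size>]",
# where "[x]" in place of the date/size means the file was not found on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[SR]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)
# Run-key line: "Name"="path" [<date> <size>]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<stamp>[^\]]*)\]$')

# Assumptions for this example, not ComboFix's own rules: C: is the system drive and
# these directory fragments mark locations an ordinary user account can write to.
SYSTEM_DRIVE = "c:\\"
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def triage_entry(name: str, path: str, stamp: str) -> Optional[Finding]:
    """Return a Finding when an autostart entry deserves a second look, else None."""
    reasons = []
    if stamp.strip() == "x":
        reasons.append("binary missing on disk")
    if "\\" not in path:
        # A bare filename is resolved through the PATH search order at start-up.
        reasons.append("bare filename resolved through PATH search order")
    else:
        lower = path.lower()
        if any(frag in lower for frag in USER_WRITABLE):
            reasons.append("runs from a user-writable location")
        if not lower.startswith(SYSTEM_DRIVE) and not lower.startswith("%"):
            reasons.append("runs from a non-system drive")
    return Finding(name, path, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Scan service, driver and Run-key lines in ComboFix format; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line) or RUN_RE.match(line)
        if not m:
            continue
        f = triage_entry(m.group("name"), m.group("path"), m.group("stamp"))
        if f:
            findings.append(f)
    return findings


def windows_firewall_disabled(text: str) -> bool:
    """True when the log's firewall policy section shows EnableFirewall = 0."""
    m = re.search(r'"EnableFirewall"=\s*(\d+)', text)
    return m is not None and m.group(1) == "0"


# Constructed sample in ComboFix format, built from entries in the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"WScheduler"="c:\progra~1\SYSTEM~1\WScheduler.exe" [2007-05-17 99328]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
R2 a2free;a-squared Free Service;g:\a-squared free\a2service.exe [x]
R2 AntiVirUpgradeService;Avira Upgrade Service;c:\docume~1\KIMHAW~1\LOCALS~1\Temp\AVSETUP_4b0b7d6c\basic\avupgsvc.exe [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-31 2151128]
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.name}: {f.path}\n    " + "; ".join(f.reasons))
    print("Windows Firewall disabled:", windows_firewall_disabled(SAMPLE_LOG))
```

A flagged entry is not a verdict: the Avira upgrade service in Temp and the SUPERAntiSpyware drivers with "[x]" above are leftovers of installs and uninstalls, which is exactly why ComboFix lists them under orphans. The script only narrows the list a human has to read; a known-good-path check or a hash lookup would be the next layer.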


=======================================================



Step # 1 Run CCleaner

CCleaner will remove everything from the temp/temporary folders, but please note that it will not make backups!

  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 24 hours
  • Then select the items you wish to clean up.
  • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
  • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO



Step # 2 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
      • Click on the Malwarebytes' Anti-Malware icon to launch the program.
      • Click on the Logs tab.
      • Click on the log at the bottom of those listed to highlight it.
      • Click Open.



In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh DDS Log

MalWare Removal University Master

Member of ASAP


#13 Cornetto (Topic Starter)

Posted 15 July 2011 - 02:20 AM

ComboFix 11-07-13.04 - Kim Hawke 07/13/2011 22:06:35.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1462 [GMT -6:00]
Running from: c:\documents and settings\Kim Hawke\Desktop\deltaComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *Enabled* {82B1150E-9B37-49FC-83EB-D52197D900D0}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-02 06:03 . 2011-07-02 06:03 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\LTC
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\WinHTTrack
2011-07-02 06:00 . 2011-07-02 06:00 -------- d-----w- c:\program files\MuseScore 0.9
2011-07-02 05:57 . 2011-07-02 05:57 -------- d-----w- c:\program files\JGsoft
2011-07-02 05:56 . 2011-07-02 05:56 -------- d-----w- c:\program files\Common Files\Java
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\program files\uTorrent
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\documents and settings\Kim Hawke\Application Data\.clamwin
2011-07-02 05:55 . 2011-07-02 05:55 -------- d-----w- c:\documents and settings\All Users\.clamwin
2011-07-02 05:54 . 2011-07-02 05:54 -------- d-----w- c:\program files\Lavasoft
2011-07-02 05:54 . 2011-07-02 05:55 -------- d-----w- c:\program files\ClamWin
2011-07-02 05:54 . 2011-07-02 05:54 -------- d--h--w- c:\documents and settings\All Users\Application Data\{65893B95-F47B-4483-B883-86BA181E9B54}
2011-06-18 08:50 . 2011-06-18 08:50 -------- d-----w- c:\documents and settings\Kim Hawke\Application Data\ASCOMP Software
2011-06-18 08:50 . 2011-06-18 08:50 -------- d-----w- c:\program files\ASCOMP Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-03 10:21 . 2011-06-03 10:21 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-03 10:21 . 2011-06-03 10:21 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-29 15:11 . 2009-04-03 08:18 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11 . 2009-04-03 08:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-26 03:33 . 2011-05-26 03:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-01-27 05:38 . 2011-01-27 05:38 8768200 ----a-w- c:\program files\Common Files\lpuninstall.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-08-09 389352]
"IpSharkk"="c:\program files\IpSharkk\IpSharkk.exe" [2009-04-03 1441792]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-06-25 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"WScheduler"="c:\progra~1\SYSTEM~1\WScheduler.exe" [2007-05-17 99328]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2010-08-20 86016]
"CTSysVol"="c:\program files\Creative\Sound Blaster Play\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-12-26 30192]
"AtherosBtXpStack"="c:\program files\ASUS Bluetooth XP Suite\BluetoothSuit.exe" [2009-10-27 1642496]
"COMODO"="c:\program files\COMODO\COMODO livePCsupport\CLPSLA.exe" [2011-05-26 208192]
"CPA"="c:\program files\COMODO\COMODO livePCsupport\VALA.exe" [2011-05-26 182592]
.
c:\documents and settings\Alex\Start Menu\Programs\Startup\
Install LastPass FF RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-1-26 8768200]
Install LastPass IE RunOnce.lnk - c:\program files\Common Files\lpuninstall.exe [2011-1-26 8768200]
.
c:\documents and settings\Kim Hawke\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
PandaUSBVaccine.lnk - c:\program files\Panda USB Vaccine\USBVaccine.exe [2011-5-9 1287176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2011-1-9 380928]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kim Hawke\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\IpSharkk\\IpSharkk.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 a2free;a-squared Free Service;g:\a-squared free\a2service.exe [x]
R2 AntiVirUpgradeService;Avira Upgrade Service;c:\docume~1\KIMHAW~1\LOCALS~1\Temp\AVSETUP_4b0b7d6c\basic\avupgsvc.exe [x]
R3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys [2009-07-25 38272]
R3 BTATHPROT;General Bluetooth Filter;c:\windows\system32\DRIVERS\btathprot.sys [2009-10-09 604544]
R3 BTATHUSB;General Bluetooth Device;c:\windows\system32\DRIVERS\btathusb.sys [2009-10-09 64640]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-12-26 30192]
R3 gwiopm;gwiopm;c:\program files\Unknown Device Identifier\gwiopm.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-31 2151128]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-02-04 15232]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-07-08 31712]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [x]
R3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\Drivers\vtcdrv.sys [2009-06-12 18560]
S0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [2009-12-07 15888]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [2008-05-20 15328]
S1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [2007-10-04 9728]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2008-10-31 270888]
S1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-06-21 66600]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 CLPSLS;COMODO livePCsupport Service;c:\program files\COMODO\COMODO livePCsupport\CLPSLS.exe [2011-05-26 154432]
S2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2009-06-07 61440]
S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium backup imager\ReflectService.exe [2008-08-06 216032]
S2 SbPF.Launcher;SbPF.Launcher;c:\program files\Sunbelt Software\Personal Firewall\SbPFLnch.exe [2008-10-31 95528]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
S2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\SbPFSvc.exe [2008-10-31 1365288]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\sbfwim.sys [2008-06-21 65576]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-23 c:\windows\Tasks\Ad-Aware Scan (Last Thing).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-04-23 c:\windows\Tasks\Ad-Aware Scan (New Virgin of Ad Unaware).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-06 03:45]
.
2011-07-13 c:\windows\Tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job
- c:\program files\All Security and Other Utilities\Auslogics\Auslogics Disk Defrag\cdefrag.exe [2010-03-23 19:21]
.
2011-07-13 c:\windows\Tasks\COMODO Cloud Scanner Update.job
- c:\documents and settings\Kim Hawke\Desktop\CCS_SETUP_1.0.135930.9_xp_vista_server2003_win7_32bit\UpdateApplications.exe [2011-06-03 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.reg=Regedit.Document
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
HKLM-Run-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
HKLM-Run-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
AddRemove-a-squared Free_is1 - c:\program files\a-squared Free\unins000.exe
AddRemove-Absolute Uninstaller_is1 - c:\program files\Absolute Uninstaller\unins000.exe
AddRemove-Any Audio Converter_is1 - c:\program files\Any Audio Converter\unins000.exe
AddRemove-Any Video Converter_is1 - c:\program files\Any Video Converter\unins000.exe
AddRemove-Audacity_is1 - c:\program files\Audacity\unins000.exe
AddRemove-CamStudio - c:\program files\CamStudio\uninstall.exe
AddRemove-DVD Decrypter - c:\program files\DVD Decrypter\uninstall.exe
AddRemove-DVD Shrink_is1 - c:\program files\DVD Shrink\unins000.exe
AddRemove-Exact Audio Copy - c:\program files\Exact Audio Copy\uninst.exe
AddRemove-FastStone Photo Resizer - c:\program files\FastStone Photo Resizer\uninst.exe
AddRemove-Free Audio Converter_is1 - c:\program files\DVDVideoSoft\Free Audio Converter\unins000.exe
AddRemove-Free DVD Decrypter_is1 - c:\program files\DVDVideoSoft\Free DVD Decrypter\unins000.exe
AddRemove-Free Video Converter_is1 - c:\program files\Free Video Converter\unins000.exe
AddRemove-Free YouTube Download_is1 - c:\program files\DVDVideoSoft\Free YouTube Download\unins000.exe
AddRemove-Free YouTube to Mp3 Converter_is1 - c:\program files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe
AddRemove-LightBox Free Image Editor - c:\program files\19th Parallel\LightBox\UninstallFree.exe
AddRemove-MiniTool Power Data Recovery_is1 - i:\powerdatarecovery\unins000.exe
AddRemove-MyDefrag v4.2.0.Beta_is1 - c:\program files\MyDefrag v4.2.0.Beta\unins000.exe
AddRemove-RealAlt_is1 - c:\program files\Real Alternative\unins000.exe
AddRemove-Smart Defrag_is1 - c:\program files\IObit\IObit SmartDefrag\unins000.exe
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1 - c:\program files\MPC HomeCinema\unins000.exe
AddRemove-{7E265513-8CDA-4631-B696-F40D983F3B07}_is1 - c:\program files\CDBurnerXP\unins000.exe
AddRemove-{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1 - c:\program files\Auslogics\Auslogics Disk Defrag\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 22:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2544)
c:\documents and settings\Kim Hawke\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-13 22:24:46
ComboFix-quarantined-files.txt 2011-07-14 04:24
ComboFix2.txt 2010-05-06 21:58
.
Pre-Run: 158,231,908,352 bytes free
Post-Run: 158,214,492,160 bytes free
.
- - End Of File - - E54B14A6ED38619341C04F9098BB42EA







DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by Kim Hawke at 23:57:18 on 2011-07-14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2015.1245 [GMT -6:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sunbelt Personal Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYSTEM~1\WScheduler.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Creative\Sound Blaster Play\Surround Mixer\CTSysVol.exe
C:\Program Files\ASUS Bluetooth XP Suite\BluetoothSuit.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\IpSharkk\IpSharkk.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPS.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Documents and Settings\Kim Hawke\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\NlsSrv32.exe
C:\Program Files\Macrium backup imager\ReflectService.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IEPlugin Class: {11222041-111B-46E3-BD29-EFB2449479B1} -
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [IpSharkk] "c:\program files\ipsharkk\IpSharkk.exe" /auto
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [WScheduler] c:\progra~1\system~1\WScheduler.exe /LOGON
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min/nosplash
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [CTSysVol] c:\program files\creative\sound blaster play\surround mixer\CTSysVol.exe /r
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [AtherosBtXpStack] c:\program files\asus bluetooth xp suite\BluetoothSuit.exe
mRun: [COMODO] c:\program files\comodo\comodo livepcsupport\CLPSLA.exe
mRun: [CPA] c:\program files\comodo\comodo livepcsupport\VALA.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-6A4L1.exe" /REG /REGSVRMODE
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\kim hawke\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\kimhaw~1\startm~1\programs\startup\pandau~1.lnk - c:\program files\panda usb vaccine\USBVaccine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: LastPass - c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - c:\program files\lastpass\context.html?cmd=fillforms
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235694667031
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 172.16.1.254
TCP: Interfaces\{A528EC12-8AA2-4ED2-81EB-FF950F24F462} : DHCPNameServer = 172.16.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
R0 EnumProcessesDriver;EnumProcessesDriver;c:\windows\system32\drivers\EnumProcessesDriver.sys [2011-6-3 15888]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 anf0100.sys;anf0100.sys;c:\windows\system32\drivers\anf0100.sys [2011-3-25 9728]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-11 11608]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2009-3-2 270888]
R1 sbhips;Sunbelt HIPS Driver;c:\windows\system32\drivers\sbhips.sys [2008-6-21 66600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-11 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-11 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-24 56816]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2011-5-25 154432]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\NlsSrv32.exe [2010-4-7 61440]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium backup imager\ReflectService.exe [2008-8-6 216032]
R2 SbPF.Launcher;SbPF.Launcher;c:\program files\sunbelt software\personal firewall\SbPFLnch.exe [2008-10-31 95528]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\SbPFSvc.exe [2008-10-31 1365288]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2009-3-2 65576]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 a2free;a-squared Free Service;"g:\a-squared free\a2service.exe" --> g:\a-squared free\a2service.exe [?]
S2 AntiVirUpgradeService;Avira Upgrade Service;"c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe" /tempstart:""c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\setup.exe" /notempcleanup /crossupgrade" --> c:\docume~1\kimhaw~1\locals~1\temp\avsetup_4b0b7d6c\basic\avupgsvc.exe [?]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
S3 AthDfu;Atheros Valkyrie USB BootROM;c:\windows\system32\drivers\AthDfu.sys [2011-4-6 38272]
S3 BTATHPROT;General Bluetooth Filter;c:\windows\system32\drivers\btathprot.sys [2011-4-6 604544]
S3 BTATHUSB;General Bluetooth Device;c:\windows\system32\drivers\btathusb.sys [2011-4-6 64640]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-12-26 30192]
S3 gwiopm;gwiopm;\??\c:\program files\unknown device identifier\gwiopm.sys --> c:\program files\unknown device identifier\gwiopm.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 2151128]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-13 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-14 41272]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2008-7-8 31712]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 vtcdrv;GoGear Recovery Mode;c:\windows\system32\drivers\vtcdrv.sys [2009-11-23 18560]
.
=============== File Associations ===============
.
FileExt: .reg: Regedit.Document=c:\winnt\Regedit.exe %1
FileExt: .txt: txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"
.
=============== Created Last 30 ================
.
2011-07-15 04:26:19 54016 ----a-w- c:\windows\system32\drivers\vefbup.sys
2011-07-14 23:15:10 709968 ----a-w- c:\windows\is-6A4L1.exe
2011-07-14 23:13:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-14 23:13:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-14 09:32:07 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-07-14 09:31:36 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2011-07-14 04:01:28 -------- d-----w- C:\deltaComboFix
2011-07-08 08:31:28 -------- d-sha-r- C:\cmdcons
2011-07-02 06:03:58 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-02 06:03:58 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 06:00:54 -------- d-----w- c:\program files\LTC
2011-07-02 06:00:40 -------- d-----w- c:\program files\WinHTTrack
2011-07-02 06:00:09 -------- d-----w- c:\program files\MuseScore 0.9
2011-07-02 05:57:06 -------- d-----w- c:\program files\JGsoft
2011-07-02 05:55:33 -------- d-----w- c:\program files\uTorrent
2011-07-02 05:55:25 -------- d-----w- c:\documents and settings\kim hawke\application data\.clamwin
2011-07-02 05:55:25 -------- d-----w- c:\documents and settings\all users\.clamwin
2011-07-02 05:54:34 -------- d-----w- c:\program files\Lavasoft
2011-07-02 05:54:29 -------- d-----w- c:\program files\ClamWin
2011-07-02 05:54:27 -------- d--h--w- c:\documents and settings\all users\application data\{65893B95-F47B-4483-B883-86BA181E9B54}
2011-06-22 07:21:40 -------- d-----w- c:\program files\common files\Java(2)
2011-06-18 08:50:57 -------- d-----w- c:\documents and settings\kim hawke\application data\ASCOMP Software
2011-06-18 08:50:34 -------- d-----w- c:\program files\ASCOMP Software
.
==================== Find3M ====================
.
2011-07-14 06:03:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-26 06:45:56 256000 ----a-w- c:\windows\PEV.exe
2011-06-03 10:21:54 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-06-03 10:21:54 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 14:47:19 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-04-25 14:47:19 667136 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 14:47:19 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-04-25 12:56:44 369664 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-01-27 05:38:43 8768200 ----a-w- c:\program files\common files\lpuninstall.exe
.
============= FINISH: 23:58:31.64 ===============

Clean Sun Java in the Internet Section

Notes
In CCleaner I don't see the Internet Section or Sun Java
CCleaner doesn't show the K-Meleon or Maxthon browsers; should I be worried?
My computer won't log off, shut down, or restart, and hasn't for at least a few days.

Automatic updates now work.

#14 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:04 PM

Posted 15 July 2011 - 01:33 PM

I still need to see a log from MalwareBytes' Anti-Malware. Please run a Quick Scan with MalwareBytes' and post its log in your next post/reply. Be sure to update MalwareBytes' first before running the scan. The latest version of MBAM is 1.51.1.1800 and the latest database (as of this typing) is 7151.


In CCleaner I don't see the Internet Section or Sun Java


That just means you don't have Java (or anything that would be in the Internet Section) installed on your computer.


CCleaner doesn't show the K-Meleon or Maxthon browsers; should I be worried?


Looking at CCleaner's website, they say they support both the K-Meleon and Maxthon browsers. Do you have the latest version of CCleaner, v3.08.1475? If not you can try upgrading to the latest version. You can also try uninstalling then reinstalling CCleaner to see if those two browsers show again. Finally, CCleaner could have removed support for those two browsers, but I haven't seen any information saying that they have.


My computer won't log off, shut down, or restart, and hasn't for at least a few days.


That's strange. When did this start happening? What happens, and what messages pop up, when you try to log off, shut down or reboot your computer?

Edited by km2357, 15 July 2011 - 01:35 PM.

MalWare Removal University Master

Member of ASAP


#15 Cornetto

Cornetto
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:04 PM

Posted 15 July 2011 - 03:47 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7141

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/14/2011 10:21:47 PM
mbam-log-2011-07-14 (22-21-47).txt

Scan type: Quick scan
Objects scanned: 159309
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\kim hawke\Desktop\xp antivirus 2011 trojan_qhost_lxe.htm (Rogue.XPantiVirus) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7152

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/15/2011 2:13:15 PM
mbam-log-2011-07-15 (14-13-15).txt

Scan type: Quick scan
Objects scanned: 159606
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Log off
Pop up says usual "Are you sure you want to log off?"
Log off Cancel
I press Log Off and nothing happens at all - no message and no log off.

Shut Down
Popup says its usual "Stand By  Turn Off  Cancel"
Cancel and Turn Off do nothing when selected.

But... "Stand By" does work correctly and immediately. I hadn't tried this option before.


CCleaner version
updated from 2.32.1165 to v3.08.1475


It doesn't show Maxthon or K-Meleon.

Edited by Cornetto, 15 July 2011 - 03:51 PM.




