Google Redirect /Random Audio Virus! Please help!


  • This topic is locked
35 replies to this topic

#1 elocinlynn

elocinlynn

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 10 July 2011 - 12:40 PM

Hello. I have an annoying Google Redirect Virus. I also hear random audio in the background at times which can only be stopped if I end the iexplore.exe process (a file that apparently duplicates after deletion). This is my first virus that hasn't been able to be cleaned by Malwarebytes & Symantec. I have also tried running Super AntiSpyware and Sophos Anti-Root Kit. These programs are consistently picking up threats and "cleaning" them, but the same threats show up after a reboot. I'm fairly good at "using" computers, but getting rid of viruses and interpreting these logs is an entirely different story! I would like to avoid wiping it and starting over, so any help you could give me would be amazing! DDS and GMER logs are attached. Thanks so so SO much!
Nicole

*Note: I posted this about a month ago and never got a notification that someone responded, even though the email notification setting was turned on, so the topic was closed. SOOOOO sorry about that!


.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Run by Nicole at 0:33:52 on 2011-06-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1030 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wavemsp32.exe
C:\WINDOWS\system32\msscb32.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\mprui32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mqad32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {0f3fd382-7fbd-4706-b763-0af3489d237e} - c:\windows\system32\audiodev32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: acf7ef6e: {bad7b1de-947f-7917-0209-040d707ea180} - c:\windows\system32\msdtctm32.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{97A96B86-DA3B-490E-8935-2DE7A4C6F5D8} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\msdtctm32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicole\application data\mozilla\firefox\profiles\3nlypp9u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\nicole\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\nicole\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-6-16 18816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 LmHosts32;TCP/IP NetBIOS Helper ;c:\windows\system32\wavemsp32.exe [2011-6-13 774144]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 TapiSrv32;Telephony ;c:\windows\system32\mprui32.exe [2011-6-13 774144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-22 24652]
R2 wscsvc32;Security Center ;c:\windows\system32\mqad32.exe [2011-6-13 774144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-13 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110617.003\naveng.sys [2011-6-17 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110617.003\navex15.sys [2011-6-17 1542392]
S2 gupdate1c93fa5c13acde0;Google Update Service (gupdate1c93fa5c13acde0);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-13 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5b.tmp --> c:\windows\system32\5B.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
.
=============== Created Last 30 ================
.
2011-06-16 19:20:24 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-06-15 02:05:41 -------- d-----w- c:\program files\Sophos
2011-06-14 00:59:16 -------- d--h--w- c:\windows\PIF
2011-06-13 15:49:44 -------- d-----w- c:\documents and settings\nicole\application data\SUPERAntiSpyware.com
2011-06-13 15:49:44 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-13 15:49:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-13 12:34:52 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-13 12:34:02 0 ---ha-w- c:\documents and settings\nicole\mizfuxiobs.tmp
2011-06-13 10:02:19 774144 ----a-w- c:\windows\system32\msscb32.exe
2011-06-13 10:02:18 774144 ----a-w- c:\windows\system32\mqad32.exe
2011-06-13 10:02:18 774144 ----a-w- c:\windows\system32\mprui32.exe
2011-06-13 10:02:18 167936 ----a-w- c:\windows\system32\msdtctm32.dll
2011-06-13 10:02:12 774144 ----a-w- c:\windows\system32\wavemsp32.exe
2011-06-13 10:02:10 365056 ----a-w- c:\windows\system32\audiodev32.dll
2011-06-13 06:52:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-13 06:52:21 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-07 22:09:51 -------- d-----w- c:\program files\iPod
2011-06-07 22:09:28 -------- d-----w- c:\program files\iTunes
2011-06-07 21:23:27 -------- d-----w- c:\documents and settings\nicole\local settings\application data\Yahoo!
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 0:36:16.54 ===============
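As an added example (not part of this thread or of the DDS tool), here is a small Python triage script that applies the same checks a helper applies by eye to a DDS log like the one above: services whose names copy built-in svchost-hosted Windows services but point at a standalone image in system32, several services sharing one image size and date, a non-empty AppInit_DLLs entry, and a BHO registered without a friendly name. The BUILTIN_SVCHOST table and the sample excerpt are constructed for the example.

```python
import re
from collections import defaultdict

# Matches DDS "SERVICES / DRIVERS" lines: "R2 name;display;path [date size]".
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+"
    r"\[(?P<date>\S+)\s+(?P<size>\d+)\]\s*$"
)
# "BHO: {guid} - path" with no friendly name in front of the GUID.
NAMELESS_BHO_RE = re.compile(r"^BHO:\s*\{[0-9a-f-]{36}\}\s*-\s*(?P<path>.+)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<value>\S.*)$", re.I)

# Genuine Windows XP services (service name -> display name) that run inside
# svchost.exe; a standalone image in system32 under one of these names is wrong.
# Small table constructed for this example; extend it for real triage.
BUILTIN_SVCHOST = {
    "lmhosts": "tcp/ip netbios helper",
    "tapisrv": "telephony",
    "wscsvc": "security center",
}


def parse_services(text):
    """Return the DDS service/driver lines as dicts with normalised fields."""
    rows = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["display"] = row["display"].strip()
            rows.append(row)
    return rows


def analyze_dds(text):
    """Return a list of (item, reason) findings for a DDS log excerpt."""
    findings = []
    rows = parse_services(text)
    # 1. Service name (with or without a "32" suffix) or display name copied from a
    #    built-in svchost-hosted service, but the image is a standalone executable.
    for r in rows:
        name = r["name"].lower()
        base = name[:-2] if name.endswith("32") else name
        looks_builtin = base in BUILTIN_SVCHOST or r["display"].lower() in BUILTIN_SVCHOST.values()
        if looks_builtin and "svchost" not in r["path"].lower():
            findings.append((r["name"], f"masquerades as built-in service '{r['display']}' via {r['path']}"))
    # 2. Several distinct services whose images share size and date: one payload under many names.
    clusters = defaultdict(list)
    for r in rows:
        clusters[(r["size"], r["date"])].append(r["name"])
    for (size, date), names in clusters.items():
        if len(names) > 1:
            findings.append((", ".join(names), f"{len(names)} services share image size {size} and date {date}"))
    # 3. AppInit_DLLs loads the listed DLL into every GUI process; a non-empty value always merits review.
    # 4. A BHO registered without a friendly name is atypical for legitimate software.
    for line in text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            findings.append(("AppInit_DLLs", f"global DLL injection: {m.group('value')}"))
        m = NAMELESS_BHO_RE.match(line.strip())
        if m:
            findings.append(("BHO", f"nameless browser helper object: {m.group('path')}"))
    return findings


# Constructed excerpt modelled on the DDS log above (same line formats).
SAMPLE_LOG = r"""
BHO: {0f3fd382-7fbd-4706-b763-0af3489d237e} - c:\windows\system32\audiodev32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
AppInit_DLLs: c:\windows\system32\msdtctm32.dll
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 LmHosts32;TCP/IP NetBIOS Helper ;c:\windows\system32\wavemsp32.exe [2011-6-13 774144]
R2 TapiSrv32;Telephony ;c:\windows\system32\mprui32.exe [2011-6-13 774144]
R2 wscsvc32;Security Center ;c:\windows\system32\mqad32.exe [2011-6-13 774144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
"""

if __name__ == "__main__":
    for item, reason in analyze_dds(SAMPLE_LOG):
        print(f"{item}: {reason}")
```

The script only flags entries for a human to review; it does not delete or modify anything.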


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:17 PM

Posted 10 July 2011 - 05:08 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.


#3 elocinlynn

elocinlynn
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 10 July 2011 - 05:56 PM

Hi, thank you for getting back to me so quickly! I did as you requested and the ComboFix log is pasted below. Computer seems to be running normally. Let me know if you need any other information.

Thanks again,
Nicole



ComboFix 11-07-10.03 - Nicole 07/10/2011 18:34:08.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1392 [GMT -4:00]
Running from: c:\documents and settings\Nicole\Desktop\CF.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\LocalService\Application Data\020000005f5a4aa21270C.manifest
c:\documents and settings\LocalService\Application Data\020000005f5a4aa21270O.manifest
c:\documents and settings\LocalService\Application Data\020000005f5a4aa21270P.manifest
c:\documents and settings\LocalService\Application Data\020000005f5a4aa21270S.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\install.rdf
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\chrome.manifest
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\chrome\xulcache.jar
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\defaults\preferences\xulcache.js
c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\install.rdf
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\vb.ini
.
Infected copy of c:\windows\system32\ctfmon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\ctfmon.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2011-06-25 16:39 . 2011-06-25 16:39 -------- d-----r- c:\documents and settings\Nicole\Application Data\Brother
2011-06-21 20:35 . 2011-06-21 20:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 20:34 . 2011-06-21 20:34 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-21 20:34 . 2011-06-21 20:34 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-16 19:20 . 2010-05-26 14:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-06-15 02:05 . 2011-06-15 02:05 -------- d-----w- c:\program files\Sophos
2011-06-14 00:59 . 2011-06-14 00:59 -------- d--h--w- c:\windows\PIF
2011-06-13 15:49 . 2011-06-13 15:49 -------- d-----w- c:\documents and settings\Nicole\Application Data\SUPERAntiSpyware.com
2011-06-13 15:49 . 2011-06-13 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-13 15:49 . 2011-06-13 15:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-13 12:34 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-13 12:34 . 2011-06-13 12:34 0 ---ha-w- c:\documents and settings\Nicole\mizfuxiobs.tmp
2011-06-13 10:02 . 2011-06-13 10:02 774144 ----a-w- c:\windows\system32\msscb32.exe
2011-06-13 10:02 . 2011-06-13 10:02 774144 ----a-w- c:\windows\system32\mqad32.exe
2011-06-13 10:02 . 2011-06-13 10:02 774144 ----a-w- c:\windows\system32\mprui32.exe
2011-06-13 10:02 . 2011-06-13 10:02 774144 ----a-w- c:\windows\system32\wavemsp32.exe
2011-06-13 06:52 . 2011-06-13 06:52 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-21 20:34 . 2011-04-03 15:17 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-23 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-05 421160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^Nicole^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Nicole\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
1 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\MSPUB.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mqad32.exe"=
"c:\\WINDOWS\\system32\\mprui32.exe"=
"c:\\WINDOWS\\system32\\wavemsp32.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/16/2011 3:20 PM 18816]
R2 LmHosts32;TCP/IP NetBIOS Helper ;c:\windows\system32\wavemsp32.exe [6/13/2011 6:02 AM 774144]
R2 TapiSrv32;Telephony ;c:\windows\system32\mprui32.exe [6/13/2011 6:02 AM 774144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/22/2008 5:39 PM 24652]
R2 wscsvc32;Security Center ;c:\windows\system32\mqad32.exe [6/13/2011 6:02 AM 774144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [5/13/2011 8:08 PM 105592]
S2 gupdate1c93fa5c13acde0;Google Update Service (gupdate1c93fa5c13acde0);c:\program files\Google\Update\GoogleUpdate.exe [11/5/2008 8:22 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/5/2008 8:22 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/13/2011 8:34 AM 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5B.tmp --> c:\windows\system32\5B.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-11 07:29]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 00:22]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-11-06 00:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-10 18:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5B.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'explorer.exe'(6204)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
c:\windows\system32\msscb32.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-10 18:50:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-10 22:50
.
Pre-Run: 45,490,450,432 bytes free
Post-Run: 45,846,286,336 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 70A8F56B86334FC4B304A4331135303A

#4 Noviciate (Malware Response Team, 5,277 posts, Gender: Male, Location: Numpty HQ)

Posted 11 July 2011 - 02:19 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Will you also throw in a fresh DDS log and let me know how the PC is behaving.

So long, and thanks for all the fish.

#5 elocinlynn (Topic Starter, Members, 22 posts)

Posted 11 July 2011 - 06:57 PM

I pasted the ESET log below and attached new dds.txt and attach.txt files. Computer (especially Firefox while attempting to access search engines) is slow, but behaving normally. thank you again for all your help.
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{0a1ebb08-f7de-49ab-9c57-6423fd3a94cc}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{16cea32b-3436-4528-b64d-a9ff4b8b98a6}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{2026d38a-5b25-4cc5-9381-153a8da8823c}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{352b863b-7345-4afd-8a23-e465b566bbe8}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{60a34252-4d28-4fbb-ac5e-ad96be3fb08b}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{68511ac6-9d60-4995-bd72-e86028860338}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6c54d814-9289-4325-b1e6-8a9b19e68240}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{6e800944-2236-4e8d-b6ed-87157650baf3}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{a4e2e596-2229-4668-bff3-463703958c20}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{ccf9dd55-dba2-449c-81d7-37001632a1c0}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{cdf74cf5-f3f9-4e5c-8841-c19783a94141}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\WINDOWS\system32\mprui32.exe a variant of Win32/Kryptik.OYY trojan
C:\WINDOWS\system32\mqad32.exe a variant of Win32/Kryptik.OYY trojan
C:\WINDOWS\system32\msscb32.exe a variant of Win32/Kryptik.OYY trojan
C:\WINDOWS\system32\wavemsp32.exe a variant of Win32/Kryptik.OYY trojan
Operating memory a variant of Win32/Kryptik.OYY trojan

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Run by Nicole at 19:49:54 on 2011-07-11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.444 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\WINDOWS\system32\wavemsp32.exe
C:\WINDOWS\system32\msscb32.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mprui32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\mqad32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{97A96B86-DA3B-490E-8935-2DE7A4C6F5D8} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicole\application data\mozilla\firefox\profiles\3nlypp9u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\documents and settings\nicole\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\nicole\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-6-16 18816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 LmHosts32;TCP/IP NetBIOS Helper ;c:\windows\system32\wavemsp32.exe [2011-6-13 774144]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 TapiSrv32;Telephony ;c:\windows\system32\mprui32.exe [2011-6-13 774144]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-22 24652]
R2 wscsvc32;Security Center ;c:\windows\system32\mqad32.exe [2011-6-13 774144]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-13 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110708.001\naveng.sys [2011-7-8 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110708.001\navex15.sys [2011-7-8 1542392]
S2 gupdate1c93fa5c13acde0;Google Update Service (gupdate1c93fa5c13acde0);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-13 39984]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5b.tmp --> c:\windows\system32\5B.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
.
=============== Created Last 30 ================
.
2011-07-11 20:57:39 -------- d-----w- c:\program files\ESET
2011-07-10 22:27:38 -------- d-sha-r- C:\cmdcons
2011-07-10 22:25:28 98816 ----a-w- c:\windows\sed.exe
2011-07-10 22:25:28 518144 ----a-w- c:\windows\SWREG.exe
2011-07-10 22:25:28 256000 ----a-w- c:\windows\PEV.exe
2011-07-10 22:25:28 208896 ----a-w- c:\windows\MBR.exe
2011-06-25 16:39:20 -------- d-----r- c:\documents and settings\nicole\application data\Brother
2011-06-21 20:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 20:34:46 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-21 20:34:45 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-16 19:20:24 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-06-15 02:05:41 -------- d-----w- c:\program files\Sophos
2011-06-14 00:59:16 -------- d--h--w- c:\windows\PIF
2011-06-13 15:49:44 -------- d-----w- c:\documents and settings\nicole\application data\SUPERAntiSpyware.com
2011-06-13 15:49:44 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-13 15:49:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-13 12:34:52 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-13 12:34:02 0 ---ha-w- c:\documents and settings\nicole\mizfuxiobs.tmp
2011-06-13 10:02:19 774144 ----a-w- c:\windows\system32\msscb32.exe
2011-06-13 10:02:18 774144 ----a-w- c:\windows\system32\mqad32.exe
2011-06-13 10:02:18 774144 ----a-w- c:\windows\system32\mprui32.exe
2011-06-13 10:02:12 774144 ----a-w- c:\windows\system32\wavemsp32.exe
2011-06-13 06:52:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-13 06:52:21 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
.
============= FINISH: 19:50:35.24 ===============

Edited by Noviciate, 12 July 2011 - 02:30 PM.

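An added triage example for the logs in this thread (it is not part of the original posts, and not a feature of DDS, ComboFix or ESET). It automates the three tells a responder reads off the ComboFix log earlier in the thread and the DDS log above: the firewall AuthorizedApplications list grants exceptions to mqad32.exe, mprui32.exe and wavemsp32.exe sitting directly in system32; both logs register those same binaries as services whose display names ("TCP/IP NetBIOS Helper ", "Telephony ", "Security Center ") are copied from built-in XP services but under service names carrying a "32" suffix; and all of them are 774144 bytes with the same 2011-6-13 date. The BUILTIN table is a hand-picked subset of Windows XP service names and the "%windir%" rule is a heuristic; both are assumptions of this example. The sample lines are copied from the posted logs.

```python
"""Triage heuristics for the SERVICES / DRIVERS and firewall sections of a
DDS or ComboFix log. Added example for this thread, not a tool from the
original posts. BUILTIN is a hand-picked subset of XP service names and the
%windir% test is a heuristic: both are assumptions of this example.
"""
import re
from collections import defaultdict

# Windows XP service name -> display name, lower-cased. Subset only (assumption).
BUILTIN = {
    "lmhosts": "tcp/ip netbios helper",
    "tapisrv": "telephony",
    "wscsvc": "security center",
    "sharedaccess": "windows firewall/internet connection sharing (ics)",
}

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_SERVICES = r"""
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 LmHosts32;TCP/IP NetBIOS Helper ;c:\windows\system32\wavemsp32.exe [2011-6-13 774144]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 TapiSrv32;Telephony ;c:\windows\system32\mprui32.exe [2011-6-13 774144]
R2 wscsvc32;Security Center ;c:\windows\system32\mqad32.exe [2011-6-13 774144]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-13 39984]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5b.tmp --> c:\windows\system32\5B.tmp [?]
"""

# Constructed sample: the firewall AuthorizedApplications block from the ComboFix log.
SAMPLE_FIREWALL = r"""
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\mqad32.exe"=
"c:\\WINDOWS\\system32\\mprui32.exe"=
"c:\\WINDOWS\\system32\\wavemsp32.exe"=
"""

# R2 name;display;path [date size]  (the [date size] tail is absent for stubs)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\])?$"
)
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=')


def parse_services(text):
    """One dict per R*/S* service line; anything else is ignored."""
    rows = []
    for line in text.strip().splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def impersonated_services(rows):
    """Display name equals a built-in service's, service name does not (LmHosts32 vs LmHosts)."""
    hits = []
    for r in rows:
        display = r["display"].strip().lower()  # the log shows a trailing space
        for builtin, builtin_display in BUILTIN.items():
            if display == builtin_display and r["name"].lower() != builtin:
                hits.append((r["name"], r["path"].lower()))
    return hits


def size_clusters(rows, minimum=3):
    """Distinct binaries sharing one (date, size): one dropper wrote them all."""
    groups = defaultdict(set)
    for r in rows:
        if r["size"]:
            groups[(r["date"], r["size"])].add(r["path"].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= minimum}


def firewall_system32_exceptions(text):
    """Exceptions for bare executables in system32 written with a literal drive path.

    Entries Windows adds itself use %windir%; a literal c:\\WINDOWS path is a
    heuristic sign that something else wrote the rule (assumption).
    """
    hits = []
    for line in text.strip().splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").replace("\\\\", "\\").lower()  # registry-escaped
        if path.startswith("%windir%"):
            continue
        if re.search(r"\\system32\\[^\\]+\.exe$", path):
            hits.append(path)
    return hits


def triage(services_text, firewall_text):
    """Run every check; 'corroborated' lists binaries flagged by two independent ones."""
    rows = parse_services(services_text)
    imp = impersonated_services(rows)
    fw = firewall_system32_exceptions(firewall_text)
    return {
        "impersonated": imp,
        "clusters": size_clusters(rows),
        "firewall": fw,
        "corroborated": sorted({p for _, p in imp} & set(fw)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICES, SAMPLE_FIREWALL).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the sample; for a real log, pass the SERVICES / DRIVERS section to parse_services and the AuthorizedApplications block to firewall_system32_exceptions in the same way. The point of the cross-reference is that a binary flagged by two unrelated checks (service impersonation and a hand-written firewall exception for the same file) is what earns it a place in a File:: list, rather than any single heuristic on its own; msscb32.exe, the fourth 774144-byte file, has no service entry and only shows up through the Created Last 30 section and the ESET detections.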

#6 Noviciate (Malware Response Team, 5,277 posts, Gender: Male, Location: Numpty HQ)

Posted 12 July 2011 - 02:33 PM

Good evening. :)

Copy and paste the following into Notepad (Start > All Programs > Accessories > Notepad):

File::
c:\documents and settings\nicole\mizfuxiobs.tmp
c:\windows\system32\msscb32.exe
c:\windows\system32\mqad32.exe
c:\windows\system32\mprui32.exe
c:\windows\system32\wavemsp32.exe


Save it to your Desktop with the following filename: CFScript
Drag and drop CFScript.txt onto your copy of Combofix and let it do its thing.
Let me have the log produced, as before.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download TFC by OldTimer from here and save it to your Desktop.

  • You will need to close all open programs and save any work as TFC will require a reboot.
  • Double-click TFC.exe to run it. (Note: If you are using Vista, right-click the file and select Run As Administrator from the menu that appears).
  • Click the Start button to begin. Depending on how often you clean temp files, execution time could be anywhere from a few seconds to a minute or two - just sit back and enjoy the view.
  • Once it has finished it should reboot your PC all by itself. If it does not, please manually reboot.
  • Once rebooted your PC will run like a Cray supercomputer, or at least have less junk on the hard drive - OT's not a miracle worker you know!
  • Please note that this tool will empty the Recycle Bin as part of its actions. If you have anything in there that you haven't finished with, move it first.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Defragment your hard drive. A tutorial for disc defragmentation is available here.

I happen to prefer a third-party defrag tool to the one that Windows offers. You can read about it, and find a linky, here - it's free too!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once you've run through the above, take the PC for a tour and then tell me how it's behaving.

So long, and thanks for all the fish.

#7 elocinlynn (Topic Starter, Members, 22 posts)

Posted 12 July 2011 - 06:13 PM

Hi :) ComboFix froze while it was running, about 5 minutes into the process. I wasn't sure if I should try it again? I pasted the actions it performed before freezing below. Thanks!

Output folder: C:\32788R22FWJFW
Extract: 023.dat
Extract: 023v.dat
Extract: 023w7.dat
Extract: AWF.cmd
Extract: AppDataFile.cfx
Extract: AppDataFolder.cfx
Extract: Assoc.cmd
Extract: Auto-RC.cmd
Extract: Boot-Rk.cmd
Extract: Boot.bat
Extract: BootDrv.vbs
Extract: CF-Script.cmd
Extract: CSet.cmd
Extract: Catch-sub.cmd
Extract: Combo-Fix.sys
Extract: ComboFix-Download.cfxxe
Extract: Combobatch.bat
Extract: Create.cmd
Extract: Creg.dat
Extract: CregC.cmd
Extract: CregC.dat
Extract: DPF.str
Extract: DelClsid.bat
Extract: DelClsid64.bat
Extract: DesktopFile.cfx
Extract: Dnl.dat
Extract: DrvRun.vbs
Extract: ERDNT.e_e
Extract: ERDNTDOS.LOC
Extract: ERDNTWIN.LOC
Extract: ERUNT.LOC
Extract: ERUNT.cfxxe
Extract: Exe.reg
Extract: FD-SV.cmd
Extract: FIND3M.bat
Extract: FIXLSP.bat
Extract: FKMGen.cmd
Extract: FavoriteFolder.cfx
Extract: FavoritesFile.cfx
Extract: FileKill.cfxxe
Extract: Fin.dat
Extract: GetHive.cmd
Extract: HDPEInfo.cfxxe
Extract: Imefile.dat
Extract: Install-RC.cmd
Extract: Kill-All.cmd
Extract: Ksvchost.vbs
Extract: Lang.bat
Extract: List-B.bat
Extract: List-C.bat
Extract: List-D.bat
Extract: List.bat
Extract: LocalAppDataFile.cfx
Extract: LocalAppDataFolder.cfx
Extract: LocalService.dat
Extract: LocalServiceNetworkRestricted.dat
Extract: LocalSettingsFile.cfx
Extract: LocalSystemNetworkRestricted.dat
Extract: MoveIt.bat
Extract: ND_.bat
Extract: ND_64.bat
Extract: NT-OS.cmd
Extract: NetworkService.dat
Extract: NirCmd.cfxxe
Extract: NirCmd.chm
Extract: NirCmdC.cfxxe
Extract: OSid.vbs
Extract: P.cmd
Extract: PersonalFile.cfx
Extract: PersonalFolder.cfx
Extract: Policies.dat
Extract: Prep.inf
Extract: ProfilesFile.cfx
Extract: ProfilesFolder.cfx
Extract: ProgramsFile.cfx
Extract: ProgramsFolder.cfx
Extract: Purity.dat
Extract: RCLink.dat
Extract: REGDACL.sed
Extract: RegDo.sed
Extract: RegScan.cmd
Extract: RegScan64.cmd
Extract: Rkey.cmd
Extract: Rust.str
Extract: SRestore.cmd
Extract: Safeboot.def.w7.dat
Extract: SetEnvmt.bat
Extract: SnapShot.cmd
Extract: StartMenuFile.cfx
Extract: StartMenuFolder.cfx
Extract: StartUpFile.cfx
Extract: SuppScan.cmd
Extract: SvcDrv.vbs
Extract: TemplatesFile.cfx
Extract: TemplatesFolder.cfx
Extract: Update-CF.cmd
Extract: VINFO3
Extract: VInfo
Extract: VInfo2
Extract: Vipev.dat

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:17 PM

Posted 13 July 2011 - 02:04 PM

Good evening. :)

Skip ComboFix for now and try something else:

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad Windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.


#9 elocinlynn

  • Topic Starter
  • Members
  • 22 posts
  • Local time:02:17 PM

Posted 13 July 2011 - 03:11 PM

Okay, here they are. Thanks again!

OTL logfile created on: 7/13/2011 4:04:40 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Nicole\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.21 Gb Available Physical Memory | 10.30% Memory free
3.85 Gb Paging File | 2.25 Gb Available in Paging File | 58.58% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 43.03 Gb Free Space | 28.88% Space Free | Partition Type: NTFS

Computer Name: DELL | User Name: Nicole | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/13 16:04:21 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicole\My Documents\Downloads\OTL.scr
PRC - [2011/06/21 16:34:44 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/06/13 06:02:15 | 000,774,144 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\mqad32.exe
PRC - [2011/06/13 06:02:13 | 000,774,144 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\mprui32.exe
PRC - [2011/06/13 06:02:09 | 000,774,144 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\wavemsp32.exe
PRC - [2011/06/13 06:02:09 | 000,774,144 | ---- | M] (CrypKey Inc.) -- C:\WINDOWS\system32\msscb32.exe
PRC - [2011/06/01 13:14:20 | 000,140,952 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/04/20 00:56:28 | 000,060,416 | ---- | M] () -- C:\32788R22FWJFW\iexplore.exe
PRC - [2008/12/20 08:50:34 | 002,656,528 | ---- | M] () -- C:\Program Files\Logitech\QuickCam\Quickcam.exe
PRC - [2008/12/20 08:46:58 | 000,558,864 | ---- | M] () -- C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
PRC - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/02 16:48:00 | 000,098,304 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/06/15 01:40:34 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/06/15 01:40:24 | 001,805,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/06/15 01:40:16 | 000,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/03/24 17:14:58 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/24 17:14:52 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/03/24 17:14:48 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/03/20 16:00:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (SafeList) ==========

MOD - [2011/07/13 16:04:21 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nicole\My Documents\Downloads\OTL.scr
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/06/13 06:02:15 | 000,774,144 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mqad32.exe -- (wscsvc32)
SRV - [2011/06/13 06:02:13 | 000,774,144 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\mprui32.exe -- (TapiSrv32)
SRV - [2011/06/13 06:02:09 | 000,774,144 | ---- | M] (CrypKey Inc.) [Auto | Running] -- C:\WINDOWS\system32\wavemsp32.exe -- (LmHosts32)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/12/16 22:59:50 | 000,150,040 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/06/15 01:40:28 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/06/15 01:40:24 | 001,805,552 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/06/15 01:40:16 | 000,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/04/11 17:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/03/24 17:14:58 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/24 17:14:52 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/06/15 04:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110708.001\navex15.sys -- (NAVEX15)
DRV - [2011/06/15 04:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110708.001\naveng.sys -- (NAVENG)
DRV - [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/05/16 04:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/13 04:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) [Kernel | System | Running] -- C:\WINDOWS\system32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2008/12/17 02:02:08 | 000,023,832 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvcflt.sys -- (FilterService)
DRV - [2008/12/17 02:01:44 | 006,364,440 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 9000(UVC)
DRV - [2008/12/17 02:01:22 | 000,041,752 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2008/12/17 02:00:14 | 000,768,024 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2008/12/16 22:58:54 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2006/10/04 22:42:42 | 000,002,560 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2006/10/04 22:42:42 | 000,002,432 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2006/05/05 16:19:50 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/04/11 17:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/03/20 16:06:04 | 001,156,648 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/01/27 23:40:26 | 000,284,928 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2004/01/27 23:39:56 | 000,023,680 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2004/01/27 23:34:56 | 000,140,416 | ---- | M] (Windows ® 2000 DDK provider) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2004/01/27 23:29:44 | 000,023,680 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2004/01/27 23:29:40 | 000,197,632 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Udfreadr.sys -- (UDFReadr)
DRV - [2004/01/27 23:16:38 | 000,117,248 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\Pwd_2k.sys -- (pwd_2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll File not found
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Nicole\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13: C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Nicole\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Documents and Settings\Nicole\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/06 01:09:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/21 16:34:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/18 00:59:58 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Nicole\Application Data\Move Networks [2009/12/10 01:23:58 | 000,000,000 | ---D | M]

[2009/03/08 12:00:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Extensions
[2009/03/08 12:00:01 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2011/07/10 18:40:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions
[2009/09/14 12:17:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/28 09:15:09 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/27 17:45:11 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Nicole\Application Data\Mozilla\Firefox\Profiles\3nlypp9u.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/04/03 11:17:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/06/21 16:34:46 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npViewpoint.dll
[2011/06/21 16:34:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/07/10 18:45:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Nicole\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Nicole\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/24 08:25:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/12 17:18:21 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
[2011/07/11 16:57:39 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/07/10 18:27:38 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/07/10 18:25:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/07/10 18:25:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/07/10 18:25:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/07/10 18:25:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/07/10 18:25:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/07/10 18:22:07 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/07/10 18:20:54 | 004,138,980 | R--- | C] (Swearware) -- C:\Documents and Settings\Nicole\Desktop\CF.exe
[2011/07/09 09:45:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Nicole\Desktop\Morgan
[2011/07/01 12:13:06 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Nicole\Desktop\.picasaoriginals
[2011/06/25 12:39:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Nicole\Application Data\Brother
[2011/06/18 00:23:28 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Nicole\Start Menu\Programs\Administrative Tools
[2011/06/16 15:20:24 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\SAVRKBootTasks.sys
[2011/06/16 08:33:07 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Nicole\Recent
[2011/06/14 22:05:41 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/06/14 22:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
[2011/06/13 20:59:16 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Nicole\*.tmp files -> C:\Documents and Settings\Nicole\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/13 15:22:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/13 14:36:10 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/07/13 13:22:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/12 15:13:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/07/10 18:45:28 | 000,186,097 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/07/10 18:45:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/07/10 18:42:58 | 000,000,094 | ---- | M] () -- C:\WINDOWS\System32\640329804
[2011/07/10 18:42:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/10 18:42:07 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\lvuvc.hs
[2011/07/10 18:42:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\logiflt.iad
[2011/07/10 18:27:46 | 000,000,325 | RHS- | M] () -- C:\boot.ini
[2011/07/10 18:21:04 | 004,138,980 | R--- | M] (Swearware) -- C:\Documents and Settings\Nicole\Desktop\CF.exe
[2011/07/04 14:41:56 | 000,054,399 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\untitled3.jpg
[2011/07/01 12:13:06 | 000,076,855 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\untitled1.jpg
[2011/06/27 17:44:59 | 000,000,081 | ---- | M] () -- C:\WINDOWS\System32\c04b83c
[2011/06/27 16:38:39 | 000,100,473 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\Certificate of Participation-John Colak-1238924.pdf
[2011/06/26 20:25:01 | 000,096,507 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\khine.jpg
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2011/06/18 00:59:58 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/18 00:22:49 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Nicole\defogger_reenable
[2011/06/17 20:51:56 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\Microsoft Office Outlook 2007.lnk
[2011/06/17 16:19:02 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/15 14:29:53 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Nicole\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/06/15 14:27:46 | 000,000,230 | ---- | M] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/06/14 20:08:37 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/06/14 10:13:27 | 001,007,120 | ---- | M] () -- C:\Documents and Settings\Nicole\Desktop\rkill.scr
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Nicole\*.tmp files -> C:\Documents and Settings\Nicole\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/10 18:27:46 | 000,000,208 | ---- | C] () -- C:\Boot.bak
[2011/07/10 18:27:42 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/07/10 18:25:28 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/10 18:25:28 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/10 18:25:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/10 18:25:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/10 18:25:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/04 14:41:56 | 000,054,399 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\untitled3.jpg
[2011/07/01 12:13:06 | 000,076,855 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\untitled1.jpg
[2011/06/27 16:38:39 | 000,100,473 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\Certificate of Participation-John Colak-1238924.pdf
[2011/06/26 20:25:01 | 000,096,507 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\khine.jpg
[2011/06/18 00:59:58 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/18 00:59:58 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader X.lnk
[2011/06/18 00:22:49 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Nicole\defogger_reenable
[2011/06/16 08:29:15 | 000,000,081 | ---- | C] () -- C:\WINDOWS\System32\c04b83c
[2011/06/15 14:27:46 | 000,000,230 | ---- | C] () -- C:\WINDOWS\System32\spupdsvc.inf
[2011/06/14 10:13:27 | 001,007,120 | ---- | C] () -- C:\Documents and Settings\Nicole\Desktop\rkill.scr
[2011/06/13 01:07:17 | 000,017,074 | -HS- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\deow1vg58852bdtc3g62w37712kpxb620d03722ipd
[2011/06/13 01:07:17 | 000,017,074 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\deow1vg58852bdtc3g62w37712kpxb620d03722ipd
[2011/05/17 17:45:42 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2011/05/17 17:45:42 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2011/05/17 17:44:08 | 000,000,225 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2011/05/17 17:44:08 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2011/05/17 17:44:08 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf07a.dat
[2011/05/17 17:42:36 | 000,000,086 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini
[2011/05/17 17:42:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2011/05/17 17:42:34 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/12/03 15:23:33 | 000,081,110 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/10/07 01:44:18 | 000,063,224 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/06/15 14:12:01 | 000,000,021 | ---- | C] () -- C:\WINDOWS\atid.ini
[2009/04/01 08:42:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/12/16 22:58:54 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2008/12/16 22:50:56 | 000,013,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\iKeyLgFT.dll
[2008/10/14 18:23:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/07/29 16:15:37 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2008/07/25 14:24:33 | 000,003,072 | ---- | C] () -- C:\Documents and Settings\Nicole\Application Data\dvd.bmk
[2008/07/25 12:44:38 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/07/25 12:07:38 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2008/07/25 07:58:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/07/24 14:44:41 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2008/07/24 14:44:40 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2008/07/24 14:37:47 | 000,016,896 | ---- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/24 12:14:01 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Nicole\Local Settings\Application Data\fusioncache.dat
[2008/07/24 08:27:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/07/24 08:22:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/07/24 04:16:03 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/07/24 04:15:04 | 000,298,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/05/16 14:01:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 001,630,208 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2008/05/16 14:01:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2008/05/16 14:01:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2008/05/16 14:01:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2008/05/16 14:01:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/12/06 14:39:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/03/22 19:38:24 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/03/22 19:38:24 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/10 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/10 08:00:00 | 000,465,072 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/10 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/10 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/10 08:00:00 | 000,078,958 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/10 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/10 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/10 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/10 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/10 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2008/08/22 17:39:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/07/24 12:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2008/07/24 16:26:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Otto
[2011/01/20 20:21:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Titanium
[2009/06/15 14:11:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2010/04/22 10:06:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/09 23:08:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/09 09:57:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2008/08/22 17:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\acccore
[2011/01/02 21:03:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\FrostWire
[2009/06/29 14:53:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\KompoZer
[2009/12/03 15:24:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Leadertech
[2008/07/30 16:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Opera
[2008/07/24 16:26:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Otto
[2009/06/16 18:32:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\OverDrive
[2011/01/20 20:20:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Titanium
[2008/11/04 18:52:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Viewpoint
[2009/06/27 19:07:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Windows Desktop Search
[2009/06/29 17:05:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Nicole\Application Data\Windows Search

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 7/13/2011 4:04:40 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Nicole\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 0.21 Gb Available Physical Memory | 10.30% Memory free
3.85 Gb Paging File | 2.25 Gb Available in Paging File | 58.58% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 43.03 Gb Free Space | 28.88% Space Free | Partition Type: NTFS

Computer Name: DELL | User Name: Nicole | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\wavemsp32.exe" = C:\WINDOWS\system32\wavemsp32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)
"C:\WINDOWS\system32\mqad32.exe" = C:\WINDOWS\system32\mqad32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)
"C:\WINDOWS\system32\mprui32.exe" = C:\WINDOWS\system32\mprui32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mqad32.exe" = C:\WINDOWS\system32\mqad32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)
"C:\WINDOWS\system32\mprui32.exe" = C:\WINDOWS\system32\mprui32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)
"C:\WINDOWS\system32\wavemsp32.exe" = C:\WINDOWS\system32\wavemsp32.exe:*:Enabled:Windows Update Service -- (CrypKey Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{13E86C2B-FF38-418A-A448-A2933AFFA2E5}" = OverDrive Media Console
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{332CC6BF-E6C7-48EE-BA3D-435E576AD67F}" = PaperPort Image Printer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B63871D-150D-4351-B533-96C733D3F9FF}" = WinZip
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6AF5CAB9-FD0A-494F-8AA6-784D4B5D06C5}" = Microsoft Baseline Security Analyzer 2.1
"{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}" = Symantec AntiVirus
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{937B232D-9776-471E-92BD-D424E514EF14}" = Logitech QuickCam
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3FEC306-FBFF-4B0D-95B9-F9C67C65079E}" = Brother MFL-Pro Suite
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB4544EA-C189-41FE-9E3A-76591DDB852B}" = Roxio Easy Media Creator 7
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6B5B017-7643-46A5-AC4D-E58A7B4798A0}" = iTunes
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EEFEBB48-329E-46F6-AEB8-929A5BAFDB2F}" = Intel® Viiv™ Software
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FCD9CD52-7222-4672-94A0-A722BA702FD0}" = Dell Resource CD
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"BroadJump Client Foundation" = BroadJump Client Foundation
"CCleaner" = CCleaner (remove only)
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ESET Online Scanner" = ESET Online Scanner v3
"ESPNMotion" = ESPNMotion
"FLV to WMV Convert_is1" = FLV to WMV Convert 2.7
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"lvdrivers_11.90" = Logitech QuickCam Driver Package
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PROSet" = Intel® PRO Network Connections Drivers
"SBC.MCCInstall" = AT&T Self Support Tool
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Mail" = AT&T Yahoo! Internet Mail
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320
"Move Media Player" = Move Media Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/13/2011 3:22:22 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Bloodhound.MalPE in File: c:\WINDOWS\Temp\logishrd\lvprcinj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

Error - 7/13/2011 3:22:22 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

Error - 7/13/2011 4:05:16 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 7/13/2011 4:05:17 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 7/13/2011 4:05:18 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Bloodhound.MalPE in File: c:\WINDOWS\Temp\logishrd\lvprcinj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

Error - 7/13/2011 4:05:18 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

Error - 7/13/2011 4:05:31 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 7/13/2011 4:05:31 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 7/13/2011 4:05:31 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Bloodhound.MalPE in File: c:\WINDOWS\Temp\logishrd\lvprcinj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

Error - 7/13/2011 4:05:31 PM | Computer Name = DELL | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Bloodhound.MalPE in File: C:\WINDOWS\Temp\logishrd\LVPrcInj01.dll
by: Auto-Protect scan. Action: Reboot Required. Action Description: The file
was quarantined successfully.

[ OSession Events ]
Error - 7/11/2010 2:03:17 PM | Computer Name = DELL | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 521312
seconds with 1860 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 6/17/2011 12:21:47 AM | Computer Name = DELL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/17/2011 12:22:46 AM | Computer Name = DELL | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/17/2011 4:20:22 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 6/20/2011 11:44:53 AM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 6/21/2011 12:00:25 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 6/27/2011 4:48:23 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7034
Description = The TCP/IP NetBIOS Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 6/28/2011 10:23:04 AM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 7/2/2011 10:58:29 AM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 7/10/2011 6:22:00 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7034
Description = The Process Monitor service terminated unexpectedly. It has done
this 1 time(s).

Error - 7/10/2011 6:43:08 PM | Computer Name = DELL | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058


< End of report >

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:17 PM

Posted 14 July 2011 - 02:13 PM

Good evening. :)

You have a couple of entries in your log that point to files on your PC that I would like to have checked - if they are still present.

Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

c:\documents and settings\nicole\mizfuxiobs.tmp
c:\windows\system32\msscb32.exe
c:\windows\system32\mqad32.exe
c:\windows\system32\mprui32.exe
c:\windows\system32\wavemsp32.exe
C:\32788R22FWJFW\iexplore.exe


When all the scans have been completed, for each file in turn, please copy and paste the "Permalink" that you'll find in the "Jotti's malware scan" box in the upper left hand part of the page into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.

Note: These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done.

So long, and thanks for all the fish.

#11 elocinlynn

  • Topic Starter
  • Members
  • 22 posts
  • Local time:02:17 PM

Posted 14 July 2011 - 07:11 PM

Hello! Here's the information you requested! Thank you!


c:\documents and settings\nicole\mizfuxiobs.tmp
File is there, but Jotti says 'File is Empty!'


c:\windows\system32\msscb32.exe
http://virusscan.jotti.org/en/scanresult/72bcdc93ab2f0e081cafcc7f2aefe421044aa827/93b98ce1f41e707faea5e59aff99abb62659f357


c:\windows\system32\mqad32.exe
http://virusscan.jotti.org/en/scanresult/72bcdc93ab2f0e081cafcc7f2aefe421044aa827/69114ab51c66984a9985db6fa58334d25037e0b7


c:\windows\system32\mprui32.exe
http://virusscan.jotti.org/en/scanresult/72bcdc93ab2f0e081cafcc7f2aefe421044aa827/71dd2bd376d7f6d6a0b876a649e751aa65608196


c:\windows\system32\wavemsp32.exe
http://virusscan.jotti.org/en/scanresult/72bcdc93ab2f0e081cafcc7f2aefe421044aa827/e38cc7d1dc835d06572a81aa34d627ee1211182b


C:\32788R22FWJFW\iexplore.exe
This is showing up as a "computer icon" (see attached image). I'm pretty sure the "iexplore.exe" program is the one that's giving me a lot of trouble. It's ALWAYS running when I have issues, and closing it briefly stops the random audio problems I was having.


#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:07:17 PM

Posted 15 July 2011 - 02:38 PM

Good evening. :)

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :dir
    C:\32788R22FWJFW
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

So long, and thanks for all the fish.

#13 elocinlynn

  • Topic Starter
  • Members
  • 22 posts
  • Local time:02:17 PM

Posted 15 July 2011 - 04:32 PM

Hello :) Here are the results of the SystemLook Scan:

SystemLook 04.09.10 by jpshortstuff
Log created at 17:31 on 15/07/2011 by Nicole
Administrator - Elevation successful

========== dir ==========

C:\32788R22FWJFW - Parameters: "(none)"

---Files---
023.dat --a---- 40797 bytes [18:54 01/10/2010] [18:54 01/10/2010]
023v.dat --a---- 2181 bytes [19:07 26/11/2010] [19:07 26/11/2010]
023w7.dat --a---- 660 bytes [17:55 12/02/2010] [17:55 12/02/2010]
AppDataFile.cfx --a---- 61869 bytes [15:02 10/07/2011] [15:02 10/07/2011]
AppDataFolder.cfx --a---- 16830 bytes [15:00 10/07/2011] [15:00 10/07/2011]
appinit.bad --a---- 6760 bytes [00:00 31/08/2000] [00:00 31/08/2000]
asp.str --a---- 602 bytes [15:09 13/07/2009] [15:09 13/07/2009]
Assoc.cmd --a---- 4144 bytes [14:11 15/04/2010] [14:11 15/04/2010]
Auto-RC.cmd --a---- 5168 bytes [12:54 19/04/2011] [12:54 19/04/2011]
av.cmd --a---- 4526 bytes [03:31 06/07/2011] [03:31 06/07/2011]
av.vbs --a---- 2933 bytes [15:02 15/12/2010] [15:02 15/12/2010]
AWF.cmd --a---- 666 bytes [15:15 26/06/2011] [15:15 26/06/2011]
badclsid.c --a---- 1007585 bytes [15:19 10/07/2011] [15:19 10/07/2011]
Boot-Rk.cmd --a---- 5024 bytes [16:01 10/06/2011] [16:01 10/06/2011]
Boot.bat --a---- 8412 bytes [16:39 30/05/2011] [16:39 30/05/2011]
BootDrv.vbs --a---- 875 bytes [08:55 27/07/2010] [08:55 27/07/2010]
c.bat --a---- 62922 bytes [04:19 08/07/2011] [04:19 08/07/2011]
Catch-sub.cmd --a---- 1080 bytes [08:45 21/10/2010] [08:45 21/10/2010]
catchme.cfxxe --a---- 147456 bytes [09:37 17/04/2009] [09:37 17/04/2009]
CF-Script.cmd --a---- 30027 bytes [15:17 26/06/2011] [15:17 26/06/2011]
clsid.c --a---- 268606 bytes [15:19 10/07/2011] [15:19 10/07/2011]
Combo-Fix.sys --a---- 1024 bytes [15:16 19/08/2010] [15:16 19/08/2010]
Combobatch.bat --a---- 7725 bytes [09:38 03/06/2011] [09:38 03/06/2011]
ComboFix-Download.cfxxe --a---- 236032 bytes [00:00 31/08/2000] [00:00 31/08/2000]
Create.cmd --a---- 19308 bytes [16:57 09/07/2011] [16:57 09/07/2011]
Creg.dat --a---- 559414 bytes [14:56 10/07/2011] [14:56 10/07/2011]
CregC.cmd --a---- 3697 bytes [11:01 07/05/2011] [11:01 07/05/2011]
CregC.dat --a---- 472 bytes [09:21 17/04/2010] [09:21 17/04/2010]
CSet.cmd --a---- 1723 bytes [09:43 03/06/2011] [09:43 03/06/2011]
dd.cfxxe --a---- 101376 bytes [09:52 06/06/2011] [09:52 06/06/2011]
ddsDo.sed --a---- 7983 bytes [01:59 25/05/2009] [01:59 25/05/2009]
DelClsid.bat --a---- 1948 bytes [11:25 07/05/2011] [11:25 07/05/2011]
DelClsid64.bat --a---- 1957 bytes [11:25 07/05/2011] [11:25 07/05/2011]
desktop.ini --a---- 115 bytes [21:18 12/07/2011] [21:18 12/07/2011]
DesktopFile.cfx --a---- 10066 bytes [17:28 08/07/2011] [17:28 08/07/2011]
Dnl.dat --a---- 46 bytes [05:17 23/01/2010] [05:17 23/01/2010]
DPF.str --a---- 746 bytes [00:00 31/08/2000] [00:00 31/08/2000]
DrvRun.vbs --a---- 650 bytes [18:44 18/04/2010] [18:44 18/04/2010]
dumphive.cfxxe --a---- 51200 bytes [00:00 31/08/2000] [00:00 31/08/2000]
embedded.sed --a---- 303 bytes [00:00 31/08/2000] [00:00 31/08/2000]
ERDNT.e_e --a---- 163328 bytes [12:02 20/10/2005] [12:02 20/10/2005]
ERDNTDOS.LOC --a---- 2815 bytes [00:00 31/08/2000] [00:00 31/08/2000]
ERDNTWIN.LOC --a---- 3275 bytes [00:00 31/08/2000] [00:00 31/08/2000]
ERUNT.cfxxe --a---- 394752 bytes [12:00 20/10/2005] [12:00 20/10/2005]
ERUNT.LOC --a---- 4090 bytes [00:00 31/08/2000] [00:00 31/08/2000]
Exe.reg --a---- 15016 bytes [18:56 13/05/2011] [18:56 13/05/2011]
extract.cfxxe --a---- 52736 bytes [00:00 31/08/2000] [00:00 31/08/2000]
FavoriteFolder.cfx --a---- 20 bytes [08:52 05/09/2010] [08:52 05/09/2010]
FavoritesFile.cfx --a---- 6834 bytes [15:12 10/07/2011] [15:12 10/07/2011]
FD-SV.cmd --a---- 9074 bytes [15:27 26/06/2011] [15:27 26/06/2011]
ffdefstr.dll --a---- 38901 bytes [20:45 29/08/2010] [20:45 29/08/2010]
FileKill.cfxxe --a---- 145920 bytes [00:00 31/08/2000] [00:00 31/08/2000]
files.pif --a---- 3186 bytes [15:19 10/07/2011] [15:19 10/07/2011]
Fin.dat --a---- 677 bytes [20:32 09/08/2010] [20:32 09/08/2010]
FIND3M.bat --a---- 34183 bytes [18:23 03/07/2011] [18:23 03/07/2011]
firefox.exe --a---- 60416 bytes [04:56 20/04/2009] [04:56 20/04/2009]
FIXLSP.bat --a---- 5926 bytes [18:54 09/06/2011] [18:54 09/06/2011]
FKMGen.cmd --a---- 1088 bytes [15:29 26/06/2011] [15:29 26/06/2011]
GetHive.cmd --a---- 6090 bytes [09:43 03/06/2011] [09:43 03/06/2011]
grep.cfxxe --a---- 80412 bytes [00:00 31/08/2000] [00:00 31/08/2000]
gsar.cfxxe --a---- 15360 bytes [00:00 31/08/2000] [00:00 31/08/2000]
handle.cfxxe --a---- 417136 bytes [05:15 18/11/2008] [05:15 18/11/2008]
HDPEInfo.cfxxe --a---- 15872 bytes [12:11 11/12/2008] [12:11 11/12/2008]
hidec.cfxxe --a---- 1536 bytes [17:54 15/08/2005] [17:54 15/08/2005]
history.bat --a---- 954 bytes [09:25 20/10/2009] [09:25 20/10/2009]
hwid.pif --a---- 74529 bytes [16:44 14/07/2010] [16:44 14/07/2010]
iexplore.exe --a---- 60416 bytes [04:56 20/04/2009] [04:56 20/04/2009]
image001.gif --a---- 1057 bytes [00:00 31/08/2000] [00:00 31/08/2000]
Imefile.dat --a---- 224 bytes [23:07 04/09/2010] [23:07 04/09/2010]
Install-RC.cmd --a---- 8096 bytes [22:06 02/06/2011] [22:06 02/06/2011]
katch.cmd --a---- 1374 bytes [01:49 09/03/2011] [01:49 09/03/2011]
Kill-All.cmd --a---- 1896 bytes [09:43 03/06/2011] [09:43 03/06/2011]
Ksvchost.vbs --a---- 315 bytes [16:52 18/12/2010] [16:52 18/12/2010]
Lang.bat --a---- 250104 bytes [18:38 29/06/2011] [18:38 29/06/2011]
List-B.bat --a---- 20988 bytes [14:57 10/07/2011] [14:57 10/07/2011]
List-C.bat --a---- 251777 bytes [01:13 07/07/2011] [01:13 07/07/2011]
List-D.bat --a---- 112032 bytes [18:55 08/07/2011] [18:55 08/07/2011]
List.bat --a---- 1651360 bytes [15:19 10/07/2011] [15:19 10/07/2011]
lnkread.vbs --a---- 3246 bytes [17:49 15/12/2010] [17:49 15/12/2010]
LocalAppDataFile.cfx --a---- 5851 bytes [15:23 09/07/2011] [15:23 09/07/2011]
LocalAppDataFolder.cfx --a---- 3098 bytes [15:23 09/07/2011] [15:23 09/07/2011]
LocalService.dat --a---- 225 bytes [00:00 31/08/2000] [00:00 31/08/2000]
LocalServiceNetworkRestricted.dat --a---- 91 bytes [00:00 31/08/2000] [00:00 31/08/2000]
LocalSettingsFile.cfx --a---- 2911 bytes [20:11 07/07/2011] [20:11 07/07/2011]
LocalSystemNetworkRestricted.dat --a---- 198 bytes [00:00 31/08/2000] [00:00 31/08/2000]
mbr.cfxxe --a---- 184320 bytes [22:11 24/10/2009] [22:11 24/10/2009]
mbr.chk --a---- 2141 bytes [03:30 29/08/2010] [03:30 29/08/2010]
md5sum.pif --a---- 6630 bytes [15:19 10/07/2011] [15:19 10/07/2011]
md5sum00.pif --a---- 34 bytes [15:19 10/07/2011] [15:19 10/07/2011]
MoveIt.bat --a---- 2856 bytes [20:57 06/05/2011] [20:57 06/05/2011]
mtee.cfxxe --a---- 11264 bytes [00:00 31/08/2000] [00:00 31/08/2000]
mynul.dat --a---- 0 bytes [00:00 31/08/2000] [00:00 31/08/2000]
n.pif --a---- 60416 bytes [04:56 20/04/2009] [04:56 20/04/2009]
ncmd.com --a---- 8523 bytes [07:35 16/02/2011] [07:35 16/02/2011]
ndis_combofix.dat --a---- 283 bytes [08:12 24/12/2009] [08:12 24/12/2009]
ND_.bat --a---- 65283 bytes [15:33 26/06/2011] [15:33 26/06/2011]
ND_64.bat --a---- 17757 bytes [18:52 23/06/2011] [18:52 23/06/2011]
netsvc.bad.dat --a---- 520 bytes [10:21 14/04/2010] [10:21 14/04/2010]
netsvc.dat --a---- 159 bytes [00:00 31/08/2000] [00:00 31/08/2000]
netsvc.vista.dat --a---- 481 bytes [00:00 31/08/2000] [00:00 31/08/2000]
netsvc.xp.dat --a---- 525 bytes [00:00 31/08/2000] [00:00 31/08/2000]
NetworkService.dat --a---- 88 bytes [00:00 31/08/2000] [00:00 31/08/2000]
NirCmd.cfxxe --a---- 60416 bytes [04:56 20/04/2009] [04:56 20/04/2009]
NirCmd.chm --a---- 32317 bytes [00:00 31/08/2000] [00:00 31/08/2000]
NirCmdC.cfxxe --a---- 58880 bytes [04:56 20/04/2009] [04:56 20/04/2009]
NT-OS.cmd --a---- 42910 bytes [15:07 10/07/2011] [15:07 10/07/2011]
OSid.vbs --a---- 977 bytes [00:00 31/08/2000] [00:00 31/08/2000]
P.cmd --a---- 21869 bytes [15:03 10/07/2011] [15:03 10/07/2011]
pausep.cfxxe --a---- 180224 bytes [05:01 29/09/2002] [05:01 29/09/2002]
PersonalFile.cfx --a---- 4047 bytes [08:15 27/06/2011] [08:15 27/06/2011]
PersonalFolder.cfx --a---- 158 bytes [16:46 05/06/2011] [16:46 05/06/2011]
pev.cfxxe --a---- 256000 bytes [06:45 26/06/2011] [06:45 26/06/2011]
pevb.cfxxe --a---- 102400 bytes [01:28 28/01/2011] [01:28 28/01/2011]
Policies.dat --a---- 2992 bytes [19:51 05/07/2009] [19:51 05/07/2009]
powp.dat --a---- 64 bytes [08:57 13/05/2010] [08:57 13/05/2010]
Prep.inf --a---- 3006 bytes [19:09 13/05/2011] [19:09 13/05/2011]
ProfilesFile.cfx --a---- 17037 bytes [15:23 09/07/2011] [15:23 09/07/2011]
ProfilesFolder.cfx --a---- 1195 bytes [18:51 08/07/2011] [18:51 08/07/2011]
ProgramsFile.cfx --a---- 4498 bytes [02:32 07/07/2011] [02:32 07/07/2011]
ProgramsFolder.cfx --a---- 14372 bytes [17:32 08/07/2011] [17:32 08/07/2011]
Purity.dat --a---- 404 bytes [00:00 31/08/2000] [00:00 31/08/2000]
pv.com --a---- 73728 bytes [15:42 02/03/2006] [15:42 02/03/2006]
RCLink.dat --a---- 7478 bytes [00:00 31/08/2000] [00:00 31/08/2000]
REGDACL.sed --a---- 3558 bytes [00:00 31/08/2000] [00:00 31/08/2000]
RegDo.sed --a---- 9203 bytes [00:00 31/08/2000] [00:00 31/08/2000]
region.dat --a---- 1153 bytes [20:03 16/09/2010] [20:03 16/09/2010]
RegScan.cmd --a---- 53833 bytes [15:35 26/06/2011] [15:35 26/06/2011]
RegScan64.cmd --a---- 20178 bytes [16:13 03/05/2011] [16:13 03/05/2011]
restore_pt.vbs --a---- 587 bytes [14:26 01/05/2009] [14:26 01/05/2009]
Rkey.cmd --a---- 442 bytes [21:35 14/11/2009] [21:35 14/11/2009]
rmbr.cfxxe --a---- 208896 bytes [17:20 07/11/2010] [17:20 07/11/2010]
rogues.dat --a---- 820 bytes [00:00 31/08/2000] [00:00 31/08/2000]
run2.sed --a---- 287 bytes [00:00 31/08/2000] [00:00 31/08/2000]
Rust.str --a---- 30 bytes [03:38 10/06/2009] [03:38 10/06/2009]
s0rt.cfxxe --a---- 38400 bytes [16:00 10/11/1999] [16:00 10/11/1999]
safeboot.dat --a---- 329 bytes [00:00 31/08/2000] [00:00 31/08/2000]
safeboot.def.dat --a---- 1464 bytes [18:25 09/06/2009] [18:25 09/06/2009]
safeboot.def.vista.dat --a---- 482 bytes [18:53 26/11/2010] [18:53 26/11/2010]
Safeboot.def.w7.dat --a---- 585 bytes [04:00 18/10/2009] [04:00 18/10/2009]
sed.cfxxe --a---- 98816 bytes [00:00 31/08/2000] [00:00 31/08/2000]
SetEnvmt.bat --a---- 17077 bytes [15:35 26/06/2011] [15:35 26/06/2011]
setpath.cfxxe --a---- 66172 bytes [00:00 31/08/2000] [00:00 31/08/2000]
SnapShot.cmd --a---- 4634 bytes [18:52 23/06/2011] [18:52 23/06/2011]
SRestore.cmd --a---- 2147 bytes [18:52 23/06/2011] [18:52 23/06/2011]
srizbi.md5 --a---- 307957 bytes [14:45 10/07/2011] [14:45 10/07/2011]
StartMenuFile.cfx --a---- 5341 bytes [17:32 08/07/2011] [17:32 08/07/2011]
StartMenuFolder.cfx --a---- 465 bytes [15:16 10/07/2011] [15:16 10/07/2011]
StartUpFile.cfx --a---- 10609 bytes [07:40 10/07/2011] [07:40 10/07/2011]
SuppScan.cmd --a---- 20667 bytes [15:35 26/06/2011] [15:35 26/06/2011]
SvcDrv.vbs --a---- 2176 bytes [00:00 31/08/2000] [00:00 31/08/2000]
svchost.dat --a---- 555 bytes [00:00 31/08/2000] [00:00 31/08/2000]
svchost.vista.dat --a---- 668 bytes [00:00 31/08/2000] [00:00 31/08/2000]
svchost.vista.x64.dat --a---- 749 bytes [05:12 27/11/2010] [05:12 27/11/2010]
svchost.w7.dat --a---- 956 bytes [04:14 18/10/2009] [04:14 18/10/2009]
svchost.w7.x64.dat --a---- 1306 bytes [04:19 27/11/2010] [04:19 27/11/2010]
svc_wht.dat --a---- 11987 bytes [22:42 28/11/2009] [22:42 28/11/2009]
swreg.cfxxe --a---- 518144 bytes [00:00 31/08/2000] [00:00 31/08/2000]
swsc.cfxxe --a---- 406528 bytes [00:00 31/08/2000] [00:00 31/08/2000]
swxcacls.cfxxe --a---- 212480 bytes [00:00 31/08/2000] [00:00 31/08/2000]
system_ini.dat --a---- 276 bytes [00:00 31/08/2000] [00:00 31/08/2000]
tail.cfxxe --a---- 35328 bytes [00:00 10/11/1999] [00:00 10/11/1999]
TemplatesFile.cfx --a---- 6162 bytes [17:35 08/07/2011] [17:35 08/07/2011]
TemplatesFolder.cfx --a---- 90 bytes [12:53 22/02/2011] [12:53 22/02/2011]
toolbar.sed --a---- 633 bytes [05:26 30/10/2009] [05:26 30/10/2009]
Update-CF.cmd --a---- 3945 bytes [18:52 23/06/2011] [18:52 23/06/2011]
VInfo --a---- 3819 bytes [08:40 22/06/2011] [08:40 22/06/2011]
VInfo2 --a---- 15690 bytes [14:45 10/07/2011] [14:45 10/07/2011]
VINFO3 --a---- 557 bytes [08:40 22/06/2011] [08:40 22/06/2011]
Vipev.dat --a---- 308 bytes [15:30 10/05/2010] [15:30 10/05/2010]
vistaMcode.dat --a---- 440 bytes [19:17 26/07/2010] [19:17 26/07/2010]
vistareg.dat --a---- 15802 bytes [14:37 23/05/2011] [14:37 23/05/2011]
vun.dat --a---- 7584 bytes [20:05 20/06/2010] [20:05 20/06/2010]
VwinTemp.dacl --a---- 244 bytes [09:05 31/07/2010] [09:05 31/07/2010]
w2kreg.dat --a---- 40997 bytes [14:37 23/05/2011] [14:37 23/05/2011]
w2k_sock.dll --a---- 90202 bytes [07:34 21/06/2009] [07:34 21/06/2009]
w7Mcode.dat --a---- 440 bytes [20:20 23/07/2010] [20:20 23/07/2010]
w7reg.dat --a---- 15908 bytes [14:37 23/05/2011] [14:37 23/05/2011]
Wmi_rem.vbs --a---- 1127 bytes [19:38 11/12/2010] [19:38 11/12/2010]
w_sock.dll --a---- 98948 bytes [06:45 21/06/2009] [06:45 21/06/2009]
xpmcode.dat --a---- 440 bytes [14:14 22/07/2010] [14:14 22/07/2010]
xpreg.dat --a---- 61815 bytes [14:36 23/05/2011] [14:36 23/05/2011]
XPSBoot.reg --a---- 13090 bytes [10:41 02/02/2010] [10:41 02/02/2010]
zDomain.dat --a---- 23773 bytes [00:00 31/08/2000] [00:00 31/08/2000]
zhsvc.dat --a---- 50019 bytes [14:52 10/07/2011] [14:52 10/07/2011]
zip.cfxxe --a---- 68096 bytes [00:00 31/08/2000] [00:00 31/08/2000]

---Folders---
EN-US d------ [21:18 12/07/2011]
License d------ [21:18 12/07/2011]
N_ d------ [21:18 12/07/2011]

-= EOF =-

#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
Posted 16 July 2011 - 04:11 PM

Good evening. :)

Download Malwarebytes' Anti-Malware from here and save it to your Desktop - unless you already have it, in which case skip to the "updating" bit below.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Ensure a checkmark is placed next to both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware and then click Finish.
  • If an update is found, it will download and install the latest version - you'll need to clear it with your firewall.
  • Once the program has loaded, select Perform full scan and then Scan.
  • When the scan has finished, click OK and then Show Results to view the results - no surprise there!
  • If MBAM finds anything, check the box(es) and click Remove Selected.
  • Please note - Leave unchecked any boxes that have \System Volume Information\ in the filepath. These pose no immediate risk to your PC unless you use System Restore and will be dealt with later.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Let me have the MBAM log, a fresh DDS log AND a description of how your PC is behaving.

So long, and thanks for all the fish.


#15 elocinlynn

  • Topic Starter
  • Members
  • 22 posts
Posted 18 July 2011 - 09:34 AM

Hello :) Here are the results of the MBAM scan. I have had this program for a few years now, and used it quite a few times while trying to fix these issues I've been having. Every time I performed a scan, it would find about 10 infections, clean them, and then they would show up again with the next reboot. Also attached is a fresh DDS. Computer is behaving relatively normally. Slow, especially search engines. Hope you had a nice weekend! Thanks again!

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7180

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/18/2011 10:30:41 AM
mbam-log-2011-07-18 (10-30-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 320533
Time elapsed: 1 hour(s), 43 minute(s), 4 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
c:\WINDOWS\system32\wavemsp32.exe (Trojan.Tracur) -> 760 -> Unloaded process successfully.
c:\WINDOWS\system32\msscb32.exe (Trojan.Tracur) -> 2116 -> Unloaded process successfully.
c:\WINDOWS\system32\mprui32.exe (Trojan.Tracur) -> 2512 -> Unloaded process successfully.
c:\WINDOWS\system32\mqad32.exe (Trojan.Tracur) -> 2680 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc32 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\wavemsp32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msscb32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mprui32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\mqad32.exe (Trojan.Tracur) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a0754029-8d5d-499c-bb8d-1ec98c0ae2b2}\RP1013\A0072150.exe (Trojan.Tracur) -> Not selected for removal.
c:\system volume information\_restore{a0754029-8d5d-499c-bb8d-1ec98c0ae2b2}\RP1013\A0072151.exe (Trojan.Tracur) -> Not selected for removal.
c:\system volume information\_restore{a0754029-8d5d-499c-bb8d-1ec98c0ae2b2}\RP1013\A0072152.exe (Trojan.Tracur) -> Not selected for removal.
c:\system volume information\_restore{a0754029-8d5d-499c-bb8d-1ec98c0ae2b2}\RP1013\A0072153.exe (Trojan.Tracur) -> Not selected for removal.
c:\WINDOWS\system32\020000005f5a4aa21270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005f5a4aa21270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005f5a4aa21270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\020000005f5a4aa21270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Run by Nicole at 10:31:43 on 2011-07-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.430 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Nicole\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusCore.exe
C:\Documents and Settings\Nicole\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusService.exe
C:\Documents and Settings\Nicole\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusService.exe
C:\Documents and Settings\Nicole\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\BrowserPlusService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{97A96B86-DA3B-490E-8935-2DE7A4C6F5D8} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicole\application data\mozilla\firefox\profiles\3nlypp9u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\documents and settings\nicole\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\nicole\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-6-16 18816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-22 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-13 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110715.004\naveng.sys [2011-7-15 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110715.004\navex15.sys [2011-7-15 1542392]
S2 gupdate1c93fa5c13acde0;Google Update Service (gupdate1c93fa5c13acde0);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-11-5 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-13 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5b.tmp --> c:\windows\system32\5B.tmp [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
SUnknown LmHosts32;LmHosts32; [x]
SUnknown TapiSrv32;TapiSrv32; [x]
SUnknown wscsvc32;wscsvc32; [x]
.
=============== Created Last 30 ================
.
2011-07-18 14:31:07 54016 ----a-w- c:\windows\system32\drivers\ogvafy.sys
2011-07-18 02:15:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-11 20:57:39 -------- d-----w- c:\program files\ESET
2011-07-10 22:27:38 -------- d-sha-r- C:\cmdcons
2011-07-10 22:25:28 98816 ----a-w- c:\windows\sed.exe
2011-07-10 22:25:28 518144 ----a-w- c:\windows\SWREG.exe
2011-07-10 22:25:28 256000 ----a-w- c:\windows\PEV.exe
2011-07-10 22:25:28 208896 ----a-w- c:\windows\MBR.exe
2011-06-25 16:39:20 -------- d-----r- c:\documents and settings\nicole\application data\Brother
2011-06-21 20:35:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 20:34:46 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-21 20:34:45 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-13 12:34:02 0 ---ha-w- c:\documents and settings\nicole\mizfuxiobs.tmp
.
============= FINISH: 10:32:25.05 ===============
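Two details in the logs above are worth reading together. The three service keys MBAM removed (LmHosts32, TapiSrv32, wscsvc32) are the names of genuine Windows XP services (LmHosts, TapiSrv, wscsvc) with "32" appended, and the DDS log taken a minute later still lists the same three as SUnknown entries with no file behind them ([x]). The script below is an added example for this page, not part of the thread and not code from Malwarebytes or DDS; it parses lines in the exact format the two tools print (the sample lines are copied from the logs above, with one benign control line added) and flags both patterns, then cross-checks them. KNOWN_XP_SERVICES is a small hand-picked subset used for illustration, not a complete service inventory.

```python
"""Triage helper for MBAM and DDS log lines in the formats shown in this thread.

Added example for this page; it is not part of the thread and not code from
Malwarebytes or DDS. It flags service keys whose name is a genuine Windows
service name with a numeric suffix bolted on (LmHosts32 vs. LmHosts), and DDS
service entries in the 'SUnknown' state with no binary behind them ([x]).
"""
import re

# Assumption: a representative subset of genuine XP service short names (lower-cased),
# not a full inventory.
KNOWN_XP_SERVICES = {
    "lmhosts", "tapisrv", "wscsvc", "spooler", "lanmanserver", "dcomlaunch", "wuauserv",
}

# Constructed sample: the three "Registry Keys Infected" lines from the MBAM log
# above, plus a benign control line that must not be flagged.
MBAM_LINES = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc32 (Trojan.Tracur) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler (control line) -> not an infection
"""

# Constructed sample in the DDS "SERVICES / DRIVERS" format: two healthy entries
# and the three orphaned SUnknown entries from the DDS log above.
DDS_LINES = r"""
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-13 41272]
SUnknown LmHosts32;LmHosts32; [x]
SUnknown TapiSrv32;TapiSrv32; [x]
SUnknown wscsvc32;wscsvc32; [x]
"""

# Service short name at the end of a ...\Services\<name> registry path.
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\s\\]+)\s", re.IGNORECASE)
# <letters><digits>: a candidate look-alike such as LmHosts32.
LOOKALIKE_RE = re.compile(r"^([A-Za-z_]+?)(\d+)$")
# DDS line: <state> <name>;<display>;<image path> [<date size> | x]
DDS_ENTRY_RE = re.compile(
    r"^(?P<state>\S+)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<info>[^\]]*)\]"
)


def lookalike_service_names(mbam_text):
    """Return (found_name, impersonated_name) pairs for MBAM registry-key lines whose
    service name is a known service name plus a numeric suffix."""
    hits = []
    for line in mbam_text.splitlines():
        m = SERVICE_KEY_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        lm = LOOKALIKE_RE.match(name)
        if lm and lm.group(1).lower() in KNOWN_XP_SERVICES:
            hits.append((name, lm.group(1)))
    return hits


def unknown_services_without_binary(dds_text):
    """Return names of DDS service entries in state SUnknown whose image path is
    empty and whose bracket holds only 'x' (key present, no file backing it)."""
    out = []
    for line in dds_text.splitlines():
        m = DDS_ENTRY_RE.match(line)
        if not m:
            continue
        if m.group("state") == "SUnknown" and not m.group("path").strip() and m.group("info") == "x":
            out.append(m.group("name"))
    return out


def correlate(mbam_text, dds_text):
    """Look-alike service keys MBAM reported that DDS still lists as SUnknown with
    no file behind them; worth a second look before declaring the system clean."""
    orphaned = set(unknown_services_without_binary(dds_text))
    return [name for name, _ in lookalike_service_names(mbam_text) if name in orphaned]


if __name__ == "__main__":
    for found, real in lookalike_service_names(MBAM_LINES):
        print(f"look-alike service key: {found} (mimics {real})")
    for name in unknown_services_without_binary(DDS_LINES):
        print(f"SUnknown entry with no binary: {name}")
    print("flagged by both:", correlate(MBAM_LINES, DDS_LINES))
```

Run as-is it reports the three keys under both checks. The cross-check is the useful part for a thread like this one: a key that a scanner says it deleted but that a second tool still sees a minute later is exactly the kind of entry that explains "the same threats show up after a reboot", whatever the cause turns out to be, and is the thing to hand to whoever is driving the cleanup rather than re-running the same scan.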
