
iexplore.exe opens twice


This topic is locked
6 replies to this topic

#1 willtheoct (Members, 4 posts)

Posted 30 July 2011 - 01:42 PM

Right, so I have been inflicted with waves of malware this year, and I'm thinking there's one thing downloading them.

Currently, I've noticed that two instances of iexplore.exe (from the actual IE directory) have been launching, and when I end them, they open up later. I tried deleting the file, but it recreates it. Then I replaced it with a dummy file, but then it gets re-replaced with IE. By the way, the iexplore.exe is not infected; I uploaded it to virustotal.com and it's clean.

And on occasion I do get a "do you wish to navigate away from this page?" popup randomly. Not only that, but Chrome asks me to set it as the default browser every time it starts, so I guess something is setting it back to IE.

I used Process Explorer to see what is launching IE, and it's svchost.exe.

One thing troubling me is that in a DDS log I read, my RunServices registry folder contains one key, which is valued "service.exe". Not services, just service.

I currently have KillBox auto-ending iexplore.exe every time it opens.

Here is my DDS log:

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by user at 10:11:28 on 2011-07-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.236 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: ZoneAlarm Security Suite Antivirus *Enabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: avast! antivirus 4.8.1368 [VPS 110402-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Security Suite Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdxserv.exe
C:\WINDOWS\system32\lxdxcoms.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\USBDLM\USBDLM.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TeamViewer\Version6\TeamViewer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Lexmark 3600-4600 Series\ezprint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\1.3.21.57\GoogleCrashHandler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SetRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LayoutM] KLayMgr.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3600-4600 series\ezprint.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [BtTray] "c:\program files\ivt corporation\bluesoleil\BtTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunServices: [Service App] service.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - c:\program files\mass downloader\massdown.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267150347015
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267150331609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{29525BA3-99F3-4BBA-9E1A-D7E34D8C6C19} : DhcpNameServer = 172.30.11.33 172.30.11.1
TCP: Interfaces\{66E1CA68-D103-4DD2-A3DF-065593485DF5} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\WINDOW scecli
Hosts: 74.208.10.249 gs.apple.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\xe0kd4ue.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newgrounds.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\xe0kd4ue.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\xe0kd4ue.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\xe0kd4ue.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-7 20616]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-6-30 64512]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-13 114768]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2010-12-16 22312]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-1-13 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-13 353680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-13 20560]
R2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2008-8-1 143467]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-8-24 98984]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-5-27 104000]
R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-4-15 2285432]
R2 USBDLM;USBDLM;c:\program files\usbdlm\USBDLM.exe [2008-4-20 156672]
R3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [2009-8-24 434688]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2010-5-21 57440]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [2010-7-4 28160]
R3 MonitorFunction;Driver for Monitor;c:\windows\system32\drivers\TVMonitor.sys [2011-1-12 13304]
S1 face;face;\??\c:\windows\system32\face.sys --> c:\windows\system32\face.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-6 136176]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-1 366640]
S3 apf001;apf001;\??\f:\games\rakionis\bin\apf001.sys --> f:\games\rakionis\bin\apf001.sys [?]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
S3 cpuz135;cpuz135;\??\c:\windows\temp\cpuz135\cpuz135_x32.sys --> c:\windows\temp\cpuz135\cpuz135_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-11-6 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-11-6 8456]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\common files\futuremark shared\futuremark systeminfo\FMSISvc.exe [2011-1-28 129440]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-6 136176]
S3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\drivers\HPKBCCID.sys [2008-5-27 46976]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-5-27 36608]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\d-link xtreme n dual band dwa-160\jswutil\jswpsapi.exe [2010-5-21 356434]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-6-20 15232]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-1 41272]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys --> c:\windows\system32\drivers\netaapl.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2009-9-30 443776]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\drivers\Stc2Dfu.sys [2004-10-25 7796]
S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-13 138680]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-13 352920]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-5-25 1336712]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-6-20 2151640]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\autodesk\3ds max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [2008-3-10 65536]
.
=============== Created Last 30 ================
.
2011-07-28 15:08:12 -------- d-----w- c:\documents and settings\user\local settings\application data\GayMaker 8.1
2011-07-28 15:06:45 -------- d-----w- c:\documents and settings\user\local settings\application data\GameMaker8.1
2011-07-28 15:05:55 -------- d-----w- c:\program files\Game Maker 8.1
2011-07-28 15:05:55 -------- d-----w- c:\documents and settings\user\application data\GameMaker
2011-07-24 20:49:43 -------- d-----w- c:\program files\AmazingMIDI
2011-07-24 20:34:49 -------- d-----w- c:\program files\WIDI 3.3 Pro
2011-07-24 20:24:17 -------- d-----w- c:\documents and settings\user\application data\dream-mp3-to-midi-converter
2011-07-24 20:24:16 -------- d-----w- c:\program files\Dream MP3 to MIDI Converter
2011-07-21 22:20:28 -------- d-----w- c:\program files\Port Forwarding Wizard
2011-07-18 23:54:35 -------- d-----w- c:\program files\AutoHotkey
2011-07-18 23:41:04 -------- d-----w- c:\program files\AC Tool
2011-07-18 19:10:46 -------- d-----w- c:\program files\CamStudio
2011-07-16 23:16:23 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-07-16 23:16:23 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-07-15 19:52:52 -------- d-----w- c:\documents and settings\user\application data\MiK
2011-07-15 19:51:17 -------- d-----w- c:\documents and settings\all users\application data\MiK
2011-07-15 19:51:16 -------- d-----w- c:\program files\ExifPro
2011-07-14 21:36:22 -------- d-----r- c:\program files\Skype
2011-07-11 22:26:44 -------- d-----w- c:\program files\iPod
2011-07-11 17:33:57 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-07-11 16:02:16 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-07-11 12:59:25 -------- d-----w- c:\program files\drahtwerk
2011-07-01 19:42:03 997888 ----a-w- c:\program files\mozilla firefox\SmashAttacks.exe
2011-07-01 19:11:40 -------- d-----w- C:\RiiFS
2011-07-01 16:33:16 1811848 ----a-w- c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
2011-07-01 14:06:11 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2011-07-01 14:06:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 14:06:03 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-01 14:05:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 03:02:11 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-30 20:22:26 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-30 20:09:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-30 20:08:48 -------- d-----w- c:\program files\Lavasoft
2011-06-30 20:06:11 -------- d-----w- c:\documents and settings\user\application data\SUPERAntiSpyware.com
2011-06-30 20:06:11 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-30 20:06:01 -------- d-----w- c:\program files\SUPERAntiSpyware
.
==================== Find3M ====================
.
2011-06-30 00:56:38 54016 ----a-w- c:\windows\system32\drivers\xpgg.sys
2011-06-28 11:33:08 0 ----a-w- c:\windows\Vzebobuzogazi.bin
2011-06-16 11:48:44 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 12:06:08 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06:08 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 10:11:53.46 ===============


My current window becomes inactive whenever IE is launched.
iexplore is taking up 30%+ of my CPU.
If you see two "explorer.exe"s running, that's because KillBox was renamed to that, to bypass the Windows Defender virus which I got 3 times this year.

I've also attached the second DDS log, and a GMER and an HJT (although I guess HJT is unnecessary).

Edited by Noviciate, 30 July 2011 - 03:46 PM.
Removed Code tags



#2 Noviciate (Malware Response Team, 5,277 posts, Location: Numpty HQ)

Posted 30 July 2011 - 03:50 PM

Good evening. :)

Please don't use Code tags when posting as it makes the data more difficult to read.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The golden rule is one firewall and one anti-virus per machine. Your log shows three AVs, so you need to pick your favourite and uninstall the other two. I suggest you stick with ZoneAlarm Security Suite unless it is no longer able to be updated as it saves installing a replacement firewall for now.

Please deal with this before you continue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.
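Two things in this thread are worth turning into a repeatable check: the original poster's observation that the RunServices key holds a bare "service.exe" with no path, and Noviciate's rule that a DDS header listing three AV products is itself a problem. The script below is an added example written for this page; it is not part of the thread, and it is not code from the DDS or ComboFix tools. It reads text in the shape of a DDS log (the sample lines are constructed to match the format of the log posted above, not copied from it), and flags: more than one AV product installed, no firewall reported as enabled, autorun entries under keys other than plain Run, autorun commands that name an executable without a directory (so the log alone cannot tell you which file on the search path actually runs), and BHO/TB entries whose file is missing. The finding names are my own labels.

```python
import re

# Constructed sample in the shape of the DDS log posted in this thread
# (a handful of representative lines, not the full log).
SAMPLE_DDS = """\
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: ZoneAlarm Security Suite Antivirus *Enabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: avast! antivirus 4.8.1368 [VPS 110402-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Security Suite Firewall *Disabled*
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\\program files\\itunes\\iTunesHelper.exe"
mRunServices: [Service App] service.exe
"""

# "AV: <name> *<state>* {guid}" / "FW: <name> *<state>*"
PRODUCT_RE = re.compile(r"^(AV|FW): (.+?) \*([^*]+)\*")
# "uRun: [label] command", "mRunServices: [label] command", etc.
AUTORUN_RE = re.compile(r"^([umd])(Run\w*): \[([^\]]*)\] (.*)$")
# BHO/toolbar entries whose DLL DDS could not find on disk
DANGLING_RE = re.compile(r"^(BHO|TB): .* - No File$")


def parse_security_products(text):
    """AV:/FW: header lines -> dicts with the product's enabled/updated state."""
    products = []
    for line in text.splitlines():
        m = PRODUCT_RE.match(line)
        if not m:
            continue
        kind, name, state = m.groups()
        parts = state.split("/")  # "Enabled/Outdated", or just "Disabled" for FW
        products.append({
            "kind": kind,
            "name": name,
            "enabled": parts[0] == "Enabled",
            "updated": (parts[1] == "Updated") if len(parts) > 1 else None,
        })
    return products


def parse_autoruns(text):
    """Run-key lines -> hive letter (u/m/d), key name, label, command."""
    entries = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            hive, key, label, command = m.groups()
            entries.append({"hive": hive, "key": key, "label": label, "command": command})
    return entries


def executable_of(command):
    """The launched file: the quoted path if quoted, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_unqualified(command):
    """True when the executable is named with no directory at all. Legitimate
    vendor entries do this too (nwiz.exe above), so it is a lead, not a verdict."""
    exe = executable_of(command)
    return "\\" not in exe and "/" not in exe and not exe.startswith("%")


def triage(text):
    """Return (finding, detail) pairs for a human to follow up."""
    findings = []
    products = parse_security_products(text)
    avs = [p for p in products if p["kind"] == "AV"]
    if len(avs) > 1:
        enabled = sum(1 for p in avs if p["enabled"])
        findings.append(("multiple-av", f"{len(avs)} installed, {enabled} enabled"))
    if not any(p["kind"] == "FW" and p["enabled"] for p in products):
        findings.append(("no-active-firewall", "no FW: line reports *Enabled*"))
    for e in parse_autoruns(text):
        where = f"{e['hive']}{e['key']}: [{e['label']}] {e['command']}"
        if e["key"] != "Run":  # RunServices, RunOnce: rarely used by normal software
            findings.append(("uncommon-autorun-key", where))
        if is_unqualified(e["command"]):
            findings.append(("unqualified-path", where))
    for line in text.splitlines():
        if DANGLING_RE.match(line):
            findings.append(("dangling-entry", line))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_DDS):
        print(f"{kind:22} {detail}")
```

Run against the sample it reports one multiple-av finding, one missing firewall, the RunServices key, three unqualified commands (nwiz.exe, RUNDLL32.EXE and service.exe) and two dangling BHO/TB entries. The unqualified-path check deliberately over-reports: a bare name resolves through the search path, which is exactly why "service.exe" in RunServices deserves a look while "nwiz.exe" is a known vendor entry, and only a person can tell the two apart.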

 

 


#3 willtheoct (Topic Starter, Members, 4 posts)

Posted 30 July 2011 - 05:03 PM

Sorry about the code tags.

I have many firewalls/AVs; however, every single one of them is inactive. They don't boot on startup (my choice, except for MBAM, which doesn't work).

On reboot, after the log was created, IE opened on this page automatically:
http://www.facebook.com/directory/people
However, after closing that, both instances of iexplore have disappeared and have not opened for the last 5 minutes. After I typed that, they opened again.

Here is my ComboFix log:

ComboFix 11-07-31.01 - user 30/07/2011 17:26:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.414 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 110402-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: ZoneAlarm Security Suite Antivirus *Enabled/Outdated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL22.tmp
c:\documents and settings\user\Application Data\Adobe\plugs
c:\documents and settings\user\Application Data\Adobe\shed
c:\documents and settings\user\Application Data\facemoods.com
c:\documents and settings\user\Application Data\Microsoft\engine_vx.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@123bounce[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@38419.123bounce[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@5secondfilms[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@64.111.211[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@66.230.138[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.36[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[10].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[11].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[5].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[6].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[7].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[8].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@67.201.62[9].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@a1.interclick[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@abmr[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@aboutads[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@acuityplatform[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ad.yieldmanager[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ad.yieldmanager[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adadvisor[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adbrite[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@addthis[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@addthis[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adinterax[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@admarketplace[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@admonkey.dapper[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adnxs[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adnxs[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adnxs[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adnxs[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ads.lzjl[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ads.pgatour[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ads.pointroll[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adserver.adtechus[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adserving.ezanga[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adserving.localpages[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adsrvr[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@advertise[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@advertising.newsweekshowcase[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@advertising.yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@adxpose[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@afy11[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@agkn[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@amazon-cornerstone[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@amazon[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@apex-ad[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@api.access.openroadmedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@apmebf[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@artform[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@associatedcontent.112.2o7[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@associatedcontent[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@atdmt.combing[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@atdmt[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@au.vizisense[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@audienceiq[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@aux[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@barnesandnoble[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@barnesandnoble[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bellcan.adbureau[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bellcan.adbureau[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bidsystem[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bidsystem[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@biketree[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bing[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bite[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bite[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@blekko[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@blip[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bluekai[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bnmla[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bonappetit[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@break[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bridge2.admarketplace[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@brightdeal[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@brilig[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@bs.serving-sys[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@btrll[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@burstnet[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@c.live[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@c.live[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@c.msn[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@c.msn[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ca.yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@canpages[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@canpages[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@casalemedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@cdn.jemamedia[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@cdn.simtel[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@chango[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ck.ads.affinity[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@clicksor[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@clkads[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@clkads[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@cnet[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@cnfg.facemoods[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@com[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@content.yieldmanager[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@content.yieldmanager[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@content.yieldmanager[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@content.yieldmanager[5].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@contextweb[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@contributor.yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@cpvtgt[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@craigslist[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@crosspixel.demdex[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@crwdcntrl[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@d.gossipcenter[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@dailyxy[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@demdex[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@derdritte.soup[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@deviantart[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@disqus[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@dmtry[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@domdex[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@doubleclick[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@download.cnet[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@everesttech[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@everesttech[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@exelator[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@eyereturn[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@eyereturn[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@eyereturn[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@eyereturn[5].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@facebook[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@flickr[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@funnyjunk[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@fwmrm[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gettyimages[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gettyimages[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gettyimages[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gettyimages[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gg.adocean[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gizmodo[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@glam[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@glassbox[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@go[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gokartss.weebly[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@google.com[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@google[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@google[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@gossipcenter[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@health[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@help.yahoo[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@hit.gemius[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@i-funbox[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@i-funbox[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ih8sn0w[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ih8sn0w[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@imageshack[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@imageshack[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@imrworldwide[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@indieclick[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@indieclick[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@info.break[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@interclick[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@invitemedia[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@invitemedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@invitemedia[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@keithwhite[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@kyon[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@launcher.softnyx[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@live[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@live[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@liveperson[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@liveperson[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@log.optimizely[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@lolsnaps[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@lucidmedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@marinsm[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mathtag[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mathtag[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@media.wholesite[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@media6degrees[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@media6degrees[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mediabrandsww[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mediaplex[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@meebo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@messenger.msn[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@metacafe[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@microsoft[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@microsoft[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mm.chitika[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mmismm[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mookie1[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@msn[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@msn[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@mygeek[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@myroitracking[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@myspace[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@newsweek[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@newsweekshowcase[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@nexac[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@nmwrdr[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@nytimes[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@omg.yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@onlinestores.metaservices.microsoft[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@onlinestores.metaservices.microsoft[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@openroadmedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@openx[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@optimize.indieclick[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@optimize.indieclick[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@outbrain[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@p-td[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pandonetworks[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pda.mv.bidsystem[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pgatour[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pixel.rubiconproject[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@player.vimeo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pointroll[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pro-market[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@pubmatic[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@quantserve[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@quantserve[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@quantserve[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@questionmarket[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@questionmarket[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rad.microsoft[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@realmedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@relestar[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rescuehumor[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@revsci[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rightmedia[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rightmediablog[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@roosterteeth[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rtst.122.2o7[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rubiconproject[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@rudefinder[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@runesofmagic[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@sales.liveperson[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@scorecardresearch[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@scorecardresearch[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@scorecardresearch[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@scotiabank[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.happythat[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.localseeks[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.mooaroo[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.orsmile[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.plentyseek[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.primoseek[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.search-galaxy[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.search-hero[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.seekslocal[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@search.wantsthat[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@seg.sharethis[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@servedby.adxpower[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@serving-sys[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@sharethis[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@simpli[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@skimresources[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@skype[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@sports.yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@start.facemoods[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@static.addtoany[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@statse.webtrendslive[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@suitesmart[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@surveystopweb[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tag.admeld[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tidaltv[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tlbron.facemoods[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tocforme[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@toromagazine[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@traileraddict[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@travelanyways[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@travelanyways[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tribalfusion[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tribalfusion[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tubemogul[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@turn[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@turn[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@turn[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tweetmeme[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@twitter[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@tynt[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@unlimitedtelevision.weebly[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@upliftsearch[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@us.runesofmagic[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@vidmax[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@voicefive[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@w55c[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@w55c[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@w55c[4].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@weebly[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@windowsmarketplace[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@windowsmarketplace[3].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@winzip[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@wpni.112.2o7[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@wtp101[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.answered-questions[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.associatedcontent[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.atom[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.blueseek[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.break[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.brightdeal[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.burstnet[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.dailymotion[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.dailyxy[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.dsnextgen[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.endless[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.expandsearchanswers[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.extremely-sharp[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.filestube[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.gossipcenter[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.health[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.iab[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.kiwicollection[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.makemymood[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.metacafe[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.microsoft[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.newsweek[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.pickuplinegen[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.pixeltrack66[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.primosearch[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.rightmediablog[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.rules4men[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.soup[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.stringsavvy[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.toromagazine[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.traileraddict[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.yahoo[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@www.yourtango[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@xml.happytofind[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@xml.prostreammedia[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@yahoo[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@yahoo[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@yieldmanager[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@yourtango[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@youtube[1].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@ypintelligence[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@zerocashdownloan[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@zune[2].txt
c:\documents and settings\user\Local Settings\Temporary Internet Files\user@zune[3].txt
c:\documents and settings\user\WINDOWS
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\documents and settings\user\Local Settings\Temporary Internet Files\index.dat . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-30 )))))))))))))))))))))))))))))))
.
.
2011-07-30 18:04 . 2011-07-30 19:06 -------- d-----w- C:\Hotspot Shield
2011-07-28 15:08 . 2011-07-28 15:08 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\GayMaker 8.1
2011-07-28 15:06 . 2011-07-28 15:06 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\GameMaker8.1
2011-07-28 15:05 . 2011-07-28 15:06 -------- d-----w- c:\documents and settings\user\Application Data\GameMaker
2011-07-28 15:05 . 2011-07-28 15:05 -------- d-----w- c:\program files\Game Maker 8.1
2011-07-24 20:49 . 2011-07-24 20:56 -------- d-----w- c:\program files\AmazingMIDI
2011-07-24 20:35 . 2011-07-24 20:35 -------- d-----w- c:\documents and settings\user\Application Data\Music Recognition
2011-07-24 20:34 . 2011-07-24 20:34 -------- d-----w- c:\program files\WIDI 3.3 Pro
2011-07-24 20:24 . 2011-07-24 20:24 -------- d-----w- c:\documents and settings\user\Application Data\dream-mp3-to-midi-converter
2011-07-24 20:24 . 2011-07-24 20:24 -------- d-----w- c:\program files\Dream MP3 to MIDI Converter
2011-07-21 22:20 . 2011-07-21 22:20 -------- d-----w- c:\program files\Port Forwarding Wizard
2011-07-18 23:54 . 2011-07-18 23:54 -------- d-----w- c:\program files\AutoHotkey
2011-07-18 23:41 . 2011-07-18 23:42 -------- d-----w- c:\program files\AC Tool
2011-07-18 19:10 . 2011-07-18 19:32 -------- d-----w- c:\program files\CamStudio
2011-07-16 23:16 . 2011-06-22 20:13 10915840 ----a-w- c:\windows\system32\libmfxhw32.dll
2011-07-16 23:16 . 2011-06-22 20:13 10833920 ----a-w- c:\windows\system32\libmfxsw32.dll
2011-07-15 19:52 . 2011-07-15 19:52 -------- d-----w- c:\documents and settings\user\Application Data\MiK
2011-07-15 19:51 . 2011-07-15 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MiK
2011-07-15 19:51 . 2011-07-15 19:52 -------- d-----w- c:\program files\ExifPro
2011-07-14 21:37 . 2011-07-16 19:45 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2011-07-01 19:11 . 2011-07-08 22:30 -------- d-----w- C:\RiiFS
2011-07-01 16:33 . 2011-07-01 16:33 1811848 ----a-w- c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
2011-07-01 14:06 . 2011-07-01 14:06 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2011-07-01 14:06 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-01 14:06 . 2011-07-01 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-01 14:05 . 2011-07-29 06:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-01 03:02 . 2011-06-30 20:22 16432 ----a-w- c:\windows\system32\lsdelete.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-30 20:22 . 2011-06-30 20:22 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-30 00:56 . 2011-06-30 00:56 54016 ----a-w- c:\windows\system32\drivers\xpgg.sys
2011-06-20 14:31 . 2011-06-30 20:09 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-06-16 11:48 . 2011-05-18 13:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 12:06 . 2011-04-24 01:51 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 12:06 . 2011-04-24 01:51 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-02 15:31 . 2008-05-27 13:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 04:17 . 2011-06-30 04:59 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 13:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-07-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-07-01 118784]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-07 137752]
"LayoutM"="KLayMgr.exe" [2004-08-26 45056]
"nwiz"="nwiz.exe" [2007-07-21 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-21 8466432]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]
"EzPrint"="c:\program files\Lexmark 3600-4600 Series\ezprint.exe" [2008-06-13 107176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2008-08-04 226816]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^zipwcd32.exe]
path=c:\documents and settings\user\Start Menu\Programs\Startup\zipwcd32.exe
backup=c:\windows\pss\zipwcd32.exeStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
2009-11-24 22:51 81000 ----a-w- c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link D-Link Xtreme N Dual Band DWA-160]
2008-07-11 19:19 1679360 ------w- c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\AirNCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-05-25 21:29 1951112 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-06 23:52 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 02:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ohukeli]
2008-04-14 00:12 274432 ----a-w- c:\windows\icoyawev.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ServUTrayIcon]
2011-05-03 13:11 580384 ----a-w- c:\program files\RhinoSoft.com\Serv-U\Serv-U-Tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McAfeeFramework"=2 (0x2)
"mi-raysat_3dsMax2009_32"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Hamachi2Svc"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2009\\3dsmax.exe"=
"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdxcoms.exe"=
"c:\\WINDOWS\\system32\\lxdxcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxtime.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdxwbgw.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\ezprint.exe"=
"c:\\Program Files\\Lexmark 3600-4600 Series\\lxdxlscn.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TightVNC\\vncviewer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold Crusader\\Stronghold Crusader.exe"=
"c:\\Documents and Settings\\user\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\RhinoSoft.com\\Serv-U\\Serv-U.exe"=
"c:\\RiiFS\\riifs.exe"=
"c:\\Program Files\\drahtwerk\\iWebcamera\\iWebcameraApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\user\\Desktop\\XW\\Server\\Server.exe"=
"c:\\Program Files\\Port Forwarding Wizard\\bin\\Port Forwarding Wizard.exe"=
"c:\\Program Files\\Simple Port Forwarding\\spf.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56187:TCP"= 56187:TCP:Pando Media Booster
"56187:UDP"= 56187:UDP:Pando Media Booster
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"58642:TCP"= 58642:TCP:Pando Media Booster
"58642:UDP"= 58642:UDP:Pando Media Booster
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [07/01/2009 11:39 PM 20616]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [30/06/2011 4:09 PM 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/11/2009 11:27 AM 691696]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13/11/2009 5:00 PM 114768]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [16/12/2010 6:11 PM 22312]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 2:41 PM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13/11/2009 5:00 PM 20560]
R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [01/08/2008 3:55 PM 143467]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
R2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [24/08/2009 9:41 PM 98984]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [15/04/2011 6:08 AM 2285432]
R2 USBDLM;USBDLM;c:\program files\USBDLM\USBDLM.exe [20/04/2008 7:43 PM 156672]
R3 arusb(Atheros);Atheros Wireless Network Adapter Service(Atheros);c:\windows\system32\drivers\arusb.sys [24/08/2009 2:59 PM 434688]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [02/07/2008 2:58 PM 26248]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [21/05/2010 10:31 PM 57440]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.2;c:\windows\system32\drivers\libusb0.sys [04/07/2010 5:00 PM 28160]
R3 MonitorFunction;Driver for Monitor;c:\windows\system32\drivers\TVMonitor.sys [12/01/2011 5:42 AM 13304]
S1 face;face;\??\c:\windows\system32\face.sys --> c:\windows\system32\face.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/06/2010 10:18 AM 136176]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [01/07/2011 10:06 AM 366640]
S3 apf001;apf001;\??\f:\games\RakionIS\Bin\apf001.sys --> f:\games\RakionIS\Bin\apf001.sys [?]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [07/12/2008 12:44 PM 30088]
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [06/11/2010 10:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [06/11/2010 10:18 PM 8456]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [28/01/2011 8:54 PM 129440]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/06/2010 10:18 AM 136176]
S3 HPKBCCID;HP Keyboard Smart Card Driver;c:\windows\system32\drivers\HPKBCCID.sys [27/05/2008 10:38 AM 46976]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [27/05/2008 10:27 AM 36608]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\D-Link Xtreme N Dual Band DWA-160\JSWUtil\jswpsapi.exe [21/05/2010 10:31 PM 356434]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [20/06/2011 10:31 AM 15232]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [01/07/2011 10:06 AM 41272]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys --> c:\windows\system32\DRIVERS\netaapl.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 4:22 PM 34064]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [30/09/2009 9:46 PM 443776]
S3 STC2DFU;STCII DFU Adapter;c:\windows\system32\drivers\Stc2Dfu.sys [25/10/2004 12:04 AM 7796]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 2:16 PM 753504]
S4 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [25/05/2011 5:29 PM 1336712]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [20/06/2011 10:31 AM 2151640]
S4 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [10/03/2008 1:04 AM 65536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 11:19]
.
2011-07-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-06 14:18]
.
2011-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-06 14:18]
.
2011-07-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1538417202-3725260815-359561344-1004Core.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 16:45]
.
2011-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1538417202-3725260815-359561344-1004UA.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 16:45]
.
2010-05-25 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-05-25 03:35]
.
2010-05-25 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-05-25 03:35]
.
2011-07-24 c:\windows\Tasks\switchSevenDays.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-07-24 20:50]
.
2011-07-27 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2011-07-24 20:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\xe0kd4ue.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.newgrounds.com/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-arhxhdek - c:\documents and settings\user\Local Settings\Application Data\evrihf\bgoksftav.exe
MSConfigStartUp-Bandook - C:\anything.exe
MSConfigStartUp-broxoawe - c:\documents and settings\user\Local Settings\Application Data\wjhrgx\bxkmsftav.exe
MSConfigStartUp-conhost - c:\documents and settings\user\Application Data\Microsoft\conhost.exe
MSConfigStartUp-D-Link AirPlus G - c:\program files\D-Link\AirPlus G\AirGCFG.exe
MSConfigStartUp-facemoods - c:\program files\facemoods.com\facemoods\1.4.17.3\facemoodssrv.exe
MSConfigStartUp-Mxegecofe - c:\windows\kbgkbns.dll
MSConfigStartUp-rqXVbWdmgcT - c:\documents and settings\All Users\Application Data\rqXVbWdmgcT.exe
MSConfigStartUp-Security essentials 2010 - c:\program files\Securityessentials2010\SE2010.exe
MSConfigStartUp-Service App - service.exe
MSConfigStartUp-smss32 - c:\windows\system32\smss32.exe
MSConfigStartUp-Spyware Protection - c:\documents and settings\user\Application Data\defender.exe
MSConfigStartUp-Steam - c:\program files\steam\steam.exe
AddRemove-FINAL FANTASY VIII - c:\program files\Eidos Interactive\Square Soft
AddRemove-Game Maker - c:\winnt\uninst.exe
AddRemove-Halo - g:\microsoft games\Halo\UNINSTAL.EXE
AddRemove-Halo CE - g:\microsoft games\HCE\Uninstal.exe
AddRemove-Halo Trial - g:\microsoft games\Halo Trial\UNINSTAL.EXE
AddRemove-HijackThis - c:\documents and settings\user\Desktop\HijackThis.exe
AddRemove-Portal - g:\games\Portalbckup\uninstall.exe
AddRemove-Postal 2_is1 - g:\games\Portal 2\unins000.exe
AddRemove-Rakion International_is1 - f:\games\RakionIS\unins000.exe
AddRemove-Steam App 4000 - g:\games\Steam\steam.exe
AddRemove-{A2F166A0-F031-4E27-A057-C69733219434}_is1 - f:\games\Runes of Magic\unins000.exe
AddRemove-{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA} - c:\documents and settings\user\Local Settings\Application Data\{17A03471-20EB-4604-8E72-66EF7398750D}\setup_blazemp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-30 17:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\iqouqsrtnxwbvfw]
"imagepath"="\??\c:\windows\TEMP\1D.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1538417202-3725260815-359561344-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1538417202-3725260815-359561344-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1AB660A9-52D7-F930-895C-C53481A15CEA}*]
"haacnjoahkmgfhnm"=hex:6a,61,6b,63,69,6f,6e,69,70,66,66,6b,63,67,61,62,6a,6a,
69,65,00,01
"iaobanibhciphlgala"=hex:6a,61,6b,63,69,6f,6e,69,70,66,66,6b,63,67,61,62,6a,6a,
69,65,00,8b
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1536)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\BsMobileSDK.dll
c:\windows\system32\BsLangInDepRes.dll
c:\windows\system32\Bs2Res.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\SCardSvr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\crypserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdxcoms.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\TeamViewer\Version6\TeamViewer.exe
c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-07-30 17:55:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-30 21:55
.
Pre-Run: 14,104,223,744 bytes free
Post-Run: 14,767,517,696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 0D5146D4263E1DE46241FEB6707F936B

#4 Noviciate (Malware Response Team)

Posted 30 July 2011 - 05:38 PM

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#5 willtheoct (Topic Starter)

Posted 30 July 2011 - 06:52 PM

So I have Alureon... undetectable by any of my AVs.

I don't like messing around with anything involving the MBR, so, should I click Fix MBR? I'll wait for you to give me the go.

Here is my aswMBR log:

aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-07-30 18:59:11
-----------------------------
18:59:11.390 OS Version: Windows 5.1.2600 Service Pack 3
18:59:11.390 Number of processors: 2 586 0x403
18:59:11.390 ComputerName: WILLIAM UserName: user
18:59:12.750 Initialize success
19:04:23.078 AVAST engine defs: 11073001
19:04:38.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:04:38.375 Disk 0 Vendor: HDS728080PLA380______________40Y9028LEN PF2OA65A Size: 76324MB BusType: 3
19:04:40.406 Disk 0 MBR read successfully
19:04:40.406 Disk 0 MBR scan
19:04:40.484 Disk 0 Windows VISTA default MBR code
19:04:40.484 Disk 0 scanning sectors +156309504
19:04:40.562 Disk 0 scanning C:\WINDOWS\system32\drivers
19:04:59.046 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
19:05:00.062 Service scanning
19:05:00.953 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:05:00.984 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
19:05:00.984 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
19:05:01.515 Modules scanning
19:05:02.390 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
19:05:10.843 Disk 0 trace - called modules:
19:05:10.859 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8726a1ed]<<
19:05:10.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87306ab8]
19:05:10.859 3 CLASSPNP.SYS[f7554fd7] -> nt!IofCallDriver -> \Device\00000099[0x872acf18]
19:05:10.859 5 ACPI.sys[f73c0620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87337d98]
19:05:10.859 \Driver\atapi[0x87302030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8726a1ed
19:05:11.812 AVAST engine scan C:\WINDOWS
19:05:13.859 File: C:\WINDOWS\icoyawev.dll **INFECTED** Win32:MalOb-GL [Cryp]
19:05:24.171 AVAST engine scan C:\WINDOWS\system32
19:08:12.109 AVAST engine scan C:\WINDOWS\system32\drivers
19:08:34.359 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
19:08:37.000 AVAST engine scan C:\Documents and Settings\user
19:23:52.906 File: C:\Documents and Settings\user\Desktop\Stuff\NWC\bn135\Bandook v1.35.exe **INFECTED** Win32:Nuclear-AL [Trj]
19:23:53.000 File: C:\Documents and Settings\user\Desktop\Stuff\NWC\bn135\bandook.exe **INFECTED** Win32:Crypt-CFI [Trj]
19:23:54.734 File: C:\Documents and Settings\user\Desktop\Stuff\NWC\nuclearRAT\client.exe **INFECTED** Win32:Nuclear-AP [Trj]
19:23:54.921 File: C:\Documents and Settings\user\Desktop\Stuff\NWC\nuclearRAT\NuRAT.exe **INFECTED** Win32:Nuclear-AP [Trj]
19:45:37.687 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
19:45:37.828 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


aswMBR version 0.9.8.978 Copyright© 2011 AVAST Software
Run date: 2011-07-30 19:47:40
-----------------------------
19:47:40.265 OS Version: Windows 5.1.2600 Service Pack 3
19:47:40.265 Number of processors: 2 586 0x403
19:47:40.265 ComputerName: WILLIAM UserName: user
19:47:41.718 Initialize success
19:47:50.812 AVAST engine defs: 11073001
19:47:54.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:47:54.421 Disk 0 Vendor: HDS728080PLA380______________40Y9028LEN PF2OA65A Size: 76324MB BusType: 3
19:47:56.468 Disk 0 MBR read successfully
19:47:56.468 Disk 0 MBR scan
19:47:56.500 Disk 0 Windows VISTA default MBR code
19:47:56.515 Disk 0 scanning sectors +156309504
19:47:56.718 Disk 0 scanning C:\WINDOWS\system32\drivers
19:48:50.718 File: C:\WINDOWS\system32\drivers\volsnap.sys **INFECTED** Win32:Alureon-PS
19:48:54.203 Service scanning
19:48:55.203 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
19:48:55.234 Service VolSnap C:\WINDOWS\System32\Drivers\VolSnap.sys **LOCKED** 32
19:48:55.234 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
19:48:55.781 Modules scanning
19:49:00.718 Module: C:\WINDOWS\System32\Drivers\VolSnap.sys **SUSPICIOUS**
19:49:38.656 Disk 0 trace - called modules:
19:49:38.687 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8726a1ed]<<
19:49:38.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87306ab8]
19:49:38.703 3 CLASSPNP.SYS[f7554fd7] -> nt!IofCallDriver -> \Device\00000099[0x872acf18]
19:49:38.703 5 ACPI.sys[f73c0620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87337d98]
19:49:38.703 \Driver\atapi[0x87302030] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8726a1ed
19:49:38.703 Scan finished successfully
19:49:46.000 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
19:49:46.000 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

#6 willtheoct (Topic Starter)

Posted 31 July 2011 - 08:04 AM

Quick update: it has corrupted my printer driver, and opened MS Outlook. I clicked "fix MBR" anyway but that's not the problem I guess. I downloaded a couple of other tools, which didn't fix anything.

I can easily replace the "volsnap.sys" file with killbox, but I can't find a clean one on the net, and I'm guessing all my system restore backups of it are infected too. I also don't have a WinXP install disk.

I don't know if it's just a matter of replacing that one file, but if it is, where can I find it?

UPDATE: did more research, ran TDSSkiller, then scanned again with all those tools. It seems to be fixed (no more symptoms), but just in case, I've uploaded several logs to this post.

Edited by willtheoct, 31 July 2011 - 10:22 AM.


#7 Noviciate (Malware Response Team)

Posted 31 July 2011 - 02:38 PM

Good evening. :)

If you've fixed it, and I guess no symptoms means you have, you're done.

So long, and thanks for all the fish.