
Limited or no connectivity. Can't renew IP address.


  • This topic is locked
16 replies to this topic

#1 firemantcook

  • Members
  • 47 posts

Posted 24 December 2011 - 10:57 PM

Hello,

Not sure what happened, but I had some pop-ups on my computer and afterwards I could not connect to the internet. I noticed that my IP address had nothing in it, and when I tried to renew it I couldn't. I'm having to post all this from a different computer since I can't get on the one that is infected.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25
Run by Tim at 14:34:25 on 2011-12-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2221 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
E:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
E:\Program Files\Microsoft Security Essentials\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
E:\WINDOWS\system32\spoolsv.exe
C:\Pensoft\KeyBtn.Exe
svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\WINDOWS\system32\atwtusb.exe
E:\Program Files\Lexmark Z2400 Series\lxdqMsdMon.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft Security Essentials\msseces.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\DivX\DivX Update\DivXUpdate.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\Documents and Settings\Tim\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\lxdqcoms.exe
E:\Program Files\Common Files\Motive\McciCMService.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\tcpsvcs.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - e:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - e:\program files\divx\divx plus web player\npdivx32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\program files\lexmark toolbar\toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] e:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SansaDispatch] e:\documents and settings\tim\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [HP Software Update] e:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "e:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [atwtusb] atwtusb.exe beta
mRun: [lxdqmon.exe] "e:\program files\lexmark z2400 series\lxdqmon.exe"
mRun: [lxdqamon] "e:\program files\lexmark z2400 series\lxdqamon.exe"
mRun: [AdobeCS4ServiceManager] "e:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "e:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "e:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [DivXUpdate] "e:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] e:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RIMBBLaunchAgent.exe] e:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "e:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "e:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: e:\docume~1\tim\startm~1\programs\startup\adobeg~1.lnk - e:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - e:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Append to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - e:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://gardner-webb.webex.com/client/T26L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{5A0C1996-DDE0-429B-97AD-B2C68264C3E3} : DhcpNameServer = 192.168.1.254
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll
Notify: MsMsgSrv - MsMsgSrv.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\tim\application data\mozilla\firefox\profiles\35wvkxg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;e:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 Iprip;RIP Listener;e:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 lxdq_device;lxdq_device;e:\windows\system32\lxdqcoms.exe -service --> e:\windows\system32\lxdqcoms.exe -service [?]
S1 aiptektp;HyperPen;e:\windows\system32\drivers\aiptektp.sys [2009-6-3 22272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-1-10 133104]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;e:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [2009-7-13 98984]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;e:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2010-1-10 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;e:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-24 18:15:29 -------- d-----w- e:\documents and settings\tim\application data\LG Electronics
2011-12-24 18:11:00 40960 ----a-r- e:\documents and settings\tim\application data\microsoft\installer\{529a2355-efb9-4800-8655-aa319d3535a4}\ARPPRODUCTICON.exe
2011-12-24 18:10:56 -------- d-----w- e:\program files\LG Outlook Sync
2011-12-24 18:10:28 24960 ----a-w- e:\windows\system32\drivers\lgusbmodem.sys
2011-12-24 18:10:28 13056 ----a-w- e:\windows\system32\drivers\lgusbbus.sys
2011-12-24 18:10:28 -------- d-----w- e:\program files\LG Electronics
2011-12-23 21:42:47 56200 ----a-w- e:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddd0cc97-7631-43a3-b416-a8c2d07b54db}\offreg.dll
2011-12-23 01:59:07 -------- d-----w- e:\program files\iPod
2011-12-23 01:53:29 -------- d-----w- e:\program files\Bonjour
2011-12-23 01:18:12 -------- d-s---w- E:\ComboFix
2011-12-22 23:55:26 98816 ----a-w- e:\windows\sed.exe
2011-12-22 23:55:26 518144 ----a-w- e:\windows\SWREG.exe
2011-12-22 23:55:26 256000 ----a-w- e:\windows\PEV.exe
2011-12-22 23:55:26 208896 ----a-w- e:\windows\MBR.exe
2011-12-22 22:55:31 -------- d-----w- e:\windows\system32\wbem\repository\FS
2011-12-22 22:55:31 -------- d-----w- e:\windows\system32\wbem\Repository
2011-12-22 03:33:50 -------- d-----w- e:\program files\iPod(2)
2011-12-22 03:27:21 -------- d-----w- e:\program files\Bonjour(2)
2011-12-21 19:07:35 6823496 ----a-w- e:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddd0cc97-7631-43a3-b416-a8c2d07b54db}\mpengine.dll
2011-12-21 19:06:45 -------- d-----w- E:\0c69fae82c38cca9fdba2c18d1
2011-12-20 04:44:58 -------- d-----w- E:\a33ce7cb9ec3cbd6e233bfb9
2011-12-02 03:12:57 -------- d-----w- e:\program files\ASFTOAVI
2011-12-02 03:01:47 11137024 ----a-w- e:\windows\system32\libmfxsw32.dll
2011-12-02 01:44:10 77824 ----a-w- e:\windows\system32\xvid.ax
2011-12-02 01:44:10 761856 ----a-w- e:\windows\system32\xvidcore.dll
2011-12-02 01:44:10 413760 ----a-w- e:\windows\system32\MPG4c32.dll
2011-12-02 01:44:10 135168 ----a-w- e:\windows\system32\xvidvfw.dll
2011-12-02 01:44:08 -------- d-----w- e:\program files\SourceTec
2011-12-02 01:26:04 1700352 ----a-w- e:\windows\system32\GdiPlus.dll
2011-11-30 06:35:06 -------- d-----w- e:\documents and settings\all users\application data\6157
2011-11-25 02:12:11 -------- d-----w- e:\documents and settings\tim\local settings\application data\BearShare
2011-11-25 02:11:40 -------- d-----w- e:\program files\BearShare Applications
2011-11-25 02:11:40 -------- d-----w- e:\documents and settings\all users\application data\BearShare
2011-11-25 02:09:55 -------- dc-h--w- e:\documents and settings\all users\application data\{0B944FF9-D61F-4D53-99D1-CBD889A971D0}
2011-11-25 02:09:27 -------- d-----w- e:\documents and settings\tim\local settings\application data\PackageAware
.
==================== Find3M ====================
.
2011-12-22 01:00:10 162816 ----a-w- e:\windows\system32\drivers\netbt.sys
2011-10-15 02:29:27 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 14:35:11.81 ===============
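The "SERVICES / DRIVERS" block in the DDS log above is terse, so here is a small parser, added to this thread as an example (it is not part of DDS, ComboFix or any post here), that turns those lines into records and lists the entries a responder would look at first: the ones DDS printed with "[?]" instead of a file date and size, and the running boot/system-start drivers. The sample input is the service lines copied from the log above; the meaning assigned to the R/S letter (running/stopped) and to the start-type digit is this example's assumption about the DDS convention, not something the thread states.

```python
"""Parser for the 'SERVICES / DRIVERS' lines that DDS prints.

Example added for this thread; not part of DDS or of the posts above.

Line shape, as seen in the log:
    <state><start> <name>;<display>;<image path> [<date> <size>]
Assumed convention: state R = running, S = stopped; the digit is the
Windows service start type (0 boot, 1 system, 2 automatic, 3 manual,
4 disabled).  When DDS could not read the image file it prints '[?]'
instead of the date and size.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    file_date: Optional[str]   # None when DDS printed '?'
    file_size: Optional[int]   # None when DDS printed '?'

    @property
    def unverified(self) -> bool:
        """True when DDS could not read the date/size of the image file."""
        return self.file_date is None


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service line; return None for lines of another shape."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").strip()
    if meta == "?":
        date, size = None, None
    else:
        date, size_str = meta.rsplit(" ", 1)
        size = int(size_str)
    path = m.group("path")
    # DDS writes 'original --> resolved' when the image path carried
    # arguments; keep the resolved (right-hand) form for triage.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=START_TYPES[int(m.group("start"))],
        name=m.group("name"),
        display=m.group("display"),
        path=path,
        file_date=date,
        file_size=size,
    )


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every service line in a block of DDS output, skipping the rest."""
    return [e for e in (parse_service_line(l) for l in text.splitlines()) if e]


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Names worth a first manual look: unverified images and running
    drivers that start at boot or system time."""
    unverified = [e.name for e in entries if e.unverified]
    early = [e.name for e in entries
             if e.running and e.start_type in ("boot", "system")]
    return {"unverified": unverified, "running_early_start": early}


# Sample input: service lines copied from the DDS log in this thread.
SAMPLE = r"""
R1 MpFilter;Microsoft Malware Protection Driver;e:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R2 Iprip;RIP Listener;e:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 lxdq_device;lxdq_device;e:\windows\system32\lxdqcoms.exe -service --> e:\windows\system32\lxdqcoms.exe -service [?]
S1 aiptektp;HyperPen;e:\windows\system32\drivers\aiptektp.sys [2009-6-3 22272]
S3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
"""

if __name__ == "__main__":
    parsed = parse_services(SAMPLE)
    for e in parsed:
        flag = " (unverified)" if e.unverified else ""
        state = "running" if e.running else "stopped"
        print(f"{state:7} {e.start_type:9} {e.name:12} {e.path}{flag}")
    print(triage(parsed))
```

The "[?]" flag is only a prompt for a closer look (here it is the Lexmark printer service whose image path carries an argument), not a verdict; the value of the parser is that it makes those entries easy to pick out of a log with dozens of lines.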



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 December 2011 - 08:34 PM

Hi,

I see ComboFix was run earlier; please post the log(s). The recent log will be at c:\combofix.txt, and older logs will be at c:\qoobox\combofix2.txt.

Next:

Please download the following program, transfer it over to the infected computer and run it, then post the resulting log.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 firemantcook
  • Topic Starter

  • Members
  • 47 posts

Posted 31 December 2011 - 12:10 AM

I found the combofix2 file but could not find the combofix file after searching. Here are the combofix2 log and the FSS log.

Combofix2:
ComboFix 11-12-22.04 - Tim 12/22/2011 19:03:16.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2350 [GMT -5:00]
Running from: I:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
e:\documents and settings\All Users\Application Data\TEMP
e:\documents and settings\NetworkService\Application Data\Adobe\sp.DLL
e:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
e:\program files\FunWebProducts
e:\program files\MyWebSearch
e:\program files\MyWebSearch\bar\1.bin\CHROME.MANIFEST
e:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
e:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
e:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
e:\program files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
e:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
e:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
e:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
e:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
e:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
e:\program files\MyWebSearch\bar\1.bin\F3REGHK.DLL
e:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
e:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
e:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
e:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
e:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
e:\program files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
e:\program files\MyWebSearch\bar\1.bin\M3DLGHK.DLL
e:\program files\MyWebSearch\bar\1.bin\M3FFTBPR.DLL
e:\program files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
e:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
e:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
e:\program files\MyWebSearch\bar\1.bin\M3IEOVR.DLL
e:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
e:\program files\MyWebSearch\bar\1.bin\M3MEDINT.EXE
e:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
e:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
e:\program files\MyWebSearch\bar\1.bin\M3PATCH.DLL
e:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
e:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
e:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
e:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
e:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
e:\program files\MyWebSearch\bar\1.bin\M3TPINST.DLL
e:\program files\MyWebSearch\bar\1.bin\M3UNPAT.DLL
e:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
e:\program files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL
e:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
e:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
e:\program files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
e:\program files\MyWebSearch\bar\1.bin\MWSSVC.EXE
e:\program files\MyWebSearch\bar\1.bin\MWSUABTN.DLL
e:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
e:\program files\MyWebSearch\bar\Cache\05420A5D.exe
e:\program files\MyWebSearch\bar\Cache\files.ini
e:\program files\MyWebSearch\bar\icons\CM.ICO
e:\program files\MyWebSearch\bar\icons\MFC.ICO
e:\program files\MyWebSearch\bar\icons\PSS.ICO
e:\program files\MyWebSearch\bar\icons\SMILEY.ICO
e:\program files\MyWebSearch\bar\icons\WB.ICO
e:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
e:\windows\$NtUninstallKB3771$
e:\windows\$NtUninstallKB3771$\2995130767
e:\windows\$NtUninstallKB3771$\3874023507\@
e:\windows\$NtUninstallKB3771$\3874023507\bckfg.tmp
e:\windows\$NtUninstallKB3771$\3874023507\cfg.ini
e:\windows\$NtUninstallKB3771$\3874023507\Desktop.ini
e:\windows\$NtUninstallKB3771$\3874023507\keywords
e:\windows\$NtUninstallKB3771$\3874023507\kwrd.dll
e:\windows\$NtUninstallKB3771$\3874023507\L\ayaiepqh
e:\windows\$NtUninstallKB3771$\3874023507\lsflt7.ver
e:\windows\$NtUninstallKB3771$\3874023507\U\00000001.@
e:\windows\$NtUninstallKB3771$\3874023507\U\00000002.@
e:\windows\$NtUninstallKB3771$\3874023507\U\00000004.@
e:\windows\$NtUninstallKB3771$\3874023507\U\80000000.@
e:\windows\$NtUninstallKB3771$\3874023507\U\80000004.@
e:\windows\$NtUninstallKB3771$\3874023507\U\80000032.@
e:\windows\dasetup.log
e:\windows\EventSystem.log
e:\windows\system32\drivers\etc\hosts.txt
e:\windows\system32\f3PSSavr.scr
e:\windows\system32\linkinfo(2).dll
e:\windows\system32\oobe\isperror
e:\windows\system32\oobe\isperror\ispcnerr.htm
e:\windows\system32\oobe\isperror\ispdtone.htm
e:\windows\system32\oobe\isperror\isphdshk.htm
e:\windows\system32\oobe\isperror\ispins.htm
e:\windows\system32\oobe\isperror\ispnoanw.htm
e:\windows\system32\oobe\isperror\isppberr.htm
e:\windows\system32\oobe\isperror\ispphbsy.htm
e:\windows\system32\oobe\isperror\ispsbusy.htm
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-23 00:20 . 2011-12-23 00:20 56200 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DDD0CC97-7631-43A3-B416-A8C2D07B54DB}\offreg.dll
2011-12-22 23:47 . 2011-12-22 23:47 -------- d-----w- e:\program files\Bonjour
2011-12-22 23:47 . 2011-12-22 23:47 -------- d-----w- e:\program files\iPod
2011-12-22 22:55 . 2011-12-22 22:55 -------- d-----w- e:\windows\system32\wbem\Repository
2011-12-21 19:07 . 2011-11-21 10:47 6823496 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DDD0CC97-7631-43A3-B416-A8C2D07B54DB}\mpengine.dll
2011-12-21 19:06 . 2011-12-21 19:08 -------- d-----w- E:\0c69fae82c38cca9fdba2c18d1
2011-12-20 04:44 . 2011-12-21 18:53 -------- d-----w- E:\a33ce7cb9ec3cbd6e233bfb9
2011-12-02 03:12 . 2011-12-02 03:12 -------- d-----w- e:\program files\ASFTOAVI
2011-12-02 03:01 . 2011-09-16 21:05 11137024 ----a-w- e:\windows\system32\libmfxsw32.dll
2011-12-02 01:44 . 2007-02-05 17:00 77824 ----a-w- e:\windows\system32\xvid.ax
2011-12-02 01:44 . 2007-02-05 17:00 761856 ----a-w- e:\windows\system32\xvidcore.dll
2011-12-02 01:44 . 2007-02-05 17:00 413760 ----a-w- e:\windows\system32\MPG4c32.dll
2011-12-02 01:44 . 2007-02-05 17:00 135168 ----a-w- e:\windows\system32\xvidvfw.dll
2011-12-02 01:44 . 2011-12-02 01:44 -------- d-----w- e:\program files\SourceTec
2011-12-02 01:26 . 2007-02-27 23:36 1700352 ----a-w- e:\windows\system32\GdiPlus.dll
2011-11-30 06:35 . 2011-11-30 06:35 -------- d-----w- e:\documents and settings\All Users\Application Data\6157
2011-11-25 02:12 . 2011-11-30 06:35 -------- d-----w- e:\documents and settings\Tim\Local Settings\Application Data\BearShare
2011-11-25 02:11 . 2011-11-25 02:11 -------- d-----w- e:\documents and settings\All Users\Application Data\BearShare
2011-11-25 02:11 . 2011-11-25 02:11 -------- d-----w- e:\program files\BearShare Applications
2011-11-25 02:09 . 2011-11-25 02:12 -------- dc-h--w- e:\documents and settings\All Users\Application Data\{0B944FF9-D61F-4D53-99D1-CBD889A971D0}
2011-11-25 02:09 . 2011-11-25 02:09 -------- d-----w- e:\documents and settings\Tim\Local Settings\Application Data\PackageAware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 01:00 . 2006-02-28 12:00 162816 ----a-w- e:\windows\system32\drivers\netbt.sys
2011-10-15 02:29 . 2011-10-15 02:29 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-07 03:48 . 2010-01-10 22:21 6668624 ----a-w- e:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-16 04:17 . 2011-09-19 01:49 142296 ----a-w- e:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-03 2424192]
"SansaDispatch"="e:\documents and settings\Tim\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-05-20 79872]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"HP Software Update"="e:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-04-13 13529088]
"nwiz"="nwiz.exe" [2008-04-13 1630208]
"TkBellExe"="e:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-27 185896]
"CanonSolutionMenu"="e:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-04-04 644696]
"CanonMyPrinter"="e:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"lxdqmon.exe"="e:\program files\Lexmark Z2400 Series\lxdqmon.exe" [2008-03-27 656040]
"lxdqamon"="e:\program files\Lexmark Z2400 Series\lxdqamon.exe" [2008-03-27 16040]
"AdobeCS4ServiceManager"="e:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"MSSE"="e:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2008-04-13 86016]
"IntelliPoint"="e:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"DivXUpdate"="e:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-01-10 1230704]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AppleSyncNotifier"="e:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"iTunesHelper"="e:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"RIMBBLaunchAgent.exe"="e:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="e:\windows\system32\tscupgrd.exe" [2006-02-28 44544]
.
e:\documents and settings\Tim\Start Menu\Programs\Startup\
Adobe Gamma.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
e:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - e:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MsMsgSrv]
2008-04-14 00:11 54784 ----a-w- e:\windows\system32\MsMsgSrv.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"e:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"e:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"e:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"e:\\WINDOWS\\system32\\lxdqcoms.exe"=
"e:\\Program Files\\Lexmark Z2400 Series\\lxdqmon.exe"=
"e:\\WINDOWS\\system32\\lxdqcfg.exe"=
"e:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqpswx.exe"=
"e:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqtime.exe"=
"e:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdqjswx.exe"=
"e:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"e:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"e:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"e:\\Program Files\\Blubster\\Blubster.exe"=
"e:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"e:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 67656]
R2 Iprip;RIP Listener;e:\windows\System32\svchost.exe -k netsvcs [2/28/2006 7:00 AM 14336]
R2 lxdq_device;lxdq_device;e:\windows\system32\lxdqcoms.exe -service --> e:\windows\system32\lxdqcoms.exe -service [?]
S1 aiptektp;HyperPen;e:\windows\system32\drivers\aiptektp.sys [6/3/2009 5:45 PM 22272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);e:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 5:22 PM 133104]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;e:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [7/13/2009 8:53 AM 98984]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;e:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 284016]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\Google\Update\GoogleUpdate.exe [1/10/2010 5:22 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;e:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 e:\windows\Tasks\AppleSoftwareUpdate.job
- e:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
2011-12-23 e:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 22:22]
.
2011-12-22 e:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- e:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 22:22]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - e:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\35wvkxg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 19:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = e:\documents and settings\Tim\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe??m???l???a???e???z/???}??????????????????????????????(D??b????k??B|??j???l???j???r-??/?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1801674531-1957994488-2147047481-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\1.5\DefaultPreset]
@DACL=(02 0000)
@="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"
.
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\1.5\Help]
@DACL=(02 0000)
"AdobeMediaEncoder"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\1_0_0_0.html"
"Contents"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\1_0_0_0.html"
"ExportToDVD"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\1_19_2_0.html"
"HowToUse"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\0_0_0_0.html"
"Keyboard"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\1_21_0_0.html"
"Search"="e:\\Program Files\\Adobe\\Premiere Pro 1.5\\Help\\search.html"
"Support"="http://www.adobe.com/support/products/premiere.html"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(984)
e:\program files\SUPERAntiSpyware\SASWINLO.dll
e:\windows\system32\WININET.dll
e:\windows\system32\MsMsgSrv.DLL
e:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
e:\windows\system32\ACTIVEDS.dll
.
- - - - - - - > 'explorer.exe'(112)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\pensoft\KeyBtn.Exe
e:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
e:\program files\Bonjour\mDNSResponder.exe
e:\program files\Common Files\Command Software\dvpapi.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\lxdqcoms.exe
e:\program files\Common Files\Motive\McciCMService.exe
e:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
e:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\tcpsvcs.exe
e:\windows\System32\snmp.exe
e:\documents and settings\Tim\Application Data\Real\Update\UpgradeHelper\RealPlayer\9.01\rnupgagent.exe
e:\program files\Lexmark Z2400 Series\lxdqMsdMon.exe
e:\windows\system32\RUNDLL32.EXE
e:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-22 19:25:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-23 00:25
.
Pre-Run: 7,200,698,368 bytes free
Post-Run: 8,298,713,088 bytes free
.
- - End Of File - - 217DC6A99EC9910CAE63FFE4872B1CC3


FSS log:

Farbar Service Scanner
Ran by Tim (administrator) on 31-12-2011 at 00:01:03
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
E:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-28 07:00] - [2011-12-21 20:00] - 0162816 ____A () AB42C297088777F264502B42376F3924

E:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
E:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
E:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
E:\WINDOWS\system32\netman.dll => MD5 is legit
E:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
E:\WINDOWS\system32\srsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
E:\WINDOWS\system32\svchost.exe => MD5 is legit
E:\WINDOWS\system32\rpcss.dll => MD5 is legit
E:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(10) WSIMD(8)
0x0A0000000500000009000000010000000200000003000000040000000600000007000000080000000A000000

**** End of log ****

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 31 December 2011 - 12:38 AM

Hi

Please re-run the Farbar Service Scanner.

Type the following into the Search window:

netbt.sys


Now press the Search Files button.

Please post the resulting log.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:56 AM

Posted 01 January 2012 - 10:31 PM

Farbar Service Scanner
Ran by Tim (administrator) on 01-01-2012 at 22:28:43
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
E:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-28 07:00] - [2011-12-21 20:00] - 0162816 ____A () AB42C297088777F264502B42376F3924

E:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
E:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
E:\WINDOWS\system32\svchost.exe => MD5 is legit
E:\WINDOWS\system32\rpcss.dll => MD5 is legit
E:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(10) WSIMD(8)
0x0A0000000500000009000000010000000200000003000000040000000600000007000000080000000A000000

**** End of log ****

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 02 January 2012 - 12:00 AM

Hi, can you please re-run that and click the "Search Files" button?

The scanner will search for all copies of netbt.sys on your system, as the one that is in place at the moment is infected.

Thanks.



#7 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:56 AM

Posted 02 January 2012 - 10:07 AM

Sorry about that!! Try this one.

Farbar Service Scanner
Ran by Tim (administrator) on 02-01-2012 at 09:58:26
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "netbt.sys" ===================

E:\WINDOWS\system32\drivers\netbt.sys
[2006-02-28 07:00] - [2011-12-21 20:00] - 0162816 ____A () AB42C297088777F264502B42376F3924

E:\WINDOWS\ServicePackFiles\i386\netbt.sys
[2008-04-13 14:21] - [2008-04-13 14:21] - 0162816 ____N (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

E:\WINDOWS\$NtServicePackUninstall$\netbt.sys
[2010-01-24 14:44] - [2006-02-28 07:00] - 0162816 ____C (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

====== End Of Search ======
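The search block above carries everything needed to spot the tampered driver without a signature check: the live copy has no company name, a hash shared by neither Microsoft-attributed copy, and a last-write time five years after it was created. As an added example (not FSS code and not posted by anyone in this thread), the Python below parses that block and applies exactly those three clues, then lists the trusted copies with the one carrying the suspect's original timestamp first. It assumes FSS prints creation time in the first bracket and last-write time in the second, and the 30-day window is an arbitrary threshold.

```python
"""Triage the "Search" block of a Farbar Service Scanner (FSS) log.

Added example for this thread; not part of FSS or of the original posts.
It parses the posted search results for netbt.sys and flags the copy that
looks tampered with, using the same clues the helper relied on: an empty
company field, a hash shared by no Microsoft-attributed copy, and a last-
write time long after the file was created.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample input: the FSS search block quoted earlier in the thread
# (paths, timestamps, sizes and MD5s as posted there).
FSS_SEARCH_LOG = """\
================== Search: "netbt.sys" ===================

E:\\WINDOWS\\system32\\drivers\\netbt.sys
[2006-02-28 07:00] - [2011-12-21 20:00] - 0162816 ____A () AB42C297088777F264502B42376F3924

E:\\WINDOWS\\ServicePackFiles\\i386\\netbt.sys
[2008-04-13 14:21] - [2008-04-13 14:21] - 0162816 ____N (Microsoft Corporation) 74B2B2F5BEA5E9A3DC021D685551BD3D

E:\\WINDOWS\\$NtServicePackUninstall$\\netbt.sys
[2010-01-24 14:44] - [2006-02-28 07:00] - 0162816 ____C (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

====== End Of Search ======
"""

# One detail line: [first timestamp] - [second timestamp] - size attrs (company) MD5.
# Assumption: FSS prints the creation time first and the last-write time second;
# the "modified long after creation" clue below relies on that.
DETAIL_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]"
    r" - (\d+) (\S+) \((.*?)\) ([0-9A-Fa-f]{32})$"
)
TS_FMT = "%Y-%m-%d %H:%M"


@dataclass
class FileEntry:
    path: str
    created: datetime
    modified: datetime
    size: int
    attrs: str
    company: str
    md5: str
    reasons: list = field(default_factory=list)


def parse_search_block(text: str) -> list:
    """Pair each path line with the detail line that follows it."""
    entries, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # blank or header/footer rule
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            created, modified, size, attrs, company, md5 = m.groups()
            entries.append(FileEntry(pending_path,
                                     datetime.strptime(created, TS_FMT),
                                     datetime.strptime(modified, TS_FMT),
                                     int(size), attrs, company.strip(), md5.upper()))
            pending_path = None
        elif not m:
            pending_path = line                   # a path line precedes its details
    return entries


def flag_suspects(entries: list, max_age: timedelta = timedelta(days=30)) -> list:
    """Return the entries that fail one or more integrity clues (reasons attached)."""
    trusted_hashes = {e.md5 for e in entries if "Microsoft" in e.company}
    suspects = []
    for e in entries:
        e.reasons = []
        if not e.company:
            e.reasons.append("no company/signer information")
        if e.md5 not in trusted_hashes:
            e.reasons.append("MD5 matches no Microsoft-attributed copy")
        if e.modified - e.created > max_age:
            e.reasons.append("last write long after creation")
        if e.reasons:
            suspects.append(e)
    return suspects


def replacement_candidates(entries: list, suspect: FileEntry) -> list:
    """Trusted copies, with the one carrying the suspect's original timestamp first."""
    trusted = [e for e in entries if "Microsoft" in e.company and e.md5 != suspect.md5]
    return sorted(trusted, key=lambda e: e.modified != suspect.created)


if __name__ == "__main__":
    found = parse_search_block(FSS_SEARCH_LOG)
    for s in flag_suspects(found):
        print(f"SUSPECT {s.path} ({s.md5}): " + "; ".join(s.reasons))
        for c in replacement_candidates(found, s):
            print(f"  known-good copy: {c.path} ({c.md5})")
```

Run against the thread's block it reports only the live driver in system32\drivers, with all three reasons, and ranks the $NtServicePackUninstall$ copy first, which is the one the helper restores in the next post.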

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 02 January 2012 - 02:40 PM

Hi,

Please run the following:

Please go to Start >> Run >> type cmd into the open run box >> press OK to open a command window:

Copy/paste the following command at the command prompt >> press ENTER

ren E:\WINDOWS\system32\drivers\netbt.sys netbt.vir
copy /y E:\WINDOWS\$NtServicePackUninstall$\netbt.sys E:\WINDOWS\SYSTEM32\DRIVERS
dir E:\WINDOWS\SYSTEM32\DRIVERS\netbt*>log.txt
start notepad log.txt



A log will open > post the contents of log.txt in your next reply.

Let me know if you are able to connect now > please post a fresh scan with Farbar Service Scanner.



#9 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:56 AM

Posted 02 January 2012 - 07:34 PM

I am able to connect now!!!

Volume in drive E is XP
Volume Serial Number is 002C-6102

Directory of E:\WINDOWS\SYSTEM32\DRIVERS

02/28/2006 07:00 AM 162,816 netbt.sys
12/21/2011 08:00 PM 162,816 netbt.vir
2 File(s) 325,632 bytes
0 Dir(s) 4,295,127,040 bytes free


Farbar Service Scanner
Ran by Tim (administrator) on 02-01-2012 at 19:28:56
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


File Check:
========
E:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
E:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\netbt.sys
[2006-02-28 07:00] - [2006-02-28 07:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

E:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
E:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
E:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
E:\WINDOWS\system32\svchost.exe => MD5 is legit
E:\WINDOWS\system32\rpcss.dll => MD5 is legit
E:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) Tcpip6(10) WSIMD(8)
0x0A0000000500000009000000010000000200000003000000040000000600000007000000080000000A000000

**** End of log ****

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:56 AM

Posted 02 January 2012 - 07:48 PM

That's great to hear; we still have a bit more work to do.

From the FSS log:
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.


Please go into Services > scroll down to the Dnscache Service and start the service > set the service to Automatic.

Press the WinKey +R to open a run box >> copy paste the following command into the open run box to open the Services window:

services.msc


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Edited by CatByte, 02 January 2012 - 07:49 PM.



#11 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts
  • Local time:09:56 AM

Posted 03 January 2012 - 08:54 AM

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.02.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Tim :: COOK-LAPTOP [administrator]

1/2/2012 9:23:23 PM
mbam-log-2012-01-02 (21-23-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226120
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 11
HKCR\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Typelib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\MyWebSearch.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources|f3PopularScreensavers (Adware.MyWebSearch) -> Data: E:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

E:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\28\43c3d05c-2ac0d8b0 multiple threats
E:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\38\34dec226-3aea234c a variant of Win32/Kryptik.XLF trojan
E:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\39\3d30f927-64bc6550 multiple threats
E:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\7\6cd0b247-5b4c70df Java/TrojanDownloader.OpenConnection.AR trojan
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Win32/Adware.FunWeb application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Win32/Adware.FunWeb application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL.vir Win32/Toolbar.MyWebSearch.G application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Win32/Toolbar.MyWebSearch.B application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Win32/Adware.FunWeb application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL.vir Win32/Toolbar.MyWebSearch.G application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Win32/Toolbar.MyWebSearch.D application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Win32/Adware.FunWeb application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Win32/Toolbar.MyWebSearch.P application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Win32/FunWeb application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3AUXSTB.DLL.vir Win32/Toolbar.MyWebSearch.H application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3DLGHK.DLL.vir Win32/Toolbar.MyWebSearch.I application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Win32/Toolbar.MyWebSearch.F application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Win32/Toolbar.MyWebSearch.P application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3IEOVR.DLL.vir Win32/Toolbar.MyWebSearch.P application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Win32/Toolbar.MyWebSearch.J application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir Win32/Toolbar.MyWebSearch.P application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Win32/Toolbar.MyWebSearch.J application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Win32/Toolbar.MyWebSearch.I application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3TPINST.DLL.vir Win32/Toolbar.MyWebSearch.I application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\M3UNPAT.DLL.vir a variant of Win32/Toolbar.MyWebSearch.I application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Win32/Toolbar.MyWebSearch.K application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSMLBTN.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Win32/Toolbar.MyWebSearch.J application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\MWSUABTN.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Win32/Toolbar.MyWebSearch application
E:\Qoobox\Quarantine\E\Program Files\MyWebSearch\bar\Cache\05420A5D.exe.vir a variant of Win32/Toolbar.MyWebSearch.K application
E:\Qoobox\Quarantine\E\WINDOWS\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP157\A0063658.exe a variant of Win32/Toolbar.MyWebSearch.K application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP157\A0063660.exe a variant of Win32/Toolbar.MyWebSearch.K application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP157\A0063675.exe a variant of Win32/Toolbar.MyWebSearch.K application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0071846.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0071870.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0071887.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0071911.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0071934.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP168\A0072934.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP169\A0073224.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073552.new a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073573.EXE Win32/Toolbar.MyWebSearch.I application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073574.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073575.DLL Win32/Toolbar.MyWebSearch.K application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073576.EXE Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073578.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073579.DLL Win32/Adware.FunWeb application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073580.DLL Win32/Adware.FunWeb application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073581.DLL Win32/Toolbar.MyWebSearch.G application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073582.DLL Win32/Toolbar.MyWebSearch.B application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073583.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073584.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073585.DLL Win32/Adware.FunWeb application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073586.SCR Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073587.DLL Win32/Toolbar.MyWebSearch.G application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073588.DLL Win32/Toolbar.MyWebSearch.D application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073589.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073590.EXE Win32/Adware.FunWeb application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073591.DLL Win32/Toolbar.MyWebSearch.P application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073592.DLL Win32/FunWeb application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073593.DLL Win32/Toolbar.MyWebSearch.H application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073594.DLL Win32/Toolbar.MyWebSearch.I application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073597.DLL Win32/Toolbar.MyWebSearch.F application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073598.DLL Win32/Toolbar.MyWebSearch.P application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073599.DLL Win32/Toolbar.MyWebSearch.P application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073600.EXE Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073602.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073603.DLL Win32/Toolbar.MyWebSearch.J application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073605.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073606.DLL Win32/Toolbar.MyWebSearch.P application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073607.EXE Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073608.EXE Win32/Toolbar.MyWebSearch.J application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073609.DLL Win32/Toolbar.MyWebSearch.I application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073610.DLL a variant of Win32/Toolbar.MyWebSearch.I application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073611.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073612.DLL Win32/Toolbar.MyWebSearch.J application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073613.DLL Win32/Toolbar.MyWebSearch application
E:\System Volume Information\_restore{6A013DE4-E66D-4C4A-A355-10EFAA8EE9A0}\RP170\A0073614.DLL Win32/Toolbar.MyWebSearch application

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 03 January 2012 - 04:56 PM

Hi,

Most of those detections are in quarantine or in old restore points, which we will be cleaning up shortly. The other detections are in the Java cache, which we will take care of now.

Please do the following:

Your Java is out of date.
Java™ 6 Update 20 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache. Leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
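The triage CatByte describes above (copies sitting in old restore points vs. the Java cache vs. a tool's quarantine vs. files still live on disk), as an added Python example that is not code from this thread or from ESET. The report lines it parses are constructed in the same `<path> <detection> <kind>` format as the scan output posted here; the GUID is a placeholder, the Java cache entry is invented, and the Java cache and Quarantine path layouts are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One ESET result line as pasted in this thread: a drive-letter path (which may
# contain spaces), the detection name (optionally prefixed "a variant of "),
# then a one-word kind such as "application" (PUA) or "trojan".
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<name>(?:a variant of )?\S+)\s+(?P<kind>\w+)\s*$"
)
# Where the file lives decides the remediation. Assumed layouts: Windows XP
# System Restore (...\_restore{GUID}\RPnnn\), the Sun Java deployment cache,
# and a "Quarantine" folder such as ComboFix's C:\Qoobox\Quarantine.
_RESTORE_POINT = re.compile(r"\\system volume information\\_restore\{[^}]+\}\\(rp\d+)\\", re.I)
_JAVA_CACHE = re.compile(r"\\sun\\java\\deployment\\cache\\", re.I)
_QUARANTINE = re.compile(r"\\quarantine\\", re.I)

REMEDIATION = {
    "restore_point": "stale copy in a restore point: flush System Restore once the machine is clean",
    "java_cache": "cached applet: clear the Java cache from the Java control panel",
    "quarantine": "already contained by a cleanup tool: empty its quarantine when finished",
    "live": "active file on disk: needs removal now and a re-scan afterwards",
}


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    kind: str                       # "application", "trojan", ...
    location: str                   # key into REMEDIATION
    restore_point: Optional[str]    # "RP171" etc. when location == "restore_point"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one scanner result line; returns None for blank or non-result lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    rp = _RESTORE_POINT.search(path)
    if rp:
        location, rp_name = "restore_point", rp.group(1).upper()
    elif _JAVA_CACHE.search(path):
        location, rp_name = "java_cache", None
    elif _QUARANTINE.search(path):
        location, rp_name = "quarantine", None
    else:
        location, rp_name = "live", None
    return Detection(path, m.group("name"), m.group("kind"), location, rp_name)


def triage(report: str) -> dict:
    """Classify every result line in a pasted report.

    Returns counts per location, counts per restore point, the live detections
    that need action now, and whether any rootkit family was seen at all (a
    rootkit anywhere, even only in restore points, means the live driver set
    deserves a second look)."""
    found = [d for d in (parse_line(ln) for ln in report.splitlines()) if d]
    return {
        "by_location": dict(Counter(d.location for d in found)),
        "by_restore_point": dict(Counter(d.restore_point for d in found if d.restore_point)),
        "live": [d for d in found if d.location == "live"],
        "rootkit_seen": any("rootkit" in d.name.lower() for d in found),
    }


# Constructed sample in the thread's format: placeholder GUID, detection names
# taken from the families seen in this thread, invented Java cache entry.
SAMPLE_REPORT = r"""
E:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP171\A0076950.new a variant of Win32/Rootkit.Kryptik.GY trojan
E:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP171\A0077626.EXE Win32/Toolbar.MyWebSearch.I application
E:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP172\A0079897.sys a variant of Win32/Rootkit.Kryptik.GY trojan
E:\Documents and Settings\Tim\Application Data\Sun\Java\Deployment\cache\6.0\12\1a2b3c4d-5e6f7a8b a variant of Java/Example.A trojan
E:\Qoobox\Quarantine\E\WINDOWS\system32\drivers\netbt.sys.vir a variant of Win32/Rootkit.Kryptik.GY trojan
E:\WINDOWS\system32\drivers\netbt.vir a variant of Win32/Rootkit.Kryptik.GY trojan
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for location, count in sorted(result["by_location"].items()):
        print(f"{count:3d} {location:14s} -> {REMEDIATION[location]}")
    print("per restore point:", result["by_restore_point"])
    for d in result["live"]:
        print("ACTION:", d.path, d.name)
```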


#13 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts

Posted 03 January 2012 - 07:20 PM

Everything seems to be running great!!!


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Tim at 19:18:13 on 2012-01-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2075 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
E:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
E:\Program Files\Microsoft Security Essentials\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Pensoft\KeyBtn.Exe
E:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Common Files\Command Software\dvpapi.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\lxdqcoms.exe
E:\Program Files\Common Files\Motive\McciCMService.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\tcpsvcs.exe
E:\WINDOWS\System32\snmp.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\WINDOWS\system32\atwtusb.exe
E:\Program Files\Lexmark Z2400 Series\lxdqMsdMon.exe
E:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft Security Essentials\msseces.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\DivX\DivX Update\DivXUpdate.exe
E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
E:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Documents and Settings\Tim\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\WINDOWS\system32\msiexec.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - e:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - e:\program files\divx\divx plus web player\npdivx32.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - e:\program files\lexmark toolbar\toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] e:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SansaDispatch] e:\documents and settings\tim\application data\sandisk\sansa updater\SansaDispatch.exe
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
mRun: [HP Software Update] e:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE e:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "e:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonSolutionMenu] e:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] e:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [atwtusb] atwtusb.exe beta
mRun: [lxdqmon.exe] "e:\program files\lexmark z2400 series\lxdqmon.exe"
mRun: [lxdqamon] "e:\program files\lexmark z2400 series\lxdqamon.exe"
mRun: [AdobeCS4ServiceManager] "e:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "e:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] e:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [MSSE] "e:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [NvMediaCenter] RUNDLL32.EXE e:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "e:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [DivXUpdate] "e:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] e:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [RIMBBLaunchAgent.exe] e:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [APSDaemon] "e:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "e:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "e:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: e:\docume~1\tim\startm~1\programs\startup\adobeg~1.lnk - e:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - e:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Append to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - e:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - e:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://gardner-webb.webex.com/client/T26L/nbr/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
TCP: Interfaces\{5A0C1996-DDE0-429B-97AD-B2C68264C3E3} : DhcpNameServer = 24.178.162.3 66.189.0.100 24.217.201.67
Notify: !SASWinLogon - e:\program files\superantispyware\SASWINLO.dll
Notify: MsMsgSrv - MsMsgSrv.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - e:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\tim\application data\mozilla\firefox\profiles\35wvkxg9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: e:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: e:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: e:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\picasa3\npPicasa3.dll
FF - plugin: e:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;e:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]
R1 SASDIFSV;SASDIFSV;e:\program files\superantispyware\SASDIFSV.SYS [2010-1-5 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 67656]
R2 Iprip;RIP Listener;e:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 lxdq_device;lxdq_device;e:\windows\system32\lxdqcoms.exe -service --> e:\windows\system32\lxdqcoms.exe -service [?]
S1 aiptektp;HyperPen;e:\windows\system32\drivers\aiptektp.sys [2009-6-3 22272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;e:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-1-10 133104]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;e:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [2009-7-13 98984]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;e:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 gupdatem;Google Update Service (gupdatem);e:\program files\google\update\GoogleUpdate.exe [2010-1-10 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;e:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 SASENUM;SASENUM;e:\program files\superantispyware\SASENUM.SYS [2010-1-5 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;e:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-03 02:34:51 56200 ----a-w- e:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddd0cc97-7631-43a3-b416-a8c2d07b54db}\offreg.dll
2012-01-03 02:21:02 20464 ----a-w- e:\windows\system32\drivers\mbam.sys
2011-12-31 18:23:09 -------- d-----w- e:\documents and settings\tim\local settings\application data\WMTools Downloaded Files
2011-12-24 18:15:29 -------- d-----w- e:\documents and settings\tim\application data\LG Electronics
2011-12-24 18:11:00 40960 ----a-r- e:\documents and settings\tim\application data\microsoft\installer\{529a2355-efb9-4800-8655-aa319d3535a4}\ARPPRODUCTICON.exe
2011-12-24 18:10:56 -------- d-----w- e:\program files\LG Outlook Sync
2011-12-24 18:10:28 24960 ----a-w- e:\windows\system32\drivers\lgusbmodem.sys
2011-12-24 18:10:28 13056 ----a-w- e:\windows\system32\drivers\lgusbbus.sys
2011-12-24 18:10:28 -------- d-----w- e:\program files\LG Electronics
2011-12-23 01:59:07 -------- d-----w- e:\program files\iPod
2011-12-23 01:53:29 -------- d-----w- e:\program files\Bonjour
2011-12-23 01:18:12 -------- d-s---w- E:\ComboFix
2011-12-22 23:55:26 98816 ----a-w- e:\windows\sed.exe
2011-12-22 23:55:26 518144 ----a-w- e:\windows\SWREG.exe
2011-12-22 23:55:26 256000 ----a-w- e:\windows\PEV.exe
2011-12-22 23:55:26 208896 ----a-w- e:\windows\MBR.exe
2011-12-22 22:55:31 -------- d-----w- e:\windows\system32\wbem\repository\FS
2011-12-22 22:55:31 -------- d-----w- e:\windows\system32\wbem\Repository
2011-12-22 03:33:50 -------- d-----w- e:\program files\iPod(2)
2011-12-22 03:27:21 -------- d-----w- e:\program files\Bonjour(2)
2011-12-21 19:07:35 6823496 ----a-w- e:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ddd0cc97-7631-43a3-b416-a8c2d07b54db}\mpengine.dll
2011-12-21 19:06:45 -------- d-----w- E:\0c69fae82c38cca9fdba2c18d1
2011-12-20 04:44:58 -------- d-----w- E:\a33ce7cb9ec3cbd6e233bfb9
.
==================== Find3M ====================
.
2011-12-22 01:00:10 162816 ----a-w- e:\windows\system32\drivers\netbt.vir
2011-11-10 10:54:13 472808 ----a-w- e:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- e:\windows\system32\javacpl.cpl
2011-10-15 02:29:27 414368 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 19:18:55.07 ===============

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 03 January 2012 - 07:36 PM

Hi,

Just some housekeeping to do now.

Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "e:\windows\system32\drivers\netbt.vir"



NEXT



You can delete the Farbar Service Scanner, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
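The housekeeping step above removes a ComboFix remnant (the quarantined driver netbt.vir) that shows up in the Find3M section of the DDS log earlier in this thread. As an added example that is not part of this thread or of the DDS/ComboFix tools themselves, here is a small Python parser for DDS file-listing lines that flags such leftovers, so a fresh log can be checked after the cleanup; the sample lines are taken from the log above, and the set of ComboFix helper names is an assumption based on what that log shows.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One DDS "created"/Find3M listing line, e.g.
# 2011-12-22 01:00:10 162816 ----a-w- e:\windows\system32\drivers\netbt.vir
# Directories carry "--------" in place of a size.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+)$"
)

class Entry(NamedTuple):
    stamp: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "d-----w-" or "----a-w-"
    path: str

def parse_dds_listing(text: str) -> List[Entry]:
    """Extract file/directory entries; header, '.' and FINISH lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        entries.append(Entry(stamp, None if size.startswith("-") else int(size), attrs, path))
    return entries

# Helper executables ComboFix drops into %WINDIR% (assumed from the log above).
COMBOFIX_TOOLS = {"sed.exe", "swreg.exe", "pev.exe", "mbr.exe"}

def find_combofix_leftovers(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for items the housekeeping step should have removed."""
    hits = []
    for e in entries:
        p = e.path.lower()
        name = p.rsplit("\\", 1)[-1]
        if p.endswith(".vir") and "\\drivers\\" in p:
            hits.append(("quarantined driver", e.path))   # renamed by ComboFix
        elif e.attrs.startswith("d") and name == "combofix":
            hits.append(("combofix folder", e.path))
        elif name in COMBOFIX_TOOLS and "\\windows\\" in p:
            hits.append(("combofix tool", e.path))
    return hits

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
2011-12-23 01:18:12 -------- d-s---w- E:\ComboFix
2011-12-22 23:55:26 98816 ----a-w- e:\windows\sed.exe
2011-12-22 23:55:26 256000 ----a-w- e:\windows\PEV.exe
2011-12-23 01:59:07 -------- d-----w- e:\program files\iPod
.
==================== Find3M ====================
.
2011-12-22 01:00:10 162816 ----a-w- e:\windows\system32\drivers\netbt.vir
2011-11-10 10:54:13 472808 ----a-w- e:\windows\system32\deployJava1.dll
.
============= FINISH: 19:18:55.07 ===============
"""

if __name__ == "__main__":
    for reason, path in find_combofix_leftovers(parse_dds_listing(SAMPLE_LOG)):
        print(f"{reason:20s} {path}")
```

Running it against a log taken after the housekeeping should produce no output; any line printed is an item the cleanup missed.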


#15 firemantcook

firemantcook
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:09:56 AM

Posted 03 January 2012 - 08:05 PM

Thank you for everything. It seems to be working great!!!!



