Windows XP SP3 has some sort of redirector and unknown malware identified by Trend Micro


This topic is locked
51 replies to this topic

#1 Smurf-Slayer

Smurf-Slayer

  • Members
  • 50 posts

Posted 10 January 2012 - 08:17 AM

This is a followup thread as requested by Broni:

http://www.bleepingcomputer.com/forums/topic437071.html

This machine is Windows XP SP3. It has Trend Micro Titanium and Spybot running on it as well as Malwarebytes Pro. We have run TDSSKiller and RKill on it.

Trend Micro Identifies these files (among others):

TROJ_TRACUR.WC
TROJ_TRACUR.WD
Adware_MemWatcher
Adware_BHOT_SearchToolbar
Adware_BHOT_ImyonBar
Adware_180SOlutions.Seekmo
TROJ_GEN.RC1C2EI
TROJ_SPNR.0BKR11
JAVA_BLACOLE.VI
JAVA_DLOADR.AC
JAVA_AGENT.MKO
TROJ_AGENT.AVGI
Possible_AppLnk
TROJ_SASFIS.OP

This is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Owner at 20:30:08 on 2012-01-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1061 [GMT -6:00]
.
AV: Norton AntiVirus Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro Titanium *Disabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\AOL\1137653079\ee\AOLSoftware.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe
C:\Program Files\Nuance\PaperPort\pptd40nt.exe
C:\Program Files\Nuance\PDF Viewer Plus\pdfpro5hook.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ControlCenter4\BrCtrlCntr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
svchost.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\ControlCenter4\BrCcUxSys.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mStart Page = hxxp://www.startsearcher.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=userinit.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Qwest Toolbar: {a317cb83-299c-4fc8-9ed7-2d64117d98ee} - c:\program files\qwesttoolbar\qwesttoolbarDx.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Qwest Toolbar: {a317cb83-299c-4fc8-9ed7-2d64117d98ee} - c:\program files\qwesttoolbar\qwesttoolbarDx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RecordNow!]
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BackupNotify] c:\program files\hp\digital imaging\bin\backupnotify.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPHUPD05] c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [USRpdA]
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [3c1807pd] c:\windows\system32\3cmlink.exe runservices \device\3cpipe-3c1807pd
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HostManager] c:\program files\common files\aol\1137653079\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QwestTouchPointAgent] "c:\program files\qwest\desktop\QwestTouchPointAgent.exe" /autostart
mRun: [IndexSearch] "c:\program files\nuance\paperport\IndexSearch.exe"
mRun: [PaperPort PTD] "c:\program files\nuance\paperport\pptd40nt.exe"
mRun: [PPort12reminder] "c:\program files\nuance\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\12\config\ereg\Ereg.ini"
mRun: [PDFHook] c:\program files\nuance\pdf viewer plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] c:\program files\nuance\pdf viewer plus\RegistryController.exe
mRun: [ControlCenter4] c:\program files\controlcenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [Trend Micro Titanium] c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe -set Silent "1" SplashURL ""
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [RI2OTQEVZCMII] \OYJLKUD4B.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dExplorerRun: [RI2OTQEVZCMII] \OYJLKUD4B.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - c:\program files\nuance\pdf viewer plus\bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181016788625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://192.168.0.20:81/CSViewer.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{B08D17A1-2A30-4A87-8C1C-316A5E011043} : DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{B5BE33D2-0C8F-4317-A9CB-11A77AC3955B} : DhcpNameServer = 192.168.0.1 205.171.3.65
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\6.6.1010\6.6.1010\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\1.5.1504\6.6.1088\TmIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
Notify: mwusbw32 -
Notify: vmwusb -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\57sze76e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.startsearcher.com/?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myqwest.com/
FF - prefs.js: keyword.URL - hxxp://www.startsearcher.com/?src=kw&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2012-1-2 188272]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-19 54752]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-4 652872]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\nuance\paperport\PDFProFiltSrvPP.exe [2010-3-8 144672]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2012-1-2 64080]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-15 24652]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-5-28 245760]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-4 20464]
S2 Ias;Windows Logging Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-5-20 14336]
S2 Iprip;Network Security;c:\windows\system32\svchost.exe -k netsvcs [2004-5-20 14336]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-5-20 14336]
S2 NAVAPEL;NAVAPEL;\??\c:\program files\symantec_client_security\symantec antivirus\navapel.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAPEL.SYS [?]
S3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [2011-5-28 71424]
S3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [2011-5-28 11520]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-6-4 17149]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 NAVAP;NAVAP;\??\c:\program files\symantec_client_security\symantec antivirus\navap.sys --> c:\program files\symantec_client_security\symantec antivirus\NAVAP.sys [?]
S4 MDM32;Machine Debug Manager ; [x]
.
=============== Created Last 30 ================
.
2012-01-05 04:16:46 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-03 05:22:45 22032 ----a-w- c:\windows\DCEBoot.exe
2012-01-03 05:22:45 102400 ----a-w- c:\windows\RegBootClean.exe
2012-01-03 02:07:08 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-01-03 02:07:01 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-01-03 02:07:01 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-01-03 02:07:01 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-03 01:48:50 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2012-01-03 01:48:47 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-11-16 15:39:46 0 ----a-w- C:\LOG55.tmp
2011-11-16 15:38:10 0 ----a-w- C:\LOG4B.tmp
2011-11-09 02:10:46 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 20:31:20.99 ===============
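As an added example (not part of the original post, and not code from DDS or any of the tools named in the thread), here is a small Python triage script for lines in the Pseudo HJT Report format shown above. It flags the entry types that matter in this thread: hosts-file entries that point a real site at loopback, autorun entries whose image sits in a drive root with no drive letter, start/search settings that point at an unexpected host, and orphaned BHO/toolbar registrations. The sample lines and the allowlist of expected web hosts are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the style of the DDS "Pseudo HJT Report" posted above
# (same entry kinds; values chosen to exercise each rule, not copied wholesale).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.startsearcher.com
BHO: {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - No File
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\TmIEPlg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
mRun: [VTTimer] VTTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [RI2OTQEVZCMII] \OYJLKUD4B.exe
dExplorerRun: [RI2OTQEVZCMII] \OYJLKUD4B.exe
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myqwest.com/
FF - prefs.js: keyword.URL - hxxp://www.startsearcher.com/?src=kw&q=
"""

# Assumption for this example: the hosts an analyst expects in this machine's
# home page / search settings (vendor redirect page, ISP portal, the user's
# chosen search engine). Anything else is reported for review.
EXPECTED_WEB_HOSTS = {"www.google.com", "ie.redirect.hp.com", "www.myqwest.com"}

RUN_RE = re.compile(r"^(?P<hive>[umd])(?:Explorer)?Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IE_URL_RE = re.compile(r"^(?P<key>[um](?:Start Page|Search Page|Search Bar|Default_Page_URL|Default_Search_URL)) = (?P<url>\S+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>\S+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
NO_FILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB): .* - No File$")
DRIVE_ROOT_RE = re.compile(r"^[a-zA-Z]:\\[^\\]+$")


def image_path(cmd):
    """Return the executable part of an autorun command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def url_host(value):
    """Host part of a (possibly defanged, e.g. hxxp://) URL, or None if not a URL."""
    if "://" not in value:
        return None
    return urlparse(value).netloc.lower() or None


def triage(text):
    """Scan DDS-style lines and return findings as dicts: severity, rule, offending line."""
    findings = []

    def flag(severity, rule, line):
        findings.append({"severity": severity, "rule": rule, "line": line})

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            path = image_path(m["cmd"])
            if path.startswith("\\"):
                # Root-relative path with no drive letter: resolves to the drive
                # root, a placement legitimate installers do not use.
                flag("high", "autorun image in drive root (no drive letter)", line)
            elif DRIVE_ROOT_RE.match(path):
                flag("medium", "autorun image directly in a drive root", line)
        elif m := HOSTS_RE.match(line):
            if m["ip"] in {"127.0.0.1", "0.0.0.0", "::1"} and not m["host"].startswith("localhost"):
                # A hosts entry pointing a real site at loopback blocks that site;
                # infections commonly do this to security vendors' domains.
                flag("high", "hosts file sinkholes " + m["host"], line)
        elif m := IE_URL_RE.match(line):
            host = url_host(m["url"])
            if host and host not in EXPECTED_WEB_HOSTS:
                flag("medium", "IE start/search setting points to " + host, line)
        elif m := FF_PREF_RE.match(line):
            host = url_host(m["value"])
            if host and host not in EXPECTED_WEB_HOSTS:
                flag("medium", "Firefox " + m["pref"] + " points to " + host, line)
        elif NO_FILE_RE.match(line):
            # Orphaned registration: the DLL is gone but the CLSID remains; a cleanup item.
            flag("low", "browser extension registration with missing file", line)
    return findings


def worst_severity(findings):
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f["severity"] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["severity"]:<6} {f["rule"]}: {f["line"]}')
```

Run against the sample it reports three high, two medium and two low findings; the allowlist is the part to adapt per machine.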


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 January 2012 - 11:56 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 11 January 2012 - 09:37 PM

Gringo -

I ran ComboFix, and the computer restarted. I found a directory called "Qoobox". I can't find any "logs" in there. There is a file in the Quarantine directory called "catchme" that says:

2012-01-11 20:08:23
driver loading error error: 6

Yes, error is in here twice.

Where is the log file that you would like me to post?

The computer seems to be okay, the yellow shield at the bottom popped up saying there were updates available. I went to the windows update website and it works now.

Thanks,
Smurf-Slayer

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2012 - 09:48 PM

Hello

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#5 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 11 January 2012 - 10:28 PM

Gringo -

In Safe Mode it says Trend Micro Titanium is running. But I don't know how to kill it because it is not in the system tray. And there are only a few files in the process table, and none look like Trend Micro.

How do I stop it?

Thanks,
Smurf-Slayer

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 January 2012 - 11:32 PM

Go ahead and run it and see if it will make a report.

Gringo

#7 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 12 January 2012 - 09:16 PM

Gringo -

I'm still not sure where/which log you would like me to post. It seems to have run in Safe Mode with Trend Micro Titanium running. It rebooted after running 50 or so phases, and came up in normal mode.

This is the log file I found:

Thanks,
Smurf-Slayer

ComboFix 12-01-11.01 - Owner 01/12/2012 19:37:45.2.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1664 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro Titanium 2012 *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\install.rdf
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome.manifest
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome\xulcache.jar
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\defaults\preferences\xulcache.js
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\install.rdf
C:\Documents and Settings\Administrator\WINDOWS
C:\Documents and Settings\All Users\Application Data\pJZ7ied0HjmT74
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\Default User\WINDOWS
C:\Documents and Settings\NetworkService\Cookies\1357921na.t
C:\Documents and Settings\Owner\Application Data\inst.exe
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\install.rdf
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome.manifest
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome\xulcache.jar
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\defaults\preferences\xulcache.js
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\install.rdf
C:\Documents and Settings\Owner\lirdajxezj.tmp
C:\Documents and Settings\Owner\Start Menu\Programs\System Check\System Check.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\System Check\Uninstall System Check.lnk
C:\Documents and Settings\Owner\System
C:\Documents and Settings\Owner\System\win_qs8.jqx
C:\Documents and Settings\Owner\WINDOWS
C:\LOG1B2.tmp
C:\Program Files\Object
C:\Program Files\Object\config.ini
C:\Program Files\Object\facetheme\build.sh
C:\Program Files\Object\facetheme\chrome.manifest
C:\Program Files\Object\facetheme\config_build.sh
C:\Program Files\Object\facetheme\content\.DS_Store
C:\Program Files\Object\facetheme\content\firefoxOverlay.xul
C:\Program Files\Object\facetheme\content\installid.js
C:\Program Files\Object\facetheme\content\overlay.js
C:\Program Files\Object\facetheme\content\sudoku.js
C:\Program Files\Object\facetheme\defaults\.DS_Store
C:\Program Files\Object\facetheme\defaults\preferences\.DS_Store
C:\Program Files\Object\facetheme\defaults\preferences\sudoku.js
C:\Program Files\Object\facetheme\files
C:\Program Files\Object\facetheme\install.rdf
C:\Program Files\Object\facetheme\locale\.DS_Store
C:\Program Files\Object\facetheme\locale\en-US\.DS_Store
C:\Program Files\Object\facetheme\locale\en-US\sudoku.dtd
C:\Program Files\Object\facetheme\locale\en-US\sudoku.properties
C:\Program Files\Object\facetheme\readme.txt
C:\Program Files\Object\facetheme\skin\overlay.css
C:\Program Files\Object\facetheme_uninstall.exe
C:\WINDOWS\help\wmplayer.bak
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\config\systemprofile\WINDOWS
C:\WINDOWS\system32\drivers\etc\hosts.ics
C:\WINDOWS\system32\kock
C:\WINDOWS\system32\kock\owner@quantserve[1].txt
C:\WINDOWS\system32\kock\owner@quantserve[2].txt
C:\WINDOWS\system32\kock\owner@quantserve[4].txt
C:\WINDOWS\system32\kock\owner@turn[1].txt
C:\WINDOWS\system32\kock\owner@turn[2].txt
C:\WINDOWS\system32\kock\owner@turn[3].txt
C:\WINDOWS\system32\kock\owner@turn[4].txt
C:\WINDOWS\system32\kock\owner@turn[5].txt
C:\WINDOWS\system32\kock\system@ads.undertone[1].txt
C:\WINDOWS\system32\kock\system@ads.undertone[2].txt
C:\WINDOWS\system32\kock\system@employment.wellsfargo[2].txt
C:\WINDOWS\system32\kock\system@quantserve[1].txt
C:\WINDOWS\system32\kock\system@quantserve[2].txt
C:\WINDOWS\system32\kock\system@quantserve[3].txt
C:\WINDOWS\system32\kock\system@ru4[1].txt
C:\WINDOWS\system32\kock\system@ru4[2].txt
C:\WINDOWS\system32\kock\system@scorecardresearch[1].txt
C:\WINDOWS\system32\kock\system@scorecardresearch[2].txt
C:\WINDOWS\system32\kock\system@sharethis[2].txt
C:\WINDOWS\system32\kock\system@turn[1].txt
C:\WINDOWS\system32\kock\system@turn[2].txt
C:\WINDOWS\system32\kock\system@undertone[1].txt
C:\WINDOWS\system32\ps2.bat
C:\WINDOWS\system32\SET52.tmp
C:\WINDOWS\system32\SET61.tmp
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_Ias
-------\Service_itlperf


((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))


2012-01-12 04:13:34 . 2012-01-12 03:59:02 92432 ----a-w- C:\WINDOWS\system32\drivers\tmtdi.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 81168 ----a-w- C:\WINDOWS\system32\drivers\tmactmon.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 68368 ----a-w- C:\WINDOWS\system32\drivers\tmevtmgr.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 205072 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
2012-01-12 04:12:34 . 2012-01-12 04:12:34 56 ----a-w- C:\WINDOWS\system32\SupportTool.exe.bat
2012-01-12 03:51:52 . 2012-01-12 03:51:52 626688 ----a-w- C:\Program Files\Mozilla Firefox\msvcr80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 548864 ----a-w- C:\Program Files\Mozilla Firefox\msvcp80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 479232 ----a-w- C:\Program Files\Mozilla Firefox\msvcm80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 43992 ----a-w- C:\Program Files\Mozilla Firefox\mozutils.dll
2012-01-12 02:55:38 . 2012-01-12 03:19:16 -------- d-----w- C:\WINDOWS\SxsCaPendDel
2012-01-12 02:38:00 . 2011-06-24 14:10:36 139656 -c----w- C:\WINDOWS\system32\dllcache\rdpwd.sys
2012-01-12 02:37:58 . 2011-04-21 13:37:43 105472 -c----w- C:\WINDOWS\system32\dllcache\mup.sys
2012-01-12 02:30:30 . 2012-01-12 02:30:30 -------- d-----w- C:\WINDOWS\system32\winrm
2012-01-12 02:30:23 . 2012-01-12 02:30:40 -------- dc-h--w- C:\WINDOWS\$968930Uinstall_KB968930$
2012-01-12 02:27:51 . 2011-07-08 14:02:00 10496 -c----w- C:\WINDOWS\system32\dllcache\ndistapi.sys
2012-01-03 05:22:45 . 2012-01-04 09:48:10 22032 ----a-w- C:\WINDOWS\DCEBoot.exe
2012-01-03 05:22:45 . 2012-01-04 09:48:10 102400 ----a-w- C:\WINDOWS\RegBootClean.exe
2012-01-03 02:07:31 . 2012-01-03 02:07:31 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\Trend Micro
2012-01-03 01:48:50 . 2012-01-12 04:14:47 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Trend Micro
2012-01-03 01:48:47 . 2012-01-12 04:18:07 -------- d-----w- C:\Program Files\Trend Micro
2011-12-31 19:10:42 . 2011-12-31 19:10:42 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\Nuance
2011-12-30 15:44:38 . 2011-12-30 15:44:38 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Windows Search
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-25 21:57:19 . 2004-04-01 04:50:01 293376 ----a-w- C:\WINDOWS\system32\winsrv.dll
2011-11-23 13:25:32 . 2004-04-01 04:50:00 1859584 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-11-18 12:35:08 . 2004-05-20 17:32:01 60416 ----a-w- C:\WINDOWS\system32\packager.exe
2011-11-09 02:10:46 . 2011-11-09 02:10:46 1409 ----a-w- C:\WINDOWS\QTFont.for
2011-11-04 19:20:51 . 2005-10-21 18:51:36 916992 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:20:51 . 2004-05-20 17:52:44 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-04 19:20:51 . 2004-05-20 17:52:10 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 11:23:59 . 2004-08-04 05:59:57 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-11-03 15:28:36 . 2005-08-30 15:14:00 1292288 ----a-w- C:\WINDOWS\system32\quartz.dll
2011-11-03 15:28:36 . 2003-05-31 00:00:02 386048 ----a-w- C:\WINDOWS\system32\qdvd.dll
2011-11-01 16:07:10 . 2005-07-26 04:31:13 1288704 ----a-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:48 . 2004-05-20 17:51:34 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-25 13:33:08 . 2004-04-01 04:49:55 2192768 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:52:03 . 2002-08-29 08:04:56 2069376 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-18 11:13:22 . 2002-11-27 06:15:52 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
2012-01-12 03:51:52 . 2011-04-06 14:06:31 121816 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll

#8 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 12 January 2012 - 09:23 PM

Gringo -

Rkill is still flagging this file:

C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe

Is that file a problem?

Thanks,
Smurf-Slayer

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 January 2012 - 09:47 PM

That is only part of the report. Can you send the whole report?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 12 January 2012 - 10:20 PM

Gringo -

That was all of that file. Is it in another file?

If not, should I run it again?

Thanks,
Smurf-Slayer

#11 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts

Posted 12 January 2012 - 10:40 PM

Gringo -

Appears it finished normally the second time. This time the log popped up on the screen.

What about the file that Rkill flagged a couple of posts up?

Smurf-Slayer

ComboFix 12-01-12.04 - Owner 01/12/2012 21:26:49.3.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1670 [GMT -6:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: Norton AntiVirus Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro Titanium 2012 *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Start Menu\Programs\System Check
.
---- Previous Run -------
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\install.rdf
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome.manifest
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome\xulcache.jar
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\defaults\preferences\xulcache.js
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z62m1smo.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\install.rdf
c:\documents and settings\All Users\Application Data\pJZ7ied0HjmT74
c:\documents and settings\NetworkService\Cookies\1357921na.t
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{3b6785be-65df-4865-8366-b1d04d4b1b2a}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{4bbc5868-64ea-49ed-acb5-dcfb5772782f}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{8991051a-15d1-4207-b904-3ae6706a7fc0}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{97577a5a-9018-4920-99b5-11c7998b8e78}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{a271891c-697f-42bc-8f57-ec0e20ddecaf}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{abdf356b-b6ae-4210-8e6b-b5b4c5efaaf8}\install.rdf
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome.manifest
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\defaults\preferences\xulcache.js
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\extensions\{db01ecfa-f7d4-4ab0-9f77-4510c8aaf24e}\install.rdf
c:\documents and settings\Owner\lirdajxezj.tmp
c:\documents and settings\Owner\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Owner\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Owner\System\win_qs8.jqx
C:\LOG1B2.tmp
c:\program files\Object\config.ini
c:\program files\Object\facetheme\build.sh
c:\program files\Object\facetheme\chrome.manifest
c:\program files\Object\facetheme\config_build.sh
c:\program files\Object\facetheme\content\.DS_Store
c:\program files\Object\facetheme\content\firefoxOverlay.xul
c:\program files\Object\facetheme\content\installid.js
c:\program files\Object\facetheme\content\overlay.js
c:\program files\Object\facetheme\content\sudoku.js
c:\program files\Object\facetheme\defaults\.DS_Store
c:\program files\Object\facetheme\defaults\preferences\.DS_Store
c:\program files\Object\facetheme\defaults\preferences\sudoku.js
c:\program files\Object\facetheme\files
c:\program files\Object\facetheme\install.rdf
c:\program files\Object\facetheme\locale\.DS_Store
c:\program files\Object\facetheme\locale\en-US\.DS_Store
c:\program files\Object\facetheme\locale\en-US\sudoku.dtd
c:\program files\Object\facetheme\locale\en-US\sudoku.properties
c:\program files\Object\facetheme\readme.txt
c:\program files\Object\facetheme\skin\overlay.css
c:\program files\Object\facetheme_uninstall.exe
c:\windows\help\wmplayer.bak
c:\windows\jestertb.dll
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\kock\owner@quantserve[1].txt
c:\windows\system32\kock\owner@quantserve[2].txt
c:\windows\system32\kock\owner@quantserve[4].txt
c:\windows\system32\kock\owner@turn[1].txt
c:\windows\system32\kock\owner@turn[2].txt
c:\windows\system32\kock\owner@turn[3].txt
c:\windows\system32\kock\owner@turn[4].txt
c:\windows\system32\kock\owner@turn[5].txt
c:\windows\system32\kock\system@ads.undertone[1].txt
c:\windows\system32\kock\system@ads.undertone[2].txt
c:\windows\system32\kock\system@employment.wellsfargo[2].txt
c:\windows\system32\kock\system@quantserve[1].txt
c:\windows\system32\kock\system@quantserve[2].txt
c:\windows\system32\kock\system@quantserve[3].txt
c:\windows\system32\kock\system@ru4[1].txt
c:\windows\system32\kock\system@ru4[2].txt
c:\windows\system32\kock\system@scorecardresearch[1].txt
c:\windows\system32\kock\system@scorecardresearch[2].txt
c:\windows\system32\kock\system@sharethis[2].txt
c:\windows\system32\kock\system@turn[1].txt
c:\windows\system32\kock\system@turn[2].txt
c:\windows\system32\kock\system@undertone[1].txt
c:\windows\system32\ps2.bat
c:\windows\system32\SET52.tmp
c:\windows\system32\SET61.tmp
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_Ias
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-13 02:27 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 04:13 . 2012-01-12 03:59 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-01-12 04:13 . 2012-01-12 03:59 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-01-12 04:13 . 2012-01-12 03:59 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-01-12 04:13 . 2012-01-12 03:59 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-12 04:12 . 2012-01-12 04:12 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2012-01-12 03:51 . 2012-01-12 03:51 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-12 03:51 . 2012-01-12 03:51 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-12 03:51 . 2012-01-12 03:51 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-12 03:51 . 2012-01-12 03:51 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-01-12 02:55 . 2012-01-12 03:19 -------- d-----w- c:\windows\SxsCaPendDel
2012-01-12 02:38 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-12 02:37 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-01-12 02:30 . 2012-01-12 02:30 -------- d-----w- c:\windows\system32\winrm
2012-01-12 02:30 . 2012-01-12 02:30 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-01-12 02:27 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-03 05:22 . 2012-01-04 09:48 22032 ----a-w- c:\windows\DCEBoot.exe
2012-01-03 05:22 . 2012-01-04 09:48 102400 ----a-w- c:\windows\RegBootClean.exe
2012-01-03 02:07 . 2012-01-03 02:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Trend Micro
2012-01-03 01:48 . 2012-01-12 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2012-01-03 01:48 . 2012-01-12 04:18 -------- d-----w- c:\program files\Trend Micro
2011-12-31 19:10 . 2011-12-31 19:10 -------- d-----w- c:\documents and settings\LocalService\Application Data\Nuance
2011-12-30 15:44 . 2011-12-30 15:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2004-04-01 04:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-04-01 04:50 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-05-20 17:32 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-09 02:10 . 2011-11-09 02:10 1409 ----a-w- c:\windows\QTFont.for
2011-11-04 19:20 . 2005-10-21 18:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-05-20 17:52 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-05-20 17:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2005-08-30 15:14 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-03 15:28 . 2003-05-31 00:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-01 16:07 . 2005-07-26 04:31 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-05-20 17:51 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-04-01 04:49 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 08:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2002-11-27 06:15 186880 ----a-w- c:\windows\system32\encdec.dll
2012-01-12 03:51 . 2011-04-06 14:06 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A317CB83-299C-4FC8-9ED7-2D64117D98EE}]
2009-11-17 17:33 81920 ----a-w- c:\program files\qwesttoolbar\qwesttoolbarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A317CB83-299C-4FC8-9ED7-2D64117D98EE}"= "c:\program files\qwesttoolbar\qwesttoolbarDx.dll" [2009-11-17 81920]
.
[HKEY_CLASSES_ROOT\clsid\{a317cb83-299c-4fc8-9ed7-2d64117d98ee}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-29 196608]
"HostManager"="c:\program files\Common Files\AOL\1137653079\ee\AOLSoftware.exe" [2006-05-10 50760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QwestTouchPointAgent"="c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe" [2011-01-25 45992]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files\ControlCenter4\BrCcBoot.exe" [2010-10-28 139264]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-01-12 129304]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-05 1300672]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\Reminder.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\ctrlcntr.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\Temp\\ccftpclient.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137653079\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1137653079\\ee\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
S1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [1/11/2012 10:13 PM 68368]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [1/11/2012 10:12 PM 200632]
S2 Iprip;Network Security;c:\windows\System32\svchost.exe -k netsvcs [5/20/2004 11:32 AM 14336]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/12/2012 8:27 PM 652872]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [3/8/2010 11:40 PM 144672]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/15/2007 11:03 AM 24652]
S3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [5/28/2011 10:44 AM 71424]
S3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [5/28/2011 10:44 AM 11520]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [5/28/2011 10:39 AM 245760]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [6/4/2007 7:56 PM 17149]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/12/2012 8:27 PM 20464]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/3/2009 6:58 PM 47360]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [5/20/2004 11:32 AM 14336]
S4 MDM32;Machine Debug Manager ; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vmwareusb REG_MULTI_SZ vmusb
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3009598779-1698478881-4012263408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
2012-01-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3009598779-1698478881-4012263408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 08:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mStart Page = hxxp://www.startsearcher.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {EFFDEEEC-F9E1-4461-91D2-DAEB8CC595F1} - hxxp://192.168.0.20:81/CSViewer.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.startsearcher.com/?q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.myqwest.com/
FF - prefs.js: keyword.URL - hxxp://www.startsearcher.com/?src=kw&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-RecordNow! - (no file)
HKLM-Run-USRpdA - (no file)
HKU-Default-Run-RI2OTQEVZCMII - \OYJLKUD4B.exe
HKU-Default-Explorer_Run-RI2OTQEVZCMII - \OYJLKUD4B.exe
Notify-itlntfy - (no file)
Notify-mwusbw32 - (no file)
Notify-vmwusb - (no file)
AddRemove-Facetheme - c:\program files\Object\facetheme_uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 21:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iprip]
"ServiceDll"=""
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MDM32]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-01-12 21:37:41
ComboFix-quarantined-files.txt 2012-01-13 03:37
.
Pre-Run: 69,337,034,752 bytes free
Post-Run: 69,287,305,216 bytes free
.
- - End Of File - - 6F4FA89D2C5C03DCD7C4DF4E5783109C

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:56 AM

Posted 12 January 2012 - 11:45 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\program files\qwesttoolbar

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\57sze76e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.startsearcher.com/?q=
FF - prefs.js: browser.startup.homepage - hxxp://www.myqwest.com/
FF - prefs.js: keyword.URL - hxxp://www.startsearcher.com/?src=kw&q=


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
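
Several entries in the ComboFix log above deserve more than a glance: the Iprip service (display name "Network Security") is hosted by svchost.exe but its ServiceDll is empty, the MDM32 service has an empty ImagePath, an orphaned Run value with a generated-looking name (RI2OTQEVZCMII) points at a bare \OYJLKUD4B.exe, and Firefox's browser.search.defaulturl and keyword.URL both go through startsearcher.com while user.js lines switch the security.warn_* prompts off. The Python script below is an added example, not ComboFix code and not from anyone in this thread: it parses those ComboFix line formats and reports each of those patterns. The sample input is an excerpt copied from the log above; the function names, the "10 or more capitals/digits means a generated name" threshold and the hijack-domain list are this example's own assumptions.

```python
"""Triage a ComboFix log for the residue seen in this thread. Added example,
not ComboFix code and not from the forum posts; thresholds, helper names and
the hijack-domain list are assumptions, the sample is an excerpt of the log."""
import re
from urllib.parse import urlsplit

# Lines copied from the ComboFix log above (constructed excerpt).
SAMPLE_LOG = """\
S2 Iprip;Network Security;c:\\windows\\System32\\svchost.exe -k netsvcs [5/20/2004 11:32 AM 14336]
S2 MBAMService;MBAMService;c:\\program files\\Malwarebytes' Anti-Malware\\mbamservice.exe [1/12/2012 8:27 PM 652872]
S4 MDM32;Machine Debug Manager ; [x]
HKCU-Run-RecordNow! - (no file)
HKU-Default-Run-RI2OTQEVZCMII - \\OYJLKUD4B.exe
HKU-Default-Explorer_Run-RI2OTQEVZCMII - \\OYJLKUD4B.exe
FF - prefs.js: browser.search.defaulturl - hxxp://www.startsearcher.com/?q=
FF - prefs.js: browser.startup.homepage - hxxp://www.myqwest.com/
FF - prefs.js: keyword.URL - hxxp://www.startsearcher.com/?src=kw&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
[HKEY_LOCAL_MACHINE\\System\\ControlSet003\\Services\\Iprip]
"ServiceDll"=""
[HKEY_LOCAL_MACHINE\\System\\ControlSet003\\Services\\MDM32]
"ImagePath"=""
"""

SERVICE_RE = re.compile(r'^S[0-4] (?P<name>[^;]+);[^;]*;(?P<path>.*?)\s*\[[^\]]*\]$')
REG_KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
REG_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
ORPHAN_RE = re.compile(r'^(?P<hive>HK[\w-]*?)-(?P<kind>\w*Run)-(?P<name>\S+) - (?P<target>.+)$')
FF_PREF_RE = re.compile(r'^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.*)$')
RANDOM_NAME_RE = re.compile(r'^[A-Z0-9]{10,}$')  # assumption: 10+ caps/digits looks generated
BARE_EXE_RE = re.compile(r'^\\?[A-Za-z0-9]+\.exe$', re.IGNORECASE)  # executable with no directory
URL_PREFS = {'browser.search.defaulturl', 'keyword.URL', 'browser.startup.homepage'}

def parse_registry_dump(log):
    """REGEDIT4 fragments ComboFix appends -> {key path lower-cased: {value: raw text}}."""
    out, current = {}, None
    for line in log.splitlines():
        key, val = REG_KEY_RE.match(line), REG_VAL_RE.match(line)
        if key:
            current = out.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            current[val.group(1)] = val.group(2)
    return out

def service_value(reg, service, value_name):
    """Look a value up under any ControlSetNNN\\Services\\<service> key."""
    suffix = '\\services\\' + service.lower()
    return next((v[value_name] for k, v in reg.items()
                 if k.endswith(suffix) and value_name in v), None)

def broken_services(log):
    """An svchost-hosted service with an empty ServiceDll, or a service with an
    empty ImagePath: a fake service that was only partly removed leaves this."""
    reg, findings = parse_registry_dump(log), []
    for m in filter(None, map(SERVICE_RE.match, log.splitlines())):
        name, path = m.group('name'), m.group('path')
        if 'svchost.exe' in path.lower() and service_value(reg, name, 'ServiceDll') == '""':
            findings.append((name, 'svchost-hosted service with empty ServiceDll'))
        elif not path and service_value(reg, name, 'ImagePath') == '""':
            findings.append((name, 'service with empty ImagePath'))
    return findings

def suspicious_autoruns(log):
    """Orphaned Run values with a generated-looking name or a bare .exe target."""
    return [(m.group('hive') + '-' + m.group('kind'), m.group('name'), m.group('target'))
            for m in filter(None, map(ORPHAN_RE.match, log.splitlines()))
            if RANDOM_NAME_RE.match(m.group('name')) or BARE_EXE_RE.match(m.group('target'))]

def refang(url):
    """ComboFix writes hxxp:// so the log is not clickable; undo that to parse."""
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)

def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith('.' + d) for d in domains)

def firefox_findings(log, hijack_domains):
    """URL prefs pointing at a hijack domain, and user.js lines that switch a
    security.warn_* prompt off (user.js is re-applied at every Firefox start)."""
    findings = []
    for m in filter(None, map(FF_PREF_RE.match, log.splitlines())):
        fname, pref, value = m.group('file'), m.group('pref'), m.group('value').strip()
        if pref in URL_PREFS:
            host = urlsplit(refang(value)).hostname or ''
            if host_matches(host, hijack_domains):
                findings.append((fname, pref, value, 'redirected to ' + host))
        elif fname == 'user.js' and pref.startswith('security.warn_') and value == 'false':
            findings.append((fname, pref, value, 'security warning disabled by user.js'))
    return findings

def triage(log, hijack_domains=('startsearcher.com',)):
    """All three checks over one log text; the default domain list is an assumption."""
    return {'services': broken_services(log), 'autoruns': suspicious_autoruns(log),
            'firefox': firefox_findings(log, hijack_domains)}

if __name__ == '__main__':
    for section, items in triage(SAMPLE_LOG).items():
        print(section, *items, sep='\n  ')
```

Call triage() on the full text of a ComboFix log, or run the file to print the findings for the embedded excerpt. Two caveats. Iprip is the service name of Windows' RIP Listener, so the empty ServiceDll and the unrelated "Network Security" display name together are what make that line stand out, not either on its own. And user.js is re-applied every time Firefox starts, so a setting placed there comes back after being changed in the options dialog; the security.warn_* lines need removing from that file rather than just resetting in the UI. network.cookie.cookieBehavior 0 is Firefox's default (accept all cookies), so the script leaves it alone.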

#13 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 13 January 2012 - 08:44 PM

Gringo -

I got the script created. That was tough because the machine kept freezing. After about three times I was able to drag the script onto ComboFix and it started. The original window ran and then went away, and the computer froze again.

I will keep trying to get it to finish.

Other thoughts?

Thanks,
Smurf-Slayer

#14 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:03:56 AM

Posted 13 January 2012 - 09:57 PM

Gringo -

I can't get it to finish properly. I tried several more times. I did run it in Safe Mode, and it restarted in regular mode and tried to make the log file, but the system froze before it could finish.

Below is that log.

Thanks,
Smurf-Slayer


ComboFix 12-01-13.05 - Owner 01/13/2012 20:03:46.4.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1983.1668 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\My Documents\Downloads\CFScript.txt
AV: Norton AntiVirus Online *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Trend Micro Titanium 2012 *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\program files\qwesttoolbar
c:\program files\qwesttoolbar\chrome\content\about.xml
c:\program files\qwesttoolbar\chrome\content\data\search\engines.xml
c:\program files\qwesttoolbar\chrome\content\lib\about.xml
c:\program files\qwesttoolbar\chrome\content\lib\dtxpanelwin.xul
c:\program files\qwesttoolbar\chrome\content\lib\dtxprefwin.xul
c:\program files\qwesttoolbar\chrome\content\lib\dtxwin.xul
c:\program files\qwesttoolbar\chrome\content\lib\emailnotifierproviders.xml
c:\program files\qwesttoolbar\chrome\content\lib\external.js
c:\program files\qwesttoolbar\chrome\content\lib\neterror.xhtml
c:\program files\qwesttoolbar\chrome\content\lib\rsspreview.html
c:\program files\qwesttoolbar\chrome\content\lib\rsswin.xml
c:\program files\qwesttoolbar\chrome\content\lib\rsswin.xsl
c:\program files\qwesttoolbar\chrome\content\modules\datastore.jsm
c:\program files\qwesttoolbar\chrome\content\preferences.xml
c:\program files\qwesttoolbar\chrome\content\qwesttoolbar.js
c:\program files\qwesttoolbar\chrome\content\toolbar.htm
c:\program files\qwesttoolbar\chrome\content\toolbar.xul
c:\program files\qwesttoolbar\chrome\data\search\engines.xml
c:\program files\qwesttoolbar\chrome\elementattributes.xml
c:\program files\qwesttoolbar\chrome\skin\3d_multiplayer.png
c:\program files\qwesttoolbar\chrome\skin\about.png
c:\program files\qwesttoolbar\chrome\skin\about_toolbar.png
c:\program files\qwesttoolbar\chrome\skin\abroad_news.png
c:\program files\qwesttoolbar\chrome\skin\action_games.png
c:\program files\qwesttoolbar\chrome\skin\auto_news.png
c:\program files\qwesttoolbar\chrome\skin\bluelite.gif
c:\program files\qwesttoolbar\chrome\skin\bluesky.gif
c:\program files\qwesttoolbar\chrome\skin\btn-search-over.png
c:\program files\qwesttoolbar\chrome\skin\btn-search.png
c:\program files\qwesttoolbar\chrome\skin\ca.png
c:\program files\qwesttoolbar\chrome\skin\card_games.png
c:\program files\qwesttoolbar\chrome\skin\clear_cookies.png
c:\program files\qwesttoolbar\chrome\skin\clear_history.png
c:\program files\qwesttoolbar\chrome\skin\computer_news.png
c:\program files\qwesttoolbar\chrome\skin\divider.png
c:\program files\qwesttoolbar\chrome\skin\domestic_news.png
c:\program files\qwesttoolbar\chrome\skin\dtxlogo.png
c:\program files\qwesttoolbar\chrome\skin\economy_news.png
c:\program files\qwesttoolbar\chrome\skin\email.png
c:\program files\qwesttoolbar\chrome\skin\email_on.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_celeb.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_games.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_movies.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_strange.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_tv.png
c:\program files\qwesttoolbar\chrome\skin\entertainment_videos.png
c:\program files\qwesttoolbar\chrome\skin\favbtn001.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn002.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn003.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn004.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn005.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn006.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn007.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn008.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn009.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn010.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn011.gif
c:\program files\qwesttoolbar\chrome\skin\favbtn012.gif
c:\program files\qwesttoolbar\chrome\skin\film_news.png
c:\program files\qwesttoolbar\chrome\skin\game_controller.png
c:\program files\qwesttoolbar\chrome\skin\game_controller.png.png
c:\program files\qwesttoolbar\chrome\skin\game_news.png
c:\program files\qwesttoolbar\chrome\skin\game_reviews.png
c:\program files\qwesttoolbar\chrome\skin\game_tournament.png
c:\program files\qwesttoolbar\chrome\skin\games.png
c:\program files\qwesttoolbar\chrome\skin\games_gallery.png
c:\program files\qwesttoolbar\chrome\skin\games_skill.png
c:\program files\qwesttoolbar\chrome\skin\games_youngest.png
c:\program files\qwesttoolbar\chrome\skin\grey.gif
c:\program files\qwesttoolbar\chrome\skin\headlines.png
c:\program files\qwesttoolbar\chrome\skin\help.png
c:\program files\qwesttoolbar\chrome\skin\highlight.png
c:\program files\qwesttoolbar\chrome\skin\ico-shield.png
c:\program files\qwesttoolbar\chrome\skin\images.png
c:\program files\qwesttoolbar\chrome\skin\lib\add.png
c:\program files\qwesttoolbar\chrome\skin\lib\aol.png
c:\program files\qwesttoolbar\chrome\skin\lib\arrow-dn.gif
c:\program files\qwesttoolbar\chrome\skin\lib\arrow-right.gif
c:\program files\qwesttoolbar\chrome\skin\lib\arrow-up.gif
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btn-divider.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btn-end.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btn-mdl.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btn-start.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btnover-divider.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btnover-end.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btnover-mdl.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btnover-mdl_ff.png
c:\program files\qwesttoolbar\chrome\skin\lib\bg-btnover-start.png
c:\program files\qwesttoolbar\chrome\skin\lib\blank.gif
c:\program files\qwesttoolbar\chrome\skin\lib\btnback-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\btnback-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\btnleft-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\btnleft-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\btnright-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\btnright-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\button-splitter-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\button-splitter-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\checkmark.png
c:\program files\qwesttoolbar\chrome\skin\lib\chevron.png
c:\program files\qwesttoolbar\chrome\skin\lib\collapse.png
c:\program files\qwesttoolbar\chrome\skin\lib\comcast.png
c:\program files\qwesttoolbar\chrome\skin\lib\dtx.css
c:\program files\qwesttoolbar\chrome\skin\lib\edit-back-hot.png
c:\program files\qwesttoolbar\chrome\skin\lib\edit-back.png
c:\program files\qwesttoolbar\chrome\skin\lib\expand.png
c:\program files\qwesttoolbar\chrome\skin\lib\found.png
c:\program files\qwesttoolbar\chrome\skin\lib\gmail.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight_blue.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight_cyan.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight_lime.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight_magenta.png
c:\program files\qwesttoolbar\chrome\skin\lib\highlight_yellow.png
c:\program files\qwesttoolbar\chrome\skin\lib\hotmail.png
c:\program files\qwesttoolbar\chrome\skin\lib\imap.png
c:\program files\qwesttoolbar\chrome\skin\lib\lastsearch-thumb-back.gif
c:\program files\qwesttoolbar\chrome\skin\lib\loadingMid.gif
c:\program files\qwesttoolbar\chrome\skin\lib\lock.png
c:\program files\qwesttoolbar\chrome\skin\lib\mailcom.png
c:\program files\qwesttoolbar\chrome\skin\lib\menu_bg-basic.png
c:\program files\qwesttoolbar\chrome\skin\lib\menu_separator_bar.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitem-splitter.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemback-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemback-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemleft-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemleft-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemright-down-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\menuitemright-vista.png
c:\program files\qwesttoolbar\chrome\skin\lib\modify.png
c:\program files\qwesttoolbar\chrome\skin\lib\move.gif
c:\program files\qwesttoolbar\chrome\skin\lib\movetarget.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\css\popupAbout.css
c:\program files\qwesttoolbar\chrome\skin\lib\panels\css\popupGames.css
c:\program files\qwesttoolbar\chrome\skin\lib\panels\css\popupRSS.css
c:\program files\qwesttoolbar\chrome\skin\lib\panels\css\popupWidgets.css
c:\program files\qwesttoolbar\chrome\skin\lib\panels\footer.htm
c:\program files\qwesttoolbar\chrome\skin\lib\panels\gamecategory.xsl
c:\program files\qwesttoolbar\chrome\skin\lib\panels\gameData.js
c:\program files\qwesttoolbar\chrome\skin\lib\panels\gameList.xsl
c:\program files\qwesttoolbar\chrome\skin\lib\panels\gametype.xsl
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\arrow-dn.gif
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\arrow-sml-drop.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\arrow-sml.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\arrow-up.gif
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\arrowr-bluew5.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\bg-aboutbox.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\bg-btnover.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\bg-pnl520x390.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-close-grey.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-close-greyover.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-drag.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-next-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-next.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-previous-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-previous.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\bullet-orange.gif
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\gamethumb-on.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\gamethumb2-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-calendar.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-download.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-joystick24.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-news24.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-play.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\ico-tags.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\icon-Add.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\icon-download.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\icon-Info.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\icon-play.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\icon-shop.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\menul-bgon.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\menul-bgover.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\panel-botm-noscroll.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scroll-bg-206.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scroll-bg.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scroll-topwin.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollb-disable.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollb-down.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollb-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollb.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollt-disable.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollt-down.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollt-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\scrollt.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\searchbox-pnlbtm.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\star_x_grey.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\star_x_orange.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\TRUSTe_about.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\view-detailed-on.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\view-detailed-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\view-thumb-on.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\view-thumb-over.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\widgets-square-16px.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\images\widgets-square-24px.png
c:\program files\qwesttoolbar\chrome\skin\lib\panels\popupGames.html
c:\program files\qwesttoolbar\chrome\skin\lib\panels\popupRSS.html
c:\program files\qwesttoolbar\chrome\skin\lib\panels\popupWidgets.html
c:\program files\qwesttoolbar\chrome\skin\lib\pop.png
c:\program files\qwesttoolbar\chrome\skin\lib\radio.png
c:\program files\qwesttoolbar\chrome\skin\lib\reload.png
c:\program files\qwesttoolbar\chrome\skin\lib\remove.png
c:\program files\qwesttoolbar\chrome\skin\lib\rename.gif
c:\program files\qwesttoolbar\chrome\skin\lib\resize-box.gif
c:\program files\qwesttoolbar\chrome\skin\lib\rss.png
c:\program files\qwesttoolbar\chrome\skin\lib\rsschannelback.png
c:\program files\qwesttoolbar\chrome\skin\lib\RSSLogo.png
c:\program files\qwesttoolbar\chrome\skin\lib\rsstabdivider.gif
c:\program files\qwesttoolbar\chrome\skin\lib\scroll-left.png
c:\program files\qwesttoolbar\chrome\skin\lib\scroll-right.png
c:\program files\qwesttoolbar\chrome\skin\lib\search-go.png
c:\program files\qwesttoolbar\chrome\skin\lib\search.png
c:\program files\qwesttoolbar\chrome\skin\lib\text-ellipsis.xml
c:\program files\qwesttoolbar\chrome\skin\lib\toolbarsplitter.gif
c:\program files\qwesttoolbar\chrome\skin\lib\transparent_1px.gif
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_02.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_03.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_04.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_06.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_07.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_08.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_09.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_10.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_11.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_12.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_13.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_14.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_15.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_16.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_18.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_19.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_20.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\border_21.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\btn-close-grey.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\btn-close-greyover.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\close-hot.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\close-normal.png
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\loadingMid.gif
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\proxy.html
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\template.html
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\template.xml
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\templateFF.html
c:\program files\qwesttoolbar\chrome\skin\lib\uwa\throbber.gif
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\alert-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\alert.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\clearnight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\clearnight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\clouds-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\clouds.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\cond051.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\cond999.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\drizzle-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\drizzle.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\flurries-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\flurries.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\flurriesday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\flurriesday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\fog-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\fog.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\freezingdrizzle-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\freezingdrizzle.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\freezingrain-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\freezingrain.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\frozenmix-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\frozenmix.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\haze-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\haze.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\hazenight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\hazenight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\heavyrain-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\heavyrain.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\heavysnow-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\heavysnow.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\hotandhumid-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\hotandhumid.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\icons.xml
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\lightsnow-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\lightsnow.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\mostlycloudynight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\mostlycloudynight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\na-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\na.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\partlycloudnight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\partlycloudnight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\partlysunny-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\partlysunny.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\rain-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\rain.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredcloudsday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredcloudsday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredcloudsnight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredcloudsnight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredshowersday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredshowersday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredthunderstorms-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\scatteredthunderstorms.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\showers-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\showers.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\showersday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\showersday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\sleet-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\sleet.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snow-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snow.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snowshowers-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snowshowers.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snowshowersday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\snowshowersday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\sunny-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\sunny.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\thunders-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\thunders.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\thundersday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\thundersday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\verycoldday-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\verycoldday.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\verycoldnight-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\verycoldnight.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\veryhot-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\veryhot.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\weather.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\wind-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\icons\wind.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\add.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\arrowr-bluew5.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue-whitebg.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\box-check.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\box-uncheck.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-grey.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-greyover.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-delete.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-check.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid-s.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\options-weather.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\over-orange.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug2.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-unchecked.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\images\weather-contour.png
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.css
c:\program files\qwesttoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.html
c:\program files\qwesttoolbar\chrome\skin\lib\yahoo.png
c:\program files\qwesttoolbar\chrome\skin\lichen.gif
c:\program files\qwesttoolbar\chrome\skin\logo.png
c:\program files\qwesttoolbar\chrome\skin\maps.png
c:\program files\qwesttoolbar\chrome\skin\menuseparatorback.gif
c:\program files\qwesttoolbar\chrome\skin\modify-save.png
c:\program files\qwesttoolbar\chrome\skin\modify_buttons.png
c:\program files\qwesttoolbar\chrome\skin\modifyhot.png
c:\program files\qwesttoolbar\chrome\skin\more.png
c:\program files\qwesttoolbar\chrome\skin\movies.png
c:\program files\qwesttoolbar\chrome\skin\music.png
c:\program files\qwesttoolbar\chrome\skin\music_news.png
c:\program files\qwesttoolbar\chrome\skin\my_account.png
c:\program files\qwesttoolbar\chrome\skin\my_bill_online.png
c:\program files\qwesttoolbar\chrome\skin\my_products.png
c:\program files\qwesttoolbar\chrome\skin\options.png
c:\program files\qwesttoolbar\chrome\skin\options\options-main.png
c:\program files\qwesttoolbar\chrome\skin\options\options-search.png
c:\program files\qwesttoolbar\chrome\skin\options\options-weather.gif
c:\program files\qwesttoolbar\chrome\skin\options\options-widgets.png
c:\program files\qwesttoolbar\chrome\skin\orange.gif
c:\program files\qwesttoolbar\chrome\skin\photo_faq.png
c:\program files\qwesttoolbar\chrome\skin\photo_prize.png
c:\program files\qwesttoolbar\chrome\skin\preferences.png
c:\program files\qwesttoolbar\chrome\skin\premium.png
c:\program files\qwesttoolbar\chrome\skin\privacy_policy.png
c:\program files\qwesttoolbar\chrome\skin\puzzle_games.png
c:\program files\qwesttoolbar\chrome\skin\qwesttoolbar.css
c:\program files\qwesttoolbar\chrome\skin\rss-delete.png
c:\program files\qwesttoolbar\chrome\skin\search-over.png
c:\program files\qwesttoolbar\chrome\skin\search.png
c:\program files\qwesttoolbar\chrome\skin\searchbar\searchbar-background-left.png
c:\program files\qwesttoolbar\chrome\skin\searchbar\searchbar-background-middle.png
c:\program files\qwesttoolbar\chrome\skin\searchbar\searchbar-background-right.png
c:\program files\qwesttoolbar\chrome\skin\skin-bluelite.png
c:\program files\qwesttoolbar\chrome\skin\skin-bluesky.png
c:\program files\qwesttoolbar\chrome\skin\skin-grey.png
c:\program files\qwesttoolbar\chrome\skin\skin-lichen.png
c:\program files\qwesttoolbar\chrome\skin\skin-orange.png
c:\program files\qwesttoolbar\chrome\skin\skin-yellow.png
c:\program files\qwesttoolbar\chrome\skin\sports.png
c:\program files\qwesttoolbar\chrome\skin\sports_football.png
c:\program files\qwesttoolbar\chrome\skin\sports_games.png
c:\program files\qwesttoolbar\chrome\skin\strategy_games.png
c:\program files\qwesttoolbar\chrome\skin\submenu_logo.png
c:\program files\qwesttoolbar\chrome\skin\terms_conditions.png
c:\program files\qwesttoolbar\chrome\skin\throbber.gif
c:\program files\qwesttoolbar\chrome\skin\toolbar_agreement.png
c:\program files\qwesttoolbar\chrome\skin\toolbar_help.png
c:\program files\qwesttoolbar\chrome\skin\toolbar_uninstall.png
c:\program files\qwesttoolbar\chrome\skin\travel.png
c:\program files\qwesttoolbar\chrome\skin\tv.png
c:\program files\qwesttoolbar\chrome\skin\tv_bw.png
c:\program files\qwesttoolbar\chrome\skin\tv_listings.png
c:\program files\qwesttoolbar\chrome\skin\tv_live.png
c:\program files\qwesttoolbar\chrome\skin\tv_news.png
c:\program files\qwesttoolbar\chrome\skin\weather.png
c:\program files\qwesttoolbar\chrome\skin\web.png
c:\program files\qwesttoolbar\chrome\skin\widgets.png
c:\program files\qwesttoolbar\chrome\skin\word_games.png
c:\program files\qwesttoolbar\chrome\skin\yellow.gif
c:\program files\qwesttoolbar\chrome\skin\zoom_in.png
c:\program files\qwesttoolbar\chrome\skin\zoom_out.png
c:\program files\qwesttoolbar\chrome\skin\zoom_reset.png
c:\program files\qwesttoolbar\components\windowmediator.js
c:\program files\qwesttoolbar\install.ico
c:\program files\qwesttoolbar\manifest.xml
c:\program files\qwesttoolbar\qwesttoolbarDx.dll
c:\program files\qwesttoolbar\qwesttoolbartb.dll
c:\program files\qwesttoolbar\uninstall.exe


((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))


2012-01-13 02:27:46 . 2011-12-10 21:24:06 20464 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2012-01-12 04:13:34 . 2012-01-12 03:59:02 92432 ----a-w- C:\WINDOWS\system32\drivers\tmtdi.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 81168 ----a-w- C:\WINDOWS\system32\drivers\tmactmon.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 68368 ----a-w- C:\WINDOWS\system32\drivers\tmevtmgr.sys
2012-01-12 04:13:28 . 2012-01-12 03:59:02 205072 ----a-w- C:\WINDOWS\system32\drivers\tmcomm.sys
2012-01-12 04:12:34 . 2012-01-12 04:12:34 56 ----a-w- C:\WINDOWS\system32\SupportTool.exe.bat
2012-01-12 03:51:52 . 2012-01-12 03:51:52 626688 ----a-w- C:\Program Files\Mozilla Firefox\msvcr80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 548864 ----a-w- C:\Program Files\Mozilla Firefox\msvcp80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 479232 ----a-w- C:\Program Files\Mozilla Firefox\msvcm80.dll
2012-01-12 03:51:52 . 2012-01-12 03:51:52 43992 ----a-w- C:\Program Files\Mozilla Firefox\mozutils.dll
2012-01-12 02:55:38 . 2012-01-12 03:19:16 -------- d-----w- C:\WINDOWS\SxsCaPendDel
2012-01-12 02:38:00 . 2011-06-24 14:10:36 139656 -c----w- C:\WINDOWS\system32\dllcache\rdpwd.sys
2012-01-12 02:37:58 . 2011-04-21 13:37:43 105472 -c----w- C:\WINDOWS\system32\dllcache\mup.sys
2012-01-12 02:30:30 . 2012-01-12 02:30:30 -------- d-----w- C:\WINDOWS\system32\winrm
2012-01-12 02:30:23 . 2012-01-12 02:30:40 -------- dc-h--w- C:\WINDOWS\$968930Uinstall_KB968930$
2012-01-12 02:27:51 . 2011-07-08 14:02:00 10496 -c----w- C:\WINDOWS\system32\dllcache\ndistapi.sys
2012-01-03 05:22:45 . 2012-01-04 09:48:10 22032 ----a-w- C:\WINDOWS\DCEBoot.exe
2012-01-03 05:22:45 . 2012-01-04 09:48:10 102400 ----a-w- C:\WINDOWS\RegBootClean.exe
2012-01-03 02:07:31 . 2012-01-03 02:07:31 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\Trend Micro
2012-01-03 01:48:50 . 2012-01-12 04:14:47 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Trend Micro
2012-01-03 01:48:47 . 2012-01-12 04:18:07 -------- d-----w- C:\Program Files\Trend Micro
2011-12-31 19:10:42 . 2011-12-31 19:10:42 -------- d-----w- C:\Documents and Settings\LocalService\Application Data\Nuance
2011-12-30 15:44:38 . 2011-12-30 15:44:38 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Windows Search
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-11-25 21:57:19 . 2004-04-01 04:50:01 293376 ----a-w- C:\WINDOWS\system32\winsrv.dll
2011-11-23 13:25:32 . 2004-04-01 04:50:00 1859584 ----a-w- C:\WINDOWS\system32\win32k.sys
2011-11-18 12:35:08 . 2004-05-20 17:32:01 60416 ----a-w- C:\WINDOWS\system32\packager.exe
2011-11-09 02:10:46 . 2011-11-09 02:10:46 1409 ----a-w- C:\WINDOWS\QTFont.for
2011-11-04 19:20:51 . 2005-10-21 18:51:36 916992 ----a-w- C:\WINDOWS\system32\wininet.dll
2011-11-04 19:20:51 . 2004-05-20 17:52:44 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2011-11-04 19:20:51 . 2004-05-20 17:52:10 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2011-11-04 11:23:59 . 2004-08-04 05:59:57 385024 ----a-w- C:\WINDOWS\system32\html.iec
2011-11-03 15:28:36 . 2005-08-30 15:14:00 1292288 ----a-w- C:\WINDOWS\system32\quartz.dll
2011-11-03 15:28:36 . 2003-05-31 00:00:02 386048 ----a-w- C:\WINDOWS\system32\qdvd.dll
2011-11-01 16:07:10 . 2005-07-26 04:31:13 1288704 ----a-w- C:\WINDOWS\system32\ole32.dll
2011-10-28 05:31:48 . 2004-05-20 17:51:34 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2011-10-25 13:33:08 . 2004-04-01 04:49:55 2192768 ----a-w- C:\WINDOWS\system32\ntoskrnl.exe
2011-10-25 12:52:03 . 2002-08-29 08:04:56 2069376 ----a-w- C:\WINDOWS\system32\ntkrnlpa.exe
2011-10-18 11:13:22 . 2002-11-27 06:15:52 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
2012-01-12 03:51:52 . 2011-04-06 14:06:31 121816 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:56 AM

Posted 13 January 2012 - 10:07 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



