
Infected with Longfintuna.net


  • This topic is locked
27 replies to this topic

#1 cbblake1

cbblake1

  • Members
  • 34 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 23 September 2013 - 09:33 AM

Not sure if this is a serious problem, but it is very annoying. My wife downloaded a free something or other and this program hijacked Internet Explorer. My Firefox browser seems to be okay so far. I tried to clean this myself by running Malwarebytes and Spybot Search and Destroy and finally did a rollback to an earlier restore point. To no avail, so now I am humbly requesting help getting rid of this problem. Thanks in advance for your help! Following is the log from DDS and included attachment:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Kim at 9:17:34 on 2013-09-23
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.1975 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
C:\Program Files\APC\APC PowerChute Personal Edition\dataserv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=9Nxdm008YYus&ptb=54809025-797E-4FAC-AC9A-A9E3B08D354F
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: @c:\program files\msn toolbar\platform\6.3.2291.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\kim\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [HP Officejet Pro 8600 (NET)] "c:\program files\hp\hp officejet pro 8600\bin\ScanToPCActivationApp.exe" -deviceID "CN29LBS12Y05KF:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Display] c:\program files\apc\apc powerchute personal edition\DataCollectionLauncher.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1355578516718
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{72AC8D9B-3ED6-48D1-BE40-C6C7A8C77525} : NameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1    www.spywareinfo.com
Hosts: 192.168.1.75 HP001F29726C2F
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kim\application data\mozilla\firefox\profiles\evltp950.dad\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/today/Little+Elm+TX+75068?lswe=75068&from=searchbox_localwx
FF - prefs.js: keyword.URL -
FF - plugin: c:\documents and settings\kim\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\kim\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.brc -
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 211560]
R2 APC Data Service;APC Data Service;c:\program files\apc\apc powerchute personal edition\dataserv.exe [2010-9-14 21880]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2012-8-23 13672]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2013-2-10 10136]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2008-9-2 70016]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-4-28 38656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]
S3 ATICDSDr;ATICDSDr;\??\d:\drivers\xp\bin\atiicdxx.sys --> d:\drivers\xp\bin\atiicdxx.sys [?]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [2012-1-18 22176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-5-3 36608]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [2009-6-15 38656]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2011-5-13 114280]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-5-18 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S4 BelkinAPM;BelkinAPM;c:\progra~1\belkin~1\belkin~1.exe -zglaxservice belkinapm --> c:\progra~1\belkin~1\BELKIN~1.EXE -zglaxservice BelkinAPM [?]
S4 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\belkin~1\be8806~1.exe -zglaxservice belkinapmmanager --> c:\progra~1\belkin~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S4 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\belkin~1\belkin~4.exe -zglaxservice belkinapmmonitor --> c:\progra~1\belkin~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S4 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\belkin~1\belkin~3.exe -zglaxservice belkinapmrmi --> c:\progra~1\belkin~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
S4 DTNetService;DTNetService;c:\program files\daemon tools net\DTNetSrv.exe [2010-7-29 394560]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-8-22 1527900]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-11-26 256512]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2013-09-23 13:10:01    7328304    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{798590f9-3b4e-42e3-90db-e56c0ddae324}\mpengine.dll
2013-09-22 13:10:02    7328304    ------w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-20 17:46:32    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2013-09-20 17:46:31    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-09-19 13:22:41    --------    d--h--w-    c:\documents and settings\all users\application data\Common Files
2013-09-16 15:17:29    --------    d-----w-    c:\program files\Image Converter
2013-09-16 15:10:26    13464    ----a-w-    c:\windows\system32\drivers\SWDUMon.sys
2013-09-16 15:10:24    --------    d-----w-    c:\documents and settings\kim\local settings\application data\SlimWare Utilities Inc
2013-09-16 15:10:15    --------    d-----w-    c:\program files\DriverUpdate
2013-09-16 15:04:07    --------    d-----w-    c:\program files\SimilarSites
2013-09-16 15:04:01    --------    d-----w-    c:\documents and settings\kim\application data\DigitalSite
2013-09-16 15:04:00    --------    d-----w-    c:\documents and settings\kim\application data\SimilarSites
2013-09-07 18:08:13    --------    d-----w-    c:\windows\system32\MRT
2013-09-03 13:53:52    187248    ----a-w-    c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-09-03 13:53:52    187248    ----a-w-    c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-09-20 17:53:27    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-20 17:53:26    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 01:32:08    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2013-08-09 01:56:45    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05:59    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05:59    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27:48    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02:34    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30:32    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 19:18:38    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03:25    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08:30    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
.
============= FINISH:  9:18:36.81 ===============
 

 


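The DDS log above is the material a malware responder works from. As an added example (not code from the original post, from DDS or from BleepingComputer), the Python below splits such a log into its `====` sections and pulls out the items a reviewer checks first: the Internet Explorer start page, the Hosts overrides, and the day with the largest cluster of newly created files and folders. The excerpt it runs on is a constructed subset of lines copied from the log in the post; the script surfaces entries for review and makes no judgement about which are malicious.

```python
"""Triage helper for a DDS log: split it into sections and surface the
entries a reviewer looks at first. Added example, not a DDS or
BleepingComputer tool; it flags nothing as malicious, it only groups."""
import re
from collections import defaultdict

# Constructed excerpt: a subset of lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -
Hosts: 127.0.0.1    www.spywareinfo.com
Hosts: 192.168.1.75 HP001F29726C2F
.
=============== Created Last 30 ================
.
2013-09-20 17:46:32    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2013-09-16 15:17:29    --------    d-----w-    c:\program files\Image Converter
2013-09-16 15:10:15    --------    d-----w-    c:\program files\DriverUpdate
2013-09-16 15:04:07    --------    d-----w-    c:\program files\SimilarSites
2013-09-16 15:04:01    --------    d-----w-    c:\documents and settings\kim\application data\DigitalSite
2013-09-07 18:08:13    --------    d-----w-    c:\windows\system32\MRT
.
============= FINISH:  9:18:36.81 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# date, time, size-or-dashes, attribute flags, path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\S+\s+(\S+)\s+(.+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_sections(text):
    """Map each '==== Name ====' header to the non-blank lines beneath it.
    DDS writes a lone '.' as a spacer, so those lines are dropped too."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip() in ("", "."):
            continue
        sections[current].append(line)
    return dict(sections)


def start_page(hjt_lines):
    """Return the IE start page (uStart = per-user, mStart = machine-wide)
    exactly as DDS defanged it (hxxp://), or None if none is listed."""
    for line in hjt_lines:
        if line.startswith(("uStart Page", "mStart Page")):
            return line.split("=", 1)[1].strip()
    return None


def hosts_entries(hjt_lines):
    """All 'Hosts:' lines as (ip, hostname, is_loopback). A loopback entry
    for a public site blocks it; any other entry pins the name to that IP."""
    out = []
    for line in hjt_lines:
        if line.startswith("Hosts:"):
            ip, name = line[len("Hosts:"):].split()
            out.append((ip, name, ip in LOOPBACK))
    return out


def created_by_day(created_lines):
    """Group 'Created Last 30' entries by date -> [(attrs, path), ...]."""
    by_day = defaultdict(list)
    for line in created_lines:
        m = ENTRY_RE.match(line)
        if m:
            by_day[m.group(1)].append((m.group(2), m.group(3)))
    return dict(by_day)


def busiest_day(created_lines):
    """The day with the most new files/folders and their paths: a same-day
    cluster of new Program Files folders is where a bundled install shows."""
    by_day = created_by_day(created_lines)
    if not by_day:
        return None, []
    day = max(by_day, key=lambda d: len(by_day[d]))
    return day, [path for _attrs, path in by_day[day]]


def triage(text):
    """Collect the review items from one DDS log into a single report."""
    sections = parse_sections(text)
    hjt = sections.get("Pseudo HJT Report", [])
    created = sections.get("Created Last 30", [])
    day, paths = busiest_day(created)
    return {
        "start_page": start_page(hjt),
        "hosts": hosts_entries(hjt),
        "busiest_day": day,
        "busiest_day_paths": paths,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Start page:", report["start_page"])
    for ip, name, loop in report["hosts"]:
        print("Hosts:", name, "->", ip, "(blocked)" if loop else "")
    print("Busiest day:", report["busiest_day"])
    for p in report["busiest_day_paths"]:
        print("   ", p)
```

On the excerpt, the busiest day is 2013-09-16, with four new folders created within about fifteen minutes of each other; that kind of cluster is the first thing to line up against the date the "free something or other" was downloaded.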

#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:00 AM

Posted 23 September 2013 - 10:05 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

 

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your Browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 cbblake1

cbblake1
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Local time:11:00 PM

Posted 23 September 2013 - 01:40 PM

Hi Marius,

 

Following are the contents of the ark.txt file you have requested. If I have missed anything, please let me know.

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-23 12:59:57
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12 WDC_WD1600AAJS-00WAA0 rev.58.01D58 149.05GB
Running: oq10r2ud.exe; Driver: C:\DOCUME~1\Kim\LOCALS~1\Temp\ugldypog.sys


---- System - GMER 2.1 ----

SSDT            sptd.sys                                                                                                             ZwCreateKey [0xB9ECAD20]
SSDT            sptd.sys                                                                                                             ZwEnumerateKey [0xB9EFEFFE]
SSDT            sptd.sys                                                                                                             ZwEnumerateValueKey [0xB9EFF38C]
SSDT            sptd.sys                                                                                                             ZwOpenKey [0xB9ECAD00]
SSDT            sptd.sys                                                                                                             ZwQueryKey [0xB9EFF464]
SSDT            sptd.sys                                                                                                             ZwQueryValueKey [0xB9EFF2E4]
SSDT            sptd.sys                                                                                                             ZwSetValueKey [0xB9EFF4F6]

INT 0x63        ?                                                                                                                    8B2C4CC8
INT 0x63        ?                                                                                                                    8B2C4CC8
INT 0x63        ?                                                                                                                    8B2C4CC8
INT 0x63        ?                                                                                                                    8B2C4CC8
INT 0x63        ?                                                                                                                    8B2C4CC8
INT 0x83        ?                                                                                                                    8B2C4CC8
INT 0x83        ?                                                                                                                    8B2C4CC8
INT 0x83        ?                                                                                                                    8B18DCC8
INT 0x84        ?                                                                                                                    8B18DCC8
INT 0x94        ?                                                                                                                    8B18DCC8
INT 0xA4        ?                                                                                                                    8B18DCC8
INT 0xA4        ?                                                                                                                    8B18DCC8
INT 0xA4        ?                                                                                                                    8B18DCC8
INT 0xA4        ?                                                                                                                    8B18DCC8
INT 0xB4        ?                                                                                                                    8B18DCC8

---- Devices - GMER 2.1 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                               8B2C31F8
Device          \FileSystem\Fastfat \FatCdrom                                                                                        8A9851F8
Device          \Driver\usbuhci \Device\USBPDO-0                                                                                     8B18C1F8
Device          \Driver\PCI_PNP9154 \Device\00000045                                                                                 sptd.sys
Device          \Driver\PCI_PNP9154 \Device\00000045                                                                                 sptd.sys
Device          \Driver\usbuhci \Device\USBPDO-1                                                                                     8B18C1F8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon                                                                            8B30A1F8
Device          \Driver\dmio \Device\DmControl\DmConfig                                                                              8B30A1F8
Device          \Driver\dmio \Device\DmControl\DmPnP                                                                                 8B30A1F8
Device          \Driver\dmio \Device\DmControl\DmInfo                                                                                8B30A1F8
Device          \Driver\usbuhci \Device\USBPDO-2                                                                                     8B18C1F8
Device          \Driver\usbehci \Device\USBPDO-3                                                                                     8B16A1F8
Device          \Driver\usbuhci \Device\USBPDO-4                                                                                     8B18C1F8
Device          \Driver\usbuhci \Device\USBPDO-5                                                                                     8B18C1F8
Device          \Driver\usbuhci \Device\USBPDO-6                                                                                     8B18C1F8
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                               8B2C51F8
Device          \Driver\usbehci \Device\USBPDO-7                                                                                     8B16A1F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                               8B2C51F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                         8B12C1F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12                                                                         [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort2                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort3                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7                                                                          [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort4                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort5                                                                                   [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-28                                                                         [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-1d                                                                         [B9DE5B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                               8B2C51F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                         8B12C1F8
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                              8AA751F8
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                     8AA751F8
Device          \Driver\usbuhci \Device\USBFDO-0                                                                                     8B18C1F8
Device          \Driver\usbuhci \Device\USBFDO-1                                                                                     8B18C1F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                    8AA201F8
Device          \Driver\usbuhci \Device\USBFDO-2                                                                                     8B18C1F8
Device          \Driver\usbehci \Device\USBFDO-3                                                                                     8B16A1F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                          8AA201F8
Device          \Driver\Ftdisk \Device\FtControl                                                                                     8B2C51F8
Device          \Driver\usbuhci \Device\USBFDO-4                                                                                     8B18C1F8
Device          \Driver\usbuhci \Device\USBFDO-5                                                                                     8B18C1F8
Device          \Driver\usbuhci \Device\USBFDO-6                                                                                     8B18C1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{72AC8D9B-3ED6-48D1-BE40-C6C7A8C77525}                                             8AA751F8
Device          \Driver\usbehci \Device\USBFDO-7                                                                                     8B16A1F8
Device          \Driver\abx5sqde \Device\Scsi\abx5sqde1                                                                              8B1001F8
Device          \Driver\abx5sqde \Device\Scsi\abx5sqde1Port6Path0Target0Lun0                                                         8B1001F8
Device          \FileSystem\Fastfat \Fat                                                                                             8A9851F8

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                             fltmgr.sys

Device          \FileSystem\Cdfs \Cdfs                                                                                               8A9841F8

---- Registry - GMER 2.1 ----

Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                      1
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                   0xFB 0x52 0x09 0x34 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                      0x47 0x2A 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                      C:\Program Files\DAEMON Tools Net\
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                          0xBF 0xE3 0x3B 0x8C ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                             0xA0 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)   
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                     0xD7 0x62 0xC2 0x5A ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0xA2 0x48 0xB1 0xCF ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0x53 0x37 0x28 0xD5 ...
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x15 0xEF 0xE6 0x09 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                   771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                   285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                   2
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                  1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                               0xFB 0x52 0x09 0x34 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                  0x47 0x2A 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                  C:\Program Files\DAEMON Tools Net\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                      0xBF 0xE3 0x3B 0x8C ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                         0xA0 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0                       
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                 0xD7 0x62 0xC2 0x5A ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                     
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                  0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                               0xA2 0x48 0xB1 0xCF ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                            
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                      0x53 0x37 0x28 0xD5 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                0x15 0xEF 0xE6 0x09 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                                      1
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                                   0xFB 0x52 0x09 0x34 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                                      0x47 0x2A 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0                                      C:\Program Files\DAEMON Tools Net\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12                          0xBF 0xE3 0x3B 0x8C ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0                             0xA0 0x02 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)   
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12                     0xD7 0x62 0xC2 0x5A ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                 
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                      0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                   0xA2 0x48 0xB1 0xCF ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)        
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                          0x53 0x37 0x28 0xD5 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                    0x15 0xEF 0xE6 0x09 ...
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                   15
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                      10000
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                    yes
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                   
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                   90
Reg             HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                     10000

---- EOF - GMER 2.1 ----

#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:00 AM

Posted 23 September 2013 - 02:11 PM

Disable CD Emulation with DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK


IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#5 cbblake1

cbblake1
  • Topic Starter

  • Members
  • 34 posts
  • Local time:11:00 PM

Posted 23 September 2013 - 04:15 PM

Hello Marius,

I have followed all of your instructions so far. Following is the ComboFix log:

ComboFix 13-09-23.02 - Kim 09/23/2013  15:48:41.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.2506 [GMT -5:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Kim\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
c:\documents and settings\Kim\WINDOWS
c:\program files\MyScrapNook_12EI
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\HPOpar08.tmp
c:\windows\system32\HPZipm12.1
c:\windows\system32\HPZipm12.2
c:\windows\system32\SET96B.tmp
c:\windows\system32\SET970.tmp
c:\windows\system32\SET977.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-23 to 2013-09-23  )))))))))))))))))))))))))))))))
.
.
2013-09-23 20:31 . 2013-09-23 20:31    9310    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-09-23 20:31 . 2013-09-23 20:31    8646    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-09-23 20:31 . 2013-09-23 20:31    6429    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-09-23 20:31 . 2013-09-23 20:31    63115    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-09-23 20:31 . 2013-09-23 20:31    5927    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-09-23 20:31 . 2013-09-23 20:31    4599    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-09-23 20:30 . 2013-09-23 20:30    8613    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-09-23 20:30 . 2013-09-23 20:30    1651    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-09-23 20:30 . 2013-09-23 20:30    6910    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-09-23 20:30 . 2013-09-23 20:30    18541    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-09-23 20:30 . 2013-09-23 20:30    8288    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-09-23 20:30 . 2013-09-23 20:30    6208    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-09-23 20:30 . 2013-09-23 20:30    51852    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-09-23 20:30 . 2013-09-23 20:30    23327    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-09-23 20:30 . 2013-09-23 20:30    20719    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-09-23 20:30 . 2013-09-23 20:30    8782    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-09-23 20:30 . 2013-09-23 20:30    7271    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-09-23 20:30 . 2013-09-23 20:30    40392    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{798590F9-3B4E-42E3-90DB-E56C0DDAE324}\MpKsl0240523f.sys
2013-09-23 13:10 . 2013-09-05 05:02    7328304    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{798590F9-3B4E-42E3-90DB-E56C0DDAE324}\mpengine.dll
2013-09-22 13:10 . 2013-09-05 05:02    7328304    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-20 17:46 . 2013-09-20 17:46    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-09-19 13:22 . 2013-09-19 13:22    --------    d--h--w-    c:\documents and settings\All Users\Application Data\Common Files
2013-09-18 05:04 . 2013-09-18 05:04    --------    d-sh--w-    c:\documents and settings\NetworkService\PrivacIE
2013-09-16 15:17 . 2013-09-16 15:17    --------    d-----w-    c:\program files\Image Converter
2013-09-16 15:10 . 2013-09-19 17:32    13464    ----a-w-    c:\windows\system32\drivers\SWDUMon.sys
2013-09-16 15:10 . 2013-09-16 15:10    --------    d-----w-    c:\documents and settings\Kim\Local Settings\Application Data\SlimWare Utilities Inc
2013-09-16 15:10 . 2013-09-19 17:38    --------    d-----w-    c:\program files\DriverUpdate
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\program files\SimilarSites
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\documents and settings\Kim\Application Data\DigitalSite
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\documents and settings\Kim\Application Data\SimilarSites
2013-09-07 18:08 . 2013-09-19 13:35    --------    d-----w-    c:\windows\system32\MRT
2013-09-07 18:07 . 2013-09-07 18:07    --------    d-----w-    c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2013-09-03 13:53 . 2013-09-03 13:53    187248    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-03 13:53 . 2013-09-03 13:53    187248    ----a-w-    c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 17:53 . 2012-04-12 14:06    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-20 17:53 . 2011-05-23 11:27    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 01:32 . 2013-02-10 20:09    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2013-08-09 01:56 . 2008-05-18 21:34    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2007-07-27 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2007-07-27 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2007-07-27 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2008-05-18 21:34    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2008-05-18 21:34    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2008-05-18 21:34    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30 . 2008-05-18 21:34    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 19:18 . 2006-10-19 02:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2008-05-18 21:34    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2008-05-18 21:34    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2008-05-18 21:34    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18642024]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-07-31 2296600]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-9-14 271736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2012-10-01 07:22    66360    ----a-w-    c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Net Agent]
2010-07-29 11:20    431424    ----a-w-    c:\program files\DAEMON Tools Net\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-03 00:44    136176    ----atw-    c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 07:41    49208    ----a-w-    c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 06:49    151952    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57    153136    ----a-w-    c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-03-21 14:49    16126464    ------r-    c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
2007-12-04 17:34    90112    ----a-w-    c:\program files\MAGIX\Movie_Edit_Pro_14\Trayserver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"PEVSystemStart"=2 (0x2)
"ose"=2 (0x2)
"npkcmsvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"DTNetService"=2 (0x2)
"clr_optimization_v4.0.30319_32"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"BelkinAPMRMI"=3 (0x3)
"BelkinAPMmonitor"=3 (0x3)
"BelkinAPMmanager"=3 (0x3)
"BelkinAPM"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kim\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Jonathan's Stuff\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\HP\\HP Officejet Pro 8600\\Bin\\HP Officejet Pro 8600.exe"=
"c:\\Program Files\\HP\\HP Officejet Pro 8600\\Bin\\HPScan.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 MpKsl0240523f;MpKsl0240523f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{798590F9-3B4E-42E3-90DB-E56C0DDAE324}\MpKsl0240523f.sys [9/23/2013 3:30 PM 40392]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2/10/2013 3:08 PM 10136]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/2/2008 3:11 PM 70016]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [4/28/2008 10:23 PM 38656]
S2 APC Data Service;APC Data Service;c:\program files\APC\APC PowerChute Personal Edition\dataserv.exe [9/14/2010 4:54 PM 21880]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 6:45 PM 161384]
S3 ATICDSDr;ATICDSDr;\??\d:\drivers\XP\bin\atiicdxx.sys --> d:\drivers\XP\bin\atiicdxx.sys [?]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 1:44 AM 22176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/3/2011 5:40 PM 36608]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [6/15/2009 5:26 PM 38656]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [5/13/2011 3:21 AM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [5/13/2011 3:21 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [5/13/2011 3:21 AM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [5/13/2011 3:21 AM 114280]
S4 BelkinAPM;BelkinAPM;c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM --> c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM [?]
S4 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S4 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S4 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
S4 DTNetService;DTNetService;c:\program files\DAEMON Tools Net\DTNetSrv.exe [7/29/2010 6:19 AM 394560]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [8/22/2008 8:32 AM 1527900]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/9/2008 1:07 PM 445936]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL0240523F
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-09-20 02:46    451872    ----a-w-    c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 17:53]
.
2013-09-23 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-23 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-23 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-23 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 17:54]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 17:54]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1123561945-725345543-1003Core.job
- c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:44]
.
2013-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1123561945-725345543-1003UA.job
- c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:44]
.
2013-09-23 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05]
.
2013-09-22 c:\windows\Tasks\Wise Disk Cleaner 4.job
- c:\program files\Wise Disk Cleaner\WiseDiskCleaner.exe [2010-05-30 18:11]
.
2013-09-22 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-12 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.mywebsearch.com/index.jhtml?n=77DE8857&ptnrS=9Nxdm008YYus&ptb=54809025-797E-4FAC-AC9A-A9E3B08D354F
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{72AC8D9B-3ED6-48D1-BE40-C6C7A8C77525}: NameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\evltp950.Dad\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/today/Little+Elm+TX+75068?lswe=75068&from=searchbox_localwx
FF - prefs.js: keyword.URL -
FF - user.js: general.useragent.extra.brc -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-23 16:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,44,4c,e5,da,02,57,46,b6,a7,2f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4c,44,4c,e5,da,02,57,46,b6,a7,2f,\
.
[HKEY_USERS\S-1-5-21-776561741-1123561945-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:8f,6e,44,c9,98,cb,2b,d3,5b,47,80,ae,2f,dd,97,25,26,b3,4f,1b,d9,4f,89,
   ca,81,03,d2,8e,ec,0b,b1,64,7d,97,72,9f,ec,b5,06,0c,14,4c,a0,54,c8,67,d0,59,\
"??"=hex:3c,7c,f4,55,87,dd,49,2f,ad,91,02,c6,e1,47,1f,ea
.
[HKEY_USERS\S-1-5-21-776561741-1123561945-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:93,6f,09,04,be,4b,e1,80,36,f4,64,85,f8,78,4f,50,b4,e4,43,da,80,
   6d,40,1b,ee,86,e4,7d,fd,12,a7,e9,e6,0a,d4,68,55,54,43,ac,15,6f,4c,db,14,74,\
"rkeysecu"=hex:7d,a5,04,90,61,42,93,f5,3c,cf,d2,c6,5e,ed,2c,d3
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2013-09-23  16:09:32
ComboFix-quarantined-files.txt  2013-09-23 21:09
ComboFix2.txt  2010-10-29 21:38
ComboFix3.txt  2010-10-14 00:45
.
Pre-Run: 43,900,948,480 bytes free
Post-Run: 44,502,122,496 bytes free
.
- - End Of File - - 170251C31C4DCED13EB675578E026F0B
8F558EB6672622401DA993E1E865C861
#6 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:00 AM

Posted 24 September 2013 - 04:39 AM

ComboFix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.

[image: CFScriptB-4.gif]
Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#7 cbblake1

cbblake1
  • Topic Starter

  • Members
  • 34 posts
  • Local time:11:00 PM

Posted 24 September 2013 - 07:23 AM

Hi Marius,

Wow... this is worse than I thought... OK, I should have this part done soon, and thank you very much for your help! I will post the logs as soon as I get these steps completed.

Best regards

C



#8 cbblake1

cbblake1
  • Topic Starter

  • Members
  • 34 posts
  • Local time:11:00 PM

Posted 24 September 2013 - 11:40 PM

Took longer than I thought. Here is the ComboFix log:

ComboFix 13-09-24.02 - Kim 09/24/2013   7:30.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.2385 [GMT -5:00]
Running from: c:\documents and settings\Kim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kim\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\AUTHAPP_HEADER.JPG . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DOWNARROW00.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1025.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1028.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1037.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1038.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1041.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1042.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1081.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1095.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1097.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1098.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1099.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1100.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_1102.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_2052.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_3098.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\GLOBAL_DEFAULT.CSS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\HIP_ABC.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\HIP_AUDIOREPL.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\HIP_SPEAKER.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\HIPUSER.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IC_ALERT_LOW_16X.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\MULTIUSERSSO.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSER.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERFED.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSERS.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WAIT.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WAITPAGE.HTM . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WLID_BOOK.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WLID_FRAME.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WLID_ICON_ERROR.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WLID_LOGO_H.GIF . . . . Failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\WLID_USERTILE.GIF . . . . Failed to delete
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-24 to 2013-09-24  )))))))))))))))))))))))))))))))
.
.
2013-09-24 12:47 . 2013-09-24 12:47    6429    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2013-09-24 12:47 . 2013-09-24 12:47    63115    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2013-09-24 12:47 . 2013-09-24 12:47    4599    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2013-09-24 12:47 . 2013-09-24 12:47    9310    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2013-09-24 12:47 . 2013-09-24 12:47    8646    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2013-09-24 12:47 . 2013-09-24 12:47    5927    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2013-09-24 12:47 . 2013-09-24 12:47    8613    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2013-09-24 12:47 . 2013-09-24 12:47    1651    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2013-09-24 12:47 . 2013-09-24 12:47    6910    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2013-09-24 12:46 . 2013-09-24 12:46    8288    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2013-09-24 12:46 . 2013-09-24 12:46    6208    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2013-09-24 12:46 . 2013-09-24 12:46    18541    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2013-09-24 12:46 . 2013-09-24 12:46    51852    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-09-24 12:46 . 2013-09-24 12:46    20719    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-09-24 12:46 . 2013-09-24 12:46    8782    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-09-24 12:46 . 2013-09-24 12:46    7271    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-09-24 12:46 . 2013-09-24 12:46    23327    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-09-23 23:48 . 2013-09-05 05:02    7328304    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E406CF60-D710-4856-AFE3-A794682537B1}\mpengine.dll
2013-09-22 13:10 . 2013-09-05 05:02    7328304    ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-09-20 17:46 . 2013-09-20 17:46    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-09-19 13:22 . 2013-09-19 13:22    --------    d--h--w-    c:\documents and settings\All Users\Application Data\Common Files
2013-09-18 05:04 . 2013-09-18 05:04    --------    d-sh--w-    c:\documents and settings\NetworkService\PrivacIE
2013-09-16 15:17 . 2013-09-16 15:17    --------    d-----w-    c:\program files\Image Converter
2013-09-16 15:10 . 2013-09-19 17:32    13464    ----a-w-    c:\windows\system32\drivers\SWDUMon.sys
2013-09-16 15:10 . 2013-09-16 15:10    --------    d-----w-    c:\documents and settings\Kim\Local Settings\Application Data\SlimWare Utilities Inc
2013-09-16 15:10 . 2013-09-19 17:38    --------    d-----w-    c:\program files\DriverUpdate
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\program files\SimilarSites
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\documents and settings\Kim\Application Data\DigitalSite
2013-09-16 15:04 . 2013-09-16 15:04    --------    d-----w-    c:\documents and settings\Kim\Application Data\SimilarSites
2013-09-07 18:08 . 2013-09-19 13:35    --------    d-----w-    c:\windows\system32\MRT
2013-09-07 18:07 . 2013-09-07 18:07    --------    d-----w-    c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2013-09-03 13:53 . 2013-09-03 13:53    187248    ----a-w-    c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-03 13:53 . 2013-09-03 13:53    187248    ----a-w-    c:\program files\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 17:53 . 2012-04-12 14:06    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-20 17:53 . 2011-05-23 11:27    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-09 01:32 . 2013-02-10 20:09    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2013-08-09 01:56 . 2008-05-18 21:34    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2007-07-27 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2007-07-27 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2007-07-27 12:00    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2008-05-18 21:34    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2008-05-18 21:34    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2008-05-18 21:34    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30 . 2008-05-18 21:34    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 19:18 . 2006-10-19 02:47    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2008-05-18 21:34    406016    ----a-w-    c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2008-05-18 21:34    2149888    ------w-    c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2008-05-18 21:34    2028544    ------w-    c:\windows\system32\ntkrnlpa.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-02-28 18642024]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2012-10-17 1837672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-12-16 479232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-06-20 995176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-11-29 151952]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2013-07-31 2296600]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-9-14 271736]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2012-10-01 07:22    66360    ----a-w-    c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=c:\windows\pss\Event Reminder.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Net Agent]
2010-07-29 11:20    431424    ----a-w-    c:\program files\DAEMON Tools Net\DTAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-03 00:44    136176    ----atw-    c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 07:41    49208    ----a-w-    c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-11-29 06:49    151952    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 19:57    153136    ----a-w-    c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-03-21 14:49    16126464    ------r-    c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
2007-12-04 17:34    90112    ----a-w-    c:\program files\MAGIX\Movie_Edit_Pro_14\Trayserver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UPS"=3 (0x3)
"SCardSvr"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"PEVSystemStart"=2 (0x2)
"ose"=2 (0x2)
"npkcmsvc"=2 (0x2)
"NMIndexingService"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"LBTServ"=3 (0x3)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FsUsbExService"=2 (0x2)
"FirebirdServerMAGIXInstance"=3 (0x3)
"DTNetService"=2 (0x2)
"clr_optimization_v4.0.30319_32"=2 (0x2)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"BelkinAPMRMI"=3 (0x3)
"BelkinAPMmonitor"=3 (0x3)
"BelkinAPMmanager"=3 (0x3)
"BelkinAPM"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kim\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Jonathan's Stuff\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\HP\\HP Officejet Pro 8600\\Bin\\HP Officejet Pro 8600.exe"=
"c:\\Program Files\\HP\\HP Officejet Pro 8600\\Bin\\HPScan.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 APC Data Service;APC Data Service;c:\program files\APC\APC PowerChute Personal Edition\dataserv.exe [9/14/2010 4:54 PM 21880]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 1:37 PM 13672]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2/10/2013 3:08 PM 10136]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [9/2/2008 3:11 PM 70016]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [4/28/2008 10:23 PM 38656]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 6:45 PM 161384]
S3 ATICDSDr;ATICDSDr;\??\d:\drivers\XP\bin\atiicdxx.sys --> d:\drivers\XP\bin\atiicdxx.sys [?]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [1/18/2012 1:44 AM 22176]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [5/3/2011 5:40 PM 36608]
S3 SQTECH9052;Disney Micro;c:\windows\system32\drivers\Capt9052.sys [6/15/2009 5:26 PM 38656]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [5/13/2011 3:21 AM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [5/13/2011 3:21 AM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [5/13/2011 3:21 AM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [5/13/2011 3:21 AM 114280]
S4 BelkinAPM;BelkinAPM;c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM --> c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM [?]
S4 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S4 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S4 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
S4 DTNetService;DTNetService;c:\program files\DAEMON Tools Net\DTNetSrv.exe [7/29/2010 6:19 AM 394560]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [8/22/2008 8:32 AM 1527900]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 10:08 PM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/9/2008 1:07 PM 445936]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-09-20 02:46    451872    ----a-w-    c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 17:53]
.
2013-09-23 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-24 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-24 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-23 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09 21:53]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 17:54]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 17:54]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1123561945-725345543-1003Core.job
- c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:44]
.
2013-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1123561945-725345543-1003UA.job
- c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-03 00:44]
.
2013-09-24 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-06-20 23:05]
.
2013-09-22 c:\windows\Tasks\Wise Disk Cleaner 4.job
- c:\program files\Wise Disk Cleaner\WiseDiskCleaner.exe [2010-05-30 18:11]
.
2013-09-22 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-12 18:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: Interfaces\{72AC8D9B-3ED6-48D1-BE40-C6C7A8C77525}: NameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Kim\Application Data\Mozilla\Firefox\Profiles\evltp950.Dad\
FF - prefs.js: browser.startup.homepage - hxxp://www.weather.com/weather/today/Little+Elm+TX+75068?lswe=75068&from=searchbox_localwx
FF - prefs.js: keyword.URL -
FF - user.js: general.useragent.extra.brc -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-24 07:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-776561741-1123561945-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:8f,6e,44,c9,98,cb,2b,d3,5b,47,80,ae,2f,dd,97,25,26,b3,4f,1b,d9,4f,89,
   ca,81,03,d2,8e,ec,0b,b1,64,7d,97,72,9f,ec,b5,06,0c,14,4c,a0,54,c8,67,d0,59,\
"??"=hex:3c,7c,f4,55,87,dd,49,2f,ad,91,02,c6,e1,47,1f,ea
.
[HKEY_USERS\S-1-5-21-776561741-1123561945-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:93,6f,09,04,be,4b,e1,80,36,f4,64,85,f8,78,4f,50,b4,e4,43,da,80,
   6d,40,1b,ee,86,e4,7d,fd,12,a7,e9,e6,0a,d4,68,55,54,43,ac,15,6f,4c,db,14,74,\
"rkeysecu"=hex:7d,a5,04,90,61,42,93,f5,3c,cf,d2,c6,5e,ed,2c,d3
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(816)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
.
**************************************************************************
.
Completion time: 2013-09-24  07:59:36 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-24 12:59
ComboFix2.txt  2013-09-23 21:09
ComboFix3.txt  2010-10-29 21:38
ComboFix4.txt  2010-10-14 00:45
.
Pre-Run: 44,067,999,744 bytes free
Post-Run: 44,065,792,000 bytes free
.
- - End Of File - - 43E95559C217CE94E217E5AA5AF254C3
8F558EB6672622401DA993E1E865C861
 



#9 cbblake1

  • Topic Starter
  • Members
  • 34 posts

Posted 24 September 2013 - 11:43 PM

And the MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.24.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kim :: MAIN [administrator]

9/24/2013 8:04:33 AM
mbam-log-2013-09-24 (08-04-33).txt

Scan type: Full scan (C:\|E:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 838766
Time elapsed: 5 hour(s), 20 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.

Files Detected: 11
E:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2307\A0200857.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2307\A0200858.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2307\A0200859.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
E:\Downloads\ImageEditorSetup.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
G:\Nexon\MapleStory\SummerStory Extras\Penguin Trainer.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
G:\System Volume Information\_restore{D73B0BD8-6474-4E86-93B5-960C64ECBB61}\RP169\A0012719.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\config.dat (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\prod.dat (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\STTL.DAT (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\TTL.DAT (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\UpdateTask.exe (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.

(end)
 



#10 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 25 September 2013 - 04:03 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#11 cbblake1

  • Topic Starter
  • Members
  • 34 posts

Posted 25 September 2013 - 11:48 PM

Hello Marius,

 

Here is the ESET log:

 

C:\Documents and Settings\Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\53wmbczt.tim\Cache\7679EC48d01    JS/BadJoke.NAB trojan
C:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2301\A0199976.exe    a variant of Win32/InstallCore.AZ application
E:\Clay's Stuff\Downloads\couponprinter.exe    probably a variant of Win32/Adware.Softomate.AD application
E:\Clay's Stuff\Downloads\disk-defrag-setup.exe    a variant of Win32/Bundled.Toolbar.Ask application
E:\Clay's Stuff\System stuff\couponprinter.exe    probably a variant of Win32/Adware.Softomate.AD application
G:\Documents and Settings\Timothy Blake\My Documents\Azureus Downloads\uTorrent\ewqlsog\ewqlso_keygen.exe    a variant of Win32/Keygen.AA application
G:\Documents and Settings\Timothy Blake\My Documents\Azureus Downloads\uTorrent\Image Line FL Studio XXL v9.0-UNION\Image Line FL Studio XXL v9.0-UNION\flstudio_9.0.exe    Win32/OpenCandy application
G:\Nexon\MapleStory\DestinyMS_V0.19.exe    Win32/SuspLibLoad.A trojan
G:\Program Files\Cheat Engine\Cheat Engine.exe    a variant of Win32/HackTool.CheatEngine.AA application
G:\Program Files\Cheat Engine\dbk32.dll    a variant of Win32/HackTool.CheatEngine.AA application
G:\Program Files\Cheat Engine\dbk32.sys    probably a variant of Win32/HackTool.CheatEngine.AA application
G:\Program Files\Cheat Engine\Systemcallretriever.exe    a variant of Win32/HackTool.SystemCall.AA application
G:\Program Files\Cheat Engine\systemcallsignal.exe    a variant of Win32/HackTool.SystemCall.AA application
G:\WINDOWS\pss\PowerReg Scheduler.exeStartup    Win32/PowerReg application
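
The two scan logs above (MBAM in post #9, ESET in post #11) are raw detection lists. The practical question for whoever triages them is which hits are inert copies (restore points, browser cache), which are leftover installers, and which are components actually deployed on the machine. The Python script below is an added example written for this page, not part of the thread and not tooling from either scanner. It parses both log formats, using lines copied from the two posts as its input, buckets each hit by on-disk location with heuristics chosen here, and flags detection names that point to cracks or cheat tools. The ESET column separator (a tab or a run of spaces, as in the pasted log) is an assumption about the export format, and the location buckets are this example's own.

```python
import re
from collections import Counter

# Detection lines copied verbatim from the MBAM log (post #9) and the ESET
# log (post #11) in this thread. They are real lines from the page, not
# constructed; the MBAM header lines are kept to show the parser skips them.
MBAM_LOG = r"""
Folders Detected: 1
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.

Files Detected: 11
E:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2307\A0200857.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
E:\Downloads\ImageEditorSetup.exe (PUP.Optional.BundleInstaller.A) -> Quarantined and deleted successfully.
G:\Nexon\MapleStory\SummerStory Extras\Penguin Trainer.exe (HackTool.GamesCheat.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kim\Application Data\DigitalSite\UpdateProc\UpdateTask.exe (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
"""

ESET_LOG = r"""
C:\Documents and Settings\Kim\Local Settings\Application Data\Mozilla\Firefox\Profiles\53wmbczt.tim\Cache\7679EC48d01    JS/BadJoke.NAB trojan
C:\System Volume Information\_restore{699AB511-D647-4252-979F-D2851BAF578F}\RP2301\A0199976.exe    a variant of Win32/InstallCore.AZ application
E:\Clay's Stuff\Downloads\couponprinter.exe    probably a variant of Win32/Adware.Softomate.AD application
G:\Program Files\Cheat Engine\Cheat Engine.exe    a variant of Win32/HackTool.CheatEngine.AA application
G:\Program Files\Cheat Engine\dbk32.sys    probably a variant of Win32/HackTool.CheatEngine.AA application
G:\WINDOWS\pss\PowerReg Scheduler.exeStartup    Win32/PowerReg application
"""

# MBAM line shape: "<path> (<detection>) -> <action>."
MBAM_RE = re.compile(r"^(?P<path>[A-Z]:\\.*?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET export shape: "<path><separator><detection>". The pasted log shows four
# spaces, so a tab or 2+ whitespace characters is accepted as the separator
# (assumption about the export format; the thread does not document it).
ESET_RE = re.compile(r"^(?P<path>[A-Z]:\\.*?)(?:\t|\s{2,})(?P<name>.+)$")

# Detection-name fragments that point at cracks/cheats rather than bundleware.
CRACK_MARKERS = ("keygen", "hacktool", "cheat", "crack")


def classify_location(path):
    """Bucket a detection by where it sits on disk (heuristics chosen for this example)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore point copy"          # inert unless System Restore rolls back to it
    if "\\cache\\" in p or "\\temporary internet files\\" in p:
        return "browser cache"               # drive-by payload that was fetched, not installed
    if "\\windows\\pss\\" in p:
        return "disabled startup item"       # msconfig's backup of a disabled Startup entry
    if "\\downloads\\" in p:
        return "downloaded installer"        # the original bundle; re-infects if run again
    if "\\program files\\" in p:
        return "installed program"
    if "\\application data\\" in p:
        return "per-user program data"       # a component that was actually deployed
    return "other"


def parse_detections(text, scanner):
    """Parse one scanner's log into dicts: path, name, action, location, crack_indicator."""
    pattern = MBAM_RE if scanner == "mbam" else ESET_RE
    found = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue                         # header, blank or summary line
        d = m.groupdict()
        d.setdefault("action", "reported only")   # ESET was run with removal unticked
        d["scanner"] = scanner
        d["location"] = classify_location(d["path"])
        d["crack_indicator"] = any(k in d["name"].lower() for k in CRACK_MARKERS)
        found.append(d)
    return found


def summarize(detections):
    """Counts per location bucket, the deployed components, and the crack/cheat hits."""
    return {
        "by_location": dict(Counter(d["location"] for d in detections)),
        "active_components": [d["path"] for d in detections
                              if d["location"] in ("installed program", "per-user program data")],
        "crack_indicators": [d["path"] for d in detections if d["crack_indicator"]],
    }


if __name__ == "__main__":
    dets = parse_detections(MBAM_LOG, "mbam") + parse_detections(ESET_LOG, "eset")
    summary = summarize(dets)
    for bucket, n in sorted(summary["by_location"].items()):
        print(f"{n:2d}  {bucket}")
    print("deployed components:", *summary["active_components"], sep="\n  ")
    print("crack/cheat indicators:", *summary["crack_indicators"], sep="\n  ")
```

Run stand-alone, it separates the two restore-point copies and the Firefox cache hit (which only come back if System Restore is rolled back to that point or the cached script is re-served) from the deployed components: the DigitalSite UpdateProc files under the user's Application Data and the Cheat Engine files under Program Files. The Downloads hits are the bundle installers themselves, which re-introduce the PUP if anyone runs them again, and the three HackTool hits are what the analyst in the next post is reacting to.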
 



#12 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 26 September 2013 - 06:30 AM

Your logs show obvious signs of having cracked software on your system. This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Referring to the Forum Rules which you should have read at the time of Registering at this forum, this forum does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

Having said that, we can help you clean your machine this time, BUT this would be a ONCE ONLY offer on the understanding that all cracks are removed. This would apply not only here but at many other Malware Support forums if you were to appear again with cracks onboard, as many of us analysts work at multiple support sites. Please remove all cracked software and illegally obtained copyrighted material you have on the system so we may continue with the clean up.



#13 cbblake1

  • Topic Starter
  • Members
  • 34 posts

Posted 26 September 2013 - 07:27 AM

Hello Marius,

 

I am extremely sorry for this turn of events. My wife and I are the primary users of this computer and do not visit or use cracked or otherwise illegal software. However, my youngest son has also used this computer occasionally in the past and may have been responsible for this activity. If it is possible, can you identify through the logs what files and/or folders or programs need to be deleted or uninstalled and give me a list, so that we may continue? Your assistance in this is greatly appreciated.

 

Again, my deepest apologies

 

C



#14 TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 26 September 2013 - 04:12 PM

Children... ;)

 

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


#15 cbblake1

  • Topic Starter
  • Members
  • 34 posts

Posted 26 September 2013 - 11:43 PM

The child knew better... Ah well... I will run the scanners tonight and hopefully have the logs for you in the morning.

 

Many thanks

 

C
