
Packman Jones

Everything posted by Packman Jones

  1. BitTorrent was uninstalled previously. Here are my logs:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=f591d5ab5e084f4b9a1998294a824dbe
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-19 12:39:26
    # local_time=2010-09-18 07:39:26 (-0600, Central Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1797 16775141 100 93 84457 42997934 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=98889
    # found=2
    # cleaned=2
    # scan_time=5123
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1560\A0387321.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C

    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    ``````````````````````````````
    Antivirus/Firewall Check:
    Windows Firewall Enabled!
    Avira AntiVir Personal - Free Antivirus
    ESET Online Scanner v3
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:
    Ad-Aware
    Malwarebytes' Anti-Malware
    CCleaner
    Duplicate Cleaner 1.4.5
    Java 6 Update 21
    Adobe Flash Player 10.0.42.34
    Adobe Reader 9.3
    Mozilla Firefox (3.6.9)
    ````````````````````````````````
    Process Check: objlist.exe by Laurent
    Ad-Aware AAWService.exe is disabled!
    Ad-Aware AAWTray.exe is disabled!
    Avira Antivir avgnt.exe
    Avira Antivir avguard.exe
    ````````````````````````````````
    DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
    ``````````End of Log````````````

    The system seems to be running about 100% better now. Thanks again!
  2. ComboFix 10-09-16.04 - Kim Lowe 09/16/2010 19:15:34.2.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.252 [GMT -5:00]
    Running from: c:\documents and settings\Kim Lowe\Desktop\Combo-Fix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

    Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
    Restored copy from - Kitty had a snack
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))
    .
    2010-09-15 22:44 . 2010-09-16 03:03 -------- dc----w- C:\dce
    2010-09-15 01:28 . 2010-09-15 01:30 -------- d-----w- c:\program files\ERUNT
    2010-09-12 05:29 . 2010-09-15 04:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-09-07 05:19 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-09-05 07:56 . 2010-09-05 07:56 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-09-01 12:59 . 2010-09-01 12:59 -------- d-----w- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Sunbelt Software
    2010-09-01 04:48 . 2010-09-01 04:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-09-01 04:46 . 2010-09-04 01:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-09-01 04:46 . 2010-09-01 04:46 -------- d-----w- c:\program files\Lavasoft
    2010-08-29 05:08 . 2010-09-12 05:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-22 01:50 . 2010-08-22 01:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
    2010-08-18 20:32 . 2010-08-18 20:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-16 00:50 . 2010-08-17 04:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-12 13:04 . 2010-04-14 19:09 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\MechCAD
    2010-09-12 12:58 . 2010-04-24 13:54 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\BitTorrent
    2010-09-12 01:33 . 2010-01-24 02:53 1 ----a-w- c:\documents and settings\Kim Lowe\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-09-10 11:52 . 2010-09-10 11:52 1421 ----a-w- c:\documents and settings\Kim Lowe\Application Data\WinFF\ff100910065223.bat
    2010-09-10 11:52 . 2010-05-09 01:54 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\WinFF
    2010-09-06 21:42 . 2010-07-04 15:10 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\vlc
    2010-09-04 01:49 . 2007-12-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2010-08-31 16:17 . 2010-08-31 16:17 700 ----a-w- c:\documents and settings\Kim Lowe\Application Data\WinFF\ff100831111711.bat
    2010-08-30 19:34 . 2010-09-08 02:55 1496064 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    2010-08-30 19:33 . 2010-09-08 02:55 43008 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2010-08-30 19:33 . 2010-09-08 02:55 338944 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2010-08-30 19:33 . 2010-09-08 02:55 346112 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2010-08-24 22:11 . 2010-08-13 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Pure Networks
    2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
    2010-08-17 00:43 . 2010-08-02 02:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-13 23:05 . 2009-08-18 02:44 62776 ----a-w- c:\documents and settings\Kim Lowe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-13 21:28 . 2010-08-13 21:12 -------- d-----w- c:\program files\Linksys
    2010-08-13 21:12 . 2010-08-14 12:53 188176 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
    2010-08-13 20:00 . 2010-08-13 20:00 -------- d-----w- c:\program files\Pure Networks
    2010-08-13 19:59 . 2010-08-13 19:59 -------- d-----w- c:\program files\WebEx
    2010-08-13 19:59 . 2010-08-13 19:59 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
    2010-08-13 19:57 . 2010-08-13 19:57 -------- d-----w- c:\program files\Common Files\Pure Networks Shared
    2010-08-12 13:11 . 2010-05-09 13:38 -------- d-----w- c:\program files\iTunes
    2010-08-12 13:07 . 2005-08-30 21:56 -------- d-----w- c:\program files\iPod
    2010-08-12 13:07 . 2010-05-09 01:14 -------- d-----w- c:\program files\Common Files\Apple
    2010-08-12 13:00 . 2010-05-12 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
    2010-08-12 13:00 . 2010-05-13 12:53 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-08-12 12:48 . 2010-08-12 12:48 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-08-12 12:48 . 2010-05-12 22:16 -------- d-----w- c:\program files\DivX
    2010-08-12 12:48 . 2010-08-12 12:48 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
    2010-08-12 12:45 . 2010-08-12 12:45 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
    2010-08-12 12:43 . 2010-08-12 12:43 -------- d-----w- c:\program files\Bonjour
    2010-08-12 12:38 . 2010-05-13 12:53 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-08-12 12:16 . 2010-09-01 04:48 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
    2010-08-12 11:49 . 2010-08-12 11:49 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
    2010-07-09 14:26 . 2010-09-01 02:38 475136 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
    2010-07-07 18:30 . 2010-05-13 12:53 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-03 13:24 . 2010-07-03 13:24 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
    2010-07-03 13:24 . 2010-07-03 13:24 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
    2010-07-03 13:23 . 2010-07-03 13:23 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
    2010-07-03 13:23 . 2010-07-03 13:23 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
    2010-07-03 13:22 . 2010-07-03 13:22 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
    2010-07-02 14:25 . 2010-09-01 02:38 1118208 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\Libxml2.dll
    2010-07-02 14:25 . 2010-09-01 02:38 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
    2010-06-30 12:31 . 2004-08-11 22:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-29 22:39 . 2010-06-29 22:31 103193 ----a-w- c:\windows\hpoins08.dat
    2010-06-24 12:30 . 2010-06-24 12:30 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
    2010-06-24 12:29 . 2010-06-24 12:29 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll
    2010-06-24 12:28 . 2010-06-24 12:28 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
    2010-06-24 12:28 . 2010-06-24 12:28 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
    2010-06-24 12:28 . 2010-06-24 12:28 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
    2010-06-24 12:28 . 2010-06-24 12:28 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
    2010-06-24 12:27 . 2010-06-24 12:27 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
    2010-06-24 12:27 . 2010-06-24 12:27 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
    2010-06-24 12:26 . 2010-06-24 12:26 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
    2010-06-24 12:25 . 2010-06-24 12:25 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
    2010-06-24 12:25 . 2010-06-24 12:25 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
    2010-06-24 12:22 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 11:56 . 2010-06-24 11:56 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
    2010-06-24 11:56 . 2010-06-24 11:56 441760 -c--a-w- c:\windows\system32\drivers\timntr.sys
    2010-06-24 11:56 . 2010-06-24 11:56 132224 -c--a-w- c:\windows\system32\drivers\snapman.sys
    2010-06-24 11:56 . 2010-06-24 11:56 368480 -c--a-w- c:\windows\system32\drivers\tdrpman.sys
    2010-06-23 13:44 . 2004-08-11 22:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2005-08-22 22:46 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2008-04-27 06:13 . 2008-04-27 06:13 0 ----a-w- c:\program files\temp01
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PMX Daemon"="ICO.EXE" [2006-06-09 47104]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\progra~1\JavaSoft\JRE\1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
    "AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-22 24576]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^REALTEK USB Wireless LAN Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\REALTEK USB Wireless LAN Utility.lnk
    backup=c:\windows\pss\REALTEK USB Wireless LAN Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Kim Lowe^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    path=c:\documents and settings\Kim Lowe\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
    backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp]
    2008-03-13 18:05 128256 ----a-w- c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
    2009-05-21 15:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscWizardMonitor.exe]
    2009-10-16 23:37 1325936 ----a-w- c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
    2009-10-28 03:40 257440 ----a-w- c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-01-09 02:27 135664 ----atw- c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagate Scheduler2 Service]
    2009-10-16 23:39 136544 ----a-w- c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1132732177\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1132732177\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/25/2010 7:04 AM 135336]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/19/2010 5:28 PM 38144]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
    R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [10/16/2009 6:39 PM 431456]
    S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\DCalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
    S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [5/19/2010 4:39 PM 185344]
    S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 6:44 AM 488960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 07:56]

    2010-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006Core.job
    - c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27]

    2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006UA.job
    - c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    FF - ProfilePath - c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\Kim Lowe\Application Data\Mozilla\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\JavaSoft\JRE\1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-16 19:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(780)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(836)
    c:\windows\system32\relog_ap.dll
    .
    Completion time: 2010-09-16 19:46:43
    ComboFix-quarantined-files.txt 2010-09-17 00:46
    ComboFix2.txt 2010-02-28 22:02

    Pre-Run: 1,023,864,832 bytes free
    Post-Run: 1,084,788,736 bytes free

    - - End Of File - - C2A23A71C90B3D4FE67AE747FF2946B2
  3. Just finished the sysclean, but the system does seem to be responding better. Again, I can't thank you enough! Here are my logs:

    /--------------------------------------------------------------\
    | Trend Micro System Cleaner                                    |
    | Copyright 2009-2010, Trend Micro, Inc.                        |
    | http://www.trendmicro.com                                     |
    \--------------------------------------------------------------/

    2010-09-15, 17:51:39, Auto-clean mode specified.
    2010-09-15, 17:52:07, Initialized Rootkit Driver version 2.2.0.1004.
    2010-09-15, 17:52:07, Running scanner "C:\dce\TSC.BIN"...
    2010-09-15, 17:55:06, Scanner "C:\dce\TSC.BIN" has finished running.
    2010-09-15, 17:55:06, TSC Log:
  4. Very very sorry. I forgot my protocol. Thank you for taking the time to assist me. I am using: Windows XP Professional SP 3

    My defogger log:

    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 11:41 on 12/09/2010 (Kim Lowe)

    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.

    Checking for services/drivers...

    -=E.O.F=-

    My Mbam Log:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4438

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/12/2010 10:36:38 AM
    mbam-log-2010-09-12 (10-36-38).txt

    Scan type: Quick scan
    Objects scanned: 157837
    Time elapsed: 38 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    My DDS Log:

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Kim Lowe at 11:44:41.89 on Sun 09/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.89 [GMT -5:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Progra~1\JavaSoft\JRE\1.4.2_03\bin\jusched.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Kim Lowe\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com?o=15438&l=dis
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
    TB: {555d4d79-4bd2-4094-a395-cfc534424a05}
    mRun: [PMX Daemon] ICO.EXE
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [sunJavaUpdateSched] c:\progra~1\javasoft\jre\1.4.2_03\bin\jusched.exe
    mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218937906
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 relog_ap

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kimlow~1\applic~1\mozilla\firefox\profiles\b58bjj77.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: c:\documents and settings\kim lowe\application data\mozilla\firefox\profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - plugin: c:\documents and settings\kim lowe\application data\mozilla\plugins\np-mswmp.dll
    FF - plugin: c:\documents and settings\kim lowe\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\progra~1\javasoft\jre\1.4.2_03\bin\NPJPI142_03.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla
firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla 
firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - 
pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-25 11608] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-25 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-25 267432] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-25 60936] R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2010-5-19 38144] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355928] R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 
431456] S3 DCALEXICO;DCALEXICO;c:\windows\system32\drivers\dcalexico.sys --> c:\windows\system32\drivers\DCalexico.sys [?] S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008] S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-25 644096] S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2010-5-19 185344] S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 488960] =============== Created Last 30 ================ 2010-09-12 16:41:33 0 ----a-w- c:\documents and settings\kim lowe\defogger_reenable 2010-09-07 05:19:15 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-09-05 07:56:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-09-01 04:48:47 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70} 2010-09-01 04:46:15 0 d-----w- c:\program files\Lavasoft 2010-08-17 04:06:14 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-08-13 21:12:52 0 d-----w- c:\program files\Linksys 2010-08-13 20:00:39 0 d-----w- c:\program files\Pure Networks 2010-08-13 19:59:29 0 d-----w- c:\program files\WebEx 2010-08-13 19:58:15 25392 ----a-w- c:\windows\system32\drivers\pnarp.sys 2010-08-13 19:57:57 26672 ----a-w- c:\windows\system32\drivers\purendis.sys 2010-08-13 19:57:31 0 d-----w- c:\program files\common files\Pure Networks Shared 2010-08-13 19:56:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Pure Networks ==================== Find3M ==================== 2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll 2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll 2010-06-29 22:39:07 103193 ----a-w- c:\windows\hpoins08.dat 2010-06-24 22:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll 
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-24 12:22:03 916480 ------w- c:\windows\system32\dllcache\wininet.dll 2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll 2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll 2010-06-24 12:22:01 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll 2010-06-24 12:22:01 206848 ------w- c:\windows\system32\dllcache\occache.dll 2010-06-24 12:21:59 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll 2010-06-24 12:21:59 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-06-24 12:21:59 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll 2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll 2010-06-24 12:21:58 184320 ------w- c:\windows\system32\dllcache\iepeers.dll 2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2010-06-24 12:21:55 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll 2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys 2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe 2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys 2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe 2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll 2008-04-27 06:13:09 0 ----a-w- c:\program files\temp01 2008-09-11 04:41:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat ============= FINISH: 11:49:05.40 =============== And the ARK and Attach logs are zipped and attached Attach.zip
  5. I'm embarrassed to be back here, as I came here for help some time ago and thought I was being very safe since then. Somehow, I don't know how, I got a fake antivirus malware program. I used Malwarebytes to remove it, but since then I continue to get Google search redirects, and my computer sometimes becomes unresponsive for no reason at all. My startup time is now like 10 minutes, whereas before it was only about 1 min. I know I may have irreversibly damaged my computer, but any help here would be greatly appreciated. I have run complete scans with Malwarebytes, Ad-Aware, and Avira, but since the initial issue they turn up nothing.
  6. This appears to have cleared the symptoms. Thank You! V VV ComboFix 10-02-27.04 - Kim Lowe 02/28/2010 15:39:21.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.256 [GMT -6:00] Running from: c:\documents and settings\Kim Lowe\Desktop\Combo-Fix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Kim Lowe\Local Settings\Application Data\av.exe c:\documents and settings\Kim Lowe\Local Settings\Temporary Internet Files\pse_350_enu.exe c:\documents and settings\Kim Lowe\Local Settings\Temporary Internet Files\udDownload[1].tmp C:\mtwb.dat c:\program files\Fast Browser Search c:\program files\Fast Browser Search\IE\1.bat c:\program files\Fast Browser Search\IE\about.html c:\program files\Fast Browser Search\IE\affid.dat c:\program files\Fast Browser Search\IE\basis.xml c:\program files\Fast Browser Search\IE\basis_br.xml c:\program files\Fast Browser Search\IE\basis_de.xml c:\program files\Fast Browser Search\IE\basis_en.xml c:\program files\Fast Browser Search\IE\basis_es.xml c:\program files\Fast Browser Search\IE\basis_fr.xml c:\program files\Fast Browser Search\IE\basis_it.xml c:\program files\Fast Browser Search\IE\basis_nr.xml c:\program files\Fast Browser Search\IE\basis_pt.xml c:\program files\Fast Browser Search\IE\basis_ru.xml c:\program files\Fast Browser Search\IE\basis_tr.xml c:\program files\Fast Browser Search\IE\BHO.dll c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe c:\program files\Fast Browser Search\IE\error.html c:\program files\Fast Browser Search\IE\FBSPlugin.dll c:\program files\Fast Browser Search\IE\fbsSearchProvider.xml c:\program files\Fast Browser Search\IE\search_fr.bmp c:\program files\Fast Browser Search\IE\search_it.bmp c:\program files\Fast Browser Search\IE\search_pt.bmp c:\program files\Fast Browser Search\IE\search_ru.bmp c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe c:\program files\Fast 
Browser Search\IE\SearchGuardPlus.ico c:\program files\Fast Browser Search\IE\SGPU.ico c:\program files\Fast Browser Search\IE\sgpUpdater.exe c:\program files\Fast Browser Search\IE\sgpUpdater.xml c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe c:\program files\Fast Browser Search\IE\tbhelper.dll c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js c:\program files\Fast Browser Search\IE\Toolbar Help.htm c:\program files\Fast Browser Search\IE\uninstall.exe c:\program files\Fast Browser Search\IE\uninstalSGP.exe c:\program files\Fast Browser Search\IE\uninstalSGPU.exe c:\program files\Fast Browser Search\IE\update.exe c:\program files\Fast Browser Search\IE\version.txt c:\program files\FunWebProducts c:\program files\FunWebProducts\Shared\02580875.dat c:\program files\Search Guard Plus c:\program files\Search Guard Plus\fbsSearchProvider.xml c:\program files\Search Guard Plus\SearchGuardPlus.exe c:\program files\Search Guard Plus\SearchGuardPlus.ico c:\program files\Search Guard Plus\uninstalSGP.exe c:\program files\Search Guard PlusU c:\program files\Search Guard PlusU\SGPU.ico c:\program files\Search Guard PlusU\sgpUpdater.exe c:\program files\Search Guard PlusU\sgpUpdater.xml c:\program files\Search Guard PlusU\sgpUpdaters.exe c:\program files\Search Guard PlusU\uninstalSGPU.exe c:\program files\SGPSA c:\program files\SGPSA\BHO.dll c:\program files\Uninstall Fun Web Products.dll c:\windows\system32\bszip.dll c:\windows\system32\hjjlm.bak1 c:\windows\system32\hjjlm.bak2 c:\windows\system32\hjjlm.ini c:\windows\system32\hjjlm.ini2 c:\windows\system32\hjjlm.tmp c:\windows\system32\mcrh.tmp c:\windows\system32\pqtss.ini . ((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 ))))))))))))))))))))))))))))))) . 2010-02-14 21:43 . 
2010-02-14 21:43 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\Fisher-Price 2010-02-14 21:41 . 2010-02-14 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Fisher-Price 2010-02-14 21:38 . 2007-03-05 18:42 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll 2010-02-07 01:05 . 2010-02-07 01:07 -------- d-----w- c:\program files\iTunes 2010-02-07 01:05 . 2010-02-07 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2010-02-07 01:03 . 2010-02-07 01:04 -------- d-----w- c:\program files\QuickTime 2010-02-07 00:19 . 2010-02-07 00:19 -------- d-----w- c:\program files\Windows Installer Clean Up 2010-02-07 00:19 . 2010-02-07 00:19 -------- d-----w- c:\program files\MSECACHE . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-02-28 17:31 . 2005-08-22 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2010-02-28 17:12 . 2005-12-19 02:46 -------- d-----w- c:\program files\Yahoo! 2010-02-28 17:10 . 2005-09-01 00:35 -------- d-----w- c:\program files\Common Files\Adobe 2010-02-24 21:58 . 2008-06-07 18:10 50496 ---ha-w- c:\windows\system32\mlfcache.dat 2010-02-14 21:42 . 2010-02-14 21:41 7158518 ----a-w- c:\documents and settings\All Users\Application Data\Fisher-Price\DACS\Download\setup.exe 2010-02-14 21:41 . 2009-10-06 00:56 1516 ----a-w- c:\documents and settings\Kim Lowe\Application Data\wklnhst.dat 2010-02-14 21:39 . 2010-02-14 21:39 -------- d-----w- c:\program files\Fisher-Price 2010-02-07 01:17 . 2010-01-01 03:04 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\Apple Computer 2010-02-07 01:06 . 2005-08-30 21:56 -------- d-----w- c:\program files\iPod 2010-02-07 01:06 . 2007-09-23 17:59 -------- d-----w- c:\program files\Common Files\Apple 2010-02-07 00:19 . 
2010-02-07 00:19 3584 ----a-r- c:\documents and settings\Kim Lowe\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe 2010-01-27 16:37 . 2010-01-24 02:53 1 ----a-w- c:\documents and settings\Kim Lowe\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2010-01-24 03:12 . 2010-01-24 03:12 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\ElevatedDiagnostics 2010-01-24 03:08 . 2010-01-24 03:08 -------- d-----w- c:\program files\Microsoft ATS 2010-01-24 03:08 . 2009-08-18 02:44 68800 ----a-w- c:\documents and settings\Kim Lowe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-01-24 02:52 . 2010-01-24 02:52 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\OpenOffice.org 2010-01-24 01:44 . 2010-01-24 01:44 -------- d-----w- c:\program files\JRE 2010-01-24 01:44 . 2010-01-24 01:43 -------- d-----w- c:\program files\OpenOffice.org 3 2010-01-24 01:42 . 2009-08-18 02:55 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-01-23 01:51 . 2010-01-23 01:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe 2010-01-22 12:08 . 2009-03-16 03:37 -------- d-----w- c:\program files\Microsoft Silverlight 2010-01-17 20:31 . 2010-01-17 20:31 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\StreamTorrent 2010-01-17 20:31 . 2010-01-17 20:31 -------- d-----w- c:\program files\StreamTorrent 1.0 2010-01-17 20:07 . 2010-01-17 20:07 -------- d-----w- c:\program files\Veetle 2010-01-09 03:58 . 2008-05-21 01:16 -------- d-----w- c:\program files\HP 2010-01-09 03:16 . 2008-05-21 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\HP 2010-01-09 01:41 . 2010-01-09 01:41 -------- d-----w- c:\program files\Windows Media Connect 2 2010-01-08 00:49 . 
2010-01-08 00:49 1924744 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe 2010-01-03 23:07 . 2010-01-03 23:03 -------- d-----w- c:\program files\TVAnts 2010-01-02 02:53 . 2010-01-02 02:53 -------- d-----w- c:\documents and settings\Kim Lowe\Application Data\CyberLink 2010-01-01 21:41 . 2010-01-01 21:41 -------- d-----w- c:\program files\Intel Corporation 2009-12-31 16:50 . 2005-08-22 22:46 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-21 19:14 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-16 22:05 . 2010-01-01 05:47 347136 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll 2009-12-16 22:05 . 2010-01-01 05:47 340992 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll 2009-12-16 22:05 . 2010-01-01 05:47 471040 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll 2009-12-16 22:05 . 2010-01-01 05:47 43008 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll 2009-12-16 22:05 . 2010-01-01 05:47 1452032 ----a-w- c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll 2009-12-16 18:43 . 2004-08-11 22:11 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:27 . 
2004-08-11 22:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2004-08-04 03:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-12-07 01:05 . 2009-12-07 01:03 23101 ----a-w- c:\windows\hpqins15.dat 2009-12-07 00:57 . 2009-12-07 00:49 19521 ----a-w- c:\windows\hpqins13.dat 2009-12-04 18:22 . 2005-08-22 22:46 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2008-04-27 06:13 . 2008-04-27 06:13 0 ----a-w- c:\program files\temp01 . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "Google Update"="c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-09 135664] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064] "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "PMX Daemon"="ICO.EXE" [2006-06-09 47104] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] 
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608] "DACSMiniApp"="c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe" [2008-03-13 128256] c:\documents and settings\Nic\Start Menu\Programs\Startup\ wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-9-16 15360] c:\documents and settings\Kim Lowe\Start Menu\Programs\Startup\ OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-8-22 156784] Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-22 24576] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\America Online 9.0\\waol.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Common Files\\AOL\\1132732177\\ee\\aolsoftware.exe"= "c:\\Program 
Files\\Common Files\\AOL\\1132732177\\ee\\aim6.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\TVAnts\\Tvants.exe"= "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 5:44 AM 477696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 . Contents of the 'Scheduled Tasks' folder 2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34] 2010-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006Core.job - c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27] 2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-219612428-2456359044-841806917-1006UA.job - c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-09 02:27] . . ------- Supplementary Scan ------- . 
uInternet Connection Wizard,ShellNext = iexplore
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath - c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\
FF - component: c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Kim Lowe\Application Data\Mozilla\Firefox\Profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Kim Lowe\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{F0626A63-410B-45E2-99A1-3F2475B2D695} - c:\program files\SGPSA\BHO.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-SGPUpdater - c:\program files\Search Guard PlusU\sgpUpdaters.exe
HKLM-Run-FBSearch - c:\program files\Search Guard Plus\SearchGuardPlus.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{AAC4FC36-8F89-4587-8DD3-EBC57C83374D} - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\setup\hpzscr01.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 15:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SGPUpdater = c:\program files\Search Guard PlusU\sgpUpdaters.exe??o?LUDE_CUSTOM_XML id="customxml_19" name="custo
FBSearch = c:\program files\Search Guard Plus\SearchGuardPlus.exe?LUDE_CUSTOM_XML id="customxml_19" name="custo

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-02-28 16:02:26
ComboFix-quarantined-files.txt 2010-02-28 22:02

Pre-Run: 30,570,561,536 bytes free
Post-Run: 33,072,431,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 208810FDFB5E71277ED3E5F520890164
  7. "In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes." It wouldn't open normally, and that method wouldn't work either.
  8. I'm sorry, but I found the winlogon.exe file, but nothing happens when I double-click it. The program still won't run.
  9. Thank you! Here are the logs:

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Feb 28 11:20:27 2010

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03
Found and removed: Software\Classes\JavaPlugin.160_02

------------------------------------

Finished reporting.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Ran as Kim Lowe on 02/28/2010 at 11:39:53.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\av.exe
C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Kim Lowe\Desktop\rkill.exe

Rkill completed on 02/28/2010 at 11:39:56.
  10. Bad infection on my Dell 6000. XP Antivirus 2010. I can't install mbam (installer will not open, even with randomly named file). I've posted my Defogger disable, DDS log, and attached DDS attach, and GMER log. Here is my defogger-disable log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 01:16 on 27/02/2010 (Kim Lowe)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

My DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Kim Lowe at 1:25:33.60 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.113 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\av.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Search Guard PlusU\sgpUpdaters.exe
C:\Program Files\Search Guard Plus\SearchGuardPlus.exe
C:\Program Files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Kim Lowe\Local Settings\Application Data\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kim Lowe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\2.bin\MWSSRCAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\2.bin\MWSSRCAS.DLL
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\2.bin\MWSSRCAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\2.bin\MWSBAR.DLL
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\documents and settings\kim lowe\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\2.bin\mwsoemon.exe
mRun: [PMX Daemon] ICO.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\2.bin\m3SrchMn.exe" /m=2 /w
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [sGPUpdater] c:\program files\search guard plusu\sgpUpdaters.exe
mRun: [FBSearch] c:\program files\search guard plus\SearchGuardPlus.exe
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DACSMiniApp] c:\program files\fisher-price\dacs\miniapp\DACSMiniApp.exe
StartupFolder: c:\docume~1\kimlow~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159218937906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kimlow~1\applic~1\mozilla\firefox\profiles\b58bjj77.default\
FF - component: c:\documents and settings\kim lowe\application data\mozilla\firefox\profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\kim lowe\application data\mozilla\firefox\profiles\b58bjj77.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\kim lowe\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-22 24652]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696]

=============== Created Last 30 ================

2010-02-27 07:16:25 0 ----a-w- c:\documents and settings\kim lowe\defogger_reenable
2010-02-14 21:43:51 0 d-----w- c:\docume~1\kimlow~1\applic~1\Fisher-Price
2010-02-14 21:41:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Fisher-Price
2010-02-14 21:39:50 0 d-----w- c:\program files\Fisher-Price
2010-02-14 21:39:18 266088 ----a-w- c:\windows\system32\xactengine2_8.dll
2010-02-14 21:39:18 18280 ----a-w- c:\windows\system32\x3daudio1_2.dll
2010-02-14 21:39:16 443752 ----a-w- c:\windows\system32\d3dx10_34.dll
2010-02-14 21:39:15 1124720 ----a-w- c:\windows\system32\D3DCompiler_34.dll
2010-02-14 21:39:13 3497832 ----a-w- c:\windows\system32\d3dx9_34.dll
2010-02-14 21:39:11 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2010-02-14 21:39:07 261480 ----a-w- c:\windows\system32\xactengine2_7.dll
2010-02-14 21:39:05 443752 ----a-w- c:\windows\system32\d3dx10_33.dll
2010-02-14 21:39:05 1123696 ----a-w- c:\windows\system32\D3DCompiler_33.dll
2010-02-14 21:39:01 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2010-02-14 21:39:00 255848 ----a-w- c:\windows\system32\xactengine2_6.dll
2010-02-14 21:39:00 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2010-02-07 01:05:47 0 d-----w- c:\program files\iTunes
2010-02-07 01:05:47 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-07 00:19:35 0 d-----w- c:\program files\Windows Installer Clean Up
2010-02-07 00:19:08 0 d-----w- c:\program files\MSECACHE

==================== Find3M ====================

2010-02-24 21:58:44 50496 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-14 21:41:31 1516 ----a-w- c:\docume~1\kimlow~1\applic~1\wklnhst.dat
2010-01-24 01:42:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-01 01:57:47 12288 ----a-w- C:\mtwb.dat
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-07 01:05:29 23101 ----a-w- c:\windows\hpqins15.dat
2009-12-07 00:57:09 19521 ----a-w- c:\windows\hpqins13.dat
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2008-04-27 06:13:09 0 ----a-w- c:\program files\temp01
2005-12-23 03:40:56 403199 --sh--w- c:\windows\system32\hjjlm.bak1
2005-12-23 20:43:05 404926 --sh--w- c:\windows\system32\hjjlm.bak2
2005-12-24 01:42:07 405585 --sh--w- c:\windows\system32\hjjlm.ini2
2008-09-11 04:41:25 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 1:27:00.46 ===============

GMER and DDS attach are attached. I would really appreciate any help! Thank you!

ark.txt
Attach.txt
  11. Really?.... I was trying to play a game with my kids and I downloaded the plug-in. The game never worked and about 10 minutes later I started getting the fake warnings, redirects, and constant pop-ups. I just tried playing one of the games and it worked without making me download anything. I'm just not sure how that happened. I hadn't used Ares or Limewire in months and hadn't downloaded anything else in recent memory.
  12. I followed all your directions, thanks a million times. I have noticed one remaining issue. The original Firefox add-on that I downloaded remains on Firefox and won't uninstall. It creates a button to link to this website: http://www.playsushi.com/Home.ps It's an extremely professional knock-off of addictinggames.com, but trying to play the games gets a person in quite a bit of trouble, as happened to me. Should I be concerned about the add-on remaining in Firefox?
  13. ComboFix 09-12-21.08 - Owner 12/29/2009 18:22:47.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.111 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\kahdah.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt

FILE ::
"c:\windows\system32\ULISSvPFvF.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ULISSvPFvF.dll
c:\windows\system32\wininit.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-30 )))))))))))))))))))))))))))))))
.

2009-12-24 05:30 . 2009-12-24 05:30 -------- dc----w- C:\_OTM
2009-12-22 12:11 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 12:11 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 12:11 . 2009-12-23 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-20 10:37 . 2009-12-20 10:37 -------- d--h--w- c:\windows\PIF
2009-12-19 13:14 . 2009-12-19 13:14 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-02 22:49 . 2009-12-02 22:50 -------- dc----w- C:\holiday card 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 00:36 . 2009-04-20 22:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-12-29 12:22 . 2009-02-05 22:56 7912 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-24 05:36 . 2008-04-19 02:06 -------- d-----w- c:\program files\LimeWire
2009-12-23 01:55 . 2009-04-04 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-14 12:50 . 2009-11-25 09:25 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-22 18:00 . 2008-11-23 19:47 -------- d-----w- c:\program files\Veetle
2009-11-20 02:49 . 2006-05-05 03:42 223672 -c-ha-w- c:\windows\system32\mlfcache.dat
2009-11-06 21:01 . 2009-11-06 21:01 188928 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll
2009-11-02 01:01 . 2004-10-30 06:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-11-02 00:39 . 2009-11-02 00:37 -------- d-----w- c:\program files\iTunes
2009-11-02 00:39 . 2009-11-02 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-02 00:38 . 2004-10-30 06:47 -------- d-----w- c:\program files\iPod
2009-11-02 00:38 . 2007-08-17 00:23 -------- d-----w- c:\program files\Common Files\Apple
2009-11-02 00:36 . 2009-11-02 00:35 -------- d-----w- c:\program files\QuickTime
2009-10-29 05:48 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll
2009-10-29 02:58 . 2009-10-29 02:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll
2006-09-27 02:46 . 2006-09-26 22:07 152 --sha-r- c:\windows\system32\2F0320EBFA.dll
2006-04-03 15:50 . 2005-10-29 04:50 104 --sha-r- c:\windows\system32\2F0320EBFA.sys
2008-05-16 04:01 . 2005-10-29 04:40 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-06 79872]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-04 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VTTimer"="VTTimer.exe" [2005-03-08 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-8-30 25896]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2009-8-26 1634304]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk
backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp]
2008-03-13 18:05 128256 -c--a-w- c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dwStart]
2004-08-05 01:13 405504 -c--a-w- c:\program files\PCSecurityShield\The Shield Firewall\FireWall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-16 21:50 133104 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 16:16 2363392 -c--a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\Ralink\Common\RalinkRegistryWriter.exe [8/26/2009 3:49 PM 75040]
R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696]
S2 gupdate1c9b4ecb122e84a;Google Update Service (gupdate1c9b4ecb122e84a);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 12:14 AM 133104]
S3 athrusb;Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [7/14/2008 5:31 PM 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [7/19/2008 8:31 AM 20608]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [5/19/2004 10:53 PM 142169]
S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [6/29/2006 5:20 PM 48896]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [8/26/2009 3:49 PM 16512]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [8/21/2009 7:38 PM 644096]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [6/9/2008 7:49 PM 104320]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 16:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\PlaySushi\PSText.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfg2ydz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 18:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?.lnk?tform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2364)
c:\windows\system32\ieframe.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\VTTimer.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-29 18:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-30 00:44
ComboFix2.txt 2009-12-23 13:24
ComboFix3.txt 2009-12-23 03:05

Pre-Run: 8,897,003,520 bytes free
Post-Run: 8,952,696,832 bytes free

- - End Of File - - DB9494AF56FDD558A11539F2E6490502
  14. [ArcaVir] 2009-12-28 Found nothing
[F-Secure Anti-Virus] 2009-12-28 Found nothing
[A-Squared] 2009-12-29 Trojan.Win32.Alureon!IK
[G DATA] 2009-12-28 Trojan.Generic.2874687
[Avast! antivirus] 2009-12-27 Win32:Malware-gen
[ikarus] 2009-12-29 Trojan.Win32.Alureon
[Grisoft AVG Anti-Virus] 2009-12-28 Generic16.AIL
[Kaspersky Anti-Virus] 2009-12-29 Found nothing
[Avira AntiVir] 2009-12-28 TR/Crypt.ZPACK.Gen
[ESET NOD32] 2009-12-28 Win32/Kryptik.BP
[softwin BitDefender] 2009-12-26 Trojan.Generic.2874687
[Panda Antivirus] 2009-12-28 Generic
[ClamAV] 2009-12-29 Found nothing
[Quick Heal] 2009-12-28 Trojan.Agent.ATV
[CPsecure] 2009-12-29 Found nothing
[sophos] 2009-12-29 Found nothing
[Dr.Web] 2009-12-28 Found nothing
[VirusBlokAda VBA32] 2009-12-28 Found nothing
[Frisk F-Prot Antivirus] 2009-12-28 Found nothing
[VirusBuster] 2009-12-28 Found nothing
  15. I use Firefox 90% of the time, but I haven't had it happen once with Chrome (I never use IE). Here is the log. Again, thank you soooo much.
GooredFix by jpshortstuff (06.12.09.1)
Log created at 10:48 on 24/12/2009 (Owner)
Firefox version 3.5.6 (en-US)
========== GooredScan ==========
========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:56 02/01/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [04:54 21/03/2008]
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfg2ydz.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [12:27 01/10/2009]
{517ca167-b6e8-4397-a0b4-a0074bbe3d5b} [23:58 19/12/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [12:56 21/03/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [23:03 13/08/2009]
-=E.O.F=-
  16. I'm not sure if this is of interest to you, but the only current sign of infection my computer continues to show is my Firefox browser redirects when I click links from a Google search 70% of the time. And again, thank you!
  17. .txt posted, attach attached DDS (Ver_09-12-01.01) - NTFSx86 Run by Owner at 23:39:14.60 on Wed 12/23/2009 Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.46 [GMT -6:00] ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\VTTimer.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Documents and Settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe C:\Program Files\Ralink\Common\RaUI.exe C:\WINDOWS\system32\wuauclt.exe C:\Program 
Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Java\jre6\bin\java.exe C:\Documents and Settings\Owner\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.dogpile.com/ uSearch Page = hxxp://www.google.com uDefault_Search_URL = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearch Bar = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = <local>;*.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s uURLSearchHooks: H - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll BHO: EyeOnIE Class: {316aef8d-3c37-423e-9e6e-13820a9dc37a} - c:\progra~1\pcsecu~1\theshi~1\IrlOnIE.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: PopupBlocker Class: {e22f9b9d-1a1f-473e-bed6-d8bc152441f4} - c:\progra~1\pcsecu~1\theshi~1\FARPOP~1.DLL BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll TB: {119DBEDA-9C41-4F97-94B4-B6BCD01133CF} - 
No File TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe" uRun: [sansaDispatch] c:\documents and settings\owner\application data\sandisk\sansa updater\SansaDispatch.exe uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [intelliType] "c:\program files\microsoft hardware\keyboard\type32.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [VTTimer] VTTimer.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe" mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\program files\creative home\hallmark card studio 2006\planner\PLNRnote.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program 
files\ralink\common\RaUI.exe IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll LSP: c:\windows\system32\ULISSvPFvF.dll DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} - hxxp://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095969599519 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab DPF: 
{BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://hgtv3.view22.com/view22/app/view22rte.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.scrapbookpictures.com/ImageUploader4.cab Notify: AtiExtEvent - Ati2evxx.dll Notify: WRNotifier - WRLogonNTF.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe" ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\snfg2ydz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q= FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\veetle\player\npvlc.dll FF - plugin: c:\program files\veetle\plugins\npVeetle.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - 
c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\ralink\common\RalinkRegistryWriter.exe [2009-8-26 75040] R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2006-8-24 477696] S2 gupdate1c9b4ecb122e84a;Google Update Service (gupdate1c9b4ecb122e84a);c:\program files\google\update\GoogleUpdate.exe [2009-4-4 133104] S3 athrusb;Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-14 446976] S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2008-7-19 20608] S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [2004-5-19 142169] S3 PhSerUsb;PHILOG USB Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [2006-6-29 48896] S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2009-8-26 16512] S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-8-21 644096] S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-6-9 104320] S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?] 
=============== Created Last 30 ================ 2009-12-24 05:30:04 0 dc----w- C:\_OTM 2009-12-23 13:25:18 744 ----a-w- c:\windows\system32\wininit.dll 2009-12-23 13:01:22 0 dcsha-r- C:\cmdcons 2009-12-23 02:04:01 98816 ----a-w- c:\windows\sed.exe 2009-12-23 02:04:01 77312 ----a-w- c:\windows\MBR.exe 2009-12-23 02:04:01 261632 ----a-w- c:\windows\PEV.exe 2009-12-23 02:04:01 161792 ----a-w- c:\windows\SWREG.exe 2009-12-22 12:11:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-22 12:11:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-22 12:11:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-22 00:46:20 97792 ----a-w- c:\windows\system32\ULISSvPFvF.dll 2009-12-20 10:37:09 0 d--h--w- c:\windows\PIF 2009-12-19 13:14:02 552 ----a-w- c:\windows\system32\d3d8caps.dat 2009-12-02 22:49:56 0 dc----w- C:\holiday card 3 2009-11-26 00:40:13 0 dc----w- C:\nov 25, 2009 ==================== Find3M ==================== 2009-12-24 05:35:52 7912 ----a-w- c:\windows\system32\d3d9caps.dat 2009-11-20 02:49:04 223672 -c-ha-w- c:\windows\system32\mlfcache.dat 2009-10-29 05:48:04 662016 ------w- c:\windows\system32\wininet.dll 2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll 2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll 2009-09-25 05:56:32 81920 ----a-w- c:\windows\system32\ieencode.dll 2006-09-27 02:46:14 152 --sha-r- c:\windows\system32\2F0320EBFA.dll 2006-04-03 15:50:32 104 --sha-r- c:\windows\system32\2F0320EBFA.sys 2008-05-16 04:01:00 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 23:40:16.50 =============== Attach.zip
  18. I completed the uninstall of LimeWire after running OTM so that it would not affect your code.
All processes killed
========== FILES ==========
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-5ad921e7 moved successfully.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-75b5bcd8 moved successfully.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-35d73af9 moved successfully.
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-6006b500 moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CL2VGTQR folder moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHU3GH2F folder moved successfully.
I:\funny shows\because you love me instrumental.wmv moved successfully.
I:\Incomplete\T-3545425-better.mp3 moved successfully.
I:\LimeWire\big girls dont cry.mp3 moved successfully.
I:\LimeWire\lost boys golden girls 192kb.mp3 moved successfully.
I:\LimeWire\my name is christmas carol.mp3 moved successfully.
I:\music downloads\blue october independently happy live.wm moved successfully.
I:\music downloads\garbage as heaven is wide.wm moved successfully.
I:\My Documents\Preston\Little_Shop_of_Treasures_msgh-setup.exe moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 376899 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Owner
->Temp folder emptied: 92905638 bytes
->Temporary Internet Files folder emptied: 9781449 bytes
->Java cache emptied: 121073773 bytes
->FireFox cache emptied: 87982929 bytes
->Google Chrome cache emptied: 86845699 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3346091 bytes
%systemroot%\System32 .tmp files removed: 5528081 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 43128 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 389.00 mb
OTM by OldTimer - Version 3.1.3.0 log created on 12232009_233004
Files moved on Reboot...
Registry entries deleted on Reboot...
  19. KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, December 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, December 23, 2009 18:09:47
Records in database: 3404437
Scan settings
scan using the following database    extended
Scan archives    yes
Scan e-mail databases    yes
Scan area    My Computer
A:\
C:\
D:\
E:\
I:\
Scan statistics
Objects scanned    167881
Threats found    13
Infected objects found    22
Suspicious objects found    0
Scan duration    05:57:31
File name    Threat    Threats count
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-5ad921e7    Infected: Trojan-Downloader.Java.OpenConnection.ap    1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\5facab1f-75b5bcd8    Infected: Trojan-Downloader.Java.OpenConnection.ap    1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-35d73af9    Infected: Trojan-Downloader.Java.OpenConnection.ap    1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\50\2ce40a72-6006b500    Infected: Trojan-Downloader.Java.OpenConnection.ap    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\critical_warning.html.vir    Infected: Trojan.JS.Hoax.b    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\fosutozi.dll.vir    Infected: Trojan.Win32.Monder.cvpj    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lolajeyo.dll.vir    Infected: Trojan.Win32.Monder.cvqs    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nusoyeta.dll.vir    Infected: Trojan.Win32.Monder.cvqe    1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_logon_.exe.zip    Infected: Trojan.Win32.Vilsel.pqd    1
C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026628.dll    Infected: Trojan.Win32.Monder.cvpj    1
C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026629.dll    Infected: Trojan.Win32.Monder.cvqs    1
C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026630.dll    Infected: Trojan.Win32.Monder.cvqe    1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CL2VGTQR\102[1].exe    Infected: Trojan.Win32.Swisyn.srb    1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHU3GH2F\102[1].exe    Infected: Trojan.Win32.Swisyn.srb    1
I:\funny shows\because you love me instrumental.wmv    Infected: Trojan-Downloader.WMA.Wimad.t    1
I:\Incomplete\T-3545425-better.mp3    Infected: Trojan-Downloader.WMA.GetCodec.r    1
I:\LimeWire\big girls dont cry.mp3    Infected: Trojan-Downloader.WMA.GetCodec.c    1
I:\LimeWire\lost boys golden girls 192kb.mp3    Infected: Trojan-Downloader.WMA.GetCodec.f    1
I:\LimeWire\my name is christmas carol.mp3    Infected: Trojan-Downloader.WMA.GetCodec.c    1
I:\music downloads\blue october independently happy live.wm    Infected: Trojan-Downloader.WMA.Wimad.m    1
I:\music downloads\garbage as heaven is wide.wm    Infected: Trojan-Downloader.WMA.Wimad.m    1
I:\My Documents\Preston\Little_Shop_of_Treasures_msgh-setup.exe    Infected: Trojan.Win32.Inject.tqm    1
Selected area has been scanned.
  20. Okay, so I just finished running the code you sent in ComboFix; here is the log:
ComboFix 09-12-21.08 - Owner 12/23/2009 7:10.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.200 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\kahdah.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\wininit.dll
I:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.
2009-12-22 12:11 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 12:11 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 12:11 . 2009-12-23 03:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 00:46 . 2009-12-22 00:46 97792 ----a-w- c:\windows\system32\ULISSvPFvF.dll
2009-12-20 10:37 . 2009-12-20 10:37 -------- d--h--w- c:\windows\PIF
2009-12-19 13:14 . 2009-12-19 13:14 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-02 22:49 . 2009-12-02 22:50 -------- dc----w- C:\holiday card 3
2009-11-26 00:40 . 2009-11-26 00:40 -------- dc----w- C:\nov 25, 2009
2009-11-25 09:25 . 2009-12-14 12:50 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 12:52 . 2009-04-20 22:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-12-23 01:55 . 2009-04-04 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-20 20:54 . 2009-02-05 22:56 7912 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-22 18:00 . 2008-11-23 19:47 -------- d-----w- c:\program files\Veetle
2009-11-20 02:49 .
2006-05-05 03:42 223672 -c-ha-w- c:\windows\system32\mlfcache.dat 2009-11-06 21:01 . 2009-11-06 21:01 188928 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll 2009-11-02 01:01 . 2004-10-30 06:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer 2009-11-02 00:39 . 2009-11-02 00:37 -------- d-----w- c:\program files\iTunes 2009-11-02 00:39 . 2009-11-02 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-11-02 00:38 . 2004-10-30 06:47 -------- d-----w- c:\program files\iPod 2009-11-02 00:38 . 2007-08-17 00:23 -------- d-----w- c:\program files\Common Files\Apple 2009-11-02 00:36 . 2009-11-02 00:35 -------- d-----w- c:\program files\QuickTime 2009-10-29 05:48 . 2004-08-04 12:00 662016 ------w- c:\windows\system32\wininet.dll 2009-10-29 02:58 . 2009-10-29 02:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe 2009-10-24 19:15 . 2004-09-23 21:55 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-10-21 06:00 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 06:00 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 14:58 . 2004-08-04 12:00 263552 ----a-w- c:\windows\system32\drivers\http.sys 2009-10-13 10:53 . 2004-08-04 12:00 266752 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:54 . 2004-08-04 12:00 69632 ----a-w- c:\windows\system32\raschap.dll 2009-10-12 13:54 . 2004-08-04 12:00 112128 ----a-w- c:\windows\system32\rastls.dll 2009-09-25 05:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll 2006-09-27 02:46 . 2006-09-26 22:07 152 --sha-r- c:\windows\system32\2F0320EBFA.dll 2006-04-03 15:50 . 
2005-10-29 04:50 104 --sha-r- c:\windows\system32\2F0320EBFA.sys 2008-05-16 04:01 . 2005-10-29 04:40 4184 -csha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SansaDispatch"="c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2008-12-06 79872] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-03-27 24103720] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-04 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768] "IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2001-06-12 69632] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "VTTimer"="VTTimer.exe" [2005-03-08 53248] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488] "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600] 
c:\documents and settings\All Users\Start Menu\Programs\Startup\ Event Planner Reminder.lnk - c:\program files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [2005-8-30 25896] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] Ralink Wireless Utility.lnk - c:\program files\Ralink\Common\RaUI.exe [2009-8-26 1634304] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp] 2008-03-13 18:05 128256 -c--a-w- c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dwStart] 2004-08-05 01:13 405504 -c--a-w- c:\program files\PCSecurityShield\The Shield Firewall\FireWall.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2008-11-16 21:50 133104 ----atw- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-10-29 02:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\LightScribe Control Panel] 2008-06-09 16:16 2363392 -c--a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr] 2006-03-30 21:45 313472 -c--a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"= "c:\\Program Files\\TVAnts\\Tvants.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\Ralink\Common\RalinkRegistryWriter.exe [8/26/2009 3:49 PM 75040] R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [8/24/2006 4:44 AM 477696] S2 gupdate1c9b4ecb122e84a;Google Update Service (gupdate1c9b4ecb122e84a);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 12:14 AM 133104] S3 athrusb;Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [7/14/2008 5:31 PM 446976] S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [7/19/2008 8:31 AM 20608] S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\FarDrive.sys [5/19/2004 10:53 PM 142169] S3 PhSerUsb;PHILOG USB 
Serial Driver;c:\windows\system32\drivers\PhSerUsb.sys [6/29/2006 5:20 PM 48896] S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [8/26/2009 3:49 PM 16512] S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [8/21/2009 7:38 PM 644096] S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [6/9/2008 7:49 PM 104320] S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\ZDCndis5.SYS --> c:\windows\system32\ZDCndis5.SYS [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2008-06-09 16:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://www.dogpile.com/ uSearch Page = hxxp://www.google.com uDefault_Search_URL = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearch Bar = hxxp://www.google.com/ie uInternet Settings,ProxyOverride = <local>;*.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: {{EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\PlaySushi\PSText.dll LSP: c:\windows\system32\ULISSvPFvF.dll FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfg2ydz.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q= FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: 
c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Veetle\Player\npvlc.dll FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-ares - c:\program files\Ares\Ares.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-23 07:20 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run SansaDispatch = c:\documents and settings\Owner\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?.lnk?tform=&is-debug=&rom-version=&part-number=&product-name=&content-class=common_conten scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(656) c:\windows\system32\Ati2evxx.dll . 
Completion time: 2009-12-23 07:24:38 ComboFix-quarantined-files.txt 2009-12-23 13:24 ComboFix2.txt 2009-12-23 03:05 Pre-Run: 9,141,927,936 bytes free Post-Run: 9,115,074,560 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin - - End Of File - - 56ACC2FBF661C5D1D75F4278A9DE583E
  21. After the first time I ran ComboFix, Malwarebytes opened so I ran that. Sorry if I wasn't supposed to do that. Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.42
Database version: 3413
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
12/23/2009 6:28:37 AM
mbam-log-2009-12-23 (06-28-37).txt
Scan type: Full Scan (C:\|I:\|)
Objects scanned: 291791
Time elapsed: 1 hour(s), 53 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 43
Memory Processes Infected: (No malicious items detected)
Memory Modules Infected: c:\WINDOWS\system32\doriyubi.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{976be64d-2a63-482c-b389-eb86607128c9} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{976be64d-2a63-482c-b389-eb86607128c9} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f79e15ba-5c4e-475f-8695-ead91ac3fbb9} (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vorigarup (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f79e15ba-5c4e-475f-8695-ead91ac3fbb9} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gitimeyaw (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\doriyubi.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\doriyubi.dll -> Delete on reboot.
Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\wibotelo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\doriyubi.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\lizasaja.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mahagiyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mazileve.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\mivojova.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ruyupuno.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\sadokike.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\yaladuri.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\yudegoku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP39\A0022513.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP39\A0023514.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0023523.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0023532.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0023569.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0023570.dll (Trojan.Vundo) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0023571.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0024532.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0024534.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0024543.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP40\A0024545.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0024554.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0024557.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0025554.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026554.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026576.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026625.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026626.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. 
C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026631.dll (Trojan.Fakeinit) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026632.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{6588E4C1-2551-4389-B877-3C5A50F92FD7}\RP41\A0026665.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C9MNKD6J\exe[1].exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\bawayeka.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\bokenayo.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\gabowuto.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\tatiberu.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\warosami.dll.tmp.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper86.dll.vir (Trojan.Fakeinit) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon86.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate86.exe.vir (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully. C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Local.dtd (Malware.Trace) -> Quarantined and deleted successfully. 
C:\Documents and Settings\All Users\Application Data\Macromedia\SwUpdate\Ui.dtd (Malware.Trace) -> Quarantined and deleted successfully.