dsardone
Everything posted by dsardone
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Thank you so much for all of your help. I don't appear to be having any issues at the moment. I appreciate it very much. Have a great day.
-Donna
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
ComboFix 10-05-22.01 - Bandlady 05/24/2010 17:46:55.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.415 [GMT -4:00]
Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Bandlady\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\cmddupd.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\WinSoftware
c:\documents and settings\All Users\Application Data\WinSoftware\WinAntiVirus 2005\AV.log

.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 21:06 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Bandlady\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-24 21:04 . 2010-05-24 21:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-24 21:03 . 2010-05-24 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-05-24 19:17 . 2010-05-24 19:17 -------- d-----w- c:\program files\ESET
2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll
2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll
2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll
2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll
2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll
2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 02:18 . 2010-05-24 16:29 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software
2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 21:08 . 2004-04-16 01:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-24 21:06 . 2009-06-30 13:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-24 19:07 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java
2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner
2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro
2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat
2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.
((((((((((((((((((((((((((((( SnapShot@2010-05-23_00.58.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-24 19:15 . 2010-05-24 19:15 16384 c:\windows\Temp\Perflib_Perfdata_1b4.dat
+ 2010-05-24 21:06 . 2010-05-24 21:06 24576 c:\windows\Installer\66487c.msi
+ 2010-05-24 21:06 . 2010-05-24 21:06 27648 c:\windows\Installer\664877.msi
+ 2006-12-02 02:54 . 2006-12-02 02:54 626688 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 02:54 . 2006-12-02 02:54 548864 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54 . 2006-12-02 02:54 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2010-05-24 21:09 . 2010-05-24 21:09 3940352 c:\windows\Installer\664881.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]
.
Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=20011&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 17:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-24 17:54:07
ComboFix-quarantined-files.txt 2010-05-24 21:54
ComboFix2.txt 2010-05-24 17:52
ComboFix3.txt 2010-05-23 01:02
ComboFix4.txt 2003-09-19 09:16

Pre-Run: 100,932,153,344 bytes free
Post-Run: 100,889,018,368 bytes free

- - End Of File - - B0F9777759CA0029D049A203BEFB0CC4
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Hi,

Things seem to be running fine, except ESET still detected 5 items, as you'll see below. I uninstalled Adobe Reader, but should I do anything with my other Adobe programs that I have installed?

For the ESET log, I copied the list of files to Notepad. I didn't see any other options for saving a log file, so I hope this is what you needed.

C:\Documents and Settings\All Users\Application Data\WinSoftware\WinAntiVirus 2005\Quarantine\Install_AIM.exezvsrtkjp Win32/Adware.WBug.A application
C:\Qoobox\Quarantine\C\WINDOWS\iduredoxira.dll.vir a variant of Win32/Cimag.CK trojan
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\pmiwvaw.sys.vir a variant of Win32/Rootkit.Kryptik.BI trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP5\A0006495.dll a variant of Win32/Cimag.CK trojan
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP6\A0006716.sys a variant of Win32/Rootkit.Kryptik.BI trojan

Thanks
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Ok, thanks.

ComboFix 10-05-22.01 - Bandlady 05/24/2010 13:43:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.459 [GMT -4:00]
Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Bandlady\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\NetworkService\Application Data\qvjsge.dat"
"c:\windows\Gwudogisey.dat"
"c:\windows\Mricahowil.bin"
"c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat"
"c:\windows\TEMP\90008102.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\qvjsge.dat
c:\windows\Gwudogisey.dat
c:\windows\Mricahowil.bin
c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PMIWVAW
-------\Service_pmiwvaw

((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll
2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll
2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll
2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll
2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll
2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 02:18 . 2010-05-24 16:29 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software
2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-21 02:19 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java
2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java
2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner
2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro
2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat
2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.
((((((((((((((((((((((((((((( SnapShot@2010-05-23_00.58.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-24 17:49 . 2010-05-24 17:49 16384 c:\windows\Temp\Perflib_Perfdata_190.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cmsttmac REG_SZ c:\windows\system32\cmddupd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]
.
Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=20011&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3908)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
.
**************************************************************************
.
Completion time: 2010-05-24 13:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-24 17:52
ComboFix2.txt 2010-05-23 01:02
ComboFix3.txt 2003-09-19 09:16

Pre-Run: 101,272,936,448 bytes free
Post-Run: 101,228,949,504 bytes free

- - End Of File - - D3FB3D4404CB7053EF5E8465B75FB45C

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4139

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/24/2010 2:01:11 PM
mbam-log-2010-05-24 (14-01-11).txt

Scan type: Quick scan
Objects scanned: 127494
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:04 on 24/05/2010 by Bandlady (Administrator - Elevation successful)

========== filefind ==========

Searching for "rboji.*"
No files found.

-=End Of File=-
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Hi,

For VirusTotal, you said I was to paste this file into the "upload a file" box, right?

c:\windows\system32\cmddupd.dll

It is not reading it; it gives me an error that says "file not found". Should I try it in another tab, such as Hash search?

Thanks
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
ComboFix 10-05-22.01 - Bandlady 05/22/2010 20:53:17.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.696 [GMT -4:00]
Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}
c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome.manifest
c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome\content\_cfg.js
c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\chrome\content\overlay.xul
c:\documents and settings\Bandlady\Local Settings\Application Data\{A9E7E9B9-F85B-4DD8-9B35-379A48D6BF5F}\install.rdf
c:\windows\iduredoxira.dll
c:\windows\system32\drivers\abbora.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VAPSpy
-------\Service_fqgi
-------\Service_VAPSpy

((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-21 02:19 . 2010-05-21 02:19 503808 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcp71.dll
2010-05-21 02:19 . 2010-05-21 02:19 499712 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\jmc.dll
2010-05-21 02:19 . 2010-05-21 02:19 348160 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-17e3e26a-n\msvcr71.dll
2010-05-21 02:19 . 2010-05-21 02:19 12800 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-d3d.dll
2010-05-21 02:19 . 2010-05-21 02:19 61440 ----a-w- c:\documents and settings\Bandlady\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-371df80f-n\decora-sse.dll
2010-05-21 02:19 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-21 02:18 . 2010-05-21 02:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-21 02:18 . 2010-05-21 02:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-21 02:18 . 2010-05-21 02:18 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-21 02:18 . 2010-05-21 02:18 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-21 02:18 . 2010-05-22 21:46 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-19 11:42 . 2010-05-20 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-19 11:42 . 2010-05-19 11:42 -------- d-----w- c:\program files\Alwil Software
2010-05-15 20:58 . 2010-05-22 22:26 120 ----a-w- c:\windows\Gwudogisey.dat
2010-05-15 20:58 . 2010-05-22 13:24 0 ----a-w- c:\windows\Mricahowil.bin
2010-05-15 20:56 . 2010-05-23 00:58 755200 ----a-w- c:\windows\system32\drivers\pmiwvaw.sys
2010-05-15 20:56 . 2010-05-15 20:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 22:52 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-05-21 02:19 . 2004-01-28 16:27 -------- d-----w- c:\program files\Common Files\Java
2010-05-21 02:18 . 2004-01-28 16:27 -------- d-----w- c:\program files\Java
2010-05-21 02:14 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-20 21:23 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-17 11:46 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-17 11:40 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner
2010-05-16 10:50 . 2010-05-16 10:50 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat
2010-05-15 20:56 . 2010-05-15 20:56 20 ----a-w- c:\documents and settings\NetworkService\Application Data\qvjsge.dat
2010-04-29 19:39 . 2010-03-27 01:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-03-27 01:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro
2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat
2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-10 06:15 . 2002-08-29 11:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2002-08-29 11:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-05-21 02:18 12464 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cmsttmac REG_SZ c:\windows\system32\cmddupd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/20/2010 10:18 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/20/2010 10:18 PM 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [5/20/2010 10:16 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [5/20/2010 10:16 PM 308064]

--- Other Services/Drivers In Memory ---

*Deregistered* - pmiwvaw
.
Contents of the 'Scheduled Tasks' folder

2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12]

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=20011&l=dis uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: aol.com\free FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q= FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); . 
- - - - ORPHANS REMOVED - - - - HKLM-Run-Nfizokaratiqef - c:\windows\iduredoxira.dll MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-05-22 20:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmiwvaw] . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2432) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\AVG\AVG9\avgnsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Dell AIO Printer A940\dlbabmon.exe c:\windows\TEMP\90008102.tmp . ************************************************************************** . Completion time: 2010-05-22 21:02:03 - machine was rebooted ComboFix-quarantined-files.txt 2010-05-23 01:02 ComboFix2.txt 2003-09-19 09:16 Pre-Run: 101,243,703,296 bytes free Post-Run: 101,280,669,696 bytes free - - End Of File - - 1529233ED68817B4D286F9C614048047 -
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Actually, scratch that. That was the DDS I attached in the first post. Duh! Here is the GMER. My apologies! And thank you!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-22 20:34:45
Windows 5.1.2600 Service Pack 3
Running: rtoj2o79.exe; Driver: C:\DOCUME~1\Bandlady\LOCALS~1\Temp\ufrdqpog.sys

---- Kernel code sections - GMER 1.0.15 ----

? rboji.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\pmiwvaw.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F73D2E55 4 Bytes CALL 86F154D9

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86FAC010
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Fastfat \Fat BAFA1D20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmiwvaw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\pmiwvaw@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\pmiwvaw@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----
Difficulty removing trojans on malwarebytes
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Hi Melboy, Thank you for your response! I actually did the GMER scan already; I attached it as a zip file in my original post, unless you are referring to something else or I did it incorrectly? Let me know if you'd like me to run it again.
Difficulty removing trojans on malwarebytes
dsardone posted a topic in Resolved Malware Removal Logs
Hi, I have been having trouble removing some trojans after multiple Malwarebytes and virus scans. Here are the logs that are requested. Thank you in advance.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4121

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2010 9:17:38 PM
mbam-log-2010-05-22 (21-17-38).txt

Scan type: Quick scan
Objects scanned: 126882
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\WINDOWS\Temp\90008102.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\90008102.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Attach.zip
ark.zip
Continuous infection with XP antivirus 2010
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Everything seems to be running very smoothly now. I can't thank you enough for your help and time.
Continuous infection with XP antivirus 2010
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 2:25:28 PM
mbam-log-2010-04-04 (14-25-28).txt

Scan type: Quick scan
Objects scanned: 110105
Time elapsed: 3 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Continuous infection with XP antivirus 2010
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
ComboFix 10-04-01.02 - Bandlady 04/03/2010 15:22:44.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.642 [GMT -4:00] Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe Command switches used :: c:\documents and settings\Bandlady\Desktop\cfscript.txt AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FILE :: "c:\windows\Gwudogisey.dat" "c:\windows\Mricahowil.bin" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Gwudogisey.dat c:\windows\Mricahowil.bin . ((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 ))))))))))))))))))))))))))))))) . 2010-04-03 03:26 . 2010-04-03 03:26 -------- d-----w- c:\program files\Avira 2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe 2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro 2010-03-31 15:18 . 2010-03-31 15:18 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer 2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer 2010-03-27 01:11 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-27 01:11 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-27 00:39 . 2010-03-27 00:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-03-11 13:18 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-02 22:30 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2010-04-02 22:30 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG 2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat 2010-04-01 02:26 . 2004-01-28 16:46 96512 ------w- c:\windows\system32\drivers\atapi.sys 2010-03-31 15:52 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-03-31 15:21 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner 2010-03-31 15:18 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-02-22 13:27 . 2004-01-28 16:57 -------- d-----w- c:\program files\Modem Helper 2010-01-07 13:33 . 2009-06-30 13:03 38208 ----a-w- c:\documents and settings\Bandlady\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe . ((((((((((((((((((((((((((((( SnapShot@2010-04-02_22.58.16 ))))))))))))))))))))))))))))))))))))))))) . + 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll + 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll + 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll + 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll + 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll + 2009-07-12 04:02 . 
2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll + 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll + 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll + 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll + 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll + 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll + 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll + 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll + 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll + 2010-04-03 11:43 . 2010-04-03 11:43 16384 c:\windows\Temp\Perflib_Perfdata_108.dat + 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll + 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll + 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll + 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll + 2010-04-03 03:25 . 
2010-04-03 03:25 219648 c:\windows\Installer\f5afa5.msi + 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll + 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672] "PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800] "Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2009-06-02 16:59 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= S3 VAPSpy;VAPSpy;\??\c:\program files\Common Files\WinSoftware\VAPSpy.SYS --> c:\program files\Common Files\WinSoftware\VAPSpy.SYS [?] --- Other Services/Drivers In Memory --- *Deregistered* - avgio *Deregistered* - avipbb . Contents of the 'Scheduled Tasks' folder 2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12] 2010-04-03 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.ask.com/?o=20011&l=dis uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: aol.com\free FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q= FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 
pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-03 15:27 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
Completion time: 2010-04-03 15:28:46 ComboFix-quarantined-files.txt 2010-04-03 19:28 ComboFix2.txt 2010-04-02 23:02 Pre-Run: 100,473,290,752 bytes free Post-Run: 100,431,396,864 bytes free - - End Of File - - BE96AF85356ECD319E5F605D02332637 Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 3:38:17 PM, on 4/3/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Dell AIO Printer A940\dlbabmon.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.playfirst.com/play/game/dinerda...h2.1.0.0.67.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6211 bytes
-
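The HijackThis log above is triaged by hand in this thread: the helper looks for entries whose target reads "(no file)" (dead registry references left behind after a removal), for O16 DPF ActiveX controls pulled down from the web, and for autoruns that live outside Program Files or the Windows directory. The script below is an added example written for this page, not code from HijackThis, ComboFix or the original posters. It parses the O2/O4/O9/O16/O18/O22/O23 line formats exactly as they appear in the log and applies those three checks. The sample input is constructed: nine lines are copied from the log in this thread, and one O4 entry (named "hypothetical") is invented so the location check has something to flag.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample. All lines but the last are copied from the HijackThis log
# posted in this thread; the final O4 entry is hypothetical and exists only so
# the "runs from an unusual location" check has something to flag.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKCU\..\Run: [hypothetical] C:\Documents and Settings\user\Application Data\hypothetical.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
RE_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
RE_RUNKEY = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
RE_STARTUP = re.compile(r"^(?P<where>[^:]+): (?P<name>.+?) = (?P<cmd>.*)$")
RE_CLSID_ITEM = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$")
RE_DPF = re.compile(r"^DPF: (?P<clsid>" + CLSID + r")(?: \((?P<name>[^)]*)\))? - (?P<target>.*)$")
RE_SERVICE = re.compile(r"^Service: (?P<rest>.*)$")

# Directories an autorun is expected to live under on this XP box (assumption).
TRUSTED_ROOTS = (r"c:\program files", r"c:\progra~1", r"c:\windows")


@dataclass
class Entry:
    section: str   # O2, O4, O16, ...
    kind: str      # BHO, HKLM\..\Run, DPF, Service, ...
    name: str
    target: str    # file path, URL or "(no file)"
    flags: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Strip arguments from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd)
    return m.group(1) if m else cmd


def parse_line(line: str):
    """Return an Entry for a recognised HijackThis line, else None."""
    m = RE_LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":  # registry Run key or startup-folder shortcut
        r = RE_RUNKEY.match(body) or RE_STARTUP.match(body)
        return Entry(sec, r["where"], r["name"], image_path(r["cmd"])) if r else None
    if sec == "O16":  # downloaded ActiveX control; name is optional in the log
        r = RE_DPF.match(body)
        return Entry(sec, "DPF", r["name"] or r["clsid"], r["target"]) if r else None
    if sec == "O23":  # "Service: <name> - <company> - <path>"
        r = RE_SERVICE.match(body)
        if not r or " - " not in r["rest"]:
            return None
        head, path = r["rest"].rsplit(" - ", 1)
        return Entry(sec, "Service", head.split(" - ", 1)[0], path)
    r = RE_CLSID_ITEM.match(body)  # O2, O9, O18, O22: "<kind>: <name> - {CLSID} - <target>"
    return Entry(sec, r["kind"], r["name"], r["target"]) if r else None


def assess(e: Entry) -> Entry:
    """Attach triage flags in place; an empty list means nothing stood out."""
    t = e.target.lower()
    if t == "(no file)":
        e.flags.append("orphan: registry entry points at a file that no longer exists")
    elif e.section == "O16":
        e.flags.append("dpf: ActiveX control fetched from the web, remove if not needed")
    elif not t.startswith(TRUSTED_ROOTS):
        e.flags.append("location: runs from outside Program Files / Windows")
    return e


def triage(log_text: str) -> list:
    """Parse every line of a log and return only the entries that carry a flag."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and assess(e).flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:<4} {e.name!r:<22} {e.target}\n     -> {'; '.join(e.flags)}")
```

Running it against the sample prints four hits: the unnamed BHO and the linkscanner protocol handler (both "(no file)"), the WScanCtl DPF control, and the invented autorun under Documents and Settings; the Acrobat, QuickTime, DVDSentry, Office, Spybot and Bonjour entries come back clean, which matches how the helper treated them in this thread. An orphaned "(no file)" entry is clutter rather than an active infection, so fixing it tidies the system but is not what stops a reinfection.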
Continuous infection with XP antivirus 2010
dsardone replied to dsardone's topic in Resolved Malware Removal Logs
Hi! Thanks so much for your prompt response. I disabled TeaTimer and here are the logs that you requested.

ComboFix 10-04-01.02 - Bandlady 04/02/2010 18:50:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.766 [GMT -4:00]
Running from: c:\documents and settings\Bandlady\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Bandlady\Local Settings\Application Data\{C9E9E8EE-7AA3-4586-9C26-6B96AA3FA099}
c:\documents and settings\Bandlady\Local Settings\Application Data\{C9E9E8EE-7AA3-4586-9C26-6B96AA3FA099}\chrome.manifest
c:\documents and settings\Bandlady\Local Settings\Application Data\{C9E9E8EE-7AA3-4586-9C26-6B96AA3FA099}\chrome\content\_cfg.js
c:\documents and settings\Bandlady\Local Settings\Application Data\{C9E9E8EE-7AA3-4586-9C26-6B96AA3FA099}\chrome\content\overlay.xul
c:\documents and settings\Bandlady\Local Settings\Application Data\{C9E9E8EE-7AA3-4586-9C26-6B96AA3FA099}\install.rdf
c:\windows\AppPatch\AcAdProc.dll
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\dirty_dishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\foodtray.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\heart3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\menu_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\menu_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\mop_prop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\accessories\ticket.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a3.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a4.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\music\mainmenumusic.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\baby_cry.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\chef_cook1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\closing_time.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\customer_ditch.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_up.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\drink_table.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\expert.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_deliver.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\keystroke2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\level_lose.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\level_win.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\menu_click.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\menu_rollover.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\mop_pickup.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\mop_spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_bring_check_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_deliver_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dropoff_drinks_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_food_ready_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_gain_heart_1.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_get_drinks_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_menu_down.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_party_arrive_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_pencil_write_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_pickup_food_1_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_seat_people_snd.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\spill.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\table_drink.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\audio\sfx\tip_2.ogg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\flo_lose.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\flo_win.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\fullscreendialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\high_score_menu_bg.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelintro.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelintro.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\levelover.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\longdialog.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\longdialog.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\mainmenu.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\mainmenu_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\popup.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\popup.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\textfield.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\backgrounds\upgrade_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowdown_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\arrowup_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_rotated_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\checkbox_rotated_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_highlight.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_normal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\decor_selected.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_large_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a_small_3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\dialog_button_a3.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\left_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button1_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\main_menu_button2_mask.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\map_button_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\right_arrow_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_down.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_over.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\upgrade_up.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\buttons\welcome_player.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\actionpoints.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\career.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\customer.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\endless.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\global.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\config\powerups.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cook\stove.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\arrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\click.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\click2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\grab.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\cursor\open.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\dad_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\kid_male\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\baby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\baby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red_baby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\mom_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\anim.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\anim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\blue_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\legs.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\customers\young_female\red_legs.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\idle.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\idle.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\lower.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\lower.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\upper.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\flo\upper.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\fonts\mercurius.mvec
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\blue_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\chair.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\chair.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dirt2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dirt4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dishcart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\dishcart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\green_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchair_prop_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchair_prop_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchairbaby.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\highchairbaby.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\luxury_bench.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\luxury_bench.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\mop_station_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium_heart.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\podium_heart.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\purple_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\radio.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\red_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\spill.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\spill.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\stereo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\ticketstation.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\ticketstation.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\furniture\yellow_highchairbaby.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\family.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help_dividerline.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_colormatch1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_colormatch2.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_noise.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help1_score.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_cleardishes.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_givecheck.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_pickupfood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_servefood.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\help\help2_takeorder.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\hiscore\local-hs-bb.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\hiscore\p1icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_2.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_3.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_4.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_5.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\career_1_6.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_a.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_b.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\layouts\endless_1_1_c.bin
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\playfirstlogo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\background.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\blue.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\green.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\green.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\grey.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\chairs\red.pal
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\cup1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\food.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\food\food.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\frames\2_0.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\frames\2_1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\furniture\drinkstation1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\people\cook.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\people\cook.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\props\cup_prop1.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\2top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\2top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\4top.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\tables\4top.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_0.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrade_icons\cafe_icon_2_1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\cafe\upgrades.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\restaurants\tableshadow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\careerupgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\choosedifficulty.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\closeconfirm.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\entername.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\game.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\getmoregames.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\help1.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\help2.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscore.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscoreinfo.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\hiscoresubmit.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\levelintro.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\levelover.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\loading.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\mainloop.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\mainmenu.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\ok.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\pause.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\style.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\upgrade.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\upsell.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\scripts\yesno.lua
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\splash\aol_logo.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\splash\playfirst_logo.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\strings.xml
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\angersmoke.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\angersmoke.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_bubble.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_mop.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\bubbles\request_rejectmeal.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\chairflags.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\chairflags.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\check.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\checkmark.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\closed.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\coinflip.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\coinflip.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\decor_lines.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\dollar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\expert.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\foodpoof.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\foodpoof.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\heartgrow.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\heartgrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\jar.anm
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\jar.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\lives_icon.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\noisering.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_d.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_e.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\notes\music_boost_f.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tablenumber_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tablenumber_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\traynumber.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tutorialarrow.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\tutorialbox.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_base.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_hand.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_timer_off.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\ui_timer_on.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgradeanim.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_drink_station1_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_luxury_bench_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_oven_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_podium_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_powerbars_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_radio_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_stereo_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_a.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_b.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\ui\upgrades\icon_table_c.png
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd1.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd2.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd3.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\assets\upsell\dd4.jpg
c:\windows\Downloaded Program Files\DinerDash2.1.0.0.53\dinerdash2.exe
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\curity~1
c:\windows\system32\drivers\fad.sys

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.
2010-04-02 22:13 . 2010-04-02 22:13 388096 ----a-r- c:\documents and settings\Bandlady\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-02 22:13 . 2010-04-02 22:13 -------- d-----w- c:\program files\TrendMicro
2010-03-31 15:18 . 2010-03-31 15:18 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-28 00:24 . 2010-03-28 00:24 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-27 01:11 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-27 01:11 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 00:39 . 2010-03-27 00:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-11 13:18 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-02 22:30 . 2009-11-29 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-02 22:30 . 2009-06-02 17:05 -------- d-----w- c:\program files\AVG
2010-04-02 13:50 . 2010-02-25 15:19 0 ----a-w- c:\documents and settings\Bandlady\Local Settings\Application Data\prvlcl.dat
2010-04-01 02:26 . 2004-01-28 16:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-31 15:52 . 2004-07-14 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-31 15:21 . 2009-06-02 17:09 -------- d-----w- c:\program files\CCleaner
2010-03-31 15:18 . 2010-01-08 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 13:27 . 2004-01-28 16:57 -------- d-----w- c:\program files\Modem Helper
2010-01-29 12:57 . 2010-01-20 01:26 0 ----a-w- c:\windows\Mricahowil.bin
2010-01-29 12:57 . 2010-01-20 01:26 120 ----a-w- c:\windows\Gwudogisey.dat
2010-01-07 13:33 . 2009-06-30 13:03 38208 ----a-w- c:\documents and settings\Bandlady\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-07-10 14:51 289064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-05-27 14:50 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-02 16:59 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= S3 VAPSpy;VAPSpy;\??\c:\program files\Common Files\WinSoftware\VAPSpy.SYS --> c:\program files\Common Files\WinSoftware\VAPSpy.SYS [?] . Contents of the 'Scheduled Tasks' folder 2004-02-04 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 00:12] 2010-04-02 c:\windows\Tasks\User_Feed_Synchronization-{6C8CFF52-5244-4E20-9804-72B3CC883E3B}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.ask.com/?o=20011&l=dis uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s Trusted Zone: aol.com\free FF - ProfilePath - c:\documents and settings\Bandlady\Application Data\Mozilla\Firefox\Profiles\og4r9c14.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q= FF - plugin: c:\documents and settings\Bandlady\Application Data\Move Networks\plugins\npqmp071505000010.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - 
pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - ORPHANS REMOVED - - - - HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe Notify-avgrsstarter - avgrsstx.dll MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-02 18:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3672) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Dell AIO Printer A940\dlbabmon.exe . ************************************************************************** . 
Completion time: 2010-04-02 19:02:03 - machine was rebooted ComboFix-quarantined-files.txt 2010-04-02 23:02 Pre-Run: 99,973,595,136 bytes free Post-Run: 100,523,356,160 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn - - End Of File - - 5B74BE74CD86825F4BFFAC33461BAA8D Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 6:30:52 PM, on 4/2/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Dell AIO Printer A940\dlbabmon.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe C:\WINDOWS\System32\svchost.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=20011&l=dis R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe" O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: 
[ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1990b1125eb627...ip/RdxIE601.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.playfirst.com/play/game/dinerda...h2.1.0.0.67.cab O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab O18 - Protocol: linkscanner - 
{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file) O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE -- End of file - 6659 bytes -
Continuous infection with XP antivirus 2010
dsardone posted a topic in Resolved Malware Removal Logs
Hello, First of all thanks for any help/advice you can provide me. I am on my Dell desktop and have been infected with xp antivirus 2010 about 5 consecutive times. I am up to date with the latest Malwarebytes and have done scans to remove it each time. It will appear to be alright for a couple of days, until the virus returns again. Here are the logs that you have requested and again, thanks for your time and help. -Donna
-
I'm sorry, I realize I should be posting in my own thread and not someone else's. I will do that.
-
Hi there, Before I peruse the self-help guide for removing xp 2010, what would be your advice if Malwarebytes is not detecting xp 2010 at all? I had the virus in full force last week and was able to delete it, but I am still having symptoms when I Google search (sites are spam/hijacked, and my browser will turn into what appears to be a Windows Explorer folder, and crash. I think this is still the xp 2010 virus). Anyway, I updated MB today (I have the free version) and after 3 scans, still nothing comes up at all. Nor with my antivirus (AVG), Spybot or Ad-Aware. Would the next step be to download HijackThis? Thank you so much for your help.