
Chitka Malware, Big Red X in middle of browser, Advertise Today popups...



Hello. Five days ago I caught Chitka Malware; at the same time a red X one-quarter of an inch square began appearing in the middle of my browser page (it makes copying and pasting from text in the browser near the red X impossible), as did a popup in the lower right hand corner of my screen that says Advertise, and Today, and includes the text of recent searches I've made.

My browser also redirects one time in five or so when I click on a link. The red X disappears when I click

I've run Malwarebytes Anti-Malware Pro but it detects none of these things. Nor does my copy of AVG Free. Smart Popup Blocker does not stop any of these things. Simple AdBlock sometimes removes the Chitka popup, and sometimes it doesn't.

Here are the DDS.txt and ATTACH.txt as requested on the page http://forums.malwarebytes.org//index.php?showtopic=9573, titled "I'm infected. What Do I Do Now?"

Thank you for any help you can give me. S. and B. Schirmer

DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33

Run by newjohndoe at 2:29:31 on 2013-04-28

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.1132 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ================

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe

C:\Program Files\Common Files\Nuance\dgnsvc.exe

C:\ASUS.SYS\config\DVMExportService.exe

P:\Program Files\Java\bin\jqs.exe

e:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

e:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe

e:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\alg.exe

\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe

\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\ASUS\TurboV EVO\TurboVHelp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ASUS\TurboV EVO\TurboV_EVO.exe

C:\Program Files\ASUS\Six Engine\SixEngine.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\QFan3\QFanHelp.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\WINDOWS\diskediag.exe

C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\WINDOWS\stidraw32.exe

C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

P:\Program Files\WinZip\WZQKPICK32.EXE

E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Microsoft Works\msworks.exe

C:\Program Files\Microsoft Works\wkswp.exe

C:\Program Files\Microsoft Works\wkgdcach.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Works\WksWP.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

C:\WINDOWS\notepad.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Works\WksWP.exe

C:\Program Files\Microsoft Works\WksWP.exe

C:\Program Files\Microsoft Works\WksWP.exe

C:\Program Files\Microsoft Works\WksWP.exe

P:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe

E:\Program Files\wbridge5\Wbridge5.exe

P:\Chrome\Application\chrome.exe

P:\Chrome\Application\chrome.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uSearch Page = hxxp://www.google.com

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>

uURLSearchHooks: SearchHook Class: {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} -

dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll

BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - p:\program files\java\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

BHO: SpeedBit Link Verification Helper: {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - p:\program files\downloadaccelplus\LinkVerifier.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - p:\program files\java\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - p:\program files\java\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SimpleAdblock Class: {FFCB3198-32F3-4E8B-9539-4324694ED664} - c:\program files\common files\simple adblock\SimpleAdblock.dll

TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

uRun: [iSUSPM] c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe -scheduler

mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1

mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe

mRun: [TurboV Help] "c:\program files\asus\turbov evo\TurboVHelp.exe"

mRun: [TurboV EVO] "c:\program files\asus\turbov evo\TurboV_EVO.exe" -b

mRun: [six Engine] "c:\program files\asus\six engine\SixEngine.exe" -b

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [QFan Help] "c:\program files\qfan3\QFanHelp.exe"

mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe

mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"

mRun: [QuickTime Task] "p:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [MemoryMangerExi] c:\windows\diskediag.exe

mRun: [bCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"

mRun: [DNS7reminder] "p:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini"

mRun: [startCCC] "p:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRunOnce: [Z1] cmd /c "e:\program files\mbar\mbar.exe" /cleanup /s

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - p:\program files\winzip\WZQKPICK32.EXE

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1

mPolicies-Explorer: NoDriveTypeAutoRun = dword:145

IE: &Download with &DAP - p:\program files\downloadaccelplus\dapextie.htm

IE: &Verify with DAP - p:\program files\downloadaccelplus\dapverify.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download &all with DAP - p:\program files\downloadaccelplus\dapextie2.htm

IE: Search the Web - c:\program files\sweetim\toolbars\internet explorer\resources\menuext.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{5F2F77E2-A052-4406-9D10-E8F4DF4223CC} : DHCPNameServer = 192.168.1.254

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\newjohndoe\application data\mozilla\firefox\profiles\p5n82ypw.default\

FF - prefs.js: browser.search.selectedEngine - Search

FF - prefs.js: browser.startup.homepage - www.google.com

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\14.2.0\npsitesafety.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_146.dll

FF - plugin: c:\windows\system32\npdeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - plugin: e:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL

FF - plugin: e:\program files\google\picasa3\npPicasa3.dll

FF - plugin: p:\program files\java\bin\plugin2\npjp2.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin2.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin3.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin4.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin5.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin6.dll

FF - plugin: p:\program files\quicktime\plugins\npqtplugin7.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]

R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [2010-8-6 257064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 255968]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 297168]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-2-13 33112]

R2 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.05\AsSysCtrlService.exe [2011-3-5 109056]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-26 223464]

R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2011-6-4 296808]

R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [2009-7-17 319488]

R2 MBAMScheduler;MBAMScheduler;e:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-9-12 418376]

R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-14 701512]

R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-3-1 968880]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-7 22856]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-27 40776]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-4-26 64904]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-4-26 146568]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-3-5 2127728]

S2 5613;5613;\??\c:\docume~1\newjoh~1\locals~1\temp\5613.sys --> c:\docume~1\newjoh~1\locals~1\temp\5613.sys [?]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 167264]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [2011-3-14 11264]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-4-27 35144]

S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\sony\sound organizer\sony.earth\PACSPTISVR.exe [2010-11-19 157024]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2013-04-28 02:46:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-04-28 02:38:07 143688 ----a-w- c:\windows\system32\drivers\6FC03202.sys

2013-04-28 02:20:20 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2013-04-26 02:00:45 -------- d-----w- c:\program files\MSXML 4.0

2013-04-24 21:03:42 -------- d-----w- C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3

2013-04-22 06:47:34 -------- d-----w- c:\documents and settings\newjohndoe\application data\JAM Software

2013-04-19 12:52:23 275696 ----a-w- c:\windows\system32\mucltui.dll

2013-04-19 12:52:23 214256 ----a-w- c:\windows\system32\muweb.dll

2013-04-19 12:52:23 17136 ----a-w- c:\windows\system32\mucltui.dll.mui

2013-04-19 12:45:38 -------- d-----w- c:\documents and settings\all users\application data\MFAData

2013-04-19 07:55:41 -------- d-----w- c:\documents and settings\newjohndoe\local settings\application data\Google

2013-04-19 06:59:27 -------- d-----w- c:\documents and settings\all users\application data\Sony Corporation

2013-04-19 06:44:12 -------- d-----w- c:\documents and settings\newjohndoe\application data\Nuance

2013-04-19 06:21:14 -------- d-----w- c:\documents and settings\newjohndoe\application data\FLEXnet

2013-04-19 06:19:08 -------- d-----w- c:\program files\common files\IVA

2013-04-19 06:18:54 -------- d-----w- c:\program files\common files\Nuance

2013-04-19 06:16:39 -------- d-----w- c:\windows\Speech

2013-04-19 06:16:39 -------- d-----w- c:\documents and settings\all users\application data\Nuance

2013-04-19 04:06:22 -------- d--h--w- C:\$AVG

2013-04-19 03:43:25 -------- d--h--w- c:\documents and settings\newjohndoe\local settings\application data\PCHealth

2013-04-19 03:38:59 -------- d-----w- c:\program files\msn gaming zone

2013-04-19 03:16:50 -------- d-----w- c:\documents and settings\all users\application data\AVG10

2013-04-01 06:20:47 409600 ----a-w- c:\windows\system32\wrap_oal.dll

2013-04-01 06:20:47 114688 ----a-w- c:\windows\system32\OpenAL32.dll

2013-04-01 06:20:47 -------- d-----w- c:\program files\OpenAL

2013-04-01 06:04:54 -------- d-sh--w- c:\windows\system32\AI_RecycleBin

2013-04-01 06:04:08 -------- d-sh--w- C:\AI_RecycleBin

2013-04-01 06:04:02 -------- d--h--w- c:\documents and settings\newjohndoe\application data\Strongvault

.

==================== Find3M ====================

.

2013-04-11 17:56:48 71192 ----a-w- c:\windows\system32\atimpc32.dll

2013-04-11 17:56:48 71192 ----a-w- c:\windows\system32\amdpcom32.dll

2013-04-11 17:54:48 6850048 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2013-04-11 17:45:58 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll

2013-04-11 17:44:52 306176 ----a-w- c:\windows\system32\ati2dvag.dll

2013-04-11 17:22:50 212992 ----a-w- c:\windows\system32\atipdlxx.dll

2013-04-11 17:22:38 163840 ----a-w- c:\windows\system32\Oemdspif.dll

2013-04-11 17:22:30 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2013-04-11 17:22:22 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2013-04-11 17:22:10 192512 ----a-w- c:\windows\system32\ati2evxx.dll

2013-04-11 17:20:52 643072 ----a-w- c:\windows\system32\ati2evxx.exe

2013-04-11 17:19:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2013-04-11 17:05:46 4844064 ----a-w- c:\windows\system32\ati3duag.dll

2013-04-11 16:49:06 18964480 ----a-w- c:\windows\system32\atioglxx.dll

2013-04-11 16:43:58 2380672 ----a-w- c:\windows\system32\ativvaxx.dll

2013-04-11 16:43:02 307200 ----a-w- c:\windows\system32\atiiiexx.dll

2013-04-11 16:27:58 163840 ----a-w- c:\windows\system32\atiapfxx.exe

2013-04-11 16:23:36 929792 ----a-w- c:\windows\system32\atikvmag.dll

2013-04-11 16:18:52 245760 ----a-w- c:\windows\system32\atiadlxx.dll

2013-04-11 16:18:32 17408 ----a-w- c:\windows\system32\atitvo32.dll

2013-04-11 16:17:48 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2013-04-11 16:15:54 495616 ----a-w- c:\windows\system32\atiok3x2.dll

2013-04-11 16:13:08 663552 ----a-w- c:\windows\system32\ati2cqag.dll

2013-04-04 18:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 15:13:14 71024 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-08 15:13:14 691568 -c--a-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 03:12:59 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

2013-03-02 01:25:02 1867264 ----a-w- c:\windows\system32\win32k.sys

2013-02-27 07:56:51 2067456 ----a-w- c:\windows\system32\mstscax.dll

2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys

2010-03-25 15:02:12 3782272 ----a-w- c:\program files\AiSuite.exe

2010-01-10 02:55:16 811648 -c--a-w- c:\program files\RegSchdTask.exe

2009-12-29 01:19:28 461440 ----a-w- c:\program files\CpuLevelUpHook64.exe

2009-12-29 01:19:26 326272 ----a-w- c:\program files\CpuLevelUpHook32.exe

2009-12-29 01:19:24 589440 -c--a-w- c:\program files\CpuLevelUpHookLaunch.exe

2009-12-29 01:19:22 887936 ----a-w- c:\program files\CpuLevelUpHelp.exe

2009-06-29 20:25:36 69632 ----a-w- c:\program files\AsAcpi.dll

2009-01-23 00:44:28 876 -c--a-w- c:\program files\asus.reg

2009-01-23 00:44:28 292 -c--a-w- c:\program files\epu.reg

2008-01-28 16:58:18 57344 ----a-w- c:\program files\AsInsHelp.dll

2007-10-11 18:51:00 53248 -c--a-w- c:\program files\HookKey32.dll

2007-10-11 18:50:56 48128 -c--a-w- c:\program files\HookKey64.dll

2007-08-08 14:48:42 69632 -c--a-w- c:\program files\HookKey.dll

2005-09-09 21:31:12 40960 ----a-w- c:\program files\AsUninsHlp.dll

.

============= FINISH: 2:30:10.23 ===============

ATTACH.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 3/5/2011 5:54:41 AM

System Uptime: 4/27/2013 10:39:56 PM (4 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P7P55D-E PRO

Processor: Intel® Core i5 CPU 750 @ 2.67GHz | LGA1156 | 2675/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 20 GiB total, 0.943 GiB free.

D: is CDROM ()

E: is FIXED (NTFS) - 98 GiB total, 38.98 GiB free.

P: is FIXED (NTFS) - 293 GiB total, 203.052 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP759: 4/26/2013 5:43:40 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Digital Editions 2.0

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.1)

AI Suite

Amazing Slow Downer (remove only)

AMD Catalyst Install Manager

Amnesia - The Dark Descent Demo

Apple Software Update

ASUS VGA Driver

ATI AVIVO Codecs

ATI Catalyst Registration

ATI Stream SDK v2 Developer

Audacity 2.0.2

AVG 2011

Batman: Arkham Asylum - Demo

Bing Bar Platform

Browser Configuration Utility

Canon MX330 series MP Drivers

Canon Utilities Easy-PhotoPrint EX

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

ccc-utility

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

CCleaner

Comic Seer

Company of Heroes Singleplayer Demo

Compatibility Pack for the 2007 Office system

Digital Voice Editor 3

DivX Setup

Download Accelerator Plus (DAP)

Dragon NaturallySpeaking 11

EPU-6 Engine

ERValue5.0

Express Gate

Fallout 3

Google Chrome

Google Earth Plug-in

Google Update Helper

Half-Life 2

Half-Life 2: Episode One

Half-Life 2: Episode Two

HEED 4 build 22 version 12.02.28

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB954550-v5)

HVAC-Calc Residential

Java 6 Update 33

JMicron JMB36X Driver

K-Lite Mega Codec Pack 9.3.0

Left 4 Dead

Left 4 Dead 2

Malwarebytes Anti-Malware version 1.75.0.1300

marvell 91xx driver

Mass Effect 2 Demo

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Default Manager

Microsoft Halo Trial

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

Microsoft Works 6.0

Microsoft Works and Money 2002 Setup Launcher

Mozilla Firefox 20.0.1 (x86 en-US)

MSN

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

MSXML 6 Service Pack 2 (KB973686)

Nero OEM

NVIDIA PhysX

OpenAL

PC Probe II

Penumbra Episode 1 Demo

Picasa 3

Platform

Portal

QuickTime

REALTEK GbE & FE Ethernet PCI-E NIC Driver

Renesas Electronics USB 3.0 Host Controller Driver

REScheck 4.4.3.0 (Current User)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB2647516)

Security Update for Windows Internet Explorer 8 (KB2675157)

Security Update for Windows Internet Explorer 8 (KB2699988)

Security Update for Windows Internet Explorer 8 (KB2722913)

Security Update for Windows Internet Explorer 8 (KB2744842)

Security Update for Windows Internet Explorer 8 (KB2792100)

Security Update for Windows Internet Explorer 8 (KB2797052)

Security Update for Windows Internet Explorer 8 (KB2799329)

Security Update for Windows Internet Explorer 8 (KB2809289)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Simple Adblock

Sony Player Plug-in for Windows Media Player

Sound Organizer

Steam

Team Fortress 2

The Walking Dead

TreeSize Free V2.7

TurboV EVO

Unlocker 1.9.1

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB976662)

VC80CRTRedist - 8.0.50727.6195

VIA Platform Device Manager

Visual C++ 9.0 Runtime for Dragon NaturallySpeaking

Wbridge5 4.9

WebFldrs XP

Windows Imaging Component

Windows Internet Explorer 8

Windows Live ID Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player Firefox Plugin

Windows Presentation Foundation

Windows XP Service Pack 3

WinRAR 4.20 (32-bit)

WinZip 16.5

Works Suite OS Pack

XML Paper Specification Shared Components Pack 1.0

Youtube Downloader HD v. 2.9.5

.

==== Event Viewer Messages From Past Week ========

.

4/27/2013 10:40:36 PM, error: Service Control Manager [7000] - The SeaPort service failed to start due to the following error: The system cannot find the path specified.

4/27/2013 10:38:18 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.

4/26/2013 5:51:07 PM, error: Service Control Manager [7000] - The 5613 service failed to start due to the following error: The system cannot find the file specified.

4/26/2013 5:49:32 PM, error: Service Control Manager [7034] - The vToolbarUpdater14.2.0 service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================


  • Staff

Hello ShawnSchirmer

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator" to start
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller

Gringo


Thanks very much for the help, Gringo. Here are the three files you requested:

*****THIS IS THE CHECKUP.TXT*****

Results of screen317's Security Check version 0.99.63

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

AVG 2011

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.75.0.1300

CCleaner

Java 6 Update 33

Java version out of Date!

Adobe Flash Player 11.5.502.146

Adobe Reader 10.1.1 Adobe Reader out of Date!

Mozilla Firefox (20.0.1)

````````Process Check: objlist.exe by Laurent````````

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:: 40% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log``````````````````````

******THIS IS THE ADWCLEANER TXT*****

# AdwCleaner v2.300 - Logfile created 04/28/2013 at 18:48:40

# Updated 28/04/2013 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : newjohndoe - JOHNDOENEW

# Boot Mode : Normal

# Running from : P:\Temp Internet Files mved 42013 from C\Temporary Internet Files\Content.IE5\WGSNKGY4\adwcleaner[1].exe

# Option [Delete]

***** [Services] *****

Stopped & Deleted : vToolbarUpdater14.2.0

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\DeviceVM

Folder Deleted : C:\Program Files\Common Files\AVG Secure Search

***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7

Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Documents and Settings\newjohndoe\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v [unable to get version]

File : C:\Documents and Settings\newjohndoe\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [20769 octets] - [26/04/2013 00:40:06]

AdwCleaner[R2].txt - [20795 octets] - [26/04/2013 00:50:53]

AdwCleaner[R3].txt - [2135 octets] - [28/04/2013 18:47:55]

AdwCleaner[S1].txt - [347 octets] - [24/04/2013 23:41:40]

AdwCleaner[S2].txt - [355 octets] - [26/04/2013 00:43:58]

AdwCleaner[S3].txt - [21347 octets] - [26/04/2013 00:51:03]

AdwCleaner[S4].txt - [2093 octets] - [28/04/2013 18:48:40]

########## EOF - C:\AdwCleaner[S4].txt - [2153 octets] ##########

*****THIS IS THE ROGUEKILLER TXT*****

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : newjohndoe [Admin rights]

Mode : Remove -- Date : 04/28/2013 19:02:59

| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤

[SUSP PATH] diskediag.exe -- C:\WINDOWS\diskediag.exe [-] -> KILLED [TermProc]

[SUSP PATH] stidraw32.exe -- C:\WINDOWS\stidraw32.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤

[RUN][SUSP PATH] HKLM\[...]\Run : MemoryMangerExi (C:\WINDOWS\diskediag.exe) [-] -> DELETED

[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\5613 (C:\Documents and Settings\newjohndoe\Local Settings\Temp\5613.sys) -> DELETED

[Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\5613 (C:\Documents and Settings\newjohndoe\Local Settings\Temp\5613.sys) -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : atapi.sys -> HOOKED ([INLINE] atapi.sys @ 0xF72E3852)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000528AS +++++

--- User ---

[MBR] aa291ed75f5e158f3149d4d066f0d384

[BSP] 08131a3dc49e771a00a481a554d2c356 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 20002 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 40965750 | Size: 99998 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 245762370 | Size: 300002 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_04282013_02d1902.txt >>

RKreport[1]_S_04282013_02d1902.txt ; RKreport[2]_D_04282013_02d1902.txt



Hello ShawnSchirmer

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


Sad to say, ComboFix won't complete its run.

When, as instructed, I download ComboFix, after some useful looking activity I get an Error message, "You cannot rename ComboFix as ComboFix[1] Please use another name, preferably made up of alphanumeric characters." When I click OK, everything vanishes. There is no form of ComboFix anywhere except Prefetch. I deleted everything related to ComboFix, downloaded again (I tried from each of the three sites and got the same result each time).

I also get this message box, but I don't know whether it relates to ComboFix. It reads, "RUNDLL An exception occurred while trying to run "Shell32.dll,Control_RunDLL wscui.cpi"

My computer is behaving much better, though. Everything that was wrong, that I described in my initial post, is gone in the testing I've done in IE and in Chrome. However, a minor problem, which I didn't note what with all the major ones, persists: When I type www.google.com into my browser, or try to execute any sort of google search, I get a 403 Forbidden page.

Also, I wondered about the redirects I was getting last night, and saw references in my search for answers to a file called C:\WINDOWS\system32\drivers\etc\hosts. Some sites referred to a localhost and associated number, but said file also includes

For example:

#

# 102.54.94.97 rhino.acme.com # source server

# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

::1 localhost

--Is it possible those examples are what was causing the redirects, and should I be alert for that kind of thing in the future?

Thanks very much.

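A hosts file is read by the resolver before DNS, so an active line there can silently send a name to a different address; lines beginning with "#" are comments and are never consulted, and the two acme.com lines quoted above are the sample entries shipped in the stock Windows hosts file. As an added example, not part of the thread or of any of the tools used in it, the script below parses a hosts file the way the resolver does and flags every active entry that is not the default loopback mapping, which is the check a helper runs when a hosts-file hijack is suspected; the sample file it reads is constructed, and the www.google.com line in it is an invented illustration pointing at a documentation-only address.

```python
import ipaddress

# Constructed sample: the commented lines the poster quoted, the two loopback
# lines the RogueKiller log shows, plus one constructed hijack line of the kind
# a redirecting infection adds (198.51.100.0/24 is a reserved documentation range).
SAMPLE_HOSTS = """\
# (constructed) stock-style hosts file header comment
#
# 102.54.94.97     rhino.acme.com          # source server
#  38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com  # constructed hijack example
"""

# Names that are expected to resolve to a loopback address.
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, [hostnames], line_no) for every active line.

    Mirrors resolver behaviour: everything from '#' to end of line is a
    comment, blank lines are skipped, fields are whitespace separated, and an
    address with no names following it maps nothing.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((fields[0], fields[1:], line_no))
    return entries


def audit_hosts(text):
    """Return (line_no, ip, names, reason) for entries that deserve a look.

    A loopback address (127.0.0.0/8 or ::1) mapped only to 'localhost' is the
    default and is ignored. Any other active entry either redirects a name to
    a chosen address (redirect-style hijack) or pins a name to loopback
    (used to block, for example, security vendors' update sites).
    """
    findings = []
    for ip, names, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, names, "unparseable address"))
            continue
        if addr.is_loopback and set(names) <= LOOPBACK_NAMES:
            continue
        if addr.is_loopback:
            reason = "name pinned to loopback (blocks the site)"
        else:
            reason = "name redirected to %s" % ip
        findings.append((line_no, ip, names, reason))
    return findings


if __name__ == "__main__":
    # On a real machine read C:\WINDOWS\system32\drivers\etc\hosts instead.
    for line_no, ip, names, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (line_no, ", ".join(names), ip, reason))
```

Run against the sample, only the constructed www.google.com line is reported; the commented acme.com examples produce nothing because the resolver never reads them.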

Entirely my error. I did use IE, but from habit clicked "Run" instead of "Save". Small wonder it wasn't working as expected.

Since ComboFix seemed to run as intended I did a little surfing and none of the problems have appeared. The only thing recurring is the Forbidden 403 page I get in my Chrome browser when I type www.google.com in my Address bar or otherwise try to perform a Google search. When I try to access Google in IE, I get the similar "The website declined to show this webpage."

Is there any way to restore my Googling abilities?

*****HERE IS THE COMBOFIX LOG*****

ComboFix 13-04-28.01 - newjohndoe 04/29/2013 6:44.1.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2949 [GMT -4:00]

Running from: c:\documents and settings\newjohndoe\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\windows\system32\Cache

c:\windows\system32\Cache\26c630d098e22dd5.fb

c:\windows\system32\Cache\272512937d9e61a4.fb

c:\windows\system32\Cache\287204568329e189.fb

c:\windows\system32\Cache\28bc8f716fd76a47.fb

c:\windows\system32\Cache\2c53092c95605355.fb

c:\windows\system32\Cache\31a0997e9a5b5eb3.fb

c:\windows\system32\Cache\32c84fe32bb74d60.fb

c:\windows\system32\Cache\3917078cb68ec657.fb

c:\windows\system32\Cache\590ba23ce359fd0c.fb

c:\windows\system32\Cache\610289e025a3ee9a.fb

c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb

c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb

c:\windows\system32\Cache\6d03dad1035885d3.fb

c:\windows\system32\Cache\95f567698be8a182.fb

c:\windows\system32\Cache\969c7c5584517810.fb

c:\windows\system32\Cache\a8556537add6dfc5.fb

c:\windows\system32\Cache\ad10a52aff5e038d.fb

c:\windows\system32\Cache\c1fa887b03019701.fb

c:\windows\system32\Cache\c4d28dca2e7648be.fb

c:\windows\system32\Cache\d201ef9910cd39de.fb

c:\windows\system32\Cache\d2e94710a5708128.fb

c:\windows\system32\Cache\d5204683d96cdf5a.fb

c:\windows\system32\Cache\d5e28ee91f446e71.fb

c:\windows\system32\Cache\d79b9dfe81484ec4.fb

c:\windows\system32\Cache\dd3bee8933d96101.fb

c:\windows\system32\Cache\e0de16f883bea794.fb

c:\windows\system32\Cache\ed21d79c06a91f27.fb

c:\windows\system32\Cache\f998975c9cc711ee.fb

c:\windows\system32\ijl11.dll

c:\windows\system32\Memman.vxd

c:\windows\system32\SET466.tmp

c:\windows\system32\SET46B.tmp

c:\windows\system32\skinboxer43.dll

c:\windows\XSxS

P:\install.exe

p:\temp internet files mved 42013 from c\Temporary Internet Files\ab_392.tmp

.

.

((((((((((((((((((((((((( Files Created from 2013-03-28 to 2013-04-29 )))))))))))))))))))))))))))))))

.

.

2013-04-29 06:32 . 2013-04-29 06:32 562154 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2013-04-28 02:38 . 2013-04-28 02:38 143688 ---ha-w- c:\windows\system32\drivers\6FC03202.sys

2013-04-26 21:53 . 2013-04-26 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI

2013-04-26 02:00 . 2013-04-26 02:00 -------- d-----w- c:\program files\MSXML 4.0

2013-04-24 21:03 . 2013-04-24 21:03 -------- d-----w- C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3

2013-04-22 06:47 . 2013-04-22 06:47 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\JAM Software

2013-04-19 12:52 . 2012-06-02 19:18 275696 ---ha-w- c:\windows\system32\mucltui.dll

2013-04-19 12:52 . 2012-06-02 19:18 214256 ---ha-w- c:\windows\system32\muweb.dll

2013-04-19 12:45 . 2013-04-19 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2013-04-19 10:25 . 2013-04-19 10:25 -------- d-----w- c:\program files\Microsoft Silverlight

2013-04-19 07:55 . 2013-04-28 09:00 -------- d-----w- c:\documents and settings\newjohndoe\Local Settings\Application Data\Google

2013-04-19 06:59 . 2013-04-24 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

2013-04-19 06:44 . 2013-04-19 06:44 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\Nuance

2013-04-19 06:21 . 2013-04-19 06:21 -------- d-----w- c:\documents and settings\newjohndoe\Application Data\FLEXnet

2013-04-19 06:19 . 2013-04-19 06:19 -------- d-----w- c:\program files\Common Files\IVA

2013-04-19 06:18 . 2013-04-19 06:19 -------- d-----w- c:\program files\Common Files\Nuance

2013-04-19 06:16 . 2013-04-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2013-04-19 06:16 . 2013-04-19 06:20 -------- d-----w- c:\windows\Speech

2013-04-19 06:16 . 2013-04-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance

2013-04-19 04:06 . 2013-04-19 04:06 -------- d-----w- C:\$AVG

2013-04-19 03:43 . 2013-04-19 03:43 -------- d--h--w- c:\documents and settings\newjohndoe\Local Settings\Application Data\PCHealth

2013-04-19 03:16 . 2013-04-19 12:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10

2013-04-19 02:42 . 2013-04-19 02:42 -------- d-----w- c:\program files\Microsoft.NET

2013-04-01 06:20 . 2013-04-01 06:20 409600 ---ha-w- c:\windows\system32\wrap_oal.dll

2013-04-01 06:20 . 2013-04-01 06:20 114688 ---ha-w- c:\windows\system32\OpenAL32.dll

2013-04-01 06:20 . 2013-04-01 06:20 -------- d-----w- c:\program files\OpenAL

2013-04-01 06:04 . 2013-04-01 06:30 -------- d-sh--w- c:\windows\system32\AI_RecycleBin

2013-04-01 06:04 . 2013-04-01 06:30 -------- d-----w- C:\AI_RecycleBin

2013-04-01 06:04 . 2013-04-01 06:30 -------- d--h--w- c:\documents and settings\newjohndoe\Application Data\Strongvault

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-11 17:56 . 2011-03-06 07:28 71192 ---ha-w- c:\windows\system32\atimpc32.dll

2013-04-11 17:56 . 2011-03-06 07:28 71192 ---ha-w- c:\windows\system32\amdpcom32.dll

2013-04-11 17:54 . 2011-03-06 07:28 6850048 ---ha-w- c:\windows\system32\drivers\ati2mtag.sys

2013-04-11 17:45 . 2011-03-06 07:28 442368 ---ha-w- c:\windows\system32\ATIDEMGX.dll

2013-04-11 17:44 . 2011-03-06 07:28 306176 ---ha-w- c:\windows\system32\ati2dvag.dll

2013-04-11 17:22 . 2011-03-06 07:28 212992 ---ha-w- c:\windows\system32\atipdlxx.dll

2013-04-11 17:22 . 2011-03-06 07:28 163840 ---ha-w- c:\windows\system32\Oemdspif.dll

2013-04-11 17:22 . 2011-03-06 07:28 26112 ---ha-w- c:\windows\system32\Ati2mdxx.exe

2013-04-11 17:22 . 2011-03-06 07:28 43520 ---ha-w- c:\windows\system32\ati2edxx.dll

2013-04-11 17:22 . 2011-03-06 07:28 192512 ---ha-w- c:\windows\system32\ati2evxx.dll

2013-04-11 17:20 . 2011-03-06 07:28 643072 ---ha-w- c:\windows\system32\ati2evxx.exe

2013-04-11 17:19 . 2011-03-06 07:28 53248 ---ha-w- c:\windows\system32\ATIDDC.DLL

2013-04-11 17:05 . 2011-03-06 07:28 4844064 ---ha-w- c:\windows\system32\ati3duag.dll

2013-04-11 16:49 . 2011-03-06 07:28 18964480 ---ha-w- c:\windows\system32\atioglxx.dll

2013-04-11 16:43 . 2011-03-06 07:28 2380672 ---ha-w- c:\windows\system32\ativvaxx.dll

2013-04-11 16:43 . 2011-03-06 07:28 307200 ---ha-w- c:\windows\system32\atiiiexx.dll

2013-04-11 16:27 . 2011-03-06 07:28 163840 ---ha-w- c:\windows\system32\atiapfxx.exe

2013-04-11 16:23 . 2011-03-06 07:28 929792 ---ha-w- c:\windows\system32\atikvmag.dll

2013-04-11 16:18 . 2011-03-06 07:28 245760 ---ha-w- c:\windows\system32\atiadlxx.dll

2013-04-11 16:18 . 2011-03-06 07:28 17408 ---ha-w- c:\windows\system32\atitvo32.dll

2013-04-11 16:17 . 2011-03-06 07:28 53248 ---ha-w- c:\windows\system32\drivers\ati2erec.dll

2013-04-11 16:15 . 2011-03-06 07:28 495616 ---ha-w- c:\windows\system32\atiok3x2.dll

2013-04-11 16:13 . 2011-03-06 07:28 663552 ---ha-w- c:\windows\system32\ati2cqag.dll

2013-04-04 18:50 . 2011-03-07 07:58 22856 ---ha-w- c:\windows\system32\drivers\mbam.sys

2013-03-08 15:13 . 2012-04-13 02:10 691568 -c-ha-w- c:\windows\system32\FlashPlayerApp.exe

2013-03-08 15:13 . 2011-08-15 01:08 71024 -c-ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-08 08:36 . 2004-08-04 12:00 293376 ---ha-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32 . 2004-08-04 12:00 2149888 ---ha-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2004-08-03 22:59 2028544 ---ha-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 03:12 . 2013-02-13 05:18 33112 ---ha-w- c:\windows\system32\drivers\avgtpx86.sys

2013-03-02 01:25 . 2004-08-04 12:00 1867264 ---ha-w- c:\windows\system32\win32k.sys

2013-02-27 07:56 . 2011-03-05 10:50 2067456 ---ha-w- c:\windows\system32\mstscax.dll

2013-02-12 00:32 . 2008-04-13 18:56 12928 ---h--w- c:\windows\system32\drivers\usb8023x.sys

2013-02-12 00:32 . 2004-08-04 12:00 12928 ---ha-w- c:\windows\system32\drivers\usb8023.sys

2010-03-25 15:02 . 2011-03-13 23:57 3782272 ----a-w- c:\program files\AiSuite.exe

2010-01-10 02:55 . 2011-03-13 23:57 811648 -c--a-w- c:\program files\RegSchdTask.exe

2009-12-29 01:19 . 2011-03-13 23:57 461440 ----a-w- c:\program files\CpuLevelUpHook64.exe

2009-12-29 01:19 . 2011-03-13 23:57 326272 ----a-w- c:\program files\CpuLevelUpHook32.exe

2009-12-29 01:19 . 2011-03-13 23:57 589440 -c--a-w- c:\program files\CpuLevelUpHookLaunch.exe

2009-12-29 01:19 . 2011-03-13 23:57 887936 ----a-w- c:\program files\CpuLevelUpHelp.exe

2009-06-29 20:25 . 2011-03-13 23:57 69632 ----a-w- c:\program files\AsAcpi.dll

2009-01-23 00:44 . 2011-03-13 23:57 876 -c--a-w- c:\program files\asus.reg

2009-01-23 00:44 . 2011-03-13 23:57 292 -c--a-w- c:\program files\epu.reg

2008-01-28 16:58 . 2011-03-13 23:57 57344 ----a-w- c:\program files\AsInsHelp.dll

2007-10-11 18:51 . 2011-03-13 23:57 53248 -c--a-w- c:\program files\HookKey32.dll

2007-10-11 18:50 . 2011-03-13 23:57 48128 -c--a-w- c:\program files\HookKey64.dll

2007-08-08 14:48 . 2011-03-13 23:57 69632 -c--a-w- c:\program files\HookKey.dll

2005-09-09 21:31 . 2011-03-13 23:57 40960 ----a-w- c:\program files\AsUninsHlp.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{D5974A72-C81C-4DC3-BE77-A8A7BBC8864E}]

2012-10-13 13:00 431784 ----a-w- p:\program files\DownloadAccelPlus\LinkVerifier.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-04 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 40983152]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]

"TurboV Help"="c:\program files\ASUS\TurboV EVO\TurboVHelp.exe" [2010-07-07 1089664]

"TurboV EVO"="c:\program files\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-07 9936000]

"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2009-11-27 7274496]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]

"QFan Help"="c:\program files\QFan3\QFanHelp.exe" [2010-03-25 611968]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

"QuickTime Task"="p:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]

"DNS7reminder"="p:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]

"StartCCC"="p:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-04-11 98304]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

WinZip Quick Pick.lnk - p:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]

2010-03-24 21:26 243544 ----a-w- c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeFlashPlayerUpdateSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\Binaries\\MassEffect2.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\MassEffect2Launcher.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\batman arkham asylum - demo\\Binaries\\ShippingPC-BmGame.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\Company of Heroes SP Demo\\RelicCOH.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\the walking dead\\WalkingDead101.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51001:TCP"= 51001:TCP:Dragon Smart Phone Server

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [8/6/2010 4:53 AM 257064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 255968]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/13/2013 1:18 AM 33112]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

R2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 2:16 PM 223464]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [6/4/2011 10:12 AM 296808]

R2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [7/17/2009 4:25 PM 319488]

R2 MBAMScheduler;MBAMScheduler;e:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 4:38 PM 418376]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/14/2011 3:51 PM 701512]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2011 3:58 AM 22856]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [4/26/2010 9:27 PM 64904]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [4/26/2010 9:28 PM 146568]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/5/2011 7:05 AM 2127728]

S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [3/5/2011 7:09 AM 109056]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:38 PM 167264]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [3/14/2011 4:31 AM 11264]

S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [11/19/2010 1:18 PM 157024]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ixquick.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download with &DAP - p:\program files\DownloadAccelPlus\dapextie.htm

IE: &Verify with DAP - p:\program files\DownloadAccelPlus\dapverify.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download &all with DAP - p:\program files\DownloadAccelPlus\dapextie2.htm

IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKLM-Run-Microsoft Default Manager - c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe

HKLM-Run-BCU - c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe

AddRemove-Google Chrome - c:\documents and settings\newjohndoe\Local Settings\Application Data\Google\Chrome\Application\26.0.1410.64\Installer\setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-04-29 06:46

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(840)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

Completion time: 2013-04-29 06:52:27

ComboFix-quarantined-files.txt 2013-04-29 10:52

.

Pre-Run: 1,192,620,032 bytes free

Post-Run: 1,556,254,720 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 27D65BCF78D97BED67B1FF9FFE5C47BA

*************************************************************************

Gringo, if you have time (I don't know if extraneous questions are welcome in this context),

1. I notice that since I bought Malwarebytes PRO yesterday, there's now a large file, of roughly 100MB, under "Processes" in "Windows Task Manager" (whereas before buying the license, it only appeared when I was actively running Malwarebytes). Does that mean Malwarebytes is now always running in the background?

2. Assuming things are reasonably well healed, can I simply repeat the steps you've been kind enough to advise me to try in the future, when I catch malware or adware AVG or Malwarebytes can't get rid of?

3. Can you refer me to a book or website that will enable me to learn more about fixing computers when this kind of thing happens?

Thank you,

Shawn



Hello

1. If you bought Malwarebytes PRO then it is always running but not actively scanning.

2. This is not a good idea - the programs that we use are not supported in the commercial sense, meaning if something goes wrong you will find it harder to get support.

3. They have a school here to learn about removing malware - but you will find a lot of great information in the forums, you just need to weed it out a little and start following some of the techs - you will learn who the real good ones are.

first I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737

Then I want you to do the following

  • Start Internet Explorer.
  • click on "safety"
  • click on "Delete Browsing History"
  • make sure all boxes are checked
  • click on "Delete"
  • click on "Tools",
  • click "Internet Options".
  • On the "Advanced" tab, click "Reset"
  • put a check mark next to "Delete Personal Settings"
  • click "Reset" to confirm
  • when complete click the "Close" button
  • restart IE

Gringo


Pardon my confusion, but as I read your directions, it says go to the linked website, THEN open IE. What browser should I open the linked page in prior to opening IE? Also, fwiw, when I open IE there's no 'Safety' button I'm aware of. Some sites consider that synonymous with InPrivate Browsing, but some don't.

Also, at what point do I run or save the Microsoft Fixit program that appears when I click on the Fixit button in the linked page?


  • Staff

Pardon my confusion but as I read your directions, it says go to the linked website, THEN open IE. - You can go to the Fixit page in any browser you want; when you get there, click on the button, follow the prompts and run what it asks you.

What browser should I open the linked page in prior to opening IE? - Use whichever one you want; if IE happens to be the one you use then you do not have to open another one.

Also, fwiw, when I open IE there's no 'safety' button I'm aware of. Some sites consider that synonymous with InPrivate Browsing, but some don't. - In the same area where it has the InPrivate Browsing you will also see the Delete Browsing History.

Gringo


  • Staff

Hello ShawnSchirmer

At this time I would like you to run this script for me; it is also a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\documents and settings\newjohndoe\Application Data\Strongvault

DDS::
IE: Search the Web - c:\program files\SweetIM\Toolbars\Internet Explorer\resources\menuext.html

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  1. report from Combofix
  2. let me know of any problems you may have had
  3. How is the computer doing now after running the script?

Gringo

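The ComboFix report Gringo asks for (posted in the reply that follows) lists recently created files one per line in a fixed column layout: creation time, last-write time, size (dashes for a directory), an attribute string, and the path. The script below is an added example for readers of this thread; it is not part of the thread, of ComboFix, or of Malwarebytes' own tooling. It parses lines in that layout and lists drivers under system32\drivers created shortly before the scan, noting names that consist only of hex digits and files whose creation and last-write times are identical (written in place rather than copied from an older build), since both are common reasons a helper asks for a closer look at a file rather than proof of anything. The sample lines are constructed from the report in this thread; the 14-day window, the scan date argument and the two heuristics are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: five lines taken from the "Files Created" and "Find3M"
# sections of the ComboFix report in this thread. Real reports separate the
# columns with tabs; the parser accepts tabs or runs of spaces, because copied
# reports (such as the HTML-mangled one on this page) often lose the tabs.
SAMPLE_LOG = """\
2013-04-28 02:38 . 2013-04-28 02:38\t143688\t----a-w-\tc:\\windows\\system32\\drivers\\6FC03202.sys
2013-04-26 21:53 . 2013-04-26 21:53\t--------\td-----w-\tc:\\documents and settings\\All Users\\Application Data\\ATI
2013-04-19 12:52 . 2012-06-02 19:18\t275696\t----a-w-\tc:\\windows\\system32\\mucltui.dll
2013-04-04 18:50 . 2011-03-07 07:58\t22856\t----a-w-\tc:\\windows\\system32\\drivers\\mbam.sys
2013-03-02 03:12 . 2013-02-13 05:18\t33112\t----a-w-\tc:\\windows\\system32\\drivers\\avgtpx86.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>.+?)\s*$"
)
TIME_FMT = "%Y-%m-%d %H:%M"
HEX_STEM = re.compile(r"^[0-9a-f]{6,}$")  # applied to the lower-cased file stem


@dataclass
class Entry:
    created: datetime      # first timestamp column
    written: datetime      # second timestamp column (last write)
    size: Optional[int]    # None where the report prints dashes (directories)
    attrs: str             # e.g. "----a-w-" for a file, "d-----w-" for a directory
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that follows the file-listing layout; skip headers and separators."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(
            created=datetime.strptime(m["created"], TIME_FMT),
            written=datetime.strptime(m["written"], TIME_FMT),
            size=size,
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def triage_drivers(entries: List[Entry], scan_date: str,
                   window_days: int = 14) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for drivers under system32\\drivers created within
    window_days before scan_date (YYYY-MM-DD). Window and heuristics are this
    example's assumptions, not anything ComboFix itself reports."""
    cutoff = datetime.strptime(scan_date, "%Y-%m-%d") - timedelta(days=window_days)
    findings: List[Tuple[str, List[str]]] = []
    for e in entries:
        if e.is_dir or "\\system32\\drivers\\" not in e.path.lower():
            continue
        if e.created < cutoff:
            continue
        reasons = [f"driver created {e.created:%Y-%m-%d}, inside the {window_days}-day window"]
        stem = e.name.lower().rsplit(".", 1)[0]
        if HEX_STEM.match(stem):
            reasons.append("hex-only file name")
        if e.created == e.written:
            reasons.append("created and last-write times identical (written in place, not copied from an older build)")
        findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_drivers(parse_entries(SAMPLE_LOG), "2013-05-01"):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample with the scan date from the report, only the 6FC03202.sys entry falls inside the 14-day window; widening the window to 60 days also pulls in the AVG and Malwarebytes drivers, which trip neither heuristic. The output is a list of files to look at (for instance by checking their digital signature or submitting them to a multi-engine scanner), not a verdict.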

I dragged CFScript.txt into ComboFix.exe, but as soon as they overlapped, the "Run" or "Save" window for ComboFix appeared. I had no way of knowing if it accepted CFScript.txt. I did go ahead and run ComboFix. Here is the log.

I still cannot access Google.com from either Chrome or IE. Everything else seems fine.

ComboFix 13-04-29.01 - newjohndoe 05/01/2013   4:59.2.4 - x86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3582.1378 [GMT -4:00]

Running from: c:\documents and settings\newjohndoe\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\newjohndoe\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\newjohndoe\Application Data\Strongvault

.

.

(((((((((((((((((((((((((   Files Created from 2013-04-01 to 2013-05-01  )))))))))))))))))))))))))))))))

.

.

2013-04-28 02:38 . 2013-04-28 02:38    143688    ----a-w-    c:\windows\system32\drivers\6FC03202.sys

2013-04-26 21:53 . 2013-04-26 21:53    --------    d-----w-    c:\documents and settings\All Users\Application Data\ATI

2013-04-26 02:00 . 2013-04-26 02:00    --------    d-----w-    c:\program files\MSXML 4.0

2013-04-24 21:03 . 2013-04-24 21:03    --------    d-----w-    C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3

2013-04-22 06:47 . 2013-04-22 06:47    --------    d-----w-    c:\documents and settings\newjohndoe\Application Data\JAM Software

2013-04-19 12:52 . 2012-06-02 19:18    275696    ----a-w-    c:\windows\system32\mucltui.dll

2013-04-19 12:52 . 2012-06-02 19:18    214256    ----a-w-    c:\windows\system32\muweb.dll

2013-04-19 12:45 . 2013-04-19 12:45    --------    d-----w-    c:\documents and settings\All Users\Application Data\MFAData

2013-04-19 10:25 . 2013-04-19 10:25    --------    d-----w-    c:\program files\Microsoft Silverlight

2013-04-19 07:55 . 2013-04-28 09:00    --------    d-----w-    c:\documents and settings\newjohndoe\Local Settings\Application Data\Google

2013-04-19 06:59 . 2013-04-24 21:08    --------    d-----w-    c:\documents and settings\All Users\Application Data\Sony Corporation

2013-04-19 06:44 . 2013-04-19 06:44    --------    d-----w-    c:\documents and settings\newjohndoe\Application Data\Nuance

2013-04-19 06:21 . 2013-04-19 06:21    --------    d-----w-    c:\documents and settings\newjohndoe\Application Data\FLEXnet

2013-04-19 06:19 . 2013-04-19 06:19    --------    d-----w-    c:\program files\Common Files\IVA

2013-04-19 06:18 . 2013-04-19 06:19    --------    d-----w-    c:\program files\Common Files\Nuance

2013-04-19 06:16 . 2013-04-19 06:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\FLEXnet

2013-04-19 06:16 . 2013-04-19 06:20    --------    d-----w-    c:\windows\Speech

2013-04-19 06:16 . 2013-04-19 06:16    --------    d-----w-    c:\documents and settings\All Users\Application Data\Nuance

2013-04-19 04:06 . 2013-04-19 04:06    --------    d-----w-    C:\$AVG

2013-04-19 03:43 . 2013-04-19 03:43    --------    d-----w-    c:\documents and settings\newjohndoe\Local Settings\Application Data\PCHealth

2013-04-19 03:16 . 2013-04-19 12:45    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVG10

2013-04-19 02:42 . 2013-04-19 02:42    --------    d-----w-    c:\program files\Microsoft.NET

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-04-11 17:56 . 2011-03-06 07:28    71192    ----a-w-    c:\windows\system32\atimpc32.dll

2013-04-11 17:56 . 2011-03-06 07:28    71192    ----a-w-    c:\windows\system32\amdpcom32.dll

2013-04-11 17:54 . 2011-03-06 07:28    6850048    ----a-w-    c:\windows\system32\drivers\ati2mtag.sys

2013-04-11 17:45 . 2011-03-06 07:28    442368    ----a-w-    c:\windows\system32\ATIDEMGX.dll

2013-04-11 17:44 . 2011-03-06 07:28    306176    ----a-w-    c:\windows\system32\ati2dvag.dll

2013-04-11 17:22 . 2011-03-06 07:28    212992    ----a-w-    c:\windows\system32\atipdlxx.dll

2013-04-11 17:22 . 2011-03-06 07:28    163840    ----a-w-    c:\windows\system32\Oemdspif.dll

2013-04-11 17:22 . 2011-03-06 07:28    26112    ----a-w-    c:\windows\system32\Ati2mdxx.exe

2013-04-11 17:22 . 2011-03-06 07:28    43520    ----a-w-    c:\windows\system32\ati2edxx.dll

2013-04-11 17:22 . 2011-03-06 07:28    192512    ----a-w-    c:\windows\system32\ati2evxx.dll

2013-04-11 17:20 . 2011-03-06 07:28    643072    ----a-w-    c:\windows\system32\ati2evxx.exe

2013-04-11 17:19 . 2011-03-06 07:28    53248    ----a-w-    c:\windows\system32\ATIDDC.DLL

2013-04-11 17:05 . 2011-03-06 07:28    4844064    ----a-w-    c:\windows\system32\ati3duag.dll

2013-04-11 16:49 . 2011-03-06 07:28    18964480    ----a-w-    c:\windows\system32\atioglxx.dll

2013-04-11 16:43 . 2011-03-06 07:28    2380672    ----a-w-    c:\windows\system32\ativvaxx.dll

2013-04-11 16:43 . 2011-03-06 07:28    307200    ----a-w-    c:\windows\system32\atiiiexx.dll

2013-04-11 16:27 . 2011-03-06 07:28    163840    ----a-w-    c:\windows\system32\atiapfxx.exe

2013-04-11 16:23 . 2011-03-06 07:28    929792    ----a-w-    c:\windows\system32\atikvmag.dll

2013-04-11 16:18 . 2011-03-06 07:28    245760    ----a-w-    c:\windows\system32\atiadlxx.dll

2013-04-11 16:18 . 2011-03-06 07:28    17408    ----a-w-    c:\windows\system32\atitvo32.dll

2013-04-11 16:17 . 2011-03-06 07:28    53248    ----a-w-    c:\windows\system32\drivers\ati2erec.dll

2013-04-11 16:15 . 2011-03-06 07:28    495616    ----a-w-    c:\windows\system32\atiok3x2.dll

2013-04-11 16:13 . 2011-03-06 07:28    663552    ----a-w-    c:\windows\system32\ati2cqag.dll

2013-04-04 18:50 . 2011-03-07 07:58    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys

2013-04-01 06:20 . 2013-04-01 06:20    409600    ----a-w-    c:\windows\system32\wrap_oal.dll

2013-04-01 06:20 . 2013-04-01 06:20    114688    ----a-w-    c:\windows\system32\OpenAL32.dll

2013-03-08 15:13 . 2012-04-13 02:10    691568    -c--a-w-    c:\windows\system32\FlashPlayerApp.exe

2013-03-08 15:13 . 2011-08-15 01:08    71024    -c--a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl

2013-03-08 08:36 . 2004-08-04 12:00    293376    ----a-w-    c:\windows\system32\winsrv.dll

2013-03-07 01:32 . 2004-08-04 12:00    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50 . 2004-08-03 22:59    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe

2013-03-02 03:12 . 2013-02-13 05:18    33112    ----a-w-    c:\windows\system32\drivers\avgtpx86.sys

2013-03-02 01:25 . 2004-08-04 12:00    1867264    ----a-w-    c:\windows\system32\win32k.sys

2013-02-27 07:56 . 2011-03-05 10:50    2067456    ----a-w-    c:\windows\system32\mstscax.dll

2013-02-12 00:32 . 2008-04-13 18:56    12928    ------w-    c:\windows\system32\drivers\usb8023x.sys

2013-02-12 00:32 . 2004-08-04 12:00    12928    ----a-w-    c:\windows\system32\drivers\usb8023.sys

2010-03-25 15:02 . 2011-03-13 23:57    3782272    ----a-w-    c:\program files\AiSuite.exe

2010-01-10 02:55 . 2011-03-13 23:57    811648    -c--a-w-    c:\program files\RegSchdTask.exe

2009-12-29 01:19 . 2011-03-13 23:57    461440    ----a-w-    c:\program files\CpuLevelUpHook64.exe

2009-12-29 01:19 . 2011-03-13 23:57    326272    ----a-w-    c:\program files\CpuLevelUpHook32.exe

2009-12-29 01:19 . 2011-03-13 23:57    589440    -c--a-w-    c:\program files\CpuLevelUpHookLaunch.exe

2009-12-29 01:19 . 2011-03-13 23:57    887936    ----a-w-    c:\program files\CpuLevelUpHelp.exe

2009-06-29 20:25 . 2011-03-13 23:57    69632    ----a-w-    c:\program files\AsAcpi.dll

2009-01-23 00:44 . 2011-03-13 23:57    876    -c--a-w-    c:\program files\asus.reg

2009-01-23 00:44 . 2011-03-13 23:57    292    -c--a-w-    c:\program files\epu.reg

2008-01-28 16:58 . 2011-03-13 23:57    57344    ----a-w-    c:\program files\AsInsHelp.dll

2007-10-11 18:51 . 2011-03-13 23:57    53248    -c--a-w-    c:\program files\HookKey32.dll

2007-10-11 18:50 . 2011-03-13 23:57    48128    -c--a-w-    c:\program files\HookKey64.dll

2007-08-08 14:48 . 2011-03-13 23:57    69632    -c--a-w-    c:\program files\HookKey.dll

2005-09-09 21:31 . 2011-03-13 23:57    40960    ----a-w-    c:\program files\AsUninsHlp.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-04 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 40983152]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]

"TurboV Help"="c:\program files\ASUS\TurboV EVO\TurboVHelp.exe" [2010-07-07 1089664]

"TurboV EVO"="c:\program files\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-07 9936000]

"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2009-11-27 7274496]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]

"QFan Help"="c:\program files\QFan3\QFanHelp.exe" [2010-03-25 611968]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]

"QuickTime Task"="p:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]

"DNS7reminder"="p:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]

"StartCCC"="p:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-04-11 98304]

"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [bU]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

WinZip Quick Pick.lnk - p:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute    REG_MULTI_SZ       autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]

2010-03-24 21:26    243544    ----a-w-    c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"AdobeFlashPlayerUpdateSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\Binaries\\MassEffect2.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\MassEffect2Launcher.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\batman arkham asylum - demo\\Binaries\\ShippingPC-BmGame.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\Company of Heroes SP Demo\\RelicCOH.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\the walking dead\\WalkingDead101.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51001:TCP"= 51001:TCP:Dragon Smart Phone Server

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [8/6/2010 4:53 AM 257064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 255968]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/13/2013 1:18 AM 33112]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [6/4/2011 10:12 AM 296808]

R2 MBAMScheduler;MBAMScheduler;e:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 4:38 PM 418376]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/14/2011 3:51 PM 701512]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2011 3:58 AM 22856]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [4/26/2010 9:27 PM 64904]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [4/26/2010 9:28 PM 146568]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/5/2011 7:05 AM 2127728]

S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [3/5/2011 7:09 AM 109056]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]

S2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 2:16 PM 223464]

S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [7/17/2009 4:25 PM 319488]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:38 PM 167264]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [3/14/2011 4:31 AM 11264]

S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [11/19/2010 1:18 PM 157024]

.

.

------- Supplementary Scan -------

.

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-01 05:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

.

scanning hidden files ...

.

<div>scan completed successfully</div>

<div>hidden files: 0</div>

<div>.</div>

<div>**************************************************************************</div>

<div>.</div>

<div>--------------------- LOCKED REGISTRY KEYS ---------------------</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]</div>

<div>@Denied: (A 2) (Everyone)</div>

<div>@="FlashBroker"</div>

<div>"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]</div>

<div>"Enabled"=dword:00000001</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]</div>

<div>@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]</div>

<div>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]</div>

<div>@Denied: (A 2) (Everyone)</div>

<div>@="IFlashBroker5"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]</div>

<div>@="{00020424-0000-0000-C000-000000000046}"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]</div>

<div>@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"</div>

<div>"Version"="1.0"</div>

<div>.</div>

<div>--------------------- DLLs Loaded Under Running Processes ---------------------</div>

<div>.</div>

<div>- - - - - - - > 'winlogon.exe'(836)</div>

<div>c:\windows\system32\Ati2evxx.dll</div>

<div>c:\windows\system32\atiadlxx.dll</div>

<div>.</div>

<div>- - - - - - - > 'explorer.exe'(8128)</div>

<div>c:\windows\system32\WININET.dll</div>

<div>c:\windows\system32\ieframe.dll</div>

<div>c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll</div>

<div>c:\windows\system32\webcheck.dll</div>

<div>c:\windows\system32\WPDShServiceObj.dll</div>

<div>c:\windows\system32\PortableDeviceTypes.dll</div>

<div>c:\windows\system32\PortableDeviceApi.dll</div>

<div>.</div>

<div>Completion time: 2013-05-01  05:03:53</div>

<div>ComboFix-quarantined-files.txt  2013-05-01 09:03</div>

<div>ComboFix2.txt  2013-04-29 10:52</div>

<div>.</div>

<div>Pre-Run: 1,392,050,176 bytes free</div>

<div>Post-Run: 1,393,979,392 bytes free</div>

<div>.</div>

<div>- - End Of File - - 64E01921395094C97B40E53E3A009A88</div>


<p>Sorry, Gringo. My post was truncated for some reason. Below is the ComboFix log. I still can't access www.google.com from IE or Chrome. Everything else seems fine. </p>


<div>ComboFix 13-04-29.01 - newjohndoe 05/01/2013   4:59.2.4 - x86</div>

<div>Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3582.1378 [GMT -4:00]</div>

<div>Running from: c:\documents and settings\newjohndoe\Desktop\ComboFix.exe</div>

<div>Command switches used :: c:\documents and settings\newjohndoe\Desktop\CFScript.txt</div>

<div>AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}</div>

<div>.</div>

<div>.</div>

<div>(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))</div>

<div>.</div>

<div>.</div>

<div>c:\documents and settings\newjohndoe\Application Data\Strongvault</div>

<div>.</div>

<div>.</div>

<div>(((((((((((((((((((((((((   Files Created from 2013-04-01 to 2013-05-01  )))))))))))))))))))))))))))))))</div>

<div>.</div>

<div>.</div>

<div>2013-04-28 02:38 . 2013-04-28 02:38  143688  ----a-w-  c:\windows\system32\drivers\6FC03202.sys</div>

<div>2013-04-26 21:53 . 2013-04-26 21:53  --------  d-----w-  c:\documents and settings\All Users\Application Data\ATI</div>

<div>2013-04-26 02:00 . 2013-04-26 02:00  --------  d-----w-  c:\program files\MSXML 4.0</div>

<div>2013-04-24 21:03 . 2013-04-24 21:03  --------  d-----w-  C:\Sony_SoundOrganizer_2F70A8C8665241a6ABC5BCF09F756BC3</div>

<div>2013-04-22 06:47 . 2013-04-22 06:47  --------  d-----w-  c:\documents and settings\newjohndoe\Application Data\JAM Software</div>

<div>2013-04-19 12:52 . 2012-06-02 19:18  275696  ----a-w-  c:\windows\system32\mucltui.dll</div>

<div>2013-04-19 12:52 . 2012-06-02 19:18  214256  ----a-w-  c:\windows\system32\muweb.dll</div>

<div>2013-04-19 12:45 . 2013-04-19 12:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\MFAData</div>

<div>2013-04-19 10:25 . 2013-04-19 10:25  --------  d-----w-  c:\program files\Microsoft Silverlight</div>

<div>2013-04-19 07:55 . 2013-04-28 09:00  --------  d-----w-  c:\documents and settings\newjohndoe\Local Settings\Application Data\Google</div>

<div>2013-04-19 06:59 . 2013-04-24 21:08  --------  d-----w-  c:\documents and settings\All Users\Application Data\Sony Corporation</div>

<div>2013-04-19 06:44 . 2013-04-19 06:44  --------  d-----w-  c:\documents and settings\newjohndoe\Application Data\Nuance</div>

<div>2013-04-19 06:21 . 2013-04-19 06:21  --------  d-----w-  c:\documents and settings\newjohndoe\Application Data\FLEXnet</div>

<div>2013-04-19 06:19 . 2013-04-19 06:19  --------  d-----w-  c:\program files\Common Files\IVA</div>

<div>2013-04-19 06:18 . 2013-04-19 06:19  --------  d-----w-  c:\program files\Common Files\Nuance</div>

<div>2013-04-19 06:16 . 2013-04-19 06:16  --------  d-----w-  c:\documents and settings\All Users\Application Data\FLEXnet</div>

<div>2013-04-19 06:16 . 2013-04-19 06:20  --------  d-----w-  c:\windows\Speech</div>

<div>2013-04-19 06:16 . 2013-04-19 06:16  --------  d-----w-  c:\documents and settings\All Users\Application Data\Nuance</div>

<div>2013-04-19 04:06 . 2013-04-19 04:06  --------  d-----w-  C:\$AVG</div>

<div>2013-04-19 03:43 . 2013-04-19 03:43  --------  d-----w-  c:\documents and settings\newjohndoe\Local Settings\Application Data\PCHealth</div>

<div>2013-04-19 03:16 . 2013-04-19 12:45  --------  d-----w-  c:\documents and settings\All Users\Application Data\AVG10</div>

<div>2013-04-19 02:42 . 2013-04-19 02:42  --------  d-----w-  c:\program files\Microsoft.NET</div>

<div>.</div>

<div>.</div>

<div>.</div>

<div>((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))</div>

<div>.</div>

<div>2013-04-11 17:56 . 2011-03-06 07:28  71192  ----a-w-  c:\windows\system32\atimpc32.dll</div>

<div>2013-04-11 17:56 . 2011-03-06 07:28  71192  ----a-w-  c:\windows\system32\amdpcom32.dll</div>

<div>2013-04-11 17:54 . 2011-03-06 07:28  6850048  ----a-w-  c:\windows\system32\drivers\ati2mtag.sys</div>

<div>2013-04-11 17:45 . 2011-03-06 07:28  442368  ----a-w-  c:\windows\system32\ATIDEMGX.dll</div>

<div>2013-04-11 17:44 . 2011-03-06 07:28  306176  ----a-w-  c:\windows\system32\ati2dvag.dll</div>

<div>2013-04-11 17:22 . 2011-03-06 07:28  212992  ----a-w-  c:\windows\system32\atipdlxx.dll</div>

<div>2013-04-11 17:22 . 2011-03-06 07:28  163840  ----a-w-  c:\windows\system32\Oemdspif.dll</div>

<div>2013-04-11 17:22 . 2011-03-06 07:28  26112  ----a-w-  c:\windows\system32\Ati2mdxx.exe</div>

<div>2013-04-11 17:22 . 2011-03-06 07:28  43520  ----a-w-  c:\windows\system32\ati2edxx.dll</div>

<div>2013-04-11 17:22 . 2011-03-06 07:28  192512  ----a-w-  c:\windows\system32\ati2evxx.dll</div>

<div>2013-04-11 17:20 . 2011-03-06 07:28  643072  ----a-w-  c:\windows\system32\ati2evxx.exe</div>

<div>2013-04-11 17:19 . 2011-03-06 07:28  53248  ----a-w-  c:\windows\system32\ATIDDC.DLL</div>

<div>2013-04-11 17:05 . 2011-03-06 07:28  4844064  ----a-w-  c:\windows\system32\ati3duag.dll</div>

<div>2013-04-11 16:49 . 2011-03-06 07:28  18964480  ----a-w-  c:\windows\system32\atioglxx.dll</div>

<div>2013-04-11 16:43 . 2011-03-06 07:28  2380672  ----a-w-  c:\windows\system32\ativvaxx.dll</div>

<div>2013-04-11 16:43 . 2011-03-06 07:28  307200  ----a-w-  c:\windows\system32\atiiiexx.dll</div>

<div>2013-04-11 16:27 . 2011-03-06 07:28  163840  ----a-w-  c:\windows\system32\atiapfxx.exe</div>

<div>2013-04-11 16:23 . 2011-03-06 07:28  929792  ----a-w-  c:\windows\system32\atikvmag.dll</div>

<div>2013-04-11 16:18 . 2011-03-06 07:28  245760  ----a-w-  c:\windows\system32\atiadlxx.dll</div>

<div>2013-04-11 16:18 . 2011-03-06 07:28  17408  ----a-w-  c:\windows\system32\atitvo32.dll</div>

<div>2013-04-11 16:17 . 2011-03-06 07:28  53248  ----a-w-  c:\windows\system32\drivers\ati2erec.dll</div>

<div>2013-04-11 16:15 . 2011-03-06 07:28  495616  ----a-w-  c:\windows\system32\atiok3x2.dll</div>

<div>2013-04-11 16:13 . 2011-03-06 07:28  663552  ----a-w-  c:\windows\system32\ati2cqag.dll</div>

<div>2013-04-04 18:50 . 2011-03-07 07:58  22856  ----a-w-  c:\windows\system32\drivers\mbam.sys</div>

<div>2013-04-01 06:20 . 2013-04-01 06:20  409600  ----a-w-  c:\windows\system32\wrap_oal.dll</div>

<div>2013-04-01 06:20 . 2013-04-01 06:20  114688  ----a-w-  c:\windows\system32\OpenAL32.dll</div>

<div>2013-03-08 15:13 . 2012-04-13 02:10  691568  -c--a-w-  c:\windows\system32\FlashPlayerApp.exe</div>

<div>2013-03-08 15:13 . 2011-08-15 01:08  71024  -c--a-w-  c:\windows\system32\FlashPlayerCPLApp.cpl</div>

<div>2013-03-08 08:36 . 2004-08-04 12:00  293376  ----a-w-  c:\windows\system32\winsrv.dll</div>

<div>2013-03-07 01:32 . 2004-08-04 12:00  2149888  ----a-w-  c:\windows\system32\ntoskrnl.exe</div>

<div>2013-03-07 00:50 . 2004-08-03 22:59  2028544  ----a-w-  c:\windows\system32\ntkrnlpa.exe</div>

<div>2013-03-02 03:12 . 2013-02-13 05:18  33112  ----a-w-  c:\windows\system32\drivers\avgtpx86.sys</div>

<div>2013-03-02 01:25 . 2004-08-04 12:00  1867264  ----a-w-  c:\windows\system32\win32k.sys</div>

<div>2013-02-27 07:56 . 2011-03-05 10:50  2067456  ----a-w-  c:\windows\system32\mstscax.dll</div>

<div>2013-02-12 00:32 . 2008-04-13 18:56  12928  ------w-  c:\windows\system32\drivers\usb8023x.sys</div>

<div>2013-02-12 00:32 . 2004-08-04 12:00  12928  ----a-w-  c:\windows\system32\drivers\usb8023.sys</div>

<div>2010-03-25 15:02 . 2011-03-13 23:57  3782272  ----a-w-  c:\program files\AiSuite.exe</div>

<div>2010-01-10 02:55 . 2011-03-13 23:57  811648  -c--a-w-  c:\program files\RegSchdTask.exe</div>

<div>2009-12-29 01:19 . 2011-03-13 23:57  461440  ----a-w-  c:\program files\CpuLevelUpHook64.exe</div>

<div>2009-12-29 01:19 . 2011-03-13 23:57  326272  ----a-w-  c:\program files\CpuLevelUpHook32.exe</div>

<div>2009-12-29 01:19 . 2011-03-13 23:57  589440  -c--a-w-  c:\program files\CpuLevelUpHookLaunch.exe</div>

<div>2009-12-29 01:19 . 2011-03-13 23:57  887936  ----a-w-  c:\program files\CpuLevelUpHelp.exe</div>

<div>2009-06-29 20:25 . 2011-03-13 23:57  69632  ----a-w-  c:\program files\AsAcpi.dll</div>

<div>2009-01-23 00:44 . 2011-03-13 23:57  876  -c--a-w-  c:\program files\asus.reg</div>

<div>2009-01-23 00:44 . 2011-03-13 23:57  292  -c--a-w-  c:\program files\epu.reg</div>

<div>2008-01-28 16:58 . 2011-03-13 23:57  57344  ----a-w-  c:\program files\AsInsHelp.dll</div>

<div>2007-10-11 18:51 . 2011-03-13 23:57  53248  -c--a-w-  c:\program files\HookKey32.dll</div>

<div>2007-10-11 18:50 . 2011-03-13 23:57  48128  -c--a-w-  c:\program files\HookKey64.dll</div>

<div>2007-08-08 14:48 . 2011-03-13 23:57  69632  -c--a-w-  c:\program files\HookKey.dll</div>

<div>2005-09-09 21:31 . 2011-03-13 23:57  40960  ----a-w-  c:\program files\AsUninsHlp.dll</div>

<div>.</div>

<div>.</div>

<div>(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))</div>

<div>.</div>

<div>.</div>

<div>*Note* empty entries & legit default entries are not shown </div>

<div>REGEDIT4</div>

<div>.</div>

<div>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div>

<div>"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2011-06-04 222496]</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]</div>

<div>"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2010-08-11 40983152]</div>

<div>"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-10-19 36864]</div>

<div>"TurboV Help"="c:\program files\ASUS\TurboV EVO\TurboVHelp.exe" [2010-07-07 1089664]</div>

<div>"TurboV EVO"="c:\program files\ASUS\TurboV EVO\TurboV_EVO.exe" [2010-07-07 9936000]</div>

<div>"Six Engine"="c:\program files\ASUS\Six Engine\SixEngine.exe" [2009-11-27 7274496]</div>

<div>"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-08-01 2345592]</div>

<div>"QFan Help"="c:\program files\QFan3\QFanHelp.exe" [2010-03-25 611968]</div>

<div>"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]</div>

<div>"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]</div>

<div>"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]</div>

<div>"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]</div>

<div>"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]</div>

<div>"QuickTime Task"="p:\program files\QuickTime\qttask.exe" [2010-11-29 421888]</div>

<div>"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]</div>

<div>"NUSB3MON"="c:\program files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]</div>

<div>"DNS7reminder"="p:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2010-10-27 328992]</div>

<div>"StartCCC"="p:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-04-11 98304]</div>

<div>"BCU"="c:\program files\DeviceVM\Browser Configuration Utility\BCU.exe" [bU]</div>

<div>.</div>

<div>c:\documents and settings\All Users\Start Menu\Programs\Startup\</div>

<div>Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]</div>

<div>WinZip Quick Pick.lnk - p:\program files\WinZip\WZQKPICK32.EXE [2012-4-4 603536]</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]</div>

<div>BootExecute  REG_MULTI_SZ  autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]</div>

<div>@="Driver"</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bing Bar]</div>

<div>2010-03-24 21:26  243544  ----a-w-  c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe</div>

<div>.</div>

<div>[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]</div>

"AdobeFlashPlayerUpdateSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\Binaries\\MassEffect2.exe"=

"p:\\Program Files\\Mass Effect 2 Demo\\MassEffect2Launcher.exe"=

"c:\\WINDOWS\\system32\\msiexec.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\batman arkham asylum - demo\\Binaries\\ShippingPC-BmGame.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\Company of Heroes SP Demo\\RelicCOH.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\the walking dead\\WalkingDead101.exe"=

"e:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"51001:TCP"= 51001:TCP:Dragon Smart Phone Server

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]

R0 mv91xx;mv91xx;c:\windows\system32\drivers\mv91xx.sys [8/6/2010 4:53 AM 257064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 255968]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2/13/2013 1:18 AM 33112]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]

R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [6/4/2011 10:12 AM 296808]

R2 MBAMScheduler;MBAMScheduler;e:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/12/2012 4:38 PM 418376]

R2 MBAMService;MBAMService;e:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/14/2011 3:51 PM 701512]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/7/2011 3:58 AM 22856]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [4/26/2010 9:27 PM 64904]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [4/26/2010 9:28 PM 146568]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/5/2011 7:05 AM 2127728]

S2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.05\AsSysCtrlService.exe [3/5/2011 7:09 AM 109056]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [1/31/2012 4:02 PM 7391072]

S2 BCUService;Browser Configuration Utility Service;c:\program files\DeviceVM\Browser Configuration Utility\BCUService.exe [10/26/2009 2:16 PM 223464]

S2 DvmMDES;DeviceVM Meta Data Export Service;c:\asus.sys\config\DVMExportService.exe [7/17/2009 4:25 PM 319488]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:38 PM 167264]

S3 ICDUSB3;ICDUSB3;c:\windows\system32\drivers\ICDUSB3.sys [3/14/2011 4:31 AM 11264]

S3 PACSPTISVR-Sound_Organizer;PACSPTISVR-Sound_Organizer;p:\program files\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [11/19/2010 1:18 PM 157024]

.

.

------- Supplementary Scan -------

.

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\newjohndoe\Application Data\Mozilla\Firefox\Profiles\p5n82ypw.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2013-05-01 05:03

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_171_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(836)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

.

- - - - - - - > 'explorer.exe'(8128)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2013-05-01  05:03:53

ComboFix-quarantined-files.txt  2013-05-01 09:03

ComboFix2.txt  2013-04-29 10:52

.

Pre-Run: 1,392,050,176 bytes free

Post-Run: 1,393,979,392 bytes free

.

- - End Of File - - 64E01921395094C97B40E53E3A009A88


  • Staff

Hello ShawnSchirmer

First, I would like you to go here and click on the Fix it button - http://support.microsoft.com/kb/923737

Then I want you to do the following:

  • Start Internet Explorer.
  • Click on "Safety".
  • Click on "Delete Browsing History".
  • Make sure all boxes are checked.
  • Click on "Delete".
  • Click on "Tools".
  • Click "Internet Options".
  • On the "Advanced" tab, click "Reset".
  • Put a check mark next to "Delete Personal Settings".
  • Click "Reset" to confirm.
  • When complete, click the "Close" button.
  • Restart IE.

Gringo


Uh-oh.

Even though my browser issues seem resolved, with the exception of not being able to use Google in three browsers, I'm now having unprecedented problems opening .wps files. I just permanently lost an 8MB file detailing a building I'm designing. Works wasn't opening it (I've never had that problem before), so I tried opening it in Wordpad just to see if that worked, and my 8MB file turned into a 4KB file. Only a recent backup saved most of forty hours' work. Other essential Word files are now impossible to open.

I don't know if any of the programs we ran contributed to or caused this. Is there any way to pinpoint the source of the problem without destroying data?

Thanks,

Shawn


I refreshed several times in the last two hours but your latest post did not appear until after I posted number 22. I see you posted number 21 over two hours ago, but it only just now appeared.

In light of my previous post, 22, shall I go ahead and execute the instructions in your post 21, or is there something else I should do?


  • Staff

Hello ShawnSchirmer

We need to reset Chrome back to defaults to completely clear out what is going on.

We can keep the bookmarks by exporting them - Export Bookmarks

Then I need you to go to Google Sync and sign into your account.

Scroll down until you see the "Stop and Clear" button and click on the button.

At the prompt, click on "Ok".

Now we need to uninstall Chrome.

I want you to uninstall Chrome, and if asked about user data or settings, remove those also.

Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome

After you have Chrome reinstalled please check things out and let me know how it is doing.

Gringo
