
Trojans infections, Malwarebytes Pro not fixing the problem.



Hello,

I've got several problems, all of which I believe stem from the same original single infection by av.exe about two weeks ago. As soon as I was infected I installed Malwarebytes, HijackThis, and several registry cleaners that got good reviews or mentions either here or on CNET. I ran them all one after the other for several days, deleting suspicious files, etc. At first Malwarebytes couldn't update its definitions; I tracked down that problem and supposedly fixed it and upgraded to the Pro version, but I wonder if it is really updated, or if the problem is no longer a trojan infection but a random bit of code or some scrap file that has been altered or something that I can't find.

Every few full scans (maybe 1 out of 3) that I run with Malwarebytes Pro after updating have been catching a series of different Trojans. Last week, before I deleted some registry files, Malwarebytes Pro had a pop-up in the corner saying it was blocking access to malicious IP addresses. There were about 5 different ones, but since then I have ruthlessly deleted some registry files and that's not happening anymore. Then I ran another scan with Malwarebytes and it found a couple more infections. I am still having a few problems with my computer.

I am going to uninstall Java next, but want to wait until I hear from this forum before doing so.

I am attaching only the scan logs requested in the above pinned thread topics. I do have MANY Malwarebytes logs and HijackThis logs that I can post. I just updated Malwarebytes and quick-scanned and it came up clean, but I am still having the following problems.

The remnant problems are:

- Google search results page links redirect through two different "search" sites, one with a green gridded sphere logo, the other with a blue curly "Q" swirl logo.

- At the moment I cannot boot in regular mode, only in Safe Modes (I'm using Safe Mode with Networking at the moment). The blue screen of "nope, you have to use safe mode still" shows an error code of 0x00000050 (0xa562D000, 0x00000000, 0x805e9a0b, 0x00000000), which has been listed as a BSOD, but I have gotten it, run scans, had it go away, then run Malwarebytes, found baddies, deleted them and rebooted, and it comes back again.

- My sound card and CD-ROM are not working; I think this is a result of DDS disabling them.

Here are the requested logs mentioned in the above pinned forum topics.

I ran Defogger two weeks ago and haven't re-enabled anything since then; that may be why it didn't ask to reboot my computer when I ran it this time, but here is the error log anyway:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 23:38 on 22/03/2010 (Administrator)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Here's the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by Administrator at 23:39:46.14 on Mon 03/22/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1593 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [NeroHomeFirstStart] c:\program files\common files\ahead\lib\NMFirstStart.exe

mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"

mRun: [WinampAgent] c:\program files\winamp\winampa.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [iMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [lxdvmon.exe] "c:\program files\lexmark x5400 series\lxdvmon.exe"

mRun: [lxdvamon] "c:\program files\lexmark x5400 series\lxdvamon.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PhilipsDM] "c:\program files\philips\philips device manager\bin\DeviceManager.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: musicmatch.com\online

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205053318185

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} - hxxp://www.sunbelt-software.com/dell/CounterSpy.CAB

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zgm29rcj.default\

FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zgm29rcj.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S0 isafg;isafg;c:\windows\system32\drivers\dtnf.sys --> c:\windows\system32\drivers\dtnf.sys [?]

S0 oyqwp;oyqwp;c:\windows\system32\drivers\elcmjmv.sys --> c:\windows\system32\drivers\elcmjmv.sys [?]

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-3-5 28552]

S0 pshb;pshb;c:\windows\system32\drivers\vytojbjt.sys --> c:\windows\system32\drivers\vytojbjt.sys [?]

S0 rlrtssgu;rlrtssgu;c:\windows\system32\drivers\dninr.sys --> c:\windows\system32\drivers\dninr.sys [?]

S0 wutnnoy;wutnnoy;c:\windows\system32\drivers\vlkdnkmc.sys --> c:\windows\system32\drivers\vlkdnkmc.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]

S2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-5 236368]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-8-30 197648]

S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2005-8-30 31248]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-5 19160]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-3-5 38224]

S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2005-8-30 290889]

S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2005-8-30 585792]

S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2005-8-30 262215]

=============== Created Last 30 ================

2010-03-19 01:23:05 0 d-----w- C:\fixwareout

2010-03-18 06:57:28 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-12 00:41:01 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-10 03:39:55 0 d-----w- c:\windows\system32\XPToolsLicenseComponent

2010-03-10 03:39:55 0 d-----w- c:\program files\XP Registry Cleaner

2010-03-05 21:36:55 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-03-05 21:03:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-05 21:02:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-05 21:02:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-05 20:17:02 882 ----a-w- c:\documents and settings\administrator\.recently-used.xbel

2010-03-05 20:17:02 0 d-----w- c:\documents and settings\administrator\.thumbnails

2010-03-05 20:16:44 0 d-----w- c:\docume~1\admini~1\applic~1\Corel Photo Album

2010-03-05 20:15:43 0 d-----w- c:\documents and settings\administrator\.gimp-2.6

2010-03-05 18:42:01 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-03-05 18:41:26 0 d-----w- c:\program files\Panda Security

2010-03-05 18:20:33 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure

2010-03-04 15:55:46 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-18 07:24:35 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-12 17:50:58 872064 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-09-14 00:27:08 251 ----a-w- c:\program files\wt3d.ini

2009-11-08 03:12:48 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110720091108\index.dat

============= FINISH: 23:41:12.00 ===============

gmer_2_.zip


Hello sukisukie! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


The ComboFix log follows, but a few notes before you get to it... I was unable to save the program as Combo-Fix.exe; I should have been able to but couldn't, dunno why. And I had to run the program twice: when I ran it the first time it forced my computer to reboot three times, and the last one booted to a blue screen while attempting to load into safe mode. The program did not create any logs as a result of that first scan. On the up side, when I manually rebooted it managed to load OK, not in safe mode.

I ran the scan again, not in safe mode, and it worked fine. The log generated from that second scan follows:

ComboFix 10-03-24.02 - Robert Hamilton 03/24/2010 21:33:43.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1407 [GMT -5:00]

Running from: c:\documents and settings\Administrator\My Documents\Downloads\Combo-Fix.exe

AV: Trend Micro PC-cillin Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\system32\Thumbs.db

.

((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))

.

2010-03-25 01:54 . 2010-03-25 01:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2010-03-23 05:06 . 2010-03-23 05:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Thunderbird

2010-03-23 05:06 . 2010-03-23 05:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Thunderbird

2010-03-19 01:23 . 2010-03-19 02:20 -------- d-----w- C:\fixwareout

2010-03-18 07:19 . 2010-03-18 07:26 -------- d-----w- c:\program files\Windows Live Safety Center

2010-03-18 07:10 . 2010-03-17 16:35 309248 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zgm29rcj.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll

2010-03-18 07:00 . 2010-03-18 07:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Leadertech

2010-03-18 06:57 . 2010-03-18 06:57 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-03-18 06:37 . 2010-03-18 06:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM

2010-03-16 20:58 . 2010-03-16 20:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AskToolbar

2010-03-15 02:43 . 2010-03-17 00:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\uhuilf

2010-03-15 02:43 . 2010-03-15 02:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-03-12 00:41 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-03-11 21:39 . 2010-03-18 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-03-11 04:51 . 2010-03-11 04:51 -------- d-----w- c:\documents and settings\Robert Hamilton\Application Data\AVG8

2010-03-10 06:57 . 2010-03-10 06:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird

2010-03-10 06:57 . 2010-03-10 06:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird

2010-03-10 03:39 . 2010-03-10 03:46 -------- d-----w- c:\program files\XP Registry Cleaner

2010-03-10 03:39 . 2010-03-10 03:39 -------- d-----w- c:\windows\system32\XPToolsLicenseComponent

2010-03-07 01:06 . 2010-03-07 01:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Thunderbird

2010-03-07 01:06 . 2010-03-07 01:06 -------- d-----w- c:\documents and settings\LocalService\Application Data\Thunderbird

2010-03-05 21:03 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-05 21:02 . 2010-03-05 21:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-05 21:02 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-05 20:56 . 2010-03-05 20:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2010-03-05 20:20 . 2010-03-05 20:20 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-03-05 20:17 . 2010-03-05 20:17 -------- d-----w- c:\documents and settings\Administrator\.thumbnails

2010-03-05 20:16 . 2010-03-05 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Corel Photo Album

2010-03-05 20:16 . 2010-03-05 20:16 77096 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-05 20:16 . 2010-03-05 20:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Corel Photo Album

2010-03-05 20:15 . 2010-03-05 20:17 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6

2010-03-05 18:42 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2010-03-05 18:41 . 2010-03-05 18:41 -------- d-----w- c:\program files\Panda Security

2010-03-05 18:20 . 2010-03-05 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure

2010-03-05 04:49 . 2010-03-05 04:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2010-03-05 04:49 . 2010-03-05 04:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer

2010-03-04 15:55 . 2010-03-05 21:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-02-26 14:13 . 2010-03-18 02:43 -------- d-----w- c:\documents and settings\Robert Hamilton\Local Settings\Application Data\Temp

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-25 02:37 . 2006-10-05 06:44 -------- d-----w- c:\documents and settings\Robert Hamilton\Application Data\uTorrent

2010-03-25 02:28 . 2007-11-13 16:47 -------- d-----w- c:\program files\Steam

2010-03-25 01:59 . 2006-09-05 01:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-03-23 05:06 . 2007-11-14 20:53 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-03-18 07:29 . 2009-05-12 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-18 07:26 . 2009-05-12 14:58 -------- d-----w- c:\program files\NOS

2010-03-18 07:24 . 2007-05-20 21:05 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-18 07:24 . 2007-05-20 21:05 88 --sh--r- c:\windows\system32\46B56D9E6A.sys

2010-03-18 05:15 . 2007-11-10 15:40 -------- d-----w- c:\documents and settings\Robert Hamilton\Application Data\.purple

2010-03-17 04:03 . 2007-12-08 19:58 -------- d-----w- c:\documents and settings\Robert Hamilton\Application Data\gtk-2.0

2010-03-12 17:50 . 2006-08-29 02:46 872064 ----a-w- c:\windows\system32\drivers\iastor.sys

2010-03-05 21:24 . 2010-02-02 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-03-05 21:24 . 2010-02-06 21:14 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-05 21:23 . 2008-05-12 02:20 -------- d-----w- c:\program files\Trojan Remover

2010-03-05 21:02 . 2009-10-07 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-05 20:27 . 2008-05-12 02:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-03-05 20:13 . 2007-11-15 23:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-03-05 17:58 . 2008-05-12 02:08 -------- d-----w- c:\documents and settings\Robert Hamilton\Application Data\Spyware Terminator

2010-02-28 05:52 . 2009-09-18 18:07 1 ----a-w- c:\documents and settings\Robert Hamilton\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys

2010-02-28 02:56 . 2009-11-26 18:12 79488 ----a-w- c:\documents and settings\Robert Hamilton\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-02-19 04:22 . 2010-02-19 04:22 -------- d-----w- c:\program files\Firefly Studios

2010-02-19 04:22 . 2006-08-29 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-19 04:07 . 2010-02-19 04:06 -------- d-----w- c:\program files\Might and Magic Classics

2010-02-19 04:01 . 2009-05-05 02:29 -------- d-----w- c:\program files\Might and Magic VI

2010-02-19 00:27 . 2010-02-19 00:27 -------- d-----w- c:\program files\Coupons

2010-02-14 00:33 . 2007-11-10 15:38 -------- d-----w- c:\program files\Pidgin

2010-02-02 04:36 . 2010-02-02 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-02-02 04:36 . 2010-02-02 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-01-31 21:08 . 2006-08-29 03:22 -------- d-----w- c:\program files\Google

2010-01-05 10:00 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll

2010-01-05 10:00 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-01-05 10:00 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll

2009-12-31 16:50 . 2005-08-16 09:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-09-14 00:27 . 2009-09-14 00:27 251 ----a-w- c:\program files\wt3d.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2009-09-02 19:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-24 68856]

"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]

"Steam"="c:\program files\Steam\Steam.exe" [2010-02-20 1217872]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"PhilipsLime"="c:\program files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2006-06-09 159744]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-19 288560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-13 8429568]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-13 81920]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]

"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]

"lxdvmon.exe"="c:\program files\Lexmark X5400 Series\lxdvmon.exe" [2008-08-05 455336]

"lxdvamon"="c:\program files\Lexmark X5400 Series\lxdvamon.exe" [2008-08-05 25256]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2006-07-13 651264]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\documents and settings\Robert Hamilton\Start Menu\Programs\Startup\

OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]

2003-06-18 06:00 45056 ------w- c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]

2005-11-08 17:30 16384 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]

2006-03-02 09:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2005-05-15 07:04 332800 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

2005-10-05 08:12 94208 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2006-08-29 03:22 169984 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2005-06-17 12:56 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2007-04-13 03:44 8429568 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE_OEM]

2005-08-16 00:38 20553 ----a-w- c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]

2005-08-30 21:36 823362 ----a-w- c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]

2005-10-14 16:01 122880 ------w- c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"tmproxy"=2 (0x2)

"TmPfw"=2 (0x2)

"Tmntsrv"=2 (0x2)

"PcCtlCom"=2 (0x2)

"NetSvc"=3 (0x3)

"IAANTMon"=2 (0x2)

"ELService"=2 (0x2)

"Creative Service for CDROM Access"=2 (0x2)

"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Lexmark X5400 Series\\lxdvmon.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdvjswx.exe"=

"c:\\WINDOWS\\system32\\lxdvcoms.exe"=

"c:\\Program Files\\Lexmark X5400 Series\\lxdvamon.exe"=

"c:\\Program Files\\Lexmark X5400 Series\\FRun.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2 demo\\left4dead2.exe"=

"c:\\Program Files\\Steam\\SteamApps\\chimerasame\\zombie panic! source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/5/2010 1:42 PM 28552]

R2 lxdv_device;lxdv_device;c:\windows\system32\lxdvcoms.exe -service --> c:\windows\system32\lxdvcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/5/2010 4:03 PM 236368]

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 4:36 PM 197648]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 4:36 PM 31248]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/5/2010 4:02 PM 19160]

S0 isafg;isafg;c:\windows\system32\drivers\dtnf.sys --> c:\windows\system32\drivers\dtnf.sys [?]

S0 oyqwp;oyqwp;c:\windows\system32\drivers\elcmjmv.sys --> c:\windows\system32\drivers\elcmjmv.sys [?]

S0 pshb;pshb;c:\windows\system32\drivers\vytojbjt.sys --> c:\windows\system32\drivers\vytojbjt.sys [?]

S0 rlrtssgu;rlrtssgu;c:\windows\system32\drivers\dninr.sys --> c:\windows\system32\drivers\dninr.sys [?]

S0 wutnnoy;wutnnoy;c:\windows\system32\drivers\vlkdnkmc.sys --> c:\windows\system32\drivers\vlkdnkmc.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 4:08 PM 135664]

S4 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 4:36 PM 290889]

S4 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 4:36 PM 585792]

S4 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 4:36 PM 262215]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:08]

2010-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 21:08]

.

.

------- Supplementary Scan -------

.

uStart Page = https://rm.accesshr.hhsc.state.tx.us/ENG/ca...%20~%20--->

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Copy to Semagic - c:\program files\Semagic\copy.htm

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: Semagic - c:\program files\Semagic\link.htm

Trusted Zone: musicmatch.com\online

FF - ProfilePath - c:\documents and settings\Robert Hamilton\Application Data\Mozilla\Firefox\Profiles\7h75my93.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fhl%3Den%26shva%3D1%26ui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&ss=1&scc=1&ltmpl=default&ltmplcache=2&hl=en#drafts/126e83dfc4fd14f2|https://wit.twc.state.tx.us/WORKINTEXAS/wtx?pageid=JV_HOME&ctx=1267328855627

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3224)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-03-24 21:45:07

ComboFix-quarantined-files.txt 2010-03-25 02:45

Pre-Run: 63,332,433,920 bytes free

Post-Run: 63,298,351,104 bytes free

- - End Of File - - 5C0332EA3E831F4AE6226AE935912945

And here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:50:24 PM, on 3/24/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Lexmark X5400 Series\lxdvmon.exe

C:\Program Files\Lexmark X5400 Series\lxdvamon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

C:\Program Files\Steam\Steam.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxdvcoms.exe

C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://rm.accesshr.hhsc.state.tx.us/ENG/ca...%20~%20--->

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [lxdvmon.exe] "C:\Program Files\Lexmark X5400 Series\lxdvmon.exe"

O4 - HKLM\..\Run: [lxdvamon] "C:\Program Files\Lexmark X5400 Series\lxdvamon.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup

O4 - HKCU\..\Run: [steam] C:\Program Files\Steam\Steam.exe -silent

O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0

O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe"

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103472 -"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)" -"http://www.gamespyarcade.com/software/webgames/sicktwisted/fivefinger/fivefinger_index.htm"

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205053318185

O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: lxdv_device - - C:\WINDOWS\system32\lxdvcoms.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9551 bytes


Don't worry!

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    iaStor.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 15:28 on 25/03/2010 by Robert Hamilton (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor.sys"

C:\drivers\storage\sata\onboard\iastor.sys --a--- 872064 bytes [02:46 29/08/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963

C:\i386\iaStor.sys --a--- 872064 bytes [04:40 03/09/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963

C:\WINDOWS\system32\drivers\iastor.sys --a--- 872064 bytes [02:46 29/08/2006] [17:50 12/03/2010] 9A65E42664D1534B68512CAAD0EFE963

-=End Of File=-


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

FCopy::
C:\i386\iaStor.sys | C:\WINDOWS\system32\drivers\iastor.sys

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

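The check behind the two helper posts above (locate every copy of iaStor.sys, compare them, then restore the live driver from the installation cache with FCopy::) can be done mechanically. The following is an added example written for this page; it is not part of the thread and is not code from SystemLook or ComboFix. It parses a SystemLook filefind report, treats the copies under C:\i386\ (the Windows installation source cache) as the reference, and reports which copies differ in hash, which merely carry a different last-write time, and the "source | destination" pairs an FCopy:: section would need for the mismatches. The first report is the one posted in the thread; the second, with an altered hash, is constructed here to exercise the mismatch path. Assumptions: the two bracketed timestamps are read as creation time and last-write time, and the reference directory is a parameter. One caveat a practitioner should keep in mind: a hash comparison run from inside the suspect system is only as trustworthy as the disk reads it gets, so when a kernel-level compromise is suspected, confirm the hashes from clean boot media as well.

```python
"""Triage a SystemLook ':filefind' report against reference copies.

Added example for this page; not SystemLook's or ComboFix's own code.
"""
import re

# Report lines as posted in the thread (paths, sizes, timestamps, hashes copied from it).
SAMPLE_REPORT = """\
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:28 on 25/03/2010 by Robert Hamilton (Administrator - Elevation successful)

========== filefind ==========

Searching for "iaStor.sys"

C:\\drivers\\storage\\sata\\onboard\\iastor.sys --a--- 872064 bytes [02:46 29/08/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\\i386\\iaStor.sys --a--- 872064 bytes [04:40 03/09/2006] [17:33 17/06/2005] 9A65E42664D1534B68512CAAD0EFE963
C:\\WINDOWS\\system32\\drivers\\iastor.sys --a--- 872064 bytes [02:46 29/08/2006] [17:50 12/03/2010] 9A65E42664D1534B68512CAAD0EFE963

-=End Of File=-
"""

# Constructed variant (NOT from the thread): the live driver's hash no longer matches.
SAMPLE_REPORT_PATCHED = SAMPLE_REPORT.replace(
    "[17:50 12/03/2010] 9A65E42664D1534B68512CAAD0EFE963",
    "[17:50 12/03/2010] 00000000000000000000000000000000",
)

# One filefind result line:
#   <path> <attrs> <size> bytes [<created>] [<last-write>] <MD5>
# (timestamp roles are an assumption about SystemLook's layout)
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\S)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(report: str) -> list[dict]:
    """Return one dict per located file; header/footer lines are ignored."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def _is_reference(path: str, prefixes) -> bool:
    return path.lower().startswith(tuple(p.lower() for p in prefixes))


def triage(entries, reference_prefixes=("C:\\i386\\",)) -> dict:
    """Compare each non-reference copy with the reference copies.

    Verdicts: 'ok'       hash and last-write time match a reference copy
              'touched'  hash matches but last-write time differs (look closer)
              'mismatch' hash matches no reference copy (candidate for restore)
    """
    refs = [e for e in entries if _is_reference(e["path"], reference_prefixes)]
    if not refs:
        raise ValueError("no reference copy found; cannot judge the others")
    ref_paths = {e["path"] for e in refs}
    ref_md5s = {e["md5"] for e in refs}
    ref_mtimes = {e["modified"] for e in refs}
    verdicts = []
    for e in entries:
        if e["path"] in ref_paths:
            continue
        if e["md5"] not in ref_md5s:
            verdicts.append((e["path"], "mismatch"))
        elif e["modified"] not in ref_mtimes:
            verdicts.append((e["path"], "touched"))
        else:
            verdicts.append((e["path"], "ok"))
    return {
        "reference_md5s": ref_md5s,
        "reference_consistent": len(ref_md5s) == 1,  # reference copies agree with each other
        "verdicts": verdicts,
    }


def fcopy_lines(entries, reference_prefixes=("C:\\i386\\",)) -> list[str]:
    """'source | destination' pairs (ComboFix FCopy:: syntax) for every mismatching copy."""
    result = triage(entries, reference_prefixes)
    if not result["reference_consistent"]:
        raise ValueError("reference copies disagree with each other; choose one by hand")
    ref_path = next(e["path"] for e in entries if _is_reference(e["path"], reference_prefixes))
    return [f"{ref_path} | {path}" for path, verdict in result["verdicts"] if verdict == "mismatch"]


if __name__ == "__main__":
    for label, report in (("as posted", SAMPLE_REPORT), ("constructed", SAMPLE_REPORT_PATCHED)):
        found = parse_filefind(report)
        print(label, triage(found)["verdicts"], fcopy_lines(found))
```

On the report as posted, all three copies share one MD5, so no FCopy:: line is produced; the only finding is that the copy in system32\drivers carries a later last-write time than the other two, which is exactly the kind of detail worth a second look before deciding whether a restore is needed. The constructed variant shows the restore pair the script emits when the hash does differ, in the same form as the CFScript above.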
