
browser redirects after being infected by Total PC Defender 2010



Hello All,

First, thanks to all volunteers who support this forum selflessly and assist people like me.

On May 5, I was getting popups from Total PC Defender 2010. I updated Malwarebytes (http://www.malwarebytes.org/) on May 5 and ran a full scan, which caught and deleted a lot of malware. It asked for a reboot, which I did. I ran a full scan after that, which detected nothing else, so I assumed my machine was clean.

But my browser (Firefox 3.6.3) is getting redirected from Google searches. It is opening sites like surfing2cash and Stopzilla spyware remover. Opera was also getting redirected, but today it seems normal. Internet Explorer is not redirected.

Ran Spybot Search and Destroy (http://www.safer-networking.org/en/), which detected Fraudreg and removed it.

As per the thread http://forums.techguy.org/virus-other-malw...elp-needed.html, I ran DirQuery (http://ad13.geekstogo.com/DirQuery.exe) and typed the following text into its window:

\Device\Ide\IdePort3

Then I hit Enter. The program generated a file on my desktop called DirQuery.txt. Its contents are:

Running from: C:\Documents and Settings\Admin\Desktop\DirQuery.exe

Log file at : C:\Documents and Settings\Admin\Desktop\DirQuery.txt

The driver that owns the link:

\Device\Ide\IdePort3

is located at:

atapi.sys

and the device link is:

\Driver\atapi

The path to the driver from the registry is:

system32\drivers\tskA.tmp.

I tried to use the Avenger (http://swandog46.geekstogo.com/avenger2/download.php) tool to restore the copy by moving C:\WINDOWS\ServicePackFiles\i386\atapi.sys to C:\win\system32\drivers, and its log said that no rootkits were found and the file was moved successfully. But TDSSKiller claims the TDSS rootkit is there and hooked to atapi.sys.

I looked at the thread http://forums.techguy.org/virus-other-malw...elp-needed.html as I suspect I am infected with the TDSS rootkit. Ran TDSSKiller (http://support.kaspersky.com/downloa...tdsskiller.zip), which claims my atapi.sys is infected with TDSS. It says it will be removed on reboot, but the redirects still persist after rebooting. Ran F-Secure's BlackLight rootkit eliminator (http://www.f-secure.com/en_EMEA/prod...es/blacklight/), which could not find anything. Ran the rkill (http://www.technibble.com/rkill-repa...l-of-the-week/) tool also, but that did not fix the issue.

Ran Trojan Remover (http://www.simplysup.com/tremover/download.html), which also said the machine was clean. I ran ComboFix in Windows safe mode, which deleted the files noted below:

c:\windows\System32\BSTIeprintctl1.dll

c:\windows\system32\Cache

c:\windows\system32\SHELLLNK.TLB

C:\zip.exe

Updated and ran a full SUPERAntiSpyware scan, which found a trojan DRV; cleaned it and rebooted. I inspected the Windows hosts file earlier, which has nothing except the standard one line mapping 127.0.0.1 to localhost. Downloaded CCleaner from download.com, ran it, rebooted, and ran its registry fix. Tried RootRepeal and rkill, which also did not find anything.

Then, as per the instructions at http://forums.malwarebytes.org/index.php?showtopic=9573, I ran a full Malwarebytes scan again after updating it; its log is attached. I am attaching two Malwarebytes logs: one which caught some infections on May 5 (May5_malwarebyteslog), and one run yesterday (May8_malwarebyteslog) which claims my machine is clean, though there are still browser redirects with Firefox. I had McAfee as my antivirus; removed that, installed Avast, and ran a full scan after updating it, which did not catch anything.

Used DeFogger, but it did not ask to reboot my machine after the Finished message, and I did not get any error message either. The log is posted below as I was not allowed to attach it.

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 16:02 on 08/05/2010 (Admin)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

Ran DDS; its logs are attached (DDS.txt and DDSAttach.txt).

Tried to run the GMER rootkit scanner, which was freezing; the next time I tried to run it, it rebooted my machine. I am attaching a log (ark.txt) which was produced from as far as it could run.

I had IIS running, which I have now disabled. I have also installed ZoneAlarm's free firewall since I got infected. Initially, I had just XP's firewall.

Any advice would be welcome.

P.S. When I tried to preview the post, I could not see the files I attached, so I am reattaching them. I don't know if they were removed when I previewed the thread.

May5_Malwarebyteslog.txt

May8_Malwarebyteslog.txt

DDS.txt

DDSAttach.txt

ark.txt

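The DirQuery result in the post above is the one finding that points somewhere specific: the device \Device\Ide\IdePort3 is served by atapi.sys, yet the registry path recorded for that driver is system32\drivers\tskA.tmp. A boot-critical storage driver whose registry path names a .tmp file rather than the module actually serving the device is a strong indicator of a hijacked driver service, and TDSSKiller's later report that atapi.sys is infected is consistent with it. The following is an added example (my own code, not DirQuery's) that parses the report format quoted above and writes the comparison out explicitly; the field names and the sample report variable are my own, and the report text is the one quoted in the post.

```python
"""Check a DirQuery report for a driver whose registry path does not match
the module that actually owns the device link.

Added example for this thread, not DirQuery's own code. It parses the
plain-text report DirQuery writes (the labelled lines quoted in the post)
and flags the mismatch the post shows: \Device\Ide\IdePort3 is served by
atapi.sys, but the registry path for that driver is a .tmp file.
"""

# Labels exactly as they appear in the posted DirQuery.txt; the value is on
# the next non-blank line. The field names on the right are my own.
LABELS = {
    "The driver that owns the link:": "device_link",
    "is located at:": "module",
    "and the device link is:": "driver_object",
    "The path to the driver from the registry is:": "registry_path",
}

# The report quoted in the post (only the labelled part is needed).
SAMPLE_REPORT = r"""
The driver that owns the link:

\Device\Ide\IdePort3

is located at:

atapi.sys

and the device link is:

\Driver\atapi

The path to the driver from the registry is:

system32\drivers\tskA.tmp.
"""


def parse_dirquery(text):
    """Return {field: value} for each labelled value in a DirQuery report."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    report = {}
    for i, line in enumerate(lines[:-1]):
        if line in LABELS:
            # The post shows a trailing "." after the registry path; it may be
            # the poster's punctuation rather than DirQuery's, so strip it.
            report[LABELS[line]] = lines[i + 1].rstrip(".")
    return report


def check_driver(report):
    """Return a list of findings; an empty list means the three names agree."""
    module = report.get("module", "").lower()
    reg_path = report.get("registry_path", "").lower()
    drv_obj = report.get("driver_object", "").lower()
    if not module or not reg_path:
        return ["report incomplete: missing module or registry path"]
    findings = []
    reg_name = reg_path.replace("/", "\\").rsplit("\\", 1)[-1]
    # 1. The service's registry path should name the module owning the device.
    if reg_name != module:
        findings.append(
            f"registry path names '{reg_name}' but the device is owned by '{module}'")
    # 2. A boot driver's path should point at a .sys file, not a temp file.
    if not reg_name.endswith(".sys"):
        findings.append(f"registry path points at a non-.sys file: '{reg_name}'")
    # 3. The driver object name (\Driver\atapi) should match the module name.
    drv_name = drv_obj.rsplit("\\", 1)[-1]
    if drv_name and module != drv_name + ".sys":
        findings.append(
            f"driver object '{drv_name}' does not match module '{module}'")
    return findings


def audit(text):
    """Parse a report and return its findings in one call."""
    return check_driver(parse_dirquery(text))


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print("suspicious:", finding)
```

On a live XP system the same comparison can be made by hand: read the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\atapi and compare it with the module that DirQuery or GMER reports as owning the device. Two findings for the posted report (a name mismatch and a non-.sys path) is what a helper would expect to see here; a clean machine yields none.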

  • Staff

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  1. Please do not run any other tool until instructed to do so!
  2. Please reply to this thread, do not start another!
  3. Please tell me about any problems that have occurred during the fix.
  4. Please tell me of any other symptoms you may be having, as these can help also.
  5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly. When the tool is finished, it will produce a report for you.

Now that you have thrown every tool known to man at this thing:

  • Malwarebytes
  • DirQuery
  • Avenger
  • TDSSKiller
  • ComboFix
  • BlackLight rootkit eliminator
  • rkill
  • Trojan Remover
  • SUPERAntiSpyware
  • Spybot Search and Destroy
  • Hitman Pro 3.5

please don't run any more scans unless I ask you to. It makes it very hard to follow what is going on if you do things on your own.

Extra ComboFix report

I need to see one of the extra reports ComboFix makes:

  • Push the Windows key + R (the Windows key is between the Ctrl and Alt buttons).
  • Copy and paste the following into the box:

C:\ComboFix.txt

  • Click OK.
  • Copy and paste the report into this topic for me to review.

I would like to see a new GMER scan. Please use the settings below.

Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
  • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.

"Information and logs"

In your next post I need the following:

  1. the old log from ComboFix
  2. the new log from GMER
  3. let me know of any problems you may have had
  4. NO more running scans on your own!

Gringo

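Gringo asks for the C:\ComboFix.txt report. The following is an added example (my own code, not ComboFix's or the forum's) of how a helper could pre-screen the "Files Created" section of such a log before reading it by eye. The entry format (created date, modified date, size or dashes, attribute flags, path) is taken from the log posted later in this thread; the sample lines are copied from that log except for the tskA.tmp line, which is constructed from the DirQuery finding in the first post. The heuristics (random-looking names, non-.sys files in the drivers directory, files created in a window around the date the popups started) are my own.

```python
"""Triage the "Files Created" section of a ComboFix log.

Added example for this thread, not ComboFix's own code. Each entry has the
form

    <created> . <modified> <size or --------> <attrs> <path>

and the heuristics below only surface entries worth a closer look; they are
prompts for whoever reviews the log, not verdicts.
"""
import re
from datetime import datetime, timedelta

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Lines from the posted log, plus one constructed line (tskA.tmp) modelled on
# the DirQuery finding in the first post.
SAMPLE_LOG = r"""
2010-05-08 02:05 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-08 02:04 . 2010-05-08 02:04 -------- d-----w- c:\program files\Alwil Software
2010-05-08 01:13 . 2010-05-08 01:13 -------- d-----w- c:\windows\system32\ZoneLabs
2010-05-07 23:51 . 2010-05-07 23:51 127420 ----a-w- C:\ComboFix.zip
2010-05-07 22:01 . 2010-05-07 22:01 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-07 21:53 . 2010-05-08 00:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-05 03:11 . 2010-05-05 03:11 96512 ----a-w- c:\windows\system32\drivers\tskA.tmp
2010-04-26 23:06 . 2010-04-26 23:06 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\hfemtwkxt
2010-04-22 13:26 . 2010-04-25 16:52 -------- d-----w- C:\offmcbkup
"""

INFECTION_DATE = datetime(2010, 5, 5)   # the day the poster first saw the popups


def parse_entries(text):
    """Parse every line that matches the ComboFix entry format."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
        e["modified"] = datetime.strptime(e["modified"], "%Y-%m-%d %H:%M")
        e["size"] = None if e["size"].startswith("-") else int(e["size"])
        e["is_dir"] = e["attrs"].startswith("d")   # first flag is 'd' for directories
        entries.append(e)
    return entries


def looks_random(name):
    """Long, letters-only, lowercase, almost no vowels: 'hfemtwkxt' yes, 'zonelabs' no."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for c in name if c in "aeiouy")
    return vowels / len(name) < 0.2


def triage(text, infection_date, window_days=3):
    """Return (path, reason) pairs for entries that deserve a second look."""
    start = infection_date - timedelta(days=window_days)
    end = infection_date + timedelta(days=1)
    findings = []
    for e in parse_entries(text):
        path = e["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if looks_random(name):
            findings.append((e["path"], "random-looking name"))
        if "\\system32\\drivers\\" in path and not e["is_dir"] and not name.endswith(".sys"):
            findings.append((e["path"], "non-.sys file in the drivers directory"))
        if "\\system32\\" in path and not e["is_dir"] and start <= e["created"] < end:
            findings.append((e["path"], "created in the infection window"))
    return findings


def triage_sample():
    """Run the heuristics over the sample lines above."""
    return triage(SAMPLE_LOG, INFECTION_DATE)


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(f"{reason}: {path}")
```

On the sample, only the constructed tskA.tmp line and the hfemtwkxt directory are flagged; the security-tool drivers installed on May 7 and 8 fall outside the window and keep their .sys names. A legitimate directory with an unusual name will trip the name heuristic too, which is why Gringo's approach of reviewing the whole log still applies.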

Hello Gringo,

Thanks for your welcome and your selfless contribution to this forum for folks like me.

I will remember all your points and follow them. Sorry, I ran many tools. I thought I had an infection which I could fix by using one of those tools myself, which is why I used so many of them.

The ComboFix report is below and is also attached as combofixmay8.txt.

ComboFix 10-05-05.0B - Admin 05/08/2010 18:47:05.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.3163 [GMT -4:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-04-08 to 2010-05-08 )))))))))))))))))))))))))))))))

.

2010-05-08 02:05 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-05-08 02:05 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-05-08 02:05 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-05-08 02:05 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-05-08 02:05 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-05-08 02:05 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-05-08 02:05 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-05-08 02:05 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-05-08 02:05 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-05-08 02:04 . 2010-05-08 02:04 -------- d-----w- c:\program files\Alwil Software

2010-05-08 02:04 . 2010-05-08 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-05-08 01:13 . 2010-05-08 01:13 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2010-05-08 01:13 . 2009-11-22 19:42 69000 ----a-w- c:\windows\system32\zlcomm.dll

2010-05-08 01:13 . 2009-11-22 19:42 103816 ----a-w- c:\windows\system32\zlcommdb.dll

2010-05-08 01:13 . 2010-05-08 01:13 -------- d-----w- c:\windows\system32\ZoneLabs

2010-05-08 01:13 . 2009-11-22 19:42 1238408 ----a-w- c:\windows\system32\zpeng25.dll

2010-05-08 01:13 . 2010-05-08 01:13 -------- d-----w- c:\program files\Zone Labs

2010-05-08 01:12 . 2010-05-08 22:46 -------- d-----w- c:\windows\Internet Logs

2010-05-08 00:46 . 2010-05-08 00:46 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Opera

2010-05-08 00:45 . 2010-05-08 00:46 -------- d-----w- c:\program files\Opera

2010-05-08 00:30 . 2010-05-08 19:49 -------- d-----w- C:\New Folder

2010-05-07 23:51 . 2010-05-07 23:51 127420 ----a-w- C:\ComboFix.zip

2010-05-07 23:09 . 2010-05-07 23:09 -------- d-----w- c:\program files\CCleaner

2010-05-07 22:15 . 2010-05-07 22:15 -------- d-sh--w- c:\documents and settings\Assessment\IETldCache

2010-05-07 22:06 . 2010-05-07 22:06 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-05-07 22:06 . 2010-05-07 22:06 -------- d-----w- c:\program files\HJT

2010-05-07 22:05 . 2010-02-28 00:46 3691384 ----a-w- c:\documents and settings\Admin\Application Data\Simply Super Software\Trojan Remover\dqbF3.exe

2010-05-07 22:01 . 2010-05-07 22:01 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-07 21:53 . 2010-05-08 00:12 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-07 21:53 . 2010-05-07 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-07 21:53 . 2010-05-07 21:53 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-07 00:49 . 2010-05-07 00:49 63488 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-07 00:29 . 2010-05-07 00:44 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-07 00:28 . 2010-05-07 00:49 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-07 00:28 . 2010-05-07 00:28 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com

2010-05-06 19:08 . 2010-05-06 19:08 -------- d-----w- C:\ERDNT

2010-05-06 19:08 . 2010-05-06 19:08 -------- d-----w- C:\regbackupmay62010

2010-05-06 18:14 . 2006-06-19 16:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2010-05-06 18:14 . 2006-05-25 18:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2010-05-06 18:14 . 2005-08-26 04:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2010-05-06 18:14 . 2002-03-06 04:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2010-05-06 18:14 . 2003-02-02 23:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\program files\Trojan Remover

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2010-05-06 18:14 . 2010-05-06 18:14 -------- d-----w- c:\documents and settings\Admin\Application Data\Simply Super Software

2010-05-06 16:09 . 2010-05-06 16:09 0 ----a-w- C:\backup.reg

2010-05-06 15:46 . 2010-05-06 16:09 574 ----a-w- C:\cleanup.bat

2010-04-29 12:52 . 2010-04-29 12:52 755096 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2010-04-28 14:53 . 2010-04-28 14:53 -------- d-----w- c:\program files\Unstoppable Copier

2010-04-28 14:52 . 2010-05-07 22:07 -------- d-----w- c:\documents and settings\Admin\Application Data\TeraCopy

2010-04-28 14:52 . 2010-04-28 14:52 -------- d-----w- c:\program files\TeraCopy

2010-04-26 23:06 . 2010-04-26 23:06 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\hfemtwkxt

2010-04-22 13:26 . 2010-04-25 16:52 -------- d-----w- C:\offmcbkup

2010-04-20 19:30 . 2010-04-20 19:30 -------- d-----w- C:\Radia

2010-04-18 16:24 . 2010-04-18 16:24 -------- d-----w- c:\windows\system32\DRM

2010-04-15 12:52 . 2010-04-15 12:52 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll

2010-04-10 20:07 . 2010-04-10 20:07 -------- d-----w- c:\program files\PHP

2010-04-10 20:06 . 2010-04-10 20:06 -------- d-----w- c:\program files\Apache Software Foundation

2010-04-10 19:52 . 2010-04-10 19:52 -------- d-----w- c:\program files\ImageMagick-6.6.1-Q16

2010-04-08 23:07 . 2010-04-08 23:09 -------- d-----w- C:\xampplite

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-08 22:57 . 2009-12-14 20:09 -------- d-----w- c:\program files\Common Files\Akamai

2010-05-08 22:45 . 2010-05-08 02:15 2544703 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2010-05-08 21:54 . 2009-08-24 13:03 -------- d-----w- c:\documents and settings\Admin\Application Data\EditPlus 3

2010-05-08 19:34 . 2010-05-08 19:34 98045 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2010_05_08_15_28_23_small.dmp.zip

2010-05-08 19:28 . 2010-05-08 19:29 287744 ----a-w- c:\windows\Internet Logs\xDB1.tmp

2010-05-08 19:28 . 2010-05-08 19:29 1587712 ----a-w- c:\windows\Internet Logs\xDB2.tmp

2010-05-08 02:20 . 2009-06-15 21:29 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-08 02:03 . 2009-06-11 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-08 00:20 . 2009-11-11 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-05-07 22:16 . 2009-06-15 21:29 117760 ----a-w- c:\documents and settings\Assessment\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-07 22:05 . 2009-11-11 19:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-05-06 21:23 . 2009-09-17 20:26 -------- d-----w- c:\program files\Trend Micro

2010-05-06 19:10 . 2006-02-28 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-05-06 12:52 . 2010-02-18 13:52 443344 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-05-06 12:40 . 2010-03-15 18:53 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-05-05 22:11 . 2009-11-11 23:19 -------- d-----w- c:\program files\Malwarebytes Anti-Malware

2010-05-05 22:07 . 2010-02-06 02:34 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-05-05 21:08 . 2009-08-26 18:59 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF

2010-04-29 19:39 . 2009-11-11 23:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 19:39 . 2009-11-11 23:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 19:24 . 2009-08-25 22:04 -------- d-----w- c:\documents and settings\Admin\Application Data\Nitro PDF

2010-04-27 00:04 . 2009-10-09 14:28 -------- d-----w- c:\documents and settings\Admin\Application Data\HPAppData

2010-04-26 19:47 . 2009-11-05 16:48 -------- d-----w- c:\documents and settings\Admin\Application Data\Download Manager

2010-04-24 19:43 . 2010-01-17 20:33 -------- d-----w- c:\program files\Files

2010-04-24 01:03 . 2009-12-08 23:53 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc

2010-04-20 14:31 . 2009-06-16 18:48 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-20 00:45 . 2009-08-25 13:19 88744 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-19 20:10 . 2009-06-11 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-07 18:49 . 2009-12-01 15:54 -------- d-----w- c:\documents and settings\Admin\Application Data\XnView

2010-04-07 18:43 . 2010-04-07 18:43 -------- d-----w- c:\program files\XnView

2010-04-05 15:56 . 2010-04-05 15:55 -------- d-----w- c:\documents and settings\scan\Application Data\HPAppData

2010-04-02 15:45 . 2009-11-11 20:09 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-24 20:26 . 2010-03-24 20:26 -------- d-----w- c:\documents and settings\Admin\Application Data\dvdcss

2010-03-24 19:33 . 2010-03-24 19:33 -------- d-----w- c:\documents and settings\Admin\Application Data\IndigoRose

2010-03-24 19:33 . 2010-03-24 19:33 -------- d-----w- c:\program files\AutoPlay Media Studio 7.0 Trial

2010-03-24 19:32 . 2009-08-25 21:29 -------- d-----w- c:\documents and settings\Admin\Application Data\Downloaded Installations

2010-03-19 18:25 . 2009-06-11 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-03-19 18:24 . 2010-03-19 18:24 -------- d-----w- c:\program files\R_MANUAL_AD

2010-03-19 15:10 . 2010-03-19 15:10 -------- d-----w- c:\program files\Common Files\RDPrint

2010-03-19 15:10 . 2010-03-19 15:10 2255 ----a-w- c:\windows\PmData.Dat

2010-03-19 15:10 . 2010-03-19 15:10 -------- d-----w- c:\program files\RDS

2010-03-15 18:53 . 2010-03-15 18:53 -------- d-----w- c:\documents and settings\Admin\Application Data\Thunderbird

2010-03-11 15:20 . 2010-03-11 15:19 -------- d-----w- c:\program files\Common Files\Gravic

2010-03-11 15:20 . 2010-03-04 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Gravic

2010-03-11 15:20 . 2010-03-11 15:20 -------- d-----w- c:\program files\Gravic

2010-03-11 15:19 . 2010-03-11 15:19 -------- d-----w- c:\program files\Principia Products

2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-18 13:52 . 2010-02-18 13:52 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-02-18 13:52 . 2010-02-18 13:52 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys

2010-02-18 13:52 . 2010-02-18 13:52 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll

2010-02-18 13:52 . 2010-02-18 19:36 15880 ----a-w- c:\windows\system32\lsdelete.exe

2010-02-18 13:52 . 2010-02-18 13:52 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll

2010-02-18 13:52 . 2010-02-18 13:52 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll

2010-02-17 19:30 . 2010-02-17 19:30 107913 ----a-w- c:\windows\News Rover Uninstaller.exe

2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((( SnapShot_2010-05-07_22.49.46 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll

+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll

+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll

+ 2010-05-08 22:45 . 2010-05-08 22:45 16384 c:\windows\temp\Perflib_Perfdata_3b8.dat

+ 2010-05-08 01:13 . 2009-11-22 19:42 99208 c:\windows\system32\ZoneLabs\zlquarantine.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 65928 c:\windows\system32\ZoneLabs\zatray.exe

+ 2010-05-08 01:13 . 2009-11-22 19:43 20872 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 14216 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 43912 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 85384 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 37256 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 18824 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 10120 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 11144 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 14216 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12168 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 11144 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 29064 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 12680 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 35720 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 38280 c:\windows\system32\ZoneLabs\featuremap.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 98184 c:\windows\system32\ZoneLabs\fbl.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 74632 c:\windows\system32\ZoneLabs\camupd.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 41864 c:\windows\system32\vswmi.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 58248 c:\windows\system32\vsregexp.dll

+ 2006-02-28 12:00 . 2010-05-08 22:49 83950 c:\windows\system32\perfc009.dat

+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 141192 c:\windows\system32\ZoneLabs\zlupdate.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 172936 c:\windows\system32\ZoneLabs\vsvault.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 210824 c:\windows\system32\ZoneLabs\vsdb.dll

+ 2010-05-08 01:13 . 2007-10-11 20:51 832984 c:\windows\system32\ZoneLabs\updating.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 434568 c:\windows\system32\ZoneLabs\ssleay32.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 135048 c:\windows\system32\ZoneLabs\scheduler.dll

+ 2010-05-08 01:13 . 2009-07-14 03:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 119688 c:\windows\system32\ZoneLabs\lib\zui.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 267656 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:43 175496 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 368008 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 139144 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 376712 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll

+ 2010-05-08 01:12 . 2009-10-10 00:33 579048 c:\windows\system32\ZoneLabs\icslta.dll

+ 2010-05-08 01:13 . 2008-03-17 20:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 109960 c:\windows\system32\vsxml.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 621960 c:\windows\system32\vsutil.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 299912 c:\windows\system32\vspubapi.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 107912 c:\windows\system32\vsmonapi.dll

+ 2010-05-08 01:12 . 2009-11-22 19:42 227720 c:\windows\system32\vsinit.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 486280 c:\windows\system32\vsdatant.sys

+ 2010-05-08 01:12 . 2009-11-22 19:42 112008 c:\windows\system32\vsdata.dll

+ 2006-02-28 12:00 . 2010-05-08 22:49 483164 c:\windows\system32\perfh009.dat

+ 2010-01-22 19:43 . 2010-05-07 23:05 219024 c:\windows\system32\inetsrv\MetaBase.bin

+ 2010-05-08 02:05 . 2010-05-08 02:05 219648 c:\windows\Installer\298f7a.msi

+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll

+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll

+ 2010-05-08 01:13 . 2009-11-22 19:42 1789320 c:\windows\system32\ZoneLabs\vsruledb.dll

+ 2010-05-08 01:13 . 2009-11-22 19:44 2384240 c:\windows\system32\ZoneLabs\vsmon.exe

+ 2010-05-08 01:13 . 2009-11-22 19:43 1536392 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll

+ 2010-05-08 00:46 . 2010-05-08 00:46 2631680 c:\windows\Installer\367d6.msi

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

c:\documents and settings\Assessment\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2010-05-07 00:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Admin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]

2005-01-07 22:07 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]

2007-08-30 19:08 229481 ----a-w- c:\program files\RDS\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

2009-08-20 18:25 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]

2007-08-30 19:30 49254 ----a-w- c:\program files\RDS\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2006-10-30 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2008-06-13 19:50 16871936 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-08-11 14:47 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]

2010-02-28 00:17 1165192 ----a-w- c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NitroDriverReadSpool"=2 (0x2)

"LightScribeService"=3 (0x3)

"JavaQuickStarterService"=3 (0x3)

"IviRegMgr"=2 (0x2)

"Microsoft Office Groove Audit Service"=3 (0x3)

"stllssvr"=3 (0x3)

"sofatnet"=2 (0x2)

"RoxMediaDB9"=3 (0x3)

"JRun Default"=2 (0x2)

"JRun Admin"=2 (0x2)

"ColdFusion 8 Search Server"=3 (0x3)

"ColdFusion 8 ODBC Server"=3 (0x3)

"ColdFusion 8 ODBC Agent"=3 (0x3)

"ColdFusion 8 Application Server"=2 (0x2)

"ColdFusion 8 .NET Service"=3 (0x3)

"MySQL"=3 (0x3)

"WinDefend"=2 (0x2)

"Nero BackItUp Scheduler 4.0"=3 (0x3)

"Remark FTP Utility"=3 (0x3)

"Radstgms"=2 (0x2)

"radsched"=2 (0x2)

"radexecd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Adobe\\Flex Builder 3\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\Files\\nbpro.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3306:TCP"= 3306:TCP:MySQL

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"1054:TCP"= 1054:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/18/2010 9:53 AM 64288]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/7/2010 10:05 PM 164048]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/26/2009 10:05 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 68168]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [2/28/2006 8:00 AM 14336]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/7/2010 10:05 PM 19024]

R3 ATNICm5;Allied Telesyn PCI Ethernet Adapter NDIS 5.1 Driver;c:\windows\system32\drivers\atnicm51.sys [9/27/2004 8:28 AM 38144]

S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [5/7/2010 5:53 PM 15944]

S3 Macromedia JRun Admin Server;Macromedia JRun Admin Server;c:\jrun4\bin\jrunsvc.exe [1/22/2010 5:08 PM 65536]

S3 Macromedia JRun CFusion Server;Macromedia JRun CFusion Server;c:\jrun4\bin\jrunsvc.exe [1/22/2010 5:08 PM 65536]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 12872]

S4 ColdFusion 8 .NET Service;ColdFusion 8 .NET Service;c:\coldfusion8dotnetservice\CF8DotNetsvc.exe [1/22/2010 5:10 PM 77824]

S4 ColdFusion 8 ODBC Agent;ColdFusion 8 ODBC Agent;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swagent.exe "ColdFusion 8 ODBC Agent" --> c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swagent.exe ColdFusion 8 ODBC Agent [?]

S4 ColdFusion 8 ODBC Server;ColdFusion 8 ODBC Server;c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swstrtr.exe "ColdFusion 8 ODBC Server" --> c:\jrun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver54\bin\swstrtr.exe ColdFusion 8 ODBC Server [?]

S4 ColdFusion 8 Search Server;ColdFusion 8 Search Server;c:\jrun4\verity\k2\_nti40\bin\k2admin.exe [1/22/2010 5:06 PM 2743056]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1285864]

S4 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [6/15/2009 12:56 PM 188736]

S4 radexecd;HP OVCM Notify Daemon;c:\program files\Hewlett-Packard\CM\Agent\radexecd.exe [8/15/2007 4:02 PM 258222]

S4 radsched;HP OVCM Scheduler Daemon;c:\program files\Hewlett-Packard\CM\Agent\radsched.exe [7/20/2007 3:54 PM 172208]

S4 Radstgms;HP OVCM MSI Redirector;c:\program files\Hewlett-Packard\CM\Agent\Radstgms.exe [7/20/2007 3:54 PM 315568]

S4 Remark FTP Utility;Remark FTP Utility;c:\program files\Common Files\Gravic\RemarkFTPUtility12.exe [9/25/2009 12:37 PM 65024]

S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 12:52]

2009-11-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-05-07 c:\windows\Tasks\Norton Security Scan for Assessment.job

- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-08-05 22:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.famu.edu/

TCP: {073811F5-8595-4AEE-9BAF-861FA628DBD2} = 168.223.2.3,168.223.3.20

FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\pgg04e11.default\

FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\Microsoft\Web Platform Installer\NPWPIDetector.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-08 18:57

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

@=""

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

.

Completion time: 2010-05-08 19:02:22

ComboFix-quarantined-files.txt 2010-05-08 23:02

ComboFix2.txt 2010-05-07 23:06

ComboFix3.txt 2009-09-17 01:54

Pre-Run: 126,028,136,448 bytes free

Post-Run: 126,064,828,416 bytes free

- - End Of File - - A02B00CB2C7CC670AE0FB69764BB0EEE

Regarding Gmer, I tried running it after disabling Avast (my anti-virus), but it froze, so I don't have its log. I tried running Gmer in normal mode of Windows with no other programs running. I allowed it 11 hours to finish, but it still did not complete, so in the end I had to manually power off my computer and restart it, as Windows also was not responding.

Should I try running Gmer in Safe Mode of Windows, which might allow it to complete?

Please let me know if you need more information.

Thanks for your help.

ComboFixmay8.txt


  • Staff

Greetings

extra combofix report

I need to see one of the extra reports combofix makes

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box

C:\qoobox\ComboFix2.txt

  • click ok
  • and also do the following
    C:\qoobox\ComboFix3.txt


  • copy and paste these reports into this topic for me to review

I still would like to see the report from Gmer

"information and logs"

  • In your next post I need the following
  1. the two combofix reports
  2. the report from GMER
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Hi Gringo,

The ComboFix2.txt and ComboFix3.txt are attached. When I tried to post the text of ComboFix2.txt and reply, I got the message "Request Entity Too Large

The requested resource

/index.php

does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit. "

Apparently, the message length was more than what is allowed in this text box.

I could not run Gmer, as it runs OK for a while and then freezes. I will try again to run it. This is the way I am running it: I disable my Avast antivirus until I restart my machine (as I don't know how long GMER may run), I start GMER by double-clicking the exe, uncheck the three options you mentioned, and click Start, which seems OK for a while and then freezes, making me manually reset the machine by resetting the power. Am I doing anything wrong while running GMER?

Also, I am attaching the log file of my firewall ZoneAlarm (Zalog.txt), as I see some strange things like

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (65.197.244.165:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (96.6.40.13:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.140:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.135:Port 3478).,N/A,N/A

and PE,2010/05/09,13:23:22 -4:00 GMT,Java Quick Starter binary,C:\Program Files\Java\jre6\bin\jqsnotify.exe,127.0.0.1:5152,N/A

Quick Starter binary should not be starting up or running, as it is not shown in my start-up list of programs.

Computer seems OK for now, Firefox did not have redirects, but the logs from ZoneAlarm confuse me.

Thanks for your help and time

ComboFix2.txt

ComboFix3.txt

ZALog.txt


  • Staff

hello

thanks for the logs, I will go thru them now.

Are you still getting redirects?

if you keep having problems with Gmer, then try it this way.

I would like you to delete the Gmer you have now and download this version from here.

GMER:

I would like you to download this "special version of gmer." and save it to your desktop.

  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.

GMER_2.png

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • devices (don't miss this one) <--this one is different than the picture
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file, which cannot be uploaded to your post.

  • Save it where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

If Gmer runs, then please give me the log and pass on the next step.

If Gmer still does not run, and only if it does not run, please do the following.

I would like you to try and run Gmer in Safe Mode; to enter Safe Mode, do the following.

Boot into Safe Mode

Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

If Gmer does run to the end, please send me the log in your next reply, and if it still does not run, please let me know and we will try something else.

"information and logs"

  • In your next post I need the following
  1. log from Gmer
  2. let me know of any problems you may have had
  3. How is the computer doing now?

Gringo


Hi,

Thanks for the prompt reply.

Gmer did not run in normal mode of Windows. While it was running, Windows suddenly rebooted. I tried to go into Safe Mode and run it, but I could not go into Safe Mode, as after the drivers below were loaded there was no further movement, so I had to reset the machine manually.

C:\Windows\system32\drivers\Lbd.sys

C:\Windows\system32\drivers\DRVMCDB.sys

C:\Windows\system32\drivers\PxHelp20.sys

C:\Windows\system32\drivers\KseCDD.sys

C:\Windows\system32\drivers\Ntfs.sys

C:\Windows\system32\drivers\MDIS.sys

C:\Windows\system32\drivers\mup.sys

Apparently, I can't go into Safe Mode now.

When I was restarting Windows, I got a message that Windows needs to do a disk consistency test for my hard disks. I canceled the disk consistency checking.

When I finished booting into Windows, I got a message that Windows has recovered from a serious error and wants to send the information to Microsoft. I wanted to see the error report and found that the files below will be sent.

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER73b9.dir00\Mini050910-01.dmp

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER73b9.dir00\sysdata.xml

But, when I wanted to find the location of the files I could not find them.

Since the GMER run terminated prematurely, there are two dump files in location

C:\DOCUME~1\Admin\LOCALS~1\Temp\WER86e2.dir00

called gl5x32s1.exe.hdmp and gl5x32s1.exe.mdmp

I have attached them as gl5x32s1.exe.hdmp.zip (compressed, as the original size was 16MB and this one is some 6MB) and gl5x32s1.exe.mdmp.txt (as gl5x32s1.exe.mdmp may not be allowed to upload, so I added an extension .txt to it).

You can view them to determine the cause of the error of Gmer terminating prematurely. They appear to be in hex, and I don't have a hex editor, and they make more sense to you than to me.

Computer seems to be running OK for now.

If there is any other way I can run GMER or any other rootkit scanning program, please advise.

Thanks for your help and time.

gl5x32s1.exe.hdmp.zip

gl5x32s1.exe.mdmp.txt


  • Staff

Hello

Ok, let's try this one

RootRepeal Beta

  • Please download RootRepeal Beta and save it to your Desktop.
  • close all other programs then run it by double-clicking on the file named RootRepeal.exe
  • Once the main window shows up, please click on the Report button on the bottom of the window.
  • Next, please click the Scan button.
  • Another window will pop up asking you to select what to include in the scan. Please uncheck everything except for the Stealth Code checkbox, and then click OK.
  • Once the program has finished scanning, the results will appear. Click on the Save Report button, and save the report to your Desktop.
  • Please post the log in your next reply.

gringo


Hi,

Thanks for your reply. I ran RootRepeal as per your instructions (unchecking everything except Stealth Code). It ran for hardly 2 seconds and it was done. Does it run that quickly? The report is below and also attached.

ROOTREPEAL © AD, 2007-2010

==================================================

Report Save Time: 2010/05/10 09:21

Program Version: Version 2.0.0.0

Windows Version: Windows XP SP3

==================================================

STEALTH CODE

-------------------

Thanks

Rootrepeal_report.txt


Hi Gringo,

So far, no redirects while I was using Firefox. I guess I should be OK.

Should I be worried about the strange things I saw in the ZoneAlarm firewall log, which are listed below?

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (65.197.244.165:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (96.6.40.13:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.140:Port 3478).,N/A,N/A

ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.135:Port 3478).,N/A,N/A

Also, how about the fact that I can't get into Safe Mode now?

Thanks for your help.

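The four ACCESS lines quoted in this post, and in the earlier one, share one shape: the same host process, the same time, the same remote port, four different remote hosts. The parser below is an added example, not part of the thread or of ZoneAlarm's tooling; its sample input is the lines copied from the posts above, and it groups blocked inbound events by port so that a pattern like "many remote hosts, one port" stands out before anyone jumps to conclusions about malware.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ZoneAlarm lines quoted in the thread, copied verbatim.
# Field layout: TYPE,date,time zone,description/program[,path,endpoint],N/A,N/A
SAMPLE_LOG = r"""
ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (65.197.244.165:Port 3478).,N/A,N/A
ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (96.6.40.13:Port 3478).,N/A,N/A
ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.140:Port 3478).,N/A,N/A
ACCESS,2010/05/09,12:40:30 -4:00 GMT,Generic Host Process for Win32 Services was blocked from accepting a connection from the Internet (77.67.10.135:Port 3478).,N/A,N/A
PE,2010/05/09,13:23:22 -4:00 GMT,Java Quick Starter binary,C:\Program Files\Java\jre6\bin\jqsnotify.exe,127.0.0.1:5152,N/A
"""

# "(65.197.244.165:Port 3478)" inside an ACCESS description
_ENDPOINT = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3}):Port (\d+)\)")
# "127.0.0.1:5152" as its own field on a PE (program event) line
_HOSTPORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


@dataclass
class ZAEvent:
    kind: str              # "ACCESS" (blocked inbound connection) or "PE" (program event)
    timestamp: str         # e.g. "2010/05/09 12:40:30 -4:00 GMT"
    program: str           # process name as ZoneAlarm reports it
    path: Optional[str]    # executable path; only PE lines carry it
    remote_ip: Optional[str]
    port: Optional[int]


def parse_line(line: str) -> Optional[ZAEvent]:
    """Parse one ZoneAlarm log line; return None for lines of a shape we do not handle."""
    fields = line.strip().split(",")
    if len(fields) < 4:
        return None
    kind, stamp = fields[0], f"{fields[1]} {fields[2]}"
    if kind == "ACCESS":
        desc = fields[3]
        m = _ENDPOINT.search(desc)
        if not m:
            return None
        # The program name is everything before " was blocked ..."
        program = desc.split(" was blocked", 1)[0]
        return ZAEvent(kind, stamp, program, None, m.group(1), int(m.group(2)))
    if kind == "PE" and len(fields) >= 6:
        m = _HOSTPORT.match(fields[5])
        ip, port = (m.group(1), int(m.group(2))) if m else (None, None)
        return ZAEvent(kind, stamp, fields[3], fields[4], ip, port)
    return None


def parse_log(text: str) -> list:
    """Parse all lines, silently skipping blanks and unrecognised shapes."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def blocked_inbound_by_port(events) -> dict:
    """Group blocked inbound ACCESS events by remote port: {port: sorted unique remote IPs}.

    Many distinct remote hosts hitting one port on one process points at a service
    the machine itself advertises (or a peer-to-peer component it runs), which is
    the first thing to check before treating the addresses as hostile.
    """
    by_port = defaultdict(set)
    for ev in events:
        if ev.kind == "ACCESS" and ev.port is not None:
            by_port[ev.port].add(ev.remote_ip)
    return {port: sorted(ips) for port, ips in by_port.items()}


def loopback_program_events(events) -> list:
    """PE events whose endpoint is 127.0.0.1: local-only traffic that never left the host."""
    return [ev for ev in events if ev.kind == "PE" and ev.remote_ip == "127.0.0.1"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for port, ips in blocked_inbound_by_port(evs).items():
        print(f"port {port}: {len(ips)} distinct remote hosts blocked -> {', '.join(ips)}")
    for ev in loopback_program_events(evs):
        print(f"loopback only: {ev.program} ({ev.path}) on port {ev.port}")
```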

  • Staff

Hello

please run this tool to fix booting into Safe Mode and let me know if it worked

SafeBoot Key Repair

Please download SafeBootKeyRepair ... by sUBs. Save to your desktop.

  1. Double click on SafeBootKeyRepair.exe to run it.
    A window will open showing only "Please wait..." The process may take a few minutes, so let it run.
  2. When finished, Notepad will open with a report, saved at C:\SafeBoot_Repair.txt
  3. Please copy and paste the contents of the SafeBoot_Repair.txt file in your next reply.

Please try to boot to Safe Mode now... let me know if you still have problems.

All the addresses you have listed are from one company, Akamai Technologies. It is a legit company, I would not worry about that too much; it has to do with a program you have installed on your computer.

Your Java is out of date.

It can be updated by the Java control panel

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts
  • After the update is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

:Kaspersky scan:

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

"information and logs"

  • In your next post I need the following
  1. Log From MBAM
  2. Log From Kaspersky
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo


Hi Gringo,

I am able to get into SafeBoot now.

I updated Java, ran TFC and the quick MBAM scan (after updating its database).

But Kaspersky I could not, as the database update of its engine definitions seems to take forever. I am still trying. Could it be because my Avast antivirus is active, which might be blocking something? I am on a fiber optic network connection where a 1MB file can be downloaded in a second, but downloading some 95MB of the definitions seems to take an indefinite time. I realize distance from the server matters, but still the time to get 95MB is excessive.

Log of MBAM is attached.

Computer seems to be fine now.

My Windows System Restore was off all the time (from before I got the malware till now).

Thanks a lot for your help and time.

MBAMlogMay10.txt


Hi Gringo,

After a few minutes, the Kaspersky scan database update gives a message "Update timeout" and stops the process.

The whole message is below:

The program is starting. Please wait...

Updates source is selected: http://www.kaspersky.com

File download: packages/kos-extras.jar

null

null

Updates source is selected: http://downloads2.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/kavset.xml.klz

File download: bases/five/avc/kavset.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads3.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: http://downloads3.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: http://downloads1.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: http://downloads5.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads5.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: ftp://downloads2.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: http://downloads4.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Updates source is selected: ftp://downloads4.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

Updates source is selected: ftp://downloads1.kaspersky-labs.com/

File download: index/master.xml.klz

File download: bases/five/avc/black.lst

Update timeout

Update timeout

0 [ERROR: Update timeout]

If you want me to disable Avast, restart the machine or have any other suggestion, please let me know.

Thanks


  • Staff

greetings

go ahead and shut off Avast

and try to use ESET if you still have problems with Kaspersky

Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

gringo


Hi Gringo,

Below is the log from the ESET online scanner:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=eab63a93b8f3b748826fd0489039f939

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-05-11 11:53:40

# local_time=2010-05-11 07:53:40 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 321653 321653 0 0

# compatibility_mode=768 16777191 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# compatibility_mode=9217 16777214 75 70 0 13753233 0 0

# scanned=212991

# found=0

# cleaned=0

# scan_time=32942

It did not find anything else. But a program called BrowserPlus has got installed on my system. Could it be related to the ESET online scanner (when I ran its ActiveX control) or something else?

Thank you for your help.

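The ESET Online Scanner writes its settings and counters as `# key=value` lines at the top of log.txt, so the log posted above can be checked mechanically against the options the staff post asked for (Remove found threats unticked, Scan Archives, potentially unwanted/unsafe applications and Anti-Stealth ticked). The Python below is an added example, not part of the thread and not ESET's own code; the sample log text is constructed from the fields posted above, and the meaning of each field is assumed from its name.

```python
"""Check an ESET Online Scanner log.txt header against the requested options.

Added example (not from the thread, not ESET code). The '# key=value' lines
are taken from the log posted above; SAMPLE_LOG is constructed from them.
Field meanings are assumed from their names.
"""

SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# api_version=3.0.2
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-05-11 11:53:40
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 321653 321653 0 0
# compatibility_mode=768 16777191 100 0 0 0 0 0
# scanned=212991
# found=0
# cleaned=0
# scan_time=32942
"""

# The settings the staff post asked for, as the log records them.
REQUESTED = {
    "remove_checked": "false",      # "Remove found threats" unticked
    "archives_checked": "true",     # "Scan Archives" ticked
    "unwanted_checked": "true",     # "Scan for potentially unwanted applications"
    "unsafe_checked": "true",       # "Scan for potentially unsafe applications"
    "antistealth_checked": "true",  # "Enable Anti-Stealth Technology"
}


def parse_eset_log(text):
    """Collect the '# key=value' header lines into a dict.

    Lines without the '#' prefix (installer chatter, detection listings) are
    skipped. A key that repeats, such as compatibility_mode, becomes a list.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#") or "=" not in line:
            continue
        key, _, value = line[1:].partition("=")
        key, value = key.strip(), value.strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def check_scan(fields, requested=REQUESTED):
    """Return (problems, summary).

    problems lists every requested option the scan did not honour, plus an
    entry if the scan did not run to completion; an empty list means the log
    can be read at face value. summary carries the counters as integers.
    """
    problems = []
    if fields.get("end") != "finished":
        problems.append("scan did not finish (end=%s)" % fields.get("end"))
    for key, want in requested.items():
        got = fields.get(key)
        if got != want:
            problems.append("%s=%s, expected %s" % (key, got, want))
    summary = {k: int(fields.get(k, 0)) for k in ("scanned", "found", "cleaned")}
    # With remove_checked=false nothing is cleaned by design, so found > 0
    # means detections are listed further down the log and still need action.
    summary["needs_action"] = summary["found"] > summary["cleaned"]
    return problems, summary


if __name__ == "__main__":
    parsed = parse_eset_log(SAMPLE_LOG)
    issues, stats = check_scan(parsed)
    print("problems:", issues or "none")
    print("summary:", stats)
```

The point of the `needs_action` flag is the one a helper reads the log for: because removal was deliberately left unticked, `cleaned` stays at 0 whatever was found, so `found` has to be compared with it rather than read in isolation.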

  • Staff

Hello

BrowserPlus - http://browserplus.yahoo.com/

You can uninstall it from add/remove programs - Yahoo! BrowserPlus

Very well done! This is my general post for when your logs show no more signs of malware :) Please let me know if you are still having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:Uninstall ComboFix:

  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" button and the "Alt" button).
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

:Make your Internet Explorer more secure:

  • please visit this page that gives instructions to do this
http://surfthenetsafely.com/ieseczone8.htm

:Turn On Automatic Updates:

  • Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): "Automatically download recommended updates for my computer and install them".
    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed.
    After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume.
    When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.
    Or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

  • You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them also.
    I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly:
    • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee.
    • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine.

please read this great article by miekiemoes How to prevent Malware:

and

this great article by Tony Klein So How Did I Get Infected In First Place

Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

Malware Complaints

If you were infected .... Stand Up and be Counted.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

Gringo


Hi Gringo,

Avast did a boot scan and found the below:

A tightvnc-1.3.10-setup.exe\{app3}\Vncnooks.dll was infected by Win 32:PUP.gen. Since it was a boot scan (which Avast claims is done before Windows files/drivers are loaded), would it be serious?

It reported that another file (a CHM file) was corrupted.

I did not allow the boot scan to complete, as I needed the machine and Avast stops when it finds an infected file (and asks what to do with it). I told it to repair the Vncnooks.dll file, which it could not, so I told it to delete it. There might be more infected files, but how can I configure Avast to scan everything and then list what it found, which McAfee does at the end of a scan?

What would you advise?

Thanks for your help.


Hi Gringo,

Here is the MBR.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

kernel: MBR read successfully

user & kernel MBR OK

Thanks

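The MBR log above records two separate reads of sector 0 ("user: MBR read successfully", "kernel: MBR read successfully") and then the verdict "user & kernel MBR OK", which is the detector reporting that the two reads agree: a bootkit that filters disk reads would hand user-mode code a clean copy while the sector actually on disk differs. The Python below is an added example, not part of the thread and not GMER's code, showing what that comparison and the basic sector sanity checks amount to. Both sample sectors are constructed in the code; the "hooked" one keeps the partition table and only differs in its boot code, since that is the part a bootkit replaces while leaving the disk bootable. On a real machine the two buffers would come from different read paths, which this offline example cannot reproduce.

```python
"""Compare a user-mode and a kernel-mode read of the MBR, as a stealth-MBR
detector does, and sanity-check the sector.

Added example: not part of the thread and not GMER's own code. The two
sample sectors are constructed here; HOOKED_MBR keeps the partition table but
has different boot code, which is what a mismatch between the two reads
would look like. Layout facts used: 446 bytes of boot code, four 16-byte
partition entries from offset 446, 0x55AA signature at offset 510.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG_OFFSET = 510
BOOT_SIG = b"\x55\xAA"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR. partitions: up to four
    (bootable, type, lba_start, sector_count) tuples; CHS fields stay zero."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:PART_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
            lba_start, count)
    sector[BOOT_SIG_OFFSET:] = BOOT_SIG
    return bytes(sector)


def parse_partitions(sector):
    """Return the populated partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(user_read, kernel_read):
    """Return a list of findings; an empty list is the 'user & kernel MBR OK' case."""
    findings = []
    for name, sector in (("user", user_read), ("kernel", kernel_read)):
        if len(sector) != MBR_SIZE:
            findings.append("%s: %d bytes read, expected %d" % (name, len(sector), MBR_SIZE))
        elif sector[BOOT_SIG_OFFSET:] != BOOT_SIG:
            findings.append("%s: missing 55AA boot signature" % name)
    if user_read != kernel_read:
        n = min(len(user_read), len(kernel_read))
        diff = [i for i in range(n) if user_read[i] != kernel_read[i]]
        first = diff[0] if diff else n
        region = "boot code" if first < PART_TABLE_OFFSET else "partition table or signature"
        findings.append("user and kernel reads differ: %d byte(s), first at offset %d (%s)"
                        % (len(diff) + abs(len(user_read) - len(kernel_read)), first, region))
    return findings


# Constructed samples: a 'jmp $' stub stands in for real boot code.
PARTITIONS = [(True, 0x07, 63, 312576642)]          # one bootable type-0x07 (NTFS) entry
CLEAN_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 30, PARTITIONS)
HOOKED_MBR = build_mbr(b"\xE9\x00\x00" + b"\x90" * 29, PARTITIONS)  # same table, other code

if __name__ == "__main__":
    print("clean vs clean:", check_mbr(CLEAN_MBR, CLEAN_MBR) or "user & kernel MBR OK")
    print("clean vs hooked:", check_mbr(CLEAN_MBR, HOOKED_MBR))
    print("partitions:", parse_partitions(CLEAN_MBR))
```

The region label matters when reading such a result: a difference confined to the first 446 bytes with an intact partition table is the signature of replaced boot code, whereas a bad 55AA signature or a changed table points at a damaged or mis-read sector rather than at stealth.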

Hi Gringo,

Avast boot scan found another infection, Win 32: Alureon: FZ. I asked it to delete it, but I don't know how many such infected files exist which Avast detects only during a boot scan.

I know about the program TightVNC; I haven't used it, but it was present on my machine in case I needed to remotely connect to another machine.

What do you think I should do about the infections Avast finds during a boot scan?


  • Staff

Hello

Can you give me the file path? Where does it say this infection is?

try this scan please

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.

gringo


This topic is now closed to further replies.