
Posting scan results as instructed



Hello,

I am posting my scan results below as instructed.

Thanks in advance for any help.

The forum won't let me post the GMER results, so I will try to attach them.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.2180

8/24/2010 1:11:44 PM

mbam-log-2010-08-24 (13-11-44).txt

Scan type: Quick scan

Objects scanned: 136419

Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Defogger:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 13:58 on 24/08/2010 (Steve)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Steve at 13:59:01.32 on Tue 08/24/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1351 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\CDBurnerXP\NMSAccessU.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\snmp.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Steve\Desktop\Defogger.exe

C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://partnerpage.google.com/harnessnature.com

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: WCNetMon Class: {3be313c3-dad6-4da6-801d-75860118a0b5} - c:\program files\blcorp\wccsc\wcpstop\wcpstop.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: {64d5be0c-0c87-4a65-bc7a-654dbf86bdb9} - StoreSync

EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File

uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe

mRun: [CTSysVol] c:\program files\rocketfish\rf5.1\surround mixer\CTSysVol.exe /r

mRun: [nwiz] nwiz.exe /install

mRun: [Logitech Utility] Logi_MwX.Exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit

IE: Append Link Target to Existing PDF

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA}

Trusted Zone: frame.crazywinnings.com

Trusted Zone: frame.crazywinnings.com

DPF: Microsoft XML Parser for Java

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\uo97cxdn.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/harnessnature.com

FF - prefs.js: keyword.URL - hxxp://www.google.org/cgi-bin/nbbw.cgi?Gw=

FF - plugin: c:\documents and settings\steve\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [2010-6-10 149376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-30 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-30 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-30 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-30 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-30 308136]

R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [2002-10-27 6144]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB18 [?]

S0 szkg5;szkg;c:\windows\system32\drivers\szkg.sys --> c:\windows\system32\drivers\szkg.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]

S3 cpuz132;cpuz132;\??\c:\docume~1\steve\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\steve\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 MTIUSB;MTIUSB;c:\windows\system32\drivers\mtiusb.sys [2009-5-14 11264]

S3 wdm_au8810;Aureal Vortex 8810 Audio Driver (WDM);c:\windows\system32\drivers\adm8810.sys [2002-10-27 584448]

=============== Created Last 30 ================

2010-08-24 18:58:26 0 ----a-w- c:\documents and settings\steve\defogger_reenable

2010-08-24 17:50:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-24 17:50:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-24 17:50:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-20 01:38:51 0 d-sha-r- C:\cmdcons

2010-08-20 01:37:17 98816 ----a-w- c:\windows\sed.exe

2010-08-20 01:37:17 77312 ----a-w- c:\windows\MBR.exe

2010-08-20 01:37:17 256512 ----a-w- c:\windows\PEV.exe

2010-08-20 01:37:17 161792 ----a-w- c:\windows\SWREG.exe

2010-07-30 19:13:19 0 d-----w- c:\docume~1\steve\applic~1\Bitrix Security

==================== Find3M ====================

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-07-01 13:22:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-01 00:44:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 00:44:53 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-01 00:44:43 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys

2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\dllcache\srv.sys

2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll

2010-06-07 22:24:13 164912 ----a-w- c:\windows\system32\vmx_fb.dll

2010-06-07 22:24:13 16432 ----a-w- c:\windows\system32\vmx_mode.dll

2010-06-06 01:47:17 12 ----a-w- c:\docume~1\steve\applic~1\gklupx.dat

============= FINISH: 13:59:36.75 ===============

ark.txt


Hi,

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hi Gammo,

Thanks very much for your reply.

Here's what's going on...

I have the paid version of mbam...I have not been able to d/l updates

(MBAM_ERROR_UPDATING (12007,0,WinHttpSendRequest))

Firefox is being redirected, even though I have installed the "no redirect" app

I have uninstalled AVG FREE9 and spybot, thinking that they may have been blocking the ability to update mbam

I have turned off my Belkin router's firewall thinking that it may have been blocking the updates

My machine has been infected by "security suite", I think I have removed it now, but I have thought that in the past few days also....

I ran TDSS Killer as you instructed and it found no problems.

I ran combofix and the log is below:

Note: when I ran combofix I got an error 3 times that said "Exception Processing MessageC0000013 Parameters 75b6bf7c 75b6bf7c 75b6bf7c"

Each time I clicked "try again" repeatedly, but then had to click "continue"

Thank You, I truly appreciate the help!

ComboFix 10-08-26.03 - Steve 08/27/2010 5:22.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -5:00]

Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))

.

2010-08-26 22:02 . 2010-08-26 22:02 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\VS Revo Group

2010-08-26 22:02 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-08-26 19:06 . 2010-08-26 22:07 -------- d-----w- c:\documents and settings\Steve\Application Data\AVG9

2010-08-26 18:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-26 18:13 . 2010-08-26 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-26 18:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-26 15:51 . 2010-08-26 21:57 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2010-08-18 15:03 . 2010-08-20 01:33 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\qiuqqoxue

2010-07-30 19:13 . 2010-08-11 03:27 -------- d-----w- c:\documents and settings\Steve\Application Data\Bitrix Security

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-26 22:07 . 2010-06-30 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-08-26 22:02 . 2010-02-23 22:22 -------- d-----w- c:\program files\VS Revo Group

2010-08-26 19:04 . 2009-03-28 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-26 19:04 . 2008-11-02 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-26 17:59 . 2008-11-02 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-24 16:30 . 2008-05-29 16:49 5610 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2010-08-20 02:02 . 2010-04-28 01:03 -------- d-----w- c:\program files\Citrix

2010-08-20 02:01 . 2008-11-02 21:29 -------- d-----w- c:\program files\Lavasoft

2010-08-20 02:01 . 2009-05-20 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-13 19:43 . 2008-12-03 09:42 -------- d-----w- c:\documents and settings\Steve\Application Data\Booc

2010-07-19 14:02 . 2008-11-23 04:37 -------- d-----w- c:\documents and settings\Steve\Application Data\Noow

2010-07-01 13:22 . 2010-07-01 13:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-01 12:12 . 2010-07-01 12:12 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes

2010-07-01 12:12 . 2010-07-01 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 00:44 . 2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 00:44 . 2010-07-01 00:44 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-01 00:44 . 2010-07-01 00:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-01 00:44 . 2010-07-01 00:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-06-30 12:31 . 2001-08-18 18:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-23 13:44 . 2001-08-18 18:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-08-18 18:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-08-18 18:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 18:38 . 2008-12-15 14:49 36 -c-ha-w- c:\windows\system32\f9t.dat

2010-06-14 14:31 . 2005-01-13 03:26 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2005-02-24 02:44 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-08 23:01 . 2010-06-06 22:09 120 ----a-w- c:\windows\Wxuzedakok.dat

2010-06-08 19:36 . 2010-06-06 22:09 0 ----a-w- c:\windows\Ediyimevoc.bin

2010-06-08 00:16 . 2003-10-30 19:12 106712 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 01:47 . 2010-06-06 01:47 12 ----a-w- c:\documents and settings\Steve\Application Data\gklupx.dat

.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_16.19.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-27 09:56 . 2010-08-27 09:56 16384 c:\windows\Temp\Perflib_Perfdata_758.dat

+ 2010-08-27 09:56 . 2010-08-27 09:56 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]

"nwiz"="nwiz.exe" [2003-05-02 323584]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-05-02 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]

backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^BonziBUDDY.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-15 03:59 136176 ----atw- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lwinst Run Profiler]

1998-09-25 10:08 114688 -c--a-w- c:\progra~1\Logitech\WINGMA~1\LWInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Maker Pilot virtual printer agent]

2010-02-19 10:16 94208 -c--a-w- c:\program files\PDF Maker Pilot\Printer\pmpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 15:50 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2003-03-08 03:00 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCIEClnOnce]

2004-08-06 21:19 292864 -c--a-w- c:\program files\blcorp\WCCSC\WCOC\WCNSCln.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Lavasoft Ad-Aware Service"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [6/10/2010 8:00 PM 149376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2010 7:44 PM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/30/2010 7:44 PM 243024]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/26/2010 10:51 AM 1935656]

R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [10/27/2002 7:58 PM 6144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2010 1:13 PM 304464]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 [?]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [8/26/2010 10:51 AM 71008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2010 1:13 PM 20952]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]

S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:49 PM 135664]

S3 MTIUSB;MTIUSB;c:\windows\system32\drivers\mtiusb.sys [5/14/2009 9:58 AM 11264]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/26/2010 5:02 PM 27064]

S3 wdm_au8810;Aureal Vortex 8810 Audio Driver (WDM);c:\windows\system32\drivers\adm8810.sys [10/27/2002 7:31 PM 584448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD24

*Deregistered* - klmd24

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\Bartels Home Service LLC 1105804779.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-26 c:\windows\Tasks\Bartels Home Service LLC 1105804931.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-27 c:\windows\Tasks\Bartels Home Service LLC 1105808699.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 15:57]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004Core.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004UA.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://partnerpage.google.com/harnessnature.com

uInternet Settings,ProxyServer = http=127.0.0.1:6522

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

Trusted Zone: frame.crazywinnings.com

Trusted Zone: frame.crazywinnings.com

DPF: Microsoft XML Parser for Java

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\uo97cxdn.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/harnessnature.com

FF - prefs.js: keyword.URL - hxxp://www.google.org/cgi-bin/nbbw.cgi?Gw=

FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-anqixvpo - c:\documents and settings\Steve\Local Settings\Application Data\qhfanikjf\xaeshydshdw.exe

HKCU-Run-lfumygyf - c:\documents and settings\Steve\Local Settings\Application Data\juqynjxkt\xauxgikshdw.exe

HKLM-Run-anqixvpo - c:\documents and settings\Steve\Local Settings\Application Data\qhfanikjf\xaeshydshdw.exe

HKLM-Run-lfumygyf - c:\documents and settings\Steve\Local Settings\Application Data\juqynjxkt\xauxgikshdw.exe

MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe

MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-27 05:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2084)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-27 05:34:48

ComboFix-quarantined-files.txt 2010-08-27 10:34

ComboFix2.txt 2010-08-24 16:42

ComboFix3.txt 2010-08-23 16:22

ComboFix4.txt 2010-08-20 01:52

Pre-Run: 292,917,678,080 bytes free

Post-Run: 292,950,364,160 bytes free

- - End Of File - - 106258A5D78727E537D6C5349872FCFB


Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\documents and settings\Steve\Local Settings\Application Data\qiuqqoxue

File::
c:\windows\Wxuzedakok.dat
c:\windows\Ediyimevoc.bin
c:\documents and settings\Steve\Application Data\gklupx.dat

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^BonziBUDDY.lnk]

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:6522

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

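The ProxyServer line that the CFScript above removes, together with the rewritten keyword.URL, the duplicated Trusted Zone host and the user.js entries in the posted log, are the indicators a responder checks first when a user reports browser redirects. The script below is an added triage example, not part of this thread and not code from the DDS or ComboFix tools: it reads the "Supplementary Scan" lines of such a log and flags a loopback proxy, a search keyword URL that does not point at the expected host, ad hoc Trusted Zone entries and user.js prefs that silence Firefox's own security warnings. The expected keyword.URL host, the list of risky prefs and the severity labels are assumptions for this example; the sample lines are copied from the log posted above.

```python
"""Triage helper for the 'Supplementary Scan' section of a DDS/ComboFix log.

Added example, not part of the forum thread or of the DDS/ComboFix tools.
Flags the browser-hijack indicators that would explain 'Firefox is still
being redirected'.
"""
import re

# Assumption for this example: the host a stock keyword.URL should point at.
EXPECTED_KEYWORD_HOST = "www.google.com"
# Assumption: user.js keys whose listed value weakens Firefox's own warnings.
RISKY_USERJS = {
    "security.warn_viewing_mixed": "false",
    "security.warn_submit_insecure": "false",
    "network.cookie.cookieBehavior": "0",
}

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - (prefs\.js|user\.js):\s*([\w.\-]+)\s*-\s*(.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)$")
# DDS defangs http as hxxp, so accept both spellings.
URL_HOST_RE = re.compile(r"^(?:hxxps?|https?)://([^/]+)", re.IGNORECASE)

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = [
    "uStart Page = hxxp://partnerpage.google.com/harnessnature.com",
    "uInternet Settings,ProxyServer = http=127.0.0.1:6522",
    "uInternet Settings,ProxyOverride = <local>",
    "Trusted Zone: frame.crazywinnings.com",
    "Trusted Zone: frame.crazywinnings.com",
    "FF - prefs.js: browser.search.selectedEngine - Google",
    "FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/harnessnature.com",
    "FF - prefs.js: keyword.URL - hxxp://www.google.org/cgi-bin/nbbw.cgi?Gw=",
    "FF - user.js: network.cookie.cookieBehavior - 0",
    "FF - user.js: privacy.clearOnShutdown.cookies - false",
    "FF - user.js: security.warn_viewing_mixed - false",
    "FF - user.js: security.warn_viewing_mixed.show_once - false",
    "FF - user.js: security.warn_submit_insecure - false",
    "FF - user.js: security.warn_submit_insecure.show_once - false",
]


def host_of(url):
    """Return the lower-cased host of a (possibly defanged) URL, or None."""
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None


def triage(lines):
    """Return a list of (severity, detail) findings, in log order."""
    findings = []
    seen_trusted = set()
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            spec = m.group(1)
            # A proxy on 127.0.0.1 routes every HTTP request through a local
            # process before it leaves the machine: the classic interception setup.
            if re.search(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?", spec):
                findings.append(("high", "loopback proxy configured: " + spec))
            else:
                findings.append(("info", "proxy configured: " + spec))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            host = m.group(1).lower()
            if host not in seen_trusted:  # the log lists the zone twice
                seen_trusted.add(host)
                findings.append(("medium", "IE Trusted Zone entry: " + host))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            source, key, value = m.groups()
            if key == "keyword.URL":
                # Address-bar searches go wherever this URL points.
                host = host_of(value)
                if host != EXPECTED_KEYWORD_HOST:
                    findings.append(("high", "keyword.URL points at " + str(host)))
            elif source == "user.js" and RISKY_USERJS.get(key) == value.strip():
                findings.append(("medium", "user.js weakens %s to %s" % (key, value)))
    return findings


if __name__ == "__main__":
    for severity, detail in triage(SAMPLE_LOG):
        print("[%s] %s" % (severity.upper(), detail))
```

Run stand-alone it prints one line per finding for the sample; point `triage()` at the lines of a real log (for example the section between "Supplementary Scan" and "FIREFOX POLICIES") to use it on other cases. The loopback proxy and the keyword.URL host are deliberately rated higher than the user.js prefs, because the first two redirect traffic by themselves while the prefs only remove the warnings a user would otherwise see.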

Here are the results:

(I had the same "Exception Processing" error as last time, but I clicked "continue" once again)

Thanks!

ComboFix 10-08-26.04 - Steve 08/27/2010 12:15:08.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1431 [GMT -5:00]

Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Steve\Local Settings\Application Data\qiuqqoxue

.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))

.

2010-08-26 22:02 . 2010-08-26 22:02 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\VS Revo Group

2010-08-26 22:02 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-08-26 19:06 . 2010-08-26 22:07 -------- d-----w- c:\documents and settings\Steve\Application Data\AVG9

2010-08-26 18:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-26 18:13 . 2010-08-26 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-26 18:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-26 15:51 . 2010-08-26 21:57 -------- d-----w- c:\program files\Emsisoft Anti-Malware

2010-07-30 19:13 . 2010-08-11 03:27 -------- d-----w- c:\documents and settings\Steve\Application Data\Bitrix Security

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-27 11:05 . 2008-11-02 21:29 -------- d-----w- c:\program files\Logitech

2010-08-26 22:07 . 2010-06-30 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-08-26 22:02 . 2010-02-23 22:22 -------- d-----w- c:\program files\VS Revo Group

2010-08-26 19:04 . 2009-03-28 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-26 19:04 . 2008-11-02 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-26 17:59 . 2008-11-02 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-24 16:30 . 2008-05-29 16:49 5610 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2010-08-20 02:02 . 2010-04-28 01:03 -------- d-----w- c:\program files\Citrix

2010-08-20 02:01 . 2008-11-02 21:29 -------- d-----w- c:\program files\Lavasoft

2010-08-20 02:01 . 2009-05-20 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-13 19:43 . 2008-12-03 09:42 -------- d-----w- c:\documents and settings\Steve\Application Data\Booc

2010-07-19 14:02 . 2008-11-23 04:37 -------- d-----w- c:\documents and settings\Steve\Application Data\Noow

2010-07-01 13:22 . 2010-07-01 13:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-01 12:12 . 2010-07-01 12:12 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes

2010-07-01 12:12 . 2010-07-01 12:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-07-01 00:44 . 2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 00:44 . 2010-07-01 00:44 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-01 00:44 . 2010-07-01 00:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-01 00:44 . 2010-07-01 00:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-06-30 12:31 . 2001-08-18 18:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-23 13:44 . 2001-08-18 18:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-08-18 18:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-08-18 18:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 18:38 . 2008-12-15 14:49 36 -c-ha-w- c:\windows\system32\f9t.dat

2010-06-14 14:31 . 2005-01-13 03:26 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2005-02-24 02:44 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-08 23:01 . 2010-06-06 22:09 120 ----a-w- c:\windows\Wxuzedakok.dat

2010-06-08 19:36 . 2010-06-06 22:09 0 ----a-w- c:\windows\Ediyimevoc.bin

2010-06-08 00:16 . 2003-10-30 19:12 106712 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-06 01:47 . 2010-06-06 01:47 12 ----a-w- c:\documents and settings\Steve\Application Data\gklupx.dat

.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_16.19.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-27 09:56 . 2010-08-27 09:56 16384 c:\windows\Temp\Perflib_Perfdata_758.dat

+ 2010-08-27 09:56 . 2010-08-27 09:56 16384 c:\windows\Temp\Perflib_Perfdata_1e0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]

"nwiz"="nwiz.exe" [2003-05-02 323584]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-05-02 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]

backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-15 03:59 136176 ----atw- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lwinst Run Profiler]

1998-09-25 10:08 114688 -c--a-w- c:\progra~1\Logitech\WINGMA~1\LWInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Maker Pilot virtual printer agent]

2010-02-19 10:16 94208 -c--a-w- c:\program files\PDF Maker Pilot\Printer\pmpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 15:50 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2003-03-08 03:00 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCIEClnOnce]

2004-08-06 21:19 292864 -c--a-w- c:\program files\blcorp\WCCSC\WCOC\WCNSCln.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Lavasoft Ad-Aware Service"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [6/10/2010 8:00 PM 149376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2010 7:44 PM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/30/2010 7:44 PM 243024]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/26/2010 10:51 AM 1935656]

R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [10/27/2002 7:58 PM 6144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2010 1:13 PM 304464]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 [?]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [8/26/2010 10:51 AM 71008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2010 1:13 PM 20952]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]

S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:49 PM 135664]

S3 MTIUSB;MTIUSB;c:\windows\system32\drivers\mtiusb.sys [5/14/2009 9:58 AM 11264]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/26/2010 5:02 PM 27064]

S3 wdm_au8810;Aureal Vortex 8810 Audio Driver (WDM);c:\windows\system32\drivers\adm8810.sys [10/27/2002 7:31 PM 584448]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD24

*Deregistered* - klmd24

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-08-27 c:\windows\Tasks\Bartels Home Service LLC 1105804779.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-26 c:\windows\Tasks\Bartels Home Service LLC 1105804931.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-27 c:\windows\Tasks\Bartels Home Service LLC 1105808699.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-27 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 15:57]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004Core.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

2010-08-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004UA.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://partnerpage.google.com/harnessnature.com

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

Trusted Zone: frame.crazywinnings.com

Trusted Zone: frame.crazywinnings.com

DPF: Microsoft XML Parser for Java

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\uo97cxdn.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/harnessnature.com

FF - prefs.js: keyword.URL - hxxp://www.google.org/cgi-bin/nbbw.cgi?Gw=

FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-27 12:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2928)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-27 12:26:46

ComboFix-quarantined-files.txt 2010-08-27 17:26

ComboFix2.txt 2010-08-27 10:34

ComboFix3.txt 2010-08-24 16:42

ComboFix4.txt 2010-08-23 16:22

ComboFix5.txt 2010-08-27 17:13

Pre-Run: 292,961,087,488 bytes free

Post-Run: 292,939,083,776 bytes free

- - End Of File - - 7E5ED913B91D9020B7E0D49FFC0F60DE


Hi,

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    ipconfig /flushdns /c
    c:\windows\Wxuzedakok.dat
    c:\windows\Ediyimevoc.bin
    c:\documents and settings\Steve\Application Data\gklupx.dat

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Hello Gammo,

Here is what happened:

I ran OTM as instructed.

I tried to update mbam, but I received the same error message as usual.

I ran eset...after about 2 hours of scanning it was 60% complete and I had to leave for a day, so I left it running.

When I returned, there was only my desktop, with no scan results (although 11 threats had been found when I left, half of which were trojan variants)

It looked to me like my computer had restarted?

I ran eset again, and it found no infections and took less than 2 hours to run.

I still cannot update mbam, and Firefox is still being redirected.

Thanks!

eset log:

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=d060d65a280b4048848af523d6641af0

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-08-27 09:10:36

# local_time=2010-08-27 04:10:36 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777191 100 0 16333599 16333599 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=78920

# found=11

# cleaned=11

# scan_time=6997

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Steve\Application Data\Business Logic\UWC\Backup\J40336.6676578704.WCU multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Steve\Application Data\Business Logic\UWC\Backup\J40403.6133984375.WCU a variant of Win32/Kryptik.FZC trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Steve\Local Settings\Application Data\cdfdklvcb\rfxuqclshdw.exe.vir a variant of Win32/Kryptik.GJF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\Steve\Local Settings\Application Data\jptekljbm\rghprsdshdw.exe.vir a variant of Win32/Kryptik.GJF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C250076D-91ED-426D-B7AF-A1E2A3E452A0}\RP10\A0001896.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C250076D-91ED-426D-B7AF-A1E2A3E452A0}\RP10\A0001897.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C250076D-91ED-426D-B7AF-A1E2A3E452A0}\RP16\A0002404.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C250076D-91ED-426D-B7AF-A1E2A3E452A0}\RP16\A0002405.exe probably a variant of Win32/Agent.HZHBURL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{C250076D-91ED-426D-B7AF-A1E2A3E452A0}\RP3\A0000293.dll probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=d060d65a280b4048848af523d6641af0

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-08-30 02:44:40

# local_time=2010-08-29 09:44:40 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777191 100 0 16526538 16526538 0 0

# compatibility_mode=8192 67108863 100 0 106727 106727 0 0

# scanned=79017

# found=0

# cleaned=0

# scan_time=6904


Hi,

Open notepad by going to Start > Run and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following:

@echo off
REM Write the output of every command inside the parentheses to one log file
>Router_Log_Gammo.txt (
ipconfig /all
nslookup data-cdn.mbamupdates.com
ping data-cdn.mbamupdates.com
tracert data-cdn.mbamupdates.com
route print
)
REM Open the log in Notepad, then delete this batch file
start Router_Log_Gammo.txt
del %0

In Notepad click on the "File" menu > Save As...

Under "File name" type Router_Gammo.bat

Change "Save as type" to All Files

Save it to your Desktop

Double click on Router_Gammo.bat. It will open a Notepad window. Please post the contents of this file in your next reply.
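To show what a helper reads out of the Router_Log_Gammo.txt that this batch file produces, here is an added Python example; it is not part of the forum post and not a Malwarebytes tool. It parses the Windows XP output of ipconfig /all, nslookup and ping and reports the points that matter for the update failure: which resolvers the PC uses, whether the router is one of them, whether any resolver lies outside the LAN, and whether the update host resolved at all. The sample log embedded in the script is constructed to mirror the real output's layout (host name, addresses and the second resolver are made up), and it goes one step beyond the thread's case by handling a second DNS server listed on a continuation line.

```python
"""Triage the Router_Log_Gammo.txt output written by the batch file above.

Added example, not from the forum post. It parses the Windows XP output of
ipconfig /all, nslookup and ping and reports the facts a helper checks first:
which resolvers the PC uses, whether the router is one of them, and whether
the update host resolved at all.
"""
import ipaddress
import re
import sys

# Constructed sample in the layout the batch file produces; the host name,
# addresses and the second resolver are made up for illustration.
SAMPLE_LOG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : EXAMPLEPC
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : home
Physical Address. . . . . . . . . : 00-11-22-33-44-55
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
                                    203.0.113.53
Lease Obtained. . . . . . . . . . : Friday, August 27, 2010 2:05:09 PM

Server:  UnKnown
Address:  192.168.2.1

Ping request could not find host data-cdn.mbamupdates.com. Please check the name and try again.
Unable to resolve target system name data-cdn.mbamupdates.com.
"""

# "Field name . . . . : value" lines as printed by ipconfig /all (and "Server:" / "Address:" from nslookup)
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z \-]*?)[ .]*:\s*(?P<value>.*)$")
# "Ethernet adapter Local Area Connection:" style section headers
ADAPTER_RE = re.compile(r"^(.+ adapter .+):$")
# a bare IPv4 address on its own line (ipconfig lists extra DNS servers this way)
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
# RFC 1918 ranges: a resolver outside these is not on the home LAN
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipconfig(text):
    """Return {field name: [values]}; continuation lines holding a bare IP are appended to the preceding field."""
    fields = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        adapter = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if adapter:
            fields.setdefault("Adapter", []).append(adapter.group(1))
            last = None
        elif field:
            last = field.group("name").strip()
            fields.setdefault(last, []).append(field.group("value").strip())
        elif last and IP_RE.match(line):
            fields[last].append(line)
        else:
            last = None
    return fields


def dns_servers(fields):
    """All DNS server addresses, including those on continuation lines."""
    return [v for v in fields.get("DNS Servers", []) if IP_RE.match(v)]


def is_lan_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def resolution_failed(text, host):
    """True when ping or tracert reported that `host` could not be resolved."""
    return (f"could not find host {host}" in text
            or f"Unable to resolve target system name {host}" in text)


def assess(text, host):
    """Return the findings a helper would read out of the log, as short strings."""
    fields = parse_ipconfig(text)
    gateway = fields.get("Default Gateway", [""])[0]
    resolvers = dns_servers(fields)
    findings = []
    if not resolvers:
        findings.append("no DNS server configured")
    if gateway and gateway in resolvers:
        findings.append(f"router {gateway} is a resolver: its upstream DNS setting decides what the PC sees")
    for r in resolvers:
        if not is_lan_address(r):
            findings.append(f"resolver {r} is outside the LAN: confirm it belongs to the ISP")
    if resolution_failed(text, host):
        findings.append(f"{host} did not resolve: the update server cannot be reached by name")
    else:
        findings.append(f"{host} resolved")
    return findings


if __name__ == "__main__":
    # Pass a saved Router_Log_Gammo.txt as the first argument; otherwise the constructed sample is used.
    log = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in assess(log, "data-cdn.mbamupdates.com"):
        print("-", finding)
```

Run it against a saved copy of the log to get the findings as a short list; with the built-in sample it reports that the router is a resolver, that the second resolver sits outside the LAN, and that the update host did not resolve.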


Here are the results:

Windows IP Configuration

Host Name . . . . . . . . . . . . : FRONTOFFICE

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : Belkin

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : Belkin

Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC

Physical Address. . . . . . . . . : 20-E0-4D-0B-B9-0D

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.2.3

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.2.1

DHCP Server . . . . . . . . . . . : 192.168.2.1

DNS Servers . . . . . . . . . . . : 192.168.2.1

Lease Obtained. . . . . . . . . . : Friday, August 27, 2010 2:05:09 PM

Lease Expires . . . . . . . . . . : Monday, January 18, 2038 10:14:07 PM

Server: UnKnown

Address: 192.168.2.1

Ping request could not find host data-cdn.mbamupdates.com. Please check the name and try again.

Unable to resolve target system name data-cdn.mbamupdates.com.

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...20 e0 4d 0b b9 0d ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport

===========================================================================

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 20

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

192.168.2.0 255.255.255.0 192.168.2.3 192.168.2.3 20

192.168.2.3 255.255.255.255 127.0.0.1 127.0.0.1 20

192.168.2.255 255.255.255.255 192.168.2.3 192.168.2.3 20

224.0.0.0 240.0.0.0 192.168.2.3 192.168.2.3 20

255.255.255.255 255.255.255.255 192.168.2.3 192.168.2.3 1

Default Gateway: 192.168.2.1

===========================================================================

Persistent Routes:

None


Hi,

Download mbam-rules.exe. Double-click on it to install the database updates manually. Just follow the on-screen instructions.

After that, start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First delete your copy of ComboFix.exe from the Desktop.

Then download the latest version of ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Check the box that says Scan All Users.
  • Under the Custom Scan box paste this in
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    ipconfig /all /c
    nslookup google.com /c
    nslookup yahoo.com /c
    ping google.com /c
    ping yahoo.com /c
    route print /c
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time


Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-08-29.04 - Steve 08/30/2010 15:16:07.6.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1284 [GMT -5:00]

Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))

.

2010-08-27 19:11 . 2010-08-27 19:11 -------- d-----w- c:\program files\ESET

2010-08-27 19:02 . 2010-08-27 19:02 -------- d-----w- C:\_OTM

2010-08-26 22:02 . 2010-08-26 22:02 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\VS Revo Group

2010-08-26 22:02 . 2009-12-30 17:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys

2010-08-26 19:06 . 2010-08-26 22:07 -------- d-----w- c:\documents and settings\Steve\Application Data\AVG9

2010-08-26 18:13 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-08-26 18:13 . 2010-08-26 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-26 18:13 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-26 15:51 . 2010-08-26 21:57 -------- d-----w- c:\program files\Emsisoft Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-30 19:44 . 2008-05-29 16:49 5610 -c--a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys

2010-08-27 19:05 . 2008-11-02 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-08-27 11:05 . 2008-11-02 21:29 -------- d-----w- c:\program files\Logitech

2010-08-26 22:07 . 2010-06-30 23:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-08-26 22:02 . 2010-02-23 22:22 -------- d-----w- c:\program files\VS Revo Group

2010-08-26 19:04 . 2009-03-28 01:37 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-08-26 19:04 . 2008-11-02 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-08-20 02:02 . 2010-04-28 01:03 -------- d-----w- c:\program files\Citrix

2010-08-20 02:01 . 2008-11-02 21:29 -------- d-----w- c:\program files\Lavasoft

2010-08-20 02:01 . 2009-05-20 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-08-13 19:43 . 2008-12-03 09:42 -------- d-----w- c:\documents and settings\Steve\Application Data\Booc

2010-08-11 03:27 . 2010-07-30 19:13 -------- d-----w- c:\documents and settings\Steve\Application Data\Bitrix Security

2010-07-19 14:02 . 2008-11-23 04:37 -------- d-----w- c:\documents and settings\Steve\Application Data\Noow

2010-07-01 13:22 . 2010-07-01 13:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-07-01 00:44 . 2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

2010-07-01 00:44 . 2010-07-01 00:44 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-07-01 00:44 . 2010-07-01 00:44 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-07-01 00:44 . 2010-07-01 00:44 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-06-30 12:31 . 2001-08-18 18:00 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-23 13:44 . 2001-08-18 18:00 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2001-08-18 18:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2001-08-18 18:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-15 18:38 . 2008-12-15 14:49 36 -c-ha-w- c:\windows\system32\f9t.dat

2010-06-14 14:31 . 2005-01-13 03:26 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

2010-06-14 07:41 . 2005-02-24 02:44 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-08 00:16 . 2003-10-30 19:12 106712 -c--a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

((((((((((((((((((((((((((((( SnapShot@2010-08-23_16.19.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-08-27 19:05 . 2010-08-27 19:05 16384 c:\windows\Temp\Perflib_Perfdata_88.dat

+ 2010-08-27 19:05 . 2010-08-27 19:05 16384 c:\windows\Temp\Perflib_Perfdata_5c0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSysVol"="c:\program files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe" [2007-09-05 57344]

"nwiz"="nwiz.exe" [2003-05-02 323584]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-05-02 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-01 00:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]

backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]

backup=c:\windows\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]

backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steve^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 -c--a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-15 03:59 136176 ----atw- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lwinst Run Profiler]

1998-09-25 10:08 114688 -c--a-w- c:\progra~1\Logitech\WINGMA~1\LWInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Maker Pilot virtual printer agent]

2010-02-19 10:16 94208 -c--a-w- c:\program files\PDF Maker Pilot\Printer\pmpagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2008-05-27 15:50 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2003-03-08 03:00 26112 -c--a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCIEClnOnce]

2004-08-06 21:19 292864 -c--a-w- c:\program files\blcorp\WCCSC\WCOC\WCNSCln.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Lavasoft Ad-Aware Service"=2 (0x2)

"avg8wd"=2 (0x2)

"avg8emc"=2 (0x2)

"AOL ACS"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R0 tffsport;M-Systems DiskOnChip 2000;c:\windows\system32\drivers\tffsport.sys [6/10/2010 8:00 PM 149376]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/30/2010 7:44 PM 216400]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/30/2010 7:44 PM 243024]

R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [8/26/2010 10:51 AM 1935656]

R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [10/27/2002 7:58 PM 6144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2010 1:13 PM 304464]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~2\QBDBMgrN.exe -hvQuickBooksDB18 [?]

R3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [8/26/2010 10:51 AM 71008]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2010 1:13 PM 20952]

S0 szkg5;szkg;c:\windows\system32\DRIVERS\szkg.sys --> c:\windows\system32\DRIVERS\szkg.sys [?]

S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]

S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 1:49 PM 135664]

S3 MTIUSB;MTIUSB;c:\windows\system32\drivers\mtiusb.sys [5/14/2009 9:58 AM 11264]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/26/2010 5:02 PM 27064]

S3 wdm_au8810;Aureal Vortex 8810 Audio Driver (WDM);c:\windows\system32\drivers\adm8810.sys [10/27/2002 7:31 PM 584448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\Bartels Home Service LLC 1105804779.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-28 c:\windows\Tasks\Bartels Home Service LLC 1105804931.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-30 c:\windows\Tasks\Bartels Home Service LLC 1105808699.job

- c:\program files\Intuit\QuickBooks Pro\AutoBackupEXE.exe [2008-10-22 23:44]

2010-08-30 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-28 15:57]

2010-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:49]

2010-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004Core.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

2010-08-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-839522115-725345543-1004UA.job

- c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 03:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://partnerpage.google.com/harnessnature.com

uInternet Settings,ProxyOverride = <local>

IE: Append Link Target to Existing PDF

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

Trusted Zone: frame.crazywinnings.com

Trusted Zone: frame.crazywinnings.com

DPF: Microsoft XML Parser for Java

FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\uo97cxdn.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://partnerpage.google.com/harnessnature.com

FF - prefs.js: keyword.URL - hxxp://www.google.org/cgi-bin/nbbw.cgi?Gw=

FF - plugin: c:\documents and settings\Steve\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-30 15:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2836)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-08-30 15:28:32

ComboFix-quarantined-files.txt 2010-08-30 20:28

ComboFix2.txt 2010-08-27 17:26

ComboFix3.txt 2010-08-27 10:34

ComboFix4.txt 2010-08-24 16:42

ComboFix5.txt 2010-08-30 20:14

Pre-Run: 293,020,524,544 bytes free

Post-Run: 293,015,793,664 bytes free

- - End Of File - - E6C3B3D603C4790F4B2310E52D1B50AF


OTL logfile created on: 8/30/2010 3:32:42 PM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Steve\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

3.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.09 Gb Total Space | 272.92 Gb Free Space | 91.56% Space Free | Partition Type: NTFS

Drive D: | 686.90 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

Drive F: | 37.28 Gb Total Space | 28.54 Gb Free Space | 76.56% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FRONTOFFICE

Current User Name: Steve

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/30 15:31:31 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe

PRC - [2010/07/28 15:49:04 | 001,935,656 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\Emsisoft Anti-Malware\a2service.exe

PRC - [2010/07/27 06:31:37 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe

PRC - [2010/07/27 06:31:36 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/03/04 23:38:00 | 000,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe

PRC - [2009/09/16 18:22:08 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

PRC - [2008/04/13 19:12:36 | 000,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\snmp.exe

PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/09/05 14:06:56 | 000,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\RocketFish\RF5.1\Surround Mixer\CTSysVol.exe

PRC - [2006/09/13 10:32:12 | 000,128,536 | ---- | M] (iAnywhere Solutions, Inc.) -- C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe

PRC - [2002/11/08 05:50:00 | 000,019,968 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\LOGI_MWX.EXE

PRC - [2001/08/07 18:06:54 | 000,024,633 | ---- | M] (Microsoft


OTL Extras logfile created on: 8/30/2010 3:32:42 PM - Run 1

OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Steve\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

3.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.09 Gb Total Space | 272.92 Gb Free Space | 91.56% Space Free | Partition Type: NTFS

Drive D: | 686.90 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

E: Drive not present or media not loaded

Drive F: | 37.28 Gb Total Space | 28.54 Gb Free Space | 76.56% Space Free | Partition Type: NTFS

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: FRONTOFFICE

Current User Name: Steve

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 90 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-117609710-839522115-725345543-1004\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- Reg Error: Key error.

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"FirstRunDisabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)

"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information -- (America Online, Inc.)

"C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional

"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2

"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status

"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime

"{102CBC47-7FDE-4E6C-8A3A-67B79833FAC8}" = BPDSoftware_Ini

"{11B2F891-91C8-47ce-945A-A91003EA27FB}" = BPDSoftware

"{18AB082B-6584-4F74-8ABC-D5935CF46E4C}" = 8500A909_eDocs

"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth

"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java 6 Update 16

"{2A329FB6-389D-4396-A974-29656D6864AE}" = MarketResearch

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{432A850B-3558-4BFF-B1F9-30626835B523}" = BPD_DSWizards

"{47ECCB1F-2811-49C0-B6A7-26778639ABA0}" = 32 Bit HP CIO Components Installer

"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport

"{514522FF-6D40-46ED-9A49-BC6BBF1AA02C}_is1" = PDF Maker Pilot 2.1

"{57F60D52-630B-43C5-BD20-176F5CD4EED6}" = bpd_scan

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}" = Macromedia Flash Player 8

"{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1" = Revo Uninstaller Pro 2.4.1

"{698AC01B-DF0C-4BCE-940C-EB29AD23A560}" = Stamps.com

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{797EE0CA-8165-405C-B5CE-F11EC20F1BB0}" = Microsoft VC9 runtime libraries

"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP

"{7EFF018A-928F-4A27-9BCB-4734AF116C66}" = SolarPathfinder Assistant 3.0

"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}" = ISScript

"{837B34E3-7C30-493C-8F6A-2B0F04E2912C}" = Microsoft Visual C++ 2005 Redistributable

"{87A9A9A9-FAB7-4224-9328-0FA2058C0FD5}" = Network

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8ECB8220-F424-4BEB-9596-97033C533702}" = QuickBooks Premier Edition 2008

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0019-0000-0000-0000000FF1CE}" = Microsoft Office Publisher 2007

"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{901B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002

"{913D0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Standard for Students and Teachers

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9ACC9F63-CF54-46D7-9140-D40E57564EDA}_is1" = COMODO Registry Cleaner 1.0.17.23

"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan

"{9D1B99B7-DAD8-440d-B4FB-1915332FBCC2}" = HPProductAssistant

"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor

"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3

"{B495547C-01F8-4836-A2E6-749B5F3EA691}" = 8500A909_Help

"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization

"{C29C1940-CB85-4F3B-906C-33FEE0E67103}" = DocMgr

"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word

"{CAD11AD0-1B89-4DE0-B050-F4B0488B2A60}" = Stamps.com Address Book Support for Intuit QuickBooks 2004-2007

"{CD8C5C7F-7C58-4F85-8977-A6C08C087912}" = MPM

"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D5DEF057-D3BC-499f-99EE-884ED429B6D1}" = 8500A909g

"{DA8BF070-1358-4a30-A68F-21E0E9421AEF}" = ProductContext

"{DAD4DE93-9438-4823-AE5E-93A1BE846FE0}" = Stamps.com Application Support for Microsoft Word 2000, 2002, 2003

"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack

"{DCB91C79-B78B-44B1-A7FE-28DECA6E9245}" = Dell TrueMobile 2300 Wireless Broadband Router Control Utility

"{EEEB604C-C1A7-4f8c-B03F-56F9C1C9C45F}" = Fax

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"{F648FD09-7CEA-4257-BC68-A8389189FD51}" = GPBaseService2

"{F769B78E-FF0E-4db5-95E2-9F4C8D6352FE}" = DeviceDiscovery

"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"ArcSoft Software Suite" = ArcSoft Software Suite

"Emsisoft Anti-Malware_is1" = Emsisoft Anti-Malware 5.0

"ESET Online Scanner" = ESET Online Scanner v3

"Google Updater" = Google Updater

"hp instant support" = hp instant support

"MadgeTech 2.00.74" = MadgeTech 2.00.74

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MTIUSB&10C4&8102" = USB Datalogger Interface Driver Set

"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers

"PUBLISHER" = Microsoft Office Publisher 2007

"RealPlayer 6.0" = RealPlayer Basic

"Stamps.com" = Stamps.com

"Stamps.com support for Intuit QuickBooks 2004-2007" = Stamps.com support for Intuit QuickBooks 2004-2007

"Stamps.com support for Microsoft Word 2000-2007" = Stamps.com support for Microsoft Word 2000-2007

"ViewpointMediaPlayer" = Viewpoint Media Player

"WET7Cable" = Windows Easy Transfer for Windows 7

"WinCleaner OneClick Cleanup!_is1" = WinCleaner OneClick Cleanup Version 9

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Works2002Setup" = Microsoft Works 2002 Setup Launcher

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-117609710-839522115-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8/30/2010 12:50:24 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:50:24 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:50:24 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:50:48 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:53:55 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:53:55 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 12:53:55 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 1:29:17 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 1:29:17 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

Error - 8/30/2010 1:29:17 PM | Computer Name = FRONTOFFICE | Source = QuickBooks | ID = 4

Description =

[ OSession Events ]

Error - 6/22/2010 1:36:41 PM | Computer Name = FRONTOFFICE | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 8, Application Name: Microsoft Office Publisher, Application Version:

12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 71

seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 8/27/2010 3:06:00 PM | Computer Name = FRONTOFFICE | Source = Service Control Manager | ID = 7023

Description = The HID Input Service service terminated with the following error:

%%126

Error - 8/27/2010 3:06:00 PM | Computer Name = FRONTOFFICE | Source = Service Control Manager | ID = 7001

Description = The AVG Free E-mail Scanner service depends on the AVG Free WatchDog

service which failed to start because of the following error: %%2

Error - 8/27/2010 3:06:00 PM | Computer Name = FRONTOFFICE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

szkg5

Error - 8/27/2010 3:25:18 PM | Computer Name = FRONTOFFICE | Source = BROWSER | ID = 8032

Description = The browser service has failed to retrieve the backup list too many

times on transport \Device\NetBT_Tcpip_{2D858A57-1BF5-4BAD-A4B6-DC254638CB80}. The

backup browser is stopping.

Error - 8/28/2010 4:00:37 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0

SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909).

Error - 8/28/2010 4:00:37 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Microsoft .NET Framework 3.5 SP1 Update for Windows Server

2003 and Windows XP x86 (KB982168).

Error - 8/28/2010 4:00:37 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on

Windows Server 2003 and Windows XP x86 (KB983583).

Error - 8/28/2010 4:00:37 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0

SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).

Error - 8/28/2010 4:00:49 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework

3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86.

Error - 8/28/2010 4:01:09 AM | Computer Name = FRONTOFFICE | Source = Windows Update Agent | ID = 20

Description = Installation Failure: Windows failed to install the following update

with error 0x80070643: Microsoft .NET Framework 1.1 SP1 Security Update for Windows

2000 and Windows XP (KB979906).

< End of report >

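
Two parts of the OTL Extras log above are worth checking mechanically rather than by eye, and the following Python is an added example of doing so (it is not OTL's code and was not posted by anyone in this thread). The Shell Spawning entries are the shell open commands for executable classes; a stock Windows XP install has "%1" %* for exefile, batfile, comfile, cmdfile and piffile (and "%1" /S for scrfile), and anything placed in front of %1 runs before every program of that class is launched, which is a classic persistence spot. The GloballyOpenPorts values have the layout port:proto:scope:state:name, and a scope of * means the exception is open to any address rather than LocalSubNet. The first excerpt the checker parses is copied from the log above; the second, with an altered exefile command, is constructed purely to show the check firing. One caveat on reading the result: the *-scoped entries on this machine are in the Domain profile, which only applies when the machine is joined to a domain, and XP Home cannot join one, so the Standard profile's LocalSubNet entries are the effective ones here.

```python
"""Mechanical checks over an OTL Extras log (added example, not OTL's own code).

Checked sections:
  * Shell Spawning: shell open command per file class; anything other than the
    stock value means something runs before every program of that class.
  * GloballyOpenPorts: Windows Firewall exceptions, port:proto:scope:state:name;
    scope * means open to any address.
"""
import re

# Stock Windows XP shell open command values (the log above shows exactly these).
EXPECTED_OPEN = {
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
SHELL_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.+)$")
PORT_RE = re.compile(
    r'^"\d+:(?:TCP|UDP)" = (?P<port>\d+):(?P<proto>TCP|UDP):'
    r"(?P<scope>[^:]+):(?P<state>Enabled|Disabled):"
)


def check_otl_extras(text):
    """Return [(severity, message)] findings; an empty list means nothing was flagged."""
    findings = []
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                       # "========== X ==========" starts a new section
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:                       # registry key header inside a section
            key = m.group(1)
            continue
        if section == "Shell Spawning":
            m = SHELL_RE.match(line)
            if m:
                cls, verb, cmd = m.groups()
                expected = EXPECTED_OPEN.get(cls)
                if verb == "open" and expected and cmd != expected:
                    findings.append(("high", f"{cls} open command is {cmd!r}, expected {expected!r}"))
        elif key and "GloballyOpenPorts" in key:
            m = PORT_RE.match(line)
            if m and m["state"] == "Enabled" and m["scope"] == "*":
                profile = "DomainProfile" if "DomainProfile" in key else "StandardProfile"
                findings.append(("medium", f"{profile}: {m['port']}/{m['proto']} open to any address"))
    return findings


# Excerpt copied from the OTL Extras log posted above.
PAGE_EXCERPT = r"""
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"""

# Constructed, not from the page: what a hijacked exefile association looks like.
TAMPERED_EXCERPT = r"""
========== Shell Spawning ==========
exefile [open] -- "C:\example\loader.exe" "%1" %*
"""

if __name__ == "__main__":
    for label, excerpt in (("page excerpt", PAGE_EXCERPT), ("constructed hijack", TAMPERED_EXCERPT)):
        print(f"== {label} ==")
        for severity, message in check_otl_extras(excerpt) or [("info", "nothing flagged")]:
            print(f"[{severity}] {message}")
```

Running it over the page excerpt yields four medium findings, all in the Domain profile (139/TCP, 445/TCP, 137/UDP, 138/UDP), and nothing for the shell commands; the constructed excerpt yields one high finding for exefile.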

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Documents and Settings\All Users\Application Data\{1CE720E2-BCB3-4C23-8FE0-78EF97511424} /s /md5
    C:\Documents and Settings\All Users\Application Data\{F17D835B-5C93-4BF4-845F-DF955DFDD632} /s /md5
    C:\documents and settings\Steve\Application Data\Booc /s /md5
    c:\documents and settings\Steve\Application Data\Noow /s /md5


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Runscanner to your desktop and run it.

  • When the first page comes up select Beginner Mode
  • On the next page click Scan computer at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file.
  • Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop.

Please attach the .run file in your next post.

To attach a file, do the following:

  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on attach_add.png to insert the attachment into your post

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First delete your copy of TDSSKiller.exe.

  • Download the latest version of TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

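
What the ":dir <folder> /s /md5" request above produces, reimplemented as an added Python example (this is not SystemLook's own code and was not posted in the thread): it walks the requested folders, records size and modification time, computes MD5 alongside SHA-256, and groups identical hashes so that the same binary sitting in two folders is visible at a glance. MD5 is kept because that is what the forum's hash lookups use; it is a fine lookup key but not something to trust for integrity against an adversary, hence the SHA-256 beside it. The directory tree it runs against is constructed in a temporary folder with placeholder names.

```python
"""Recursive directory listing with hashes, i.e. what SystemLook's ":dir <folder> /s /md5"
produces (added example; not SystemLook's code and not posted in the thread)."""
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 16):
    """Hash in chunks so multi-megabyte files (stamps.exe above is 5 MB) are not read whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def list_dir(root, recursive=True):
    """One record per file: path, size, UTC mtime, MD5 and SHA-256 (recursive == the /s switch)."""
    records = []
    walker = os.walk(root) if recursive else [(root, [], os.listdir(root))]
    for dirpath, _subdirs, names in walker:
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            st = os.stat(path)
            rec = {"path": path, "size": st.st_size,
                   "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc)}
            rec.update(hash_file(path))
            records.append(rec)
    return records


def md5_by_relpath(root, records):
    """Map 'sub/name' (forward slashes) -> MD5, handy for diffing two listings."""
    return {os.path.relpath(r["path"], root).replace(os.sep, "/"): r["md5"] for r in records}


def find_duplicates(records):
    """Group by MD5: the same hash under two folders means one binary dropped twice
    (the log above shows this for mia.dll in two Stamps.com folders)."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["md5"]].append(r["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def format_report(root, records):
    """Render roughly SystemLook's layout: name, size, modified time, MD5."""
    lines = [f'{root} - Parameters: "/s /md5"', "---Files---"]
    if not records:
        lines.append("None found.")
    for r in records:
        rel = os.path.relpath(r["path"], root)
        lines.append(f"{rel} {r['size']} bytes [{r['modified']:%H:%M %d/%m/%Y}] {r['md5']}")
    return "\n".join(lines)


def build_sample_tree():
    """Constructed layout in a temp folder (placeholder names, not the machine's files):
    the same bytes under two folders plus an empty file, so duplicate detection has work to do."""
    root = tempfile.mkdtemp(prefix="hashlist_")
    layout = {"dirA/shared.dll": b"abc", "dirB/shared.dll": b"abc", "dirA/empty.dat": b""}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    recs = list_dir(root)
    print(format_report(root, recs))
    for digest, paths in find_duplicates(recs).items():
        print(f"duplicate MD5 {digest}: {', '.join(paths)}")
```

Point list_dir at the real folders from the request (the two GUID-named Application Data folders and the Booc and Noow folders) to get the same information SystemLook reports, plus the SHA-256 and the duplicate grouping.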

I did as instructed.

I cannot attach the .run file from Runscanner; it says that I am not permitted to upload this type of file.

The SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:21 on 31/08/2010 by Steve (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\All Users\Application Data\{1CE720E2-BCB3-4C23-8FE0-78EF97511424} - Parameters: "/s /md5"

---Files---

instance.dat --a--c 92 bytes [14:50 15/12/2008] [00:22 17/12/2008] 067755E069C375C9789182ACA5F0CCE7

mia.dll --a--c 321108 bytes [14:50 15/12/2008] [16:13 14/07/2008] F7F9B26411EA63A4AD8CDC75351F4F21

setup.bmp -ra--c 432056 bytes [14:50 15/12/2008] [00:48 19/06/2008] 3DEE7FDA182B0C236494F2D802FFA0AB

stamps.dat --a--c 2152 bytes [14:50 15/12/2008] [00:22 17/12/2008] 88573F2A8A39E90F41407ED5A34DC290

stamps.exe --a--c 5104691 bytes [14:50 15/12/2008] [16:13 14/07/2008] CE78F3FD3952B264BF666D247298A969

stamps.msi --a--c 429056 bytes [14:50 15/12/2008] [16:13 14/07/2008] 7199C8C9DC31348D11A458BEFBADA18C

stamps.par --a--c 28320 bytes [14:50 15/12/2008] [00:22 17/12/2008] CC776E87C8323797AEECC82016E3D0DF

stamps.res --a--c 5267274 bytes [14:50 15/12/2008] [16:13 14/07/2008] 9CC202292EB4B12E0238A30E0A024851

No folders found.

C:\Documents and Settings\All Users\Application Data\{F17D835B-5C93-4BF4-845F-DF955DFDD632} - Parameters: "/s /md5"

---Files---

instance.dat --a--c 132 bytes [21:17 23/03/2009] [21:17 23/03/2009] 5A5C15BB13D85870F5E51A766F096413

mia.dll --a--c 321108 bytes [21:17 23/03/2009] [23:23 07/11/2007] F7F9B26411EA63A4AD8CDC75351F4F21

QBABPstmpsa.dat --a--c 259 bytes [21:17 23/03/2009] [21:17 23/03/2009] 25E1227D4739BE935FCE6A1BB6B9E42C

QBABPstmpsa.exe --a--c 2517021 bytes [21:17 23/03/2009] [23:23 07/11/2007] 198872DD90BB2EDDAC1668FF548DA159

QBABPstmpsa.msi --a--c 1048064 bytes [21:17 23/03/2009] [23:23 07/11/2007] 9AA16AB48046420BB0A7979DD20784D4

QBABPstmpsa.par --a--c 375 bytes [21:17 23/03/2009] [21:17 23/03/2009] 2A97623B1B93CA2C39FCBBC572D9B14D

QBABPstmpsa.res --a--c 3571746 bytes [21:17 23/03/2009] [23:23 07/11/2007] 95FC152403DA4D89B67FB984194D78E9

No folders found.

C:\documents and settings\Steve\Application Data\Booc - Parameters: "/s /md5"

---Files---

ryaqd.piy --a--- 589991 bytes [14:19 16/07/2010] [04:32 20/07/2010] 3341D54A7066E1B9D9E035FC808F0E89

No folders found.

c:\documents and settings\Steve\Application Data\Noow - Parameters: "/s /md5"

---Files---

None found.

No folders found.

-=End Of File=-

TDSSKiller log:

2010/08/31 14:37:46.0273 TDSS rootkit removing tool 2.4.1.4 Aug 31 2010 16:55:25

2010/08/31 14:37:46.0273 ================================================================================

2010/08/31 14:37:46.0273 SystemInfo:

2010/08/31 14:37:46.0273

2010/08/31 14:37:46.0273 OS Version: 5.1.2600 ServicePack: 3.0

2010/08/31 14:37:46.0273 Product type: Workstation

2010/08/31 14:37:46.0273 ComputerName: FRONTOFFICE

2010/08/31 14:37:46.0273 UserName: Steve

2010/08/31 14:37:46.0273 Windows directory: C:\WINDOWS

2010/08/31 14:37:46.0273 System windows directory: C:\WINDOWS

2010/08/31 14:37:46.0273 Processor architecture: Intel x86

2010/08/31 14:37:46.0273 Number of processors: 1

2010/08/31 14:37:46.0273 Page size: 0x1000

2010/08/31 14:37:46.0273 Boot type: Normal boot

2010/08/31 14:37:46.0273 ================================================================================

2010/08/31 14:37:46.0523 Initialize success

2010/08/31 14:37:52.0163 ================================================================================

2010/08/31 14:37:52.0163 Scan started

2010/08/31 14:37:52.0163 Mode: Manual;

2010/08/31 14:37:52.0163 ================================================================================

2010/08/31 14:37:52.0601 a2acc (130638992f393300a81e68c56456c533) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys

2010/08/31 14:37:52.0835 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/08/31 14:37:52.0898 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/08/31 14:37:52.0960 admjoy (a23675760dec131b9f799b6fb038a1f0) C:\WINDOWS\system32\DRIVERS\admjoy.sys

2010/08/31 14:37:53.0085 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/08/31 14:37:53.0163 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/08/31 14:37:53.0210 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/08/31 14:37:53.0476 AN983 (5dc7357b101aef8f5cc292bb8539f5d6) C:\WINDOWS\system32\DRIVERS\AN983.sys

2010/08/31 14:37:53.0679 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

2010/08/31 14:37:53.0788 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/08/31 14:37:53.0851 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/08/31 14:37:53.0960 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/08/31 14:37:54.0023 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/08/31 14:37:54.0195 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys

2010/08/31 14:37:54.0241 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys

2010/08/31 14:37:54.0382 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys

2010/08/31 14:37:54.0460 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/08/31 14:37:54.0632 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/08/31 14:37:54.0757 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/08/31 14:37:54.0820 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/08/31 14:37:54.0882 cdrbsdrv (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys

2010/08/31 14:37:54.0945 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/08/31 14:37:55.0148 cmpci (e5842ccf0953d3d46d5e26427b67e901) C:\WINDOWS\system32\drivers\cmaudio.sys

2010/08/31 14:37:55.0413 ctsfm2k (8db84de3aab34a8b4c2f644eff41cd76) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys

2010/08/31 14:37:55.0570 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/08/31 14:37:55.0648 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/08/31 14:37:55.0726 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/08/31 14:37:55.0773 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/08/31 14:37:55.0851 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/08/31 14:37:55.0960 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/08/31 14:37:56.0054 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/08/31 14:37:56.0148 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/08/31 14:37:56.0195 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/08/31 14:37:56.0241 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/08/31 14:37:56.0304 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/08/31 14:37:56.0382 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/08/31 14:37:56.0429 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/08/31 14:37:56.0491 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/08/31 14:37:56.0538 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/08/31 14:37:56.0632 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys

2010/08/31 14:37:56.0726 hidgame (923ee4eef2582909a056904ca8026015) C:\WINDOWS\system32\DRIVERS\hidgame.sys

2010/08/31 14:37:56.0773 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/08/31 14:37:56.0945 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/08/31 14:37:56.0991 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/08/31 14:37:57.0054 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/08/31 14:37:57.0132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/08/31 14:37:57.0320 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/08/31 14:37:57.0413 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/08/31 14:37:57.0538 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/08/31 14:37:57.0616 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/08/31 14:37:57.0679 IOPort (f7c534def663b4e847e44f20927f5ed2) C:\WINDOWS\System32\IOPORT.SYS

2010/08/31 14:37:57.0741 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/08/31 14:37:57.0788 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/08/31 14:37:57.0851 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/08/31 14:37:57.0898 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/08/31 14:37:57.0976 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/08/31 14:37:58.0038 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/08/31 14:37:58.0101 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/08/31 14:37:58.0163 itchfltr (936123d83e80c1cb3ea042d7fb98da25) C:\WINDOWS\system32\DRIVERS\itchfltr.sys

2010/08/31 14:37:58.0226 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/08/31 14:37:58.0288 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/08/31 14:37:58.0351 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/08/31 14:37:58.0429 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/08/31 14:37:58.0460 l8042pr2 (733ececf4371ac99410ee0f00bfd51e7) C:\WINDOWS\system32\DRIVERS\L8042Pr2.sys

2010/08/31 14:37:58.0601 LHidFlt2 (5bc552b8a4bb668ac169a24d7ff5b9b8) C:\WINDOWS\system32\DRIVERS\LHidFlt2.sys

2010/08/31 14:37:58.0648 LHidUsb (387cb1e73b17656f406fc13dc17eda6a) C:\WINDOWS\system32\drivers\LHidUsb.Sys

2010/08/31 14:37:58.0741 LMouFlt2 (128f0b4cd156872d440ae77202923a32) C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys

2010/08/31 14:37:58.0804 LwUsbHid (066ed0baa4faeb1475b9f06b8c319fc6) C:\WINDOWS\system32\DRIVERS\LwUsbHid.sys

2010/08/31 14:37:58.0851 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

2010/08/31 14:37:58.0945 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys

2010/08/31 14:37:58.0991 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/08/31 14:37:59.0070 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/08/31 14:37:59.0132 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/08/31 14:37:59.0179 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/08/31 14:37:59.0241 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/08/31 14:37:59.0335 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/08/31 14:37:59.0413 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/08/31 14:37:59.0491 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/08/31 14:37:59.0554 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/08/31 14:37:59.0616 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/08/31 14:37:59.0679 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/08/31 14:37:59.0726 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/08/31 14:37:59.0788 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/08/31 14:37:59.0866 MTIUSB (739b948c5c6ea11414e8bbb899c6c768) C:\WINDOWS\system32\drivers\mtiusb.sys

2010/08/31 14:37:59.0929 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/08/31 14:37:59.0991 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/08/31 14:38:00.0054 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/08/31 14:38:00.0116 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/08/31 14:38:00.0163 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/08/31 14:38:00.0210 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/08/31 14:38:00.0273 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/08/31 14:38:00.0335 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/08/31 14:38:00.0445 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/08/31 14:38:00.0507 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/08/31 14:38:00.0585 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/08/31 14:38:00.0679 nv (5d701fca6f7db7a8a7d21f80a84d291a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/08/31 14:38:00.0773 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/08/31 14:38:00.0835 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/08/31 14:38:00.0929 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys

2010/08/31 14:38:01.0038 P17 (91c21fac088f33a25ba351cc7c0999f2) C:\WINDOWS\system32\drivers\P17.sys

2010/08/31 14:38:01.0101 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/08/31 14:38:01.0163 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/08/31 14:38:01.0226 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/08/31 14:38:01.0335 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/08/31 14:38:01.0429 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/08/31 14:38:01.0491 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/08/31 14:38:01.0898 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/08/31 14:38:01.0945 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/08/31 14:38:02.0023 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/08/31 14:38:02.0085 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/08/31 14:38:02.0398 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/08/31 14:38:02.0460 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/08/31 14:38:02.0523 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/08/31 14:38:02.0554 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/08/31 14:38:02.0632 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/08/31 14:38:02.0695 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/08/31 14:38:02.0773 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/08/31 14:38:02.0835 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/08/31 14:38:02.0913 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys

2010/08/31 14:38:03.0007 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/08/31 14:38:03.0101 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/08/31 14:38:03.0163 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/08/31 14:38:03.0210 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/08/31 14:38:03.0304 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/08/31 14:38:03.0398 SI3112 (83409d0f9c886db038dcc4d377955c6a) C:\WINDOWS\system32\DRIVERS\SI3112.sys

2010/08/31 14:38:03.0570 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/08/31 14:38:03.0632 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/08/31 14:38:03.0726 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/08/31 14:38:03.0820 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys

2010/08/31 14:38:03.0882 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/08/31 14:38:03.0929 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/08/31 14:38:04.0179 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/08/31 14:38:04.0351 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/08/31 14:38:04.0382 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/08/31 14:38:04.0413 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/08/31 14:38:04.0491 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/08/31 14:38:04.0585 tffsport (d9d5e4ca72270e9f3eca97da0983ab87) C:\WINDOWS\system32\DRIVERS\tffsport.sys

2010/08/31 14:38:04.0741 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/08/31 14:38:04.0851 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/08/31 14:38:04.0945 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/08/31 14:38:05.0007 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/08/31 14:38:05.0054 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/08/31 14:38:05.0101 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/08/31 14:38:05.0148 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/08/31 14:38:05.0226 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/08/31 14:38:05.0288 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/08/31 14:38:05.0335 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/08/31 14:38:05.0382 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/08/31 14:38:05.0491 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/08/31 14:38:05.0585 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/08/31 14:38:05.0741 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/08/31 14:38:05.0820 wdm_au8810 (d90c1c67567cbdc7d55015a8c102c120) C:\WINDOWS\system32\drivers\adm8810.sys

2010/08/31 14:38:05.0960 WmBEnum (588c1df21321ec51eebff2c8909d1587) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/08/31 14:38:06.0023 WmFilter (3b45b7bfd513d3313e895d187849e3a3) C:\WINDOWS\system32\drivers\WmFilter.sys

2010/08/31 14:38:06.0132 WmUsbHid (f732983c86d44313dc26c6e171694e59) C:\WINDOWS\system32\drivers\WmUsbHid.sys

2010/08/31 14:38:06.0195 WmVirHid (fe7d6991fd5894f06aae95dc78e79948) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/08/31 14:38:06.0257 WmXlCore (dcbb4688ee775912444b9010cd3fe9b6) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/08/31 14:38:06.0304 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/08/31 14:38:06.0366 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/08/31 14:38:06.0413 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/08/31 14:38:06.0570 ================================================================================

2010/08/31 14:38:06.0570 Scan finished

2010/08/31 14:38:06.0570 ================================================================================

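The listing above is the driver section of the scanner log: one line per loaded driver with a timestamp, the registered service name, an MD5 in parentheses and the on-disk image path. When reviewing such a log by hand the things worth a second look are drivers loaded from outside the normal drivers directory, service names that do not match the image file name, and one image hash appearing under several names. The following Python is an added example written for this page, not part of the thread or of the scanner; the line format is inferred from the lines visible above, the expected driver directory is this example's own assumption, and the two `fakedrv` sample lines are constructed and describe no real driver.

```python
"""Added example: parse the driver listing above and flag entries worth a closer look.

The line format (timestamp, service name, MD5 in parentheses, image path) is
inferred from the log lines in the thread; the checks and the expected driver
directory are this example's own assumptions, not the scanner's logic.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Assumption: on a default Windows XP install the drivers listed by the
# scanner live here; anything elsewhere deserves a manual look.
EXPECTED_DIRS = {r"c:\windows\system32\drivers"}


@dataclass(frozen=True)
class DriverEntry:
    timestamp: str
    name: str   # service/driver name as registered
    md5: str    # lowercase hex digest reported by the scanner
    path: str   # on-disk image path


def parse_driver_log(text):
    """Return a DriverEntry for every line that matches the format; separator
    lines and 'Scan finished' do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["ts"], m["name"], m["md5"].lower(), m["path"]))
    return entries


def in_expected_dir(path):
    """Case-insensitive check of the image's parent directory."""
    return str(PureWindowsPath(path).parent).lower() in EXPECTED_DIRS


def name_matches_file(entry):
    """Service name equals the image's base name (case-insensitive). A mismatch
    is normal for some vendors (e.g. 'nv' -> nv4_mini.sys) but worth confirming."""
    return PureWindowsPath(entry.path).stem.lower() == entry.name.lower()


def review(entries):
    """Group the entries into the three review buckets described above."""
    findings = {"unexpected_location": [], "name_mismatch": [], "shared_hash": []}
    by_hash = {}
    for e in entries:
        if not in_expected_dir(e.path):
            findings["unexpected_location"].append(e)
        if not name_matches_file(e):
            findings["name_mismatch"].append(e)
        by_hash.setdefault(e.md5, []).append(e)
    # One image hash under several paths: a duplicated driver, worth checking.
    for md5, group in by_hash.items():
        paths = sorted({g.path.lower() for g in group})
        if len(paths) > 1:
            findings["shared_hash"].append((md5, paths))
    return findings


# Sample input: the first five lines are copied from the listing above; the two
# 'fakedrv' lines are constructed for this example and describe no real driver.
SAMPLE_LOG = r"""
2010/08/31 14:37:58.0163 itchfltr (936123d83e80c1cb3ea042d7fb98da25) C:\WINDOWS\system32\DRIVERS\itchfltr.sys
2010/08/31 14:37:58.0851 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys
2010/08/31 14:38:00.0679 nv (5d701fca6f7db7a8a7d21f80a84d291a) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/31 14:38:04.0351 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/31 14:38:05.0382 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/31 14:38:06.0100 fakedrv1 (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\fakedrv1.sys
2010/08/31 14:38:06.0200 fakedrv2 (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\fakedrv2.sys
2010/08/31 14:38:06.0570 ================================================================================
2010/08/31 14:38:06.0570 Scan finished
"""

if __name__ == "__main__":
    for kind, items in review(parse_driver_log(SAMPLE_LOG)).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Feed it the full listing and the output is a short list to verify by hand (hash lookup, vendor signature, file properties) instead of 150 lines to eyeball; the name-mismatch bucket will contain legitimate vendor drivers too, so treat it as a to-check list, not a verdict.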

Hi,

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes

    :Services

    :Reg

    :Files
    ipconfig /flushdns /c
    C:\Documents and Settings\All Users\Application Data\{1CE720E2-BCB3-4C23-8FE0-78EF97511424}
    C:\Documents and Settings\All Users\Application Data\{F17D835B-5C93-4BF4-845F-DF955DFDD632}
    C:\documents and settings\Steve\Application Data\Booc
    c:\documents and settings\Steve\Application Data\Noow
    C:\Documents and Settings\Steve\Application Data\Bitrix Security

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [emptyflash]
    [createrestorepoint]
    [reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please use WinZip to Zip the .run file (link on how to do this), and then upload the .zip file to the forum.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Do you still experience any problems after doing the above (can't update MBAM, redirects)?

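The OTM script above flushes the DNS cache and resets the hosts file, which is the usual first response when a machine shows browser redirects and a security tool that cannot reach its update server. Before resetting, it is worth knowing what the hosts file actually contained. The Python below is an added example for this page, not OTM's own [resethosts] logic and not from the thread: it parses a hosts file and reports hostnames sent to a real address (a redirect), hostnames sunk to loopback or 0.0.0.0 (blocked), and a hypothetical watch list of hosts the user expects to reach, such as an update server. The sample hosts file and the watch-list entry are constructed for the example.

```python
"""Added example: audit a Windows hosts file for entries that could cause the
symptoms discussed in the thread (redirects, a tool that cannot reach its update
server). This is not OTM's [resethosts] logic; it only reports, it changes nothing."""
import ipaddress

# Hypothetical watch list: hostnames the user expects to reach (e.g. update servers).
WATCH_LIST = ("update.vendor.example",)

# The stock entries of a clean hosts file; loopback mappings for these are fine.
DEFAULT_LOCALHOST = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (address, hostname, line_number) tuples; comments and blanks are skipped.
    One line may map several hostnames, so one line can yield several tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), lineno))
    return entries


def classify_address(addr):
    """'loopback', 'unspecified' (0.0.0.0 style), 'other', or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    return "other"


def audit_hosts(text, watch_list=()):
    """Return (kind, line_number, hostname, address) findings.

    redirect          - hostname sent to a real address (classic hosts hijack)
    blocked_watchlist - a watched hostname sunk to loopback/0.0.0.0 (updates fail)
    blackholed        - any other hostname sunk to loopback/0.0.0.0 (may be ad-blocking)
    invalid           - address does not parse; worth a look either way
    """
    watch = {w.lower() for w in watch_list}
    findings = []
    for addr, host, lineno in parse_hosts(text):
        kind = classify_address(addr)
        if kind == "loopback" and host in DEFAULT_LOCALHOST:
            continue  # the stock entries
        if kind == "other":
            findings.append(("redirect", lineno, host, addr))
        elif kind in ("loopback", "unspecified"):
            label = "blocked_watchlist" if host in watch else "blackholed"
            findings.append((label, lineno, host, addr))
        else:
            findings.append(("invalid", lineno, host, addr))
    return findings


# Constructed sample, not the hosts file from the thread. 203.0.113.0/24 is a
# documentation range, so the 'redirect' line points nowhere real.
SAMPLE_HOSTS = """\
# constructed for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net          # ad-blocking style entry
127.0.0.1       update.vendor.example    # a watched update host, sunk
203.0.113.7     www.search.example       # a site redirected elsewhere
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCH_LIST):
        print(finding)
```

On the affected machine the file to read is %SystemRoot%\System32\drivers\etc\hosts (the path OTM reports moving in the log that follows); copy it off before the reset so the findings can be kept with the case notes. A long list of loopback entries is not by itself suspicious, since ad-blocking hosts files look exactly like that; the redirect and blocked_watchlist findings are the ones that explain the symptoms in this thread.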

Hi Gammo,

Mbam will still not update.

I am still getting redirects, however, Malwarebytes is now blocking some (not all) of them.

After running OTM, and clicking on reboot, my computer froze at the "windows is shutting down" screen.

I pushed the reset button to continue the reboot.

Below is the OTM log:

All processes killed

========== PROCESSES ==========

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Documents and Settings\Steve\Desktop\cmd.bat deleted successfully.

C:\Documents and Settings\Steve\Desktop\cmd.txt deleted successfully.

C:\Documents and Settings\All Users\Application Data\{1CE720E2-BCB3-4C23-8FE0-78EF97511424} folder moved successfully.

C:\Documents and Settings\All Users\Application Data\{F17D835B-5C93-4BF4-845F-DF955DFDD632} folder moved successfully.

C:\documents and settings\Steve\Application Data\Booc folder moved successfully.

c:\documents and settings\Steve\Application Data\Noow folder moved successfully.

C:\Documents and Settings\Steve\Application Data\Bitrix Security folder moved successfully.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 65716 bytes

->Temporary Internet Files folder emptied: 16786 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: QBDataServiceUser18

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Steve

->Temp folder emptied: 1434 bytes

->Temporary Internet Files folder emptied: 235195 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 31566043 bytes

->Google Chrome cache emptied: 6520371 bytes

->Flash cache emptied: 2225 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 37.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.15.0 log created on 08312010_194508

Files moved on Reboot...

Registry entries deleted on Reboot...

Also, attached is the zipped RunScanner .run file: runscannerlogzipped.zip

Thanks!


Hi,

I can't read the RunScanner file, but let's try some other things first:

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then click Start and allow the express scan to run.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
  • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.



Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
