Hacked and Sacked


nyjetsjon


Hello,

Yesterday I went on a computer game that my son and I play regularly and found out that my account had been hacked into and items I had worked for in game were gone. In addition to this, my task manager was disabled and the run option was missing from my start menu. I think I was infected with some type of keylogger program. I managed to get everything fixed: updated and ran virus protection, ran malwarebytes program, and fixed my registry to bring back run and task manager. The problem is that I am mortified that my computer was compromised and I am not sure if I fixed everything. Here is my Hijackthis log:

O2 - BHO: Free Ride Games Toolbar - {f92a9fe4-2850-4198-b9d5-279880e49b16} - C:\Program Files\Free_Ride_Games\tbFre1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll

O3 - Toolbar: bkqxdons - {EC21D037-F4B2-477B-8D46-BA927BDD5EA9} - C:\WINDOWS\TEMP\ac8zt2\bkqxdons.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.15.4\BabylonToolbarTlbr.dll

O3 - Toolbar: Free Ride Games Toolbar - {f92a9fe4-2850-4198-b9d5-279880e49b16} - C:\Program Files\Free_Ride_Games\tbFre1.dll

O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll

O3 - Toolbar: ooVoo Toolbar - {59c6f12b-f004-43e5-9997-08f2123119b6} - C:\Program Files\oovootoolbar\oovootoolbarX.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [bigFix] c:\program files\Bigfix\bigfix.exe /atstartup

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [babylonToolbar] "C:\Program Files\BabylonToolbar\BabylonToolbar\1.4.15.4\BabylonToolbarsrv.exe" /md I

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"

O4 - HKLM\..\Run: [VMonitorVMUVC] "C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC

O4 - HKCU\..\Run: [Power2GoExpress] NA

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [speeder] "C:\Program Files\Speed Gear\SpeedGear.exe" /Minimize

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"

O4 - HKCU\..\Run: [ooVoo.exe] C:\Program Files\ooVoo\oovoo.exe /minimized

O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US

O4 - HKCU\..\Run: [userlib.exe] C:\Documents and Settings\Owner\My Documents\My Music\More Samples\userlib.exe

O4 - HKCU\..\RunOnce: [shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FBSMTWB; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{918E14CC-4773-429C-9D3E-4443D5F8FADA}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe

O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Translate this web page with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm

O8 - Extra context menu item: Translate with Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/stg_drm.ocx

O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://www.worldwinner.com/games/v63/bjattack/bja.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} (Launcher Class) - http://download.gemfighter.com/launcher/gemx2.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinner.com/games/launcher/ie/v2.21.01.0/iewwload.cab

O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab

O16 - DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} (Wild Pockets Loader Plugin Control Class) - http://www.wildpockets.com/common/WildPocketsLoader-15079.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/armhelper.ocx

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.gamehouse.com/realarcade-webgames/cinematycoon/cinematycoon.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate1caca1eecbf7862) (gupdate1caca1eecbf7862) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe

O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 13953 bytes

I would greatly appreciate if someone can take the time to look at this and give me some feedback on this log. I use this computer in my house for other important applications and I need it secure. Thank you in advance.


Hello nyjetsjon! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.
  • Post all of your log files, don't attach them.

Download DDS and save it to your desktop from here or .

Disable any script blocker, and then double click dds.scr to run the tool.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Here is the first log:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 16:38:25.23 on Wed 02/23/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1198 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Motive\McciServiceHost.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATT-SST\McciTrayApp.exe

C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uSearch Bar =

uStart Page = hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

mDefault_Page_URL = hxxp://www.yahoo.com

mSearch Page = ${URL_SEARCHPAGE}

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

mSearchAssistant =

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.4\bh\BabylonToolbar.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL

BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll

BHO: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFre1.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

TB: bkqxdons: {ec21d037-f4b2-477b-8d46-ba927bdd5ea9} - c:\windows\temp\ac8zt2\bkqxdons.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.4\BabylonToolbarTlbr.dll

TB: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFre1.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll

TB: {A057A204-BACC-4D26-B0F2-49F8CCAB3ED4} - No File

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

uRun: [Power2GoExpress] NA

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [speeder] "c:\program files\speed gear\SpeedGear.exe" /Minimize

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [userlib.exe] c:\documents and settings\owner\my documents\my music\more samples\userlib.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FBSMTWB; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [bigFix] c:\program files\bigfix\bigfix.exe /atstartup

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [babylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.15.4\BabylonToolbarsrv.exe" /md I

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"

mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\owner\local settings\temp\{918e14cc-4773-429c-9d3e-4443d5f8fada}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe

uPolicies-system: DisableRegistryTools = 0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: $talisma_url$

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/stg_drm.ocx

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.21.01.0/iewwload.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/armhelper.ocx

DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://www.gamehouse.com/realarcade-webgames/cinematycoon/cinematycoon.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.virustotal.com

Hosts: 127.0.0.1 www.bitdefender.com

Hosts: 127.0.0.1 www.eset.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\v3m9jwv0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=12234

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://home.speedbit.com/?aff=205

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

=============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2011-02-21 19:16:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\AIM

2011-02-21 19:16:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM

2011-02-21 19:16:37 -------- d-----w- c:\program files\AIM

2011-02-21 19:16:36 -------- d-----w- c:\program files\common files\Software Update Utility

2011-02-16 22:53:30 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\LogMeIn Hamachi

2011-02-14 19:44:06 -------- d-----w- c:\docume~1\owner\applic~1\.minecraft

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-26 20:17:03 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2008-02-24 23:18:58 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 16:39:10.82 ===============

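The HijackThis log in the first post and the "Pseudo HJT Report" section of the DDS log above are the kind of output a helper reads line by line, looking first for a handful of indicators: entries that still reference a file that is no longer present, modules or executables launched from a temp directory or from inside the user's documents folders, policy values that disable admin tools (the disabled Task Manager and missing Run entry described in the first post are set through such policies), and hosts-file entries that send security-vendor sites to 127.0.0.1. The script below is an added example written for this page, not a tool from the thread or from Malwarebytes. Its sample input is a constructed excerpt of lines copied from the logs above; the rule names, the list of vendor domains and the O7 `DisableRegedit=1` test line are its own assumptions (that HijackThis policy format does not occur in this thread's logs); and a flag means "worth a human look", not "malicious".

```python
"""Triage helper for HijackThis and DDS "Pseudo HJT" log lines (added example).

Each line is checked against a few indicators an analyst would look at first.
A finding means "worth a human look", not "malicious".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Security-vendor domains (constructed list): a hosts entry sending one of these
# to 127.0.0.1 stops the machine from reaching that vendor's site.
SECURITY_DOMAINS = ("virustotal.com", "bitdefender.com", "eset.com",
                    "malwarebytes.org", "symantec.com", "kaspersky.com")

# Rules are applied to the lower-cased line, so the HijackThis spelling of an
# entry ("O4 - HKCU\..\Run:") and the DDS spelling ("uRun:") match alike.
PATTERN_RULES = [
    ("dangling-entry", re.compile(r"\(file missing\)|- no file\b"),
     "entry still points at a file that no longer exists"),
    ("temp-path-module", re.compile(r"\\temp\\.*?\.(?:dll|exe)\b"),
     "dll/exe loaded or started from a temp directory"),
    ("user-profile-exe", re.compile(r"\\my (?:documents|music|pictures)\\.*?\.exe\b"),
     "executable autostarting from inside the user's documents tree"),
    ("policy-restriction", re.compile(r"\brestrictions present\b"),
     "Internet Explorer policy restrictions are set"),
]
# Policy values: only a non-zero value actually disables the tool.
POLICY_VALUE = re.compile(
    r"(disableregistrytools|disableregedit|disabletaskmgr|norun)\s*=\s*(\S+)")
HOSTS_ENTRY = re.compile(r"hosts:\s*127\.0\.0\.1\s+(\S+)")


@dataclass
class Finding:
    tag: str
    line: str
    why: str


def is_security_domain(host: str) -> bool:
    """True if host is one of SECURITY_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def triage_line(line: str) -> list:
    """Return every Finding raised by one log line (possibly none)."""
    raw = line.strip()
    low = raw.lower()
    found = [Finding(tag, raw, why) for tag, rx, why in PATTERN_RULES if rx.search(low)]
    m = POLICY_VALUE.search(low)
    if m and m.group(2) != "0":
        found.append(Finding("policy-restriction", raw,
                             f"{m.group(1)} = {m.group(2)} disables an admin tool"))
    m = HOSTS_ENTRY.search(low)
    if m and is_security_domain(m.group(1)):
        found.append(Finding("hosts-blocks-security-site", raw,
                             f"hosts file sends {m.group(1)} to localhost"))
    return found


def triage(text: str) -> list:
    """Triage a whole log; blank lines are skipped."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


def summarize(findings) -> dict:
    """Count findings per tag."""
    return dict(Counter(f.tag for f in findings))


# Constructed sample: lines copied from the HijackThis and DDS logs in this thread,
# mixed with two ordinary entries that should not be flagged.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O3 - Toolbar: bkqxdons - {EC21D037-F4B2-477B-8D46-BA927BDD5EA9} - C:\WINDOWS\TEMP\ac8zt2\bkqxdons.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userlib.exe] C:\Documents and Settings\Owner\My Documents\My Music\More Samples\userlib.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\{918E14CC-4773-429C-9D3E-4443D5F8FADA}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
TB: {A057A204-BACC-4D26-B0F2-49F8CCAB3ED4} - No File
uPolicies-system: DisableRegistryTools = 0
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.eset.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.why}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run stand-alone it prints one finding per indicator hit, with the bkqxdons toolbar line raised twice (missing file and temp path). The `DisableRegistryTools = 0` line from the DDS log is deliberately not flagged: a value of 0 means the tool is enabled, which is consistent with the original poster having already restored Task Manager and Run before the log was taken.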

Here is the second:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 2/9/2008 1:38:46 AM

System Uptime: 2/23/2011 4:12:16 AM (12 hours ago)

Motherboard: Gateway | | MCP61SM2MA

Processor: AMD Sempron Processor LE-1200 | Socket AM2 | 2109/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 88.445 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 2.579 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP995: 11/26/2010 12:36:59 AM - System Checkpoint

RP996: 11/27/2010 1:54:18 AM - System Checkpoint

RP997: 11/28/2010 2:12:12 AM - System Checkpoint

RP998: 11/29/2010 2:43:10 AM - System Checkpoint

RP999: 11/30/2010 3:27:07 AM - System Checkpoint

RP1000: 12/1/2010 4:27:08 AM - System Checkpoint

RP1001: 12/2/2010 5:26:43 AM - System Checkpoint

RP1002: 12/3/2010 6:21:33 AM - System Checkpoint

RP1003: 12/3/2010 10:42:55 PM - Installed Free Ride Games Player

RP1004: 12/4/2010 11:26:21 PM - System Checkpoint

RP1005: 12/5/2010 6:59:30 PM - Installed DirectX

RP1006: 12/6/2010 9:32:05 PM - System Checkpoint

RP1007: 12/7/2010 10:26:23 PM - System Checkpoint

RP1008: 12/8/2010 11:10:45 PM - System Checkpoint

RP1009: 12/9/2010 11:28:56 PM - System Checkpoint

RP1010: 12/11/2010 12:38:05 AM - System Checkpoint

RP1011: 12/12/2010 3:03:32 AM - System Checkpoint

RP1012: 12/13/2010 3:04:24 AM - System Checkpoint

RP1013: 12/14/2010 8:17:06 AM - System Checkpoint

RP1014: 12/15/2010 11:19:44 AM - System Checkpoint

RP1015: 12/16/2010 11:31:16 AM - System Checkpoint

RP1016: 12/17/2010 11:38:37 AM - System Checkpoint

RP1017: 12/17/2010 4:10:40 PM - Installed Ventrilo Client

RP1018: 12/18/2010 4:13:45 PM - System Checkpoint

RP1019: 12/19/2010 4:48:47 PM - System Checkpoint

RP1020: 12/20/2010 3:02:00 PM - Installed globaldk

RP1021: 12/20/2010 3:08:18 PM - Installed globaldk

RP1022: 12/21/2010 10:04:25 PM - System Checkpoint

RP1023: 12/23/2010 12:09:00 AM - System Checkpoint

RP1024: 12/23/2010 4:21:25 AM - Installed Java 6 Update 23

RP1025: 12/24/2010 4:41:38 AM - System Checkpoint

RP1026: 12/25/2010 5:25:36 AM - System Checkpoint

RP1027: 12/25/2010 8:56:51 AM - Installed Vimicro USB2.0 UVC PC Camera

RP1028: 12/25/2010 10:27:37 PM - Removed globaldk

RP1029: 12/25/2010 11:08:56 PM - Software Distribution Service 3.0

RP1030: 12/26/2010 3:02:06 AM - Software Distribution Service 3.0

RP1031: 12/26/2010 2:21:02 PM - Software Distribution Service 3.0

RP1032: 12/27/2010 3:00:30 AM - Software Distribution Service 3.0

RP1033: 12/28/2010 3:35:15 AM - System Checkpoint

RP1034: 12/29/2010 3:40:42 AM - System Checkpoint

RP1035: 12/30/2010 3:43:45 AM - System Checkpoint

RP1036: 12/31/2010 4:39:15 AM - System Checkpoint

RP1037: 1/1/2011 5:03:37 AM - System Checkpoint

RP1038: 1/2/2011 5:38:50 AM - System Checkpoint

RP1039: 1/2/2011 8:20:49 PM - Removed Ventrilo Client

RP1040: 1/2/2011 8:21:30 PM - Removed Skype


Step 1

Please, uninstall the following applications:

  1. MyBabylon toolbar
  2. Norton Security Scan

You can read how to do this here:

Step 2

I also see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Step 3

  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab and select Check for Updates.
  • Go to the Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please post these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only


Here are the two posts you requested. Again, thank you for your time and effort.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5858

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/23/2011 6:20:20 PM

mbam-log-2011-02-23 (18-20-20).txt

Scan type: Quick scan

Objects scanned: 152852

Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-12-12.02) - NTFSx86

Run by Owner at 18:21:37.92 on Wed 02/23/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1183 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Motive\McciServiceHost.exe

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATT-SST\McciTrayApp.exe

C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR\WG111v3\WG111v3.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uSearch Bar =

uStart Page = hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

mDefault_Page_URL = hxxp://www.yahoo.com

mSearch Page = ${URL_SEARCHPAGE}

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

mSearchAssistant =

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL

BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll

BHO: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFre1.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll

TB: bkqxdons: {ec21d037-f4b2-477b-8d46-ba927bdd5ea9} - c:\windows\temp\ac8zt2\bkqxdons.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Free Ride Games Toolbar: {f92a9fe4-2850-4198-b9d5-279880e49b16} - c:\program files\free_ride_games\tbFre1.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

TB: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll

TB: {A057A204-BACC-4D26-B0F2-49F8CCAB3ED4} - No File

TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File

uRun: [Power2GoExpress] NA

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [speeder] "c:\program files\speed gear\SpeedGear.exe" /Minimize

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"

uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized

uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US

uRun: [userlib.exe] c:\documents and settings\owner\my documents\my music\more samples\userlib.exe

uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100429 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; FBSMTWB; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE

mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"

mRun: [bigFix] c:\program files\bigfix\bigfix.exe /atstartup

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"

mRun: [VMonitorVMUVC] "c:\program files\vimicro corporation\vmuvc\VMonitor.exe" VMUVC

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\owner\local settings\temp\{918e14cc-4773-429c-9d3e-4443d5f8fada}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe

uPolicies-system: DisableRegistryTools = 0

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: $talisma_url$

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/stg_drm.ocx

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - hxxp://www.worldwinner.com/games/v63/bjattack/bja.cab

DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab

DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.21.01.0/iewwload.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Polly%20Pride%20Pet%20Detective/Images/armhelper.ocx

DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://www.gamehouse.com/realarcade-webgames/cinematycoon/cinematycoon.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.virustotal.com

Hosts: 127.0.0.1 www.bitdefender.com

Hosts: 127.0.0.1 www.eset.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\v3m9jwv0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=12234

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://home.speedbit.com/?aff=205

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20110221.001\IDSXpx86.sys [2011-2-22 341944]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]

R2 McciServiceHost;McciServiceHost;c:\program files\common files\motive\McciServiceHost.exe [2010-12-23 315392]

R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-14 102448]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110223.002\NAVENG.SYS [2011-2-23 86008]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20110223.002\NAVEX15.SYS [2011-2-23 1360760]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2010-12-25 254720]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2010-12-25 398720]

S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]

S2 gupdate1caca1eecbf7862;Google Update Service (gupdate1caca1eecbf7862);c:\program files\google\update\GoogleUpdate.exe [2010-3-22 133104]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2006-6-30 69692]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]

S3 XDva158;XDva158;\??\c:\windows\system32\xdva158.sys --> c:\windows\system32\XDva158.sys [?]

S3 XDva164;XDva164;\??\c:\windows\system32\xdva164.sys --> c:\windows\system32\XDva164.sys [?]

S3 XDva165;XDva165;\??\c:\windows\system32\xdva165.sys --> c:\windows\system32\XDva165.sys [?]

S3 XDva167;XDva167;c:\windows\system32\XDva167.sys [2008-6-12 45696]

S3 XDva177;XDva177;\??\c:\windows\system32\xdva177.sys --> c:\windows\system32\XDva177.sys [?]

S3 XDva186;XDva186;c:\windows\system32\XDva186.sys [2008-7-9 46080]

S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]

S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]

S3 XDva201;XDva201;\??\c:\windows\system32\xdva201.sys --> c:\windows\system32\XDva201.sys [?]

S3 XDva212;XDva212;c:\windows\system32\XDva212.sys [2008-10-28 48384]

S3 XDva224;XDva224;\??\c:\windows\system32\xdva224.sys --> c:\windows\system32\XDva224.sys [?]

S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]

=============== File Associations ===============

regfile=regedit.exe "%1" %*

scrfile="%1" %*

=============== Created Last 30 ================

2011-02-21 19:16:53 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\AIM

2011-02-21 19:16:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\AIM

2011-02-21 19:16:37 -------- d-----w- c:\program files\AIM

2011-02-21 19:16:36 -------- d-----w- c:\program files\common files\Software Update Utility

2011-02-16 22:53:30 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\LogMeIn Hamachi

2011-02-14 19:44:06 -------- d-----w- c:\docume~1\owner\applic~1\.minecraft

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-26 20:17:03 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2008-02-24 23:18:58 774144 ----a-w- c:\program files\RngInterstitial.dll

============= FINISH: 18:22:42.75 ===============
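The DDS log above contains three things a responder looks at before anything else: Hosts lines that point security-vendor sites at 127.0.0.1, a toolbar and a startup item loading from temp directories, and a DisableRegistryTools policy entry. As an added example (not DDS, Malwarebytes or ComboFix code, and not from this thread), here is a small Python triage script that applies those three checks to lines in the DDS "Pseudo HJT Report" format. The sample lines are constructed from the log above, and the vendor-domain list is an assumption made for the demonstration.

```python
"""Triage helper for DDS "Pseudo HJT Report" lines.

Added example for this thread; not part of DDS or Malwarebytes. It applies
three defender-side checks to the log format posted above:
  1. Hosts entries that map a non-localhost name to loopback
     (a common way malware blocks antivirus vendor sites),
  2. toolbar/BHO/autorun entries that load from a temp directory,
  3. uPolicies/mPolicies restrictions such as DisableRegistryTools.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample modelled on lines from the DDS log above; not a full log.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: bkqxdons: {ec21d037-f4b2-477b-8d46-ba927bdd5ea9} - c:\windows\temp\ac8zt2\bkqxdons.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uRun: [userlib.exe] c:\documents and settings\owner\my documents\my music\more samples\userlib.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\owner\local settings\temp\{918e14cc-4773-429c-9d3e-4443d5f8fada}\ATR1.exe
uPolicies-system: DisableRegistryTools = 0
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 localhost
""".strip()


class Finding(NamedTuple):
    kind: str
    severity: str
    line: str


LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed short list of vendor domains that hosts-file blockers commonly target.
SECURITY_SITES = ("virustotal.com", "bitdefender.com", "eset.com",
                  "malwarebytes.org", "symantec.com", "kaspersky.com")
# DDS tags for things that get loaded automatically (toolbars, BHOs, Run keys, Startup folder).
AUTORUN_TAGS = ("TB:", "BHO:", "uRun:", "mRun:", "dRun:", "uRunOnce:",
                "mRunOnce:", "dRunOnce:", "StartupFolder:")
TEMP_PATH = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
POLICY = re.compile(r"^[udm]Policies-\w+:\s*(\w+)\s*=\s*(\S+)")


def check_hosts(line: str) -> Optional[Finding]:
    """Flag Hosts lines that send a real hostname to loopback; vendor sites rate high."""
    m = re.match(r"^Hosts:\s+(\S+)\s+(\S+)", line)
    if not m:
        return None
    ip, host = m.group(1), m.group(2).lower()
    if host == "localhost" or ip not in LOOPBACK:
        return None
    sev = "high" if host.endswith(SECURITY_SITES) else "medium"
    return Finding("hosts-redirect", sev, line)


def check_autorun(line: str) -> Optional[Finding]:
    """Flag anything auto-loaded whose path sits under a temp directory."""
    if line.startswith(AUTORUN_TAGS) and TEMP_PATH.search(line):
        return Finding("autorun-from-temp", "high", line)
    return None


def check_policy(line: str) -> Optional[Finding]:
    """Flag policy restrictions; a value of 0 means present but not enforced."""
    m = POLICY.match(line)
    if not m:
        return None
    _name, value = m.groups()
    sev = "info" if value == "0" else "high"
    return Finding("policy-restriction", sev, line)


def triage(text: str) -> List[Finding]:
    """Run every check over every line and collect the findings in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_hosts, check_autorun, check_policy):
            found = check(line)
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.kind:18} {f.line}")
```

Run as-is it prints five findings from the constructed sample. The DisableRegistryTools line is reported as informational even though its value is 0: the key being present at all is worth noting, since the restriction is what hides the Run entry and Task Manager, and a value of 0 only says it is not enforced right now.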


Sorry, I missed something!

Please uninstall Conduit Engine and then:

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer.**

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    ----------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  • Double-click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**


Wow, this is a huge list. Here it is:

ComboFix 11-02-23.08 - Owner 02/24/2011 11:09:55.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1294 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\CFLog

c:\documents and settings\All Users\Application Data\Toolbar4

c:\documents and settings\Owner\Application Data\Adobe\Player.exe.bak

c:\windows\10035hze9t30214.bin

c:\windows\10699virzs255.ocx

c:\windows\10z905irusb3.exe

c:\windows\11327sp95bzt3c4.bin

c:\windows\11598spy7z4.ocx

c:\windows\12526spambzt2ee9.ocx

c:\windows\12958woz96bb.exe

c:\windows\131z9not-a-virus52e.bin

c:\windows\13459sp937z.dll

c:\windows\13979not5a-viruz6d.bin

c:\windows\13z275py2a29.dll

c:\windows\13z45hacktool39.cpl

c:\windows\13z5t59eat16242.cpl

c:\windows\13z96ha5ktoo938.dll

c:\windows\141z4hack9ool5a5.cpl

c:\windows\14256h5ckzo9l146.dll

c:\windows\14729s5ambo91bez.bin

c:\windows\14824s955ez.cpl

c:\windows\14b0spyw9rz2265.ocx

c:\windows\14cedown9o5der316z.bin

c:\windows\153bdown9oaderz21.dll

c:\windows\153zvir9545.ocx

c:\windows\15529tr5j9cz.ocx

c:\windows\15551vzrus903.dll

c:\windows\1558z9roj20b5.exe

c:\windows\15770z9y5f4.dll

c:\windows\1580zha9ktool5a5.bin

c:\windows\15908zacktool1c5.bin

c:\windows\1595wormzb9.ocx

c:\windows\15988t5o9490z.dll

c:\windows\15czvir209.dll

c:\windows\15estealz96.ocx

c:\windows\16035p9z13.ocx

c:\windows\166995pambzt78.exe

c:\windows\16f9backdzo52357.ocx

c:\windows\1770ha9ktoo55z5.ocx

c:\windows\17836nz5-a-vir9s371.ocx

c:\windows\17855z9rm662.dll

c:\windows\17897zpambot1155.dll

c:\windows\17905pyzare1554.cpl

c:\windows\1791thz9f5822.dll

c:\windows\17939zot-a5virus2cb.ocx

c:\windows\17sp9z5re1539.ocx

c:\windows\17z95ddware2753.ocx

c:\windows\18039parse3z55.bin

c:\windows\18423szambo9553.cpl

c:\windows\18493spambotz545.exe

c:\windows\1896worm675z.bin

c:\windows\190ddowzlo9der7015.ocx

c:\windows\19170not-a-v5ruszf.dll

c:\windows\19274hazk5ool79.bin

c:\windows\193bthi9f4z5.cpl

c:\windows\19445vi5us5afz.ocx

c:\windows\1947t5re9t8z09.exe

c:\windows\19529ackdoor1z49.ocx

c:\windows\196195zoj4ca.ocx

c:\windows\1993vi9us3e5z.exe

c:\windows\19z14viru51c9.dll

c:\windows\1a8dst9al15z0.bin

c:\windows\1a98sp9wa5z2533.exe

c:\windows\1af1zownl5ader17919.exe

c:\windows\1b59addwaze3520.dll

c:\windows\1d1b5z9ef1165.exe

c:\windows\1d7ebackd5orz995.cpl

c:\windows\1e0fthz5at19066.exe

c:\windows\1e439zreat52007.cpl

c:\windows\1z016worm5459.ocx

c:\windows\1z739h5ef1789.ocx

c:\windows\1z838ha59tool2d2.exe

c:\windows\203189pamb5t574z.dll

c:\windows\2043spambzt559.bin

c:\windows\20855w9zm3b1.exe

c:\windows\208z4spy2925.dll

c:\windows\2097adzware20579.bin

c:\windows\20f6z9r4195.dll

c:\windows\21225not-a9virus5z.bin

c:\windows\21321hack9oz5240.ocx

c:\windows\21441w5rm9ze.dll

c:\windows\2169zpy175.dll

c:\windows\222fbazk5oor999.dll

c:\windows\222zspyware9995.dll

c:\windows\22z80ha5ktool2199.dll

c:\windows\23ecs5ywa9ez776.exe

c:\windows\2419thi9fz785.ocx

c:\windows\24550vi9us7zd.cpl

c:\windows\25046z95m54c.ocx

c:\windows\250609orm1z7.bin

c:\windows\2508695rus4z0.cpl

c:\windows\25349spyz5f9.exe

c:\windows\25533zackto9l1b2.dll

c:\windows\25618spam9ot1zc.ocx

c:\windows\2585zhacktoo5490.ocx

c:\windows\25945wzrm39c.bin

c:\windows\25956s9y58z.bin

c:\windows\2598z9py265.bin

c:\windows\26396wozm355.bin

c:\windows\27141t9z5380.ocx

c:\windows\27372zr9561c.cpl

c:\windows\2761vi5us2z9.dll

c:\windows\2776zwor95a5.bin

c:\windows\2812z95y30a.cpl

c:\windows\28897haz5tool65d.cpl

c:\windows\288e9pa5se29z7.exe

c:\windows\2892add5are7z6.exe

c:\windows\28950spy19ez.dll

c:\windows\2902ste5l5z59.ocx

c:\windows\29349wor572z.cpl

c:\windows\29537viruz593.exe

c:\windows\29592tzoj575.ocx

c:\windows\29689s5y1z.cpl

c:\windows\29756s5y449z.cpl

c:\windows\29b7spy9zre855.cpl

c:\windows\29ddszar5e1984.cpl

c:\windows\2b19tzrea515470.cpl

c:\windows\2ea1spar9e2995z.bin

c:\windows\2z914virus505.bin

c:\windows\2zf9th5ef1915.dll

c:\windows\302fzt5al9136.bin

c:\windows\305159py3d0z.cpl

c:\windows\3063spz9bot5f8.exe

c:\windows\30658h9ckzool2045.cpl

c:\windows\30z59worm2b5.dll

c:\windows\32087virzs395.cpl

c:\windows\32339szamb59381.cpl

c:\windows\3265v9rzs55c.ocx

c:\windows\32cthzef2539.bin

c:\windows\345aaddw9rz1759.ocx

c:\windows\34f0stealz957.dll

c:\windows\350zthie9987.cpl

c:\windows\35919spazbot6dc.ocx

c:\windows\3597spa59ot55z.ocx

c:\windows\3698do5nloade9238z.bin

c:\windows\369ethie5z815.bin

c:\windows\36adad5wa9e3145z.exe

c:\windows\375dvi92547z.dll

c:\windows\3859szarse1969.bin

c:\windows\3925t9reat291z1.cpl

c:\windows\3931vizus55e.ocx

c:\windows\39415hreat27z25.dll

c:\windows\39533z5ambotd2.cpl

c:\windows\3975orm32z.dll

c:\windows\3995spyz5re2053.dll

c:\windows\39f05ddwarez09.ocx

c:\windows\3az6spywa9e2258.dll

c:\windows\3c25sp9rsez025.exe

c:\windows\3e48sza9se553.cpl

c:\windows\3fz1steal5298.bin

c:\windows\3z20dow95oader3088.dll

c:\windows\400zb5ckdoo93053.dll

c:\windows\4059zdd5are3909.exe

c:\windows\4070tzrea5131199.cpl

c:\windows\41fbdownlo9dez28365.exe

c:\windows\4259downlozder1153.ocx

c:\windows\44f4back5o9r797z.cpl

c:\windows\455459zmbot37b.cpl

c:\windows\45cz9h5eat31995.ocx

c:\windows\4695addw9ze2456.exe

c:\windows\46d5ad59are386z.bin

c:\windows\47z6spyware57469.exe

c:\windows\4945thief1z125.dll

c:\windows\495zaddware2551.ocx

c:\windows\49a4thief15z6.exe

c:\windows\49c6z592889.exe

c:\windows\4b2azownl95der2324.cpl

c:\windows\4c39s5arsz2305.cpl

c:\windows\4cz4spyware54279.ocx

c:\windows\4e9c5hizf691.ocx

c:\windows\4z29not-a-viru5439.cpl

c:\windows\4z31downl5ader2489.exe

c:\windows\4z59t5oj20.ocx

c:\windows\4z955orm1f7.exe

c:\windows\4z99sp5rse2781.dll

c:\windows\5069spzware115.dll

c:\windows\50753vzru9710.bin

c:\windows\511z9w9rm496.exe

c:\windows\5139backdoor9z98.ocx

c:\windows\515z9parse2405.exe

c:\windows\51ccz5eal9199.cpl

c:\windows\51ed9hzef550.cpl

c:\windows\51z2virus7c89.cpl

c:\windows\5250not-a-zir5s9e.cpl

c:\windows\5258ad9wa5e19z8.cpl

c:\windows\5266z9oj60d.dll

c:\windows\52a9t9reat6z67.ocx

c:\windows\52cbs9arsz2523.cpl

c:\windows\52z2steal13549.bin

c:\windows\5335steal249z.dll

c:\windows\5389thre593000z.dll

c:\windows\5389tzreat20598.dll

c:\windows\53adownl9zder3193.ocx

c:\windows\53s5zmbo9241.bin

c:\windows\540bdowzloa9er56.cpl

c:\windows\5449threat156z9.bin

c:\windows\5495zworm491.ocx

c:\windows\5531spzrs93067.exe

c:\windows\55485rzj49f.ocx

c:\windows\5559spywarz1517.dll

c:\windows\5583s9zal1337.exe

c:\windows\55ads9ywarez667.exe

c:\windows\56169ddware159z.ocx

c:\windows\56372wozm9ad.ocx

c:\windows\5650threat16596z.dll

c:\windows\569ztroj334.exe

c:\windows\56z39ackdoor3255.bin

c:\windows\5728zor95f35.ocx

c:\windows\572ztroj169.bin

c:\windows\573899irus375z.cpl

c:\windows\57509hacktool6zc.cpl

c:\windows\57531vir9s587z.ocx

c:\windows\57z49not-a9virus169.dll

c:\windows\58c9thief1945z.ocx

c:\windows\59458not9a-virus43z.bin

c:\windows\59519ir214z.cpl

c:\windows\5958addwzre488.exe

c:\windows\5979spywaze2347.exe

c:\windows\5983not-a9virus15dz.ocx

c:\windows\5995thzeat57635.bin

c:\windows\599zthief1573.bin

c:\windows\59bedoznloader11645.exe

c:\windows\59ddspa5se1719z.cpl

c:\windows\5a24bzck9oor7025.cpl

c:\windows\5a3zth9eat999.exe

c:\windows\5c18v5r929z.cpl

c:\windows\5c90zhief554.exe

c:\windows\5d06vi93z3.cpl

c:\windows\5df0a9dware3z13.dll

c:\windows\5e0bspzrse9735.bin

c:\windows\5f95threat15z52.cpl

c:\windows\5z044vir9s71d.bin

c:\windows\5z1bspy59re1228.bin

c:\windows\6003dow9loadzr2564.bin

c:\windows\6068stea9z58.ocx

c:\windows\608cthie5z1939.bin

c:\windows\6095vi5uz25d.cpl

c:\windows\614ddownlo95zr1706.cpl

c:\windows\623bz9arse1145.cpl

c:\windows\651395t-z-virus795.exe

c:\windows\6550hzckto9l6e5.exe

c:\windows\6582haz9tool5c6.cpl

c:\windows\65975ot-a-vizus7df.cpl

c:\windows\659zdownloader848.dll

c:\windows\6639spzwa5e2299.bin

c:\windows\675zaddware9655.dll

c:\windows\685dtzreat9876.cpl

c:\windows\689bzckd9o53122.ocx

c:\windows\6975sparse25z6.bin

c:\windows\6a4eb9czdoo560.dll

c:\windows\6az7st9al5705.dll

c:\windows\6b75zackd9or529.exe

c:\windows\6b769ownloader852z.ocx

c:\windows\6c95s9zal465.exe

c:\windows\6d16vi5z393.bin

c:\windows\6d54steal29z29.exe

c:\windows\6f27dowzloade51496.cpl

c:\windows\6z819ot-a-vi5us48b.cpl

c:\windows\708bazdw59e1310.bin

c:\windows\70f4t5zeat13309.exe

c:\windows\710hac9tzol65c.cpl

c:\windows\71c8threzt297599.ocx

c:\windows\74859pywarz67.dll

c:\windows\7557thzef9562.dll

c:\windows\75599zy5are919.ocx

c:\windows\756zsteal903.dll

c:\windows\7579thre5t1432z.exe

c:\windows\75a0spars52z839.bin

c:\windows\75aadzwa5e6549.bin

c:\windows\75z7spy9f7.bin

c:\windows\77d15hreat3964z.bin

c:\windows\781zbackdoo53954.cpl

c:\windows\79abspywaze905.exe

c:\windows\79fcs5azse1316.exe

c:\windows\7a67vz59713.bin

c:\windows\7a89thrzat29465.exe

c:\windows\7a9e9h5zf1417.ocx

c:\windows\7d66t59zf2615.exe

c:\windows\7d7zv9r2558.exe

c:\windows\7dd5zdd9are2507.bin

c:\windows\7e5fsteaz2957.bin

c:\windows\7za9vir1552.ocx

c:\windows\7zd8th5ef2902.exe

c:\windows\8175tzoj6659.dll

c:\windows\81ca95wzre411.exe

c:\windows\8728not-a-vi59s17z.cpl

c:\windows\8814not5a-vi9usz5.ocx

c:\windows\88205acztool95.bin

c:\windows\8891s5ambo95f2z.bin

c:\windows\91156zroj586.dll

c:\windows\917z6worm1c5.ocx

c:\windows\91852spzmb5t744.dll

c:\windows\91z13worm1645.cpl

c:\windows\9208worm265z.dll

c:\windows\9328sparsez359.dll

c:\windows\9422h9zkt5ol48b.dll

c:\windows\94625spambotzd8.ocx

c:\windows\94e0stzal5296.exe

c:\windows\955azdware2527.dll

c:\windows\956zste5l2445.dll

c:\windows\95e4addware1265z.ocx

c:\windows\95z3no9-a-virus510.cpl

c:\windows\9682sparze2539.ocx

c:\windows\968tzo59a.exe

c:\windows\9790spa5boz73c.bin

c:\windows\97920spy3z5.bin

c:\windows\97abackzoo9557.ocx

c:\windows\990a5parsz291.dll

c:\windows\992thr5at909z.cpl

c:\windows\9933szea52455.exe

c:\windows\9964z9oj753.ocx

c:\windows\99829h5ckzool9d.dll

c:\windows\99910troj2z45.ocx

c:\windows\9b5dvirz66.ocx

c:\windows\9b85tzief27465.bin

c:\windows\9cc0spyzare2685.ocx

c:\windows\9download9r2541z.exe

c:\windows\9eebthrezt28655.ocx

c:\windows\9fc5stzal1963.exe

c:\windows\9z275hreat21175.ocx

c:\windows\ba8spa5se23z99.ocx

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.2.inf

c:\windows\fbzt95ef2171.cpl

c:\windows\ff5baz9door2941.exe

c:\windows\system32\100125pambot9dcz.exe

c:\windows\system32\102539pa5botzd.dll

c:\windows\system32\11250not-a-vi9uz537.ocx

c:\windows\system32\11745zp5295.exe

c:\windows\system32\11956sp51zf9.dll

c:\windows\system32\1208zh5c9tool130.cpl

c:\windows\system32\12b7spzwa9e5059.bin

c:\windows\system32\12z29ackdoor5740.dll

c:\windows\system32\12z4thr5at92349.exe

c:\windows\system32\13095tzo524.ocx

c:\windows\system32\13659not-5-zi9us38c.exe

c:\windows\system32\13796ha95tooz123.ocx

c:\windows\system32\14357z95j540.exe

c:\windows\system32\14591spyz52.bin

c:\windows\system32\148255r9jd1z.exe

c:\windows\system32\1493no5-a-viruszcd.dll

c:\windows\system32\1535zworm296.ocx

c:\windows\system32\15364t5oj1z9.exe

c:\windows\system32\15381v9rus2z25.ocx

c:\windows\system32\15501vzru94ff.dll

c:\windows\system32\15535woz91c4.ocx

c:\windows\system32\15571viruz291.exe

c:\windows\system32\1559zwor9385.ocx

c:\windows\system32\1578ztroj395.bin

c:\windows\system32\15809hief455z.ocx

c:\windows\system32\15904vi5zs765.dll

c:\windows\system32\15916worm9zf.bin

c:\windows\system32\1596addzare1581.dll

c:\windows\system32\1597szam5ot304.cpl

c:\windows\system32\15z5hacktool697.bin

c:\windows\system32\16287z5rm359.cpl

c:\windows\system32\16539oz5b7.bin

c:\windows\system32\167309acktozl2955.cpl

c:\windows\system32\17152hackto9lz25.exe

c:\windows\system32\17352sp93z7.bin

c:\windows\system32\17451zroj9b5.bin

c:\windows\system32\17z99w5r97d6.bin

c:\windows\system32\18c8threat1559z.dll

c:\windows\system32\19398spamzo95c8.exe

c:\windows\system32\19421szy21f5.exe

c:\windows\system32\19449tr5zbb.cpl

c:\windows\system32\195009acktooz7c1.bin

c:\windows\system32\19521zroj2ee.exe

c:\windows\system32\19556spambzt2549.dll

c:\windows\system32\19589tzoj8b.dll

c:\windows\system32\196fviz5907.exe

c:\windows\system32\19840troj250z.dll

c:\windows\system32\19848spam5zt39a.bin

c:\windows\system32\19958sp51e0z.dll

c:\windows\system32\1998zddw5r93230.dll

c:\windows\system32\19996hackzo5l159.cpl

c:\windows\system32\199fszeal2735.bin

c:\windows\system32\19d3s95rsez897.cpl

c:\windows\system32\1a3dspy5are30z89.exe

c:\windows\system32\1aazsteal16589.cpl

c:\windows\system32\1ae4zackdo5r7119.cpl

c:\windows\system32\1b26tz9eat5151.dll

c:\windows\system32\1bc9szyware27445.ocx

c:\windows\system32\1f08backdzo920225.cpl

c:\windows\system32\1f925tezl1158.cpl

c:\windows\system32\1fz4stea916885.bin

c:\windows\system32\1z390t95j703.dll

c:\windows\system32\1z4375roj918.exe

c:\windows\system32\1z590sp9mbot6fe.ocx

c:\windows\system32\1z842spa9b5t1c7.dll

c:\windows\system32\1za2b5ckdoor9357.bin

c:\windows\system32\1zb3spa5se1197.bin

c:\windows\system32\201375rojz9f.exe

c:\windows\system32\205459acktzol94.cpl

c:\windows\system32\206fzddware2945.ocx

c:\windows\system32\2091vir59z34.exe

c:\windows\system32\209z7v9rus7ab5.bin

c:\windows\system32\2146z9roj5be.dll

c:\windows\system32\21586t9oj58az.ocx

c:\windows\system32\21590zirus356.bin

c:\windows\system32\21d8d5wnloaz9r1482.exe

c:\windows\system32\2232n5t-a-vzrus309.ocx

c:\windows\system32\227329pamb5z283.ocx

c:\windows\system32\2286vizus6589.ocx

c:\windows\system32\23095zpam5ot9c5.dll

c:\windows\system32\23185h9ckzoole95.bin

c:\windows\system32\23580tro945z.ocx

c:\windows\system32\2384v9z5794.bin

c:\windows\system32\239z5troj5ac.dll

c:\windows\system32\23a9ad5wzre142.dll

c:\windows\system32\23a9vir1z059.dll

c:\windows\system32\24235zi9us1da.dll

c:\windows\system32\24298trzj459.exe

c:\windows\system32\2437395y3e8z.bin

c:\windows\system32\2493559y5e2z.cpl

c:\windows\system32\24e5thizf1958.dll

c:\windows\system32\24f6addw5re32z9.ocx

c:\windows\system32\25005s9ambotz3b.bin

c:\windows\system32\25009wor9za15.ocx

c:\windows\system32\2519sparze1738.dll

c:\windows\system32\25513vzrus53c9.cpl

c:\windows\system32\25681tz9578f.exe

c:\windows\system32\2599addwarz2991.dll

c:\windows\system32\25e0zpywa9e258.dll

c:\windows\system32\25z69troj7ee.cpl

c:\windows\system32\26cth95z1553.dll

c:\windows\system32\27379vzru56d69.ocx

c:\windows\system32\27557wozm930.exe

c:\windows\system32\27564spambzt49e.bin

c:\windows\system32\2778z5py1d9.cpl

c:\windows\system32\278795ro92zb.ocx

c:\windows\system32\27978not-a-vi95szb.dll

c:\windows\system32\2797zvirus559.ocx

c:\windows\system32\28284trojz959.ocx

c:\windows\system32\28377not-a-v5rus519z.cpl

c:\windows\system32\28591t5ojz98.dll

c:\windows\system32\28593ziru517.ocx

c:\windows\system32\2865z9r1293.cpl

c:\windows\system32\28919zackto9l355.cpl

c:\windows\system32\28a0szea5934.dll

c:\windows\system32\290e5ackzoor3169.cpl

c:\windows\system32\29450noz-a-v5rus472.dll

c:\windows\system32\294729r5jz37.exe

c:\windows\system32\29852hac59ool4ez.exe

c:\windows\system32\29ebspazse28195.dll

c:\windows\system32\2bf3zddwar92560.bin

c:\windows\system32\2c69back9oorz584.ocx

c:\windows\system32\2d31th59az30811.bin

c:\windows\system32\2dc79ir512z.cpl

c:\windows\system32\2e2cspz5se90.ocx

c:\windows\system32\2f84addwaze22359.cpl

c:\windows\system32\2feb9hie56z.exe

c:\windows\system32\2zc35ownloader9993.exe

c:\windows\system32\30259spy4fz5.exe

c:\windows\system32\30d29py5are35z.exe

c:\windows\system32\30z71h5ckt9ol3b4.cpl

c:\windows\system32\31397vizuse35.ocx

c:\windows\system32\31454s9am5otzb2.exe

c:\windows\system32\31958worz247.exe

c:\windows\system32\32064spam9oz66b5.cpl

c:\windows\system32\3218t9oz425.ocx

c:\windows\system32\32459troz739.dll

c:\windows\system32\3253threaz55259.bin

c:\windows\system32\325429zrus528.exe

c:\windows\system32\3261viruz29a5.dll

c:\windows\system32\326939orz358.ocx

c:\windows\system32\326z4virus55f9.exe

c:\windows\system32\32c9dzwn5o9der1025.dll

c:\windows\system32\339aza5kdoor1959.cpl

c:\windows\system32\3411szyware29159.ocx

c:\windows\system32\3502hacktoo935z.cpl

c:\windows\system32\35179hacktoozd3.ocx

c:\windows\system32\351c9parze3220.cpl

c:\windows\system32\3526tz9ef8735.bin

c:\windows\system32\353z1virus5d9.ocx

c:\windows\system32\3559spamzot5e0.cpl

c:\windows\system32\35besparse19z9.ocx

c:\windows\system32\35dfs9yzare2191.exe

c:\windows\system32\35e2spz9are2287.ocx

c:\windows\system32\3609d5wzloader3084.dll

c:\windows\system32\3695zddware1092.cpl

c:\windows\system32\3705tr9j3zf.dll

c:\windows\system32\3790zacktoo516d.cpl

c:\windows\system32\391zspy5are2866.cpl

c:\windows\system32\39a4zownloa5er695.bin

c:\windows\system32\39bespywzre750.cpl

c:\windows\system32\39z9vir4335.exe

c:\windows\system32\3c1bzi95912.dll

c:\windows\system32\3cd5ba59dooz1454.bin

c:\windows\system32\3d42d5wnloader90z.exe

c:\windows\system32\3f5695wnlzader1433.dll

c:\windows\system32\3f59s5azse957.bin

c:\windows\system32\3z13t5reat15209.bin

c:\windows\system32\3z29downloa9er12475.exe

c:\windows\system32\3z657hack9ool3b9.bin

c:\windows\system32\3z9addware153.ocx

c:\windows\system32\402zaddwa5e9386.cpl

c:\windows\system32\407c5zckdo9r449.cpl

c:\windows\system32\4104stealz9795.ocx

c:\windows\system32\42f65ackzoo91289.cpl

c:\windows\system32\42zackto5l379.cpl

c:\windows\system32\4319z5arse485.cpl

c:\windows\system32\4531stezl18989.bin

c:\windows\system32\455zdownloade91792.bin

c:\windows\system32\458athizf4759.cpl

c:\windows\system32\46e5zow5loade9197.ocx

c:\windows\system32\472dzddwa5e2599.cpl

c:\windows\system32\4786zhreat162395.exe

c:\windows\system32\479bzp9rs53014.cpl

c:\windows\system32\47bsp9rse5516z.dll

c:\windows\system32\4925threat964z55.dll

c:\windows\system32\4951v5r2z.dll

c:\windows\system32\4959spyware548z.cpl

c:\windows\system32\4b51t9r5at1304z.cpl

c:\windows\system32\4c90backdzo52212.cpl

c:\windows\system32\4cbzownlo9der3157.bin

c:\windows\system32\4d79backdoor1z54.bin

c:\windows\system32\4d89ownloaderz545.bin

c:\windows\system32\4e1s9zrse5179.exe

c:\windows\system32\4f8evi5z59.bin

c:\windows\system32\4MKJDOu.dll

c:\windows\system32\4z15ad59are2498.bin

c:\windows\system32\50z59ddware1827.ocx

c:\windows\system32\510badd9zr53266.ocx

c:\windows\system32\5185thiez30589.dll

c:\windows\system32\524dspywar923z2.bin

c:\windows\system32\528459zm643.bin

c:\windows\system32\52a9spzrs517019.ocx

c:\windows\system32\52df9hreaz12551.cpl

c:\windows\system32\535faddware5194z.cpl

c:\windows\system32\5409ba5kzoor1703.dll

c:\windows\system32\545dszeal24399.dll

c:\windows\system32\5524tzi9f2674.bin

c:\windows\system32\5537st9az1551.cpl

c:\windows\system32\5559szyw9re600.bin

c:\windows\system32\55985tro959dz.dll

c:\windows\system32\55eddzwnloader5649.ocx

c:\windows\system32\5658zpyware18119.bin

c:\windows\system32\56697hack9zol3f7.dll

c:\windows\system32\5719thief293z.bin

c:\windows\system32\574zspy259.cpl

c:\windows\system32\577zspy49b.ocx

c:\windows\system32\578atzreat59595.exe

c:\windows\system32\58d1st5al9z24.dll

c:\windows\system32\590aadd9are1z53.exe

c:\windows\system32\59183virusz95.ocx

c:\windows\system32\59c5addware2026z.bin

c:\windows\system32\59f8zhre9t243465.dll

c:\windows\system32\5ab4backdoo9288z.bin

c:\windows\system32\5abathiez739.exe

c:\windows\system32\5b15vi9z246.bin

c:\windows\system32\5b35spywarz9610.dll

c:\windows\system32\5b98sp95ze3019.ocx

c:\windows\system32\5b9cvirz25.bin

c:\windows\system32\5bzas9eal5159.dll

c:\windows\system32\5bzathi9f1594.exe

c:\windows\system32\5c61zd9ware1056.exe

c:\windows\system32\5cdds9ealz1145.ocx

c:\windows\system32\5ce05a9kdooz727.dll

c:\windows\system32\5cz6vir5294.ocx

c:\windows\system32\5czv5r494.dll

c:\windows\system32\5d0zaddwar52193.cpl

c:\windows\system32\5e25szarse22829.ocx

c:\windows\system32\5fcst9z51119.bin

c:\windows\system32\5fd7zackdoor91875.dll

c:\windows\system32\5z390hacktool51c.ocx

c:\windows\system32\5z45tr59380.bin

c:\windows\system32\5z575tr9j1c7.bin

c:\windows\system32\5z76down5oad9r2153.cpl

c:\windows\system32\5z77thre5t8049.bin

c:\windows\system32\5z99spambot9f.exe

c:\windows\system32\5z9d5teal2090.exe

c:\windows\system32\5zb0downloade91898.exe

c:\windows\system32\5zc39i5960.ocx

c:\windows\system32\6059threat2z996.cpl

c:\windows\system32\619bspa5se97z.cpl

c:\windows\system32\61fbvir53z09.ocx

c:\windows\system32\61z9thief3504.ocx

c:\windows\system32\6239threat2327z5.bin

c:\windows\system32\62dfthreatz8059.cpl

c:\windows\system32\634fstza9195.exe

c:\windows\system32\6373sz9mbo5238.ocx

c:\windows\system32\6398t5o92daz.ocx

c:\windows\system32\63HwyGQ.dll

c:\windows\system32\64fcba9kdzor569.exe

c:\windows\system32\651wzrm295.exe

c:\windows\system32\653z9py95.bin

c:\windows\system32\6551vzr2669.cpl

c:\windows\system32\657edo9nloadzr1526.exe

c:\windows\system32\65f3s9eal3z5.exe

c:\windows\system32\66185ddware5z49.dll

c:\windows\system32\66cthie59z36.exe

c:\windows\system32\67159pz37b5.exe

c:\windows\system32\675zspa9se2578.cpl

c:\windows\system32\6981vir9s250z.ocx

c:\windows\system32\6988d5wnlozder290.ocx

c:\windows\system32\6a2fzpa5se490.bin

c:\windows\system32\6a6zspy9are13205.ocx

c:\windows\system32\6b35downlza9er727.dll

c:\windows\system32\6b82zteal9935.bin

c:\windows\system32\6c41addwa9e1z335.ocx

c:\windows\system32\6ce5dzwnloader915.dll

c:\windows\system32\6d9as5zware542.dll

c:\windows\system32\6e52spar9e9z35.bin

c:\windows\system32\6e5edownloadez9285.exe

c:\windows\system32\6ef59teal17z7.cpl

c:\windows\system32\6efspa95ez008.cpl

c:\windows\system32\6f95stealz98.bin

c:\windows\system32\6z05t9ief3256.bin

c:\windows\system32\6z90t9ief5.dll

c:\windows\system32\7077do9nzoader550.bin

c:\windows\system32\70ad95ywaze2302.exe

c:\windows\system32\70z15orm589.exe

c:\windows\system32\7184back5o9rz648.cpl

c:\windows\system32\751cv5r9592z.dll

c:\windows\system32\7539ownloader60z5.bin

c:\windows\system32\759zsparse548.ocx

c:\windows\system32\75b6downloaderz995.exe

c:\windows\system32\767ds5yware2699z.cpl

c:\windows\system32\76z95i91651.bin

c:\windows\system32\77905rzj193.bin

c:\windows\system32\78c5spywar9295z.bin

c:\windows\system32\7902zackdo5r2451.bin

c:\windows\system32\7959v9z2578.dll

c:\windows\system32\79d7spar5z140.ocx

c:\windows\system32\7az4spar95394.exe

c:\windows\system32\7baazddware27995.cpl

c:\windows\system32\7DXkdc9.dll

c:\windows\system32\7e22zpars5972.cpl

c:\windows\system32\7fc89hizf2925.cpl

c:\windows\system32\7zbdth9eat30056.ocx

c:\windows\system32\7ze9spywar913695.ocx

c:\windows\system32\8129h5cktooz59.exe

c:\windows\system32\8392sp5mbot55az.bin

c:\windows\system32\854zparse2593.bin

c:\windows\system32\8575vi9u5z9d.bin

c:\windows\system32\8752zirus3915.dll

c:\windows\system32\90886not-5-viruz2c5.ocx

c:\windows\system32\90fd5wnloazer3179.exe

c:\windows\system32\90zsparse1925.cpl

c:\windows\system32\9145ztroj6ea.exe

c:\windows\system32\92154troz292.dll

c:\windows\system32\923addware14z5.dll

c:\windows\system32\9253ztroj5a75.exe

c:\windows\system32\92bt5rzat17578.ocx

c:\windows\system32\9365zhacktool70d.ocx

c:\windows\system32\95579orm33z.dll

c:\windows\system32\9605add5zre3015.exe

c:\windows\system32\9629z5ot-a-virus666.bin

c:\windows\system32\966dthrea518586z.cpl

c:\windows\system32\96dzstea51583.dll

c:\windows\system32\9715hack9zo554d.dll

c:\windows\system32\9765zorm4ea.dll

c:\windows\system32\9816spamb5969dz.exe

c:\windows\system32\98244hzcktoo56b4.ocx

c:\windows\system32\98435spy6f0z.exe

c:\windows\system32\98955tzoj83.ocx

c:\windows\system32\99022sp55z1.bin

c:\windows\system32\991c5ackdoor323z.bin

c:\windows\system32\991v5r9z551.ocx

c:\windows\system32\99527not-a-vi5uz5ce.ocx

c:\windows\system32\99z8v5rus12.dll

c:\windows\system32\9a9tzief2535.bin

c:\windows\system32\9c7zv5r1678.ocx

c:\windows\system32\9c8zspyware2535.dll

c:\windows\system32\9cbthi5f9537z.bin

c:\windows\system32\9f6vir1325z.cpl

c:\windows\system32\9z0steal1750.cpl

c:\windows\system32\9z15spa5botf99.dll

c:\windows\system32\a4SJ4BSNd.dll

c:\windows\system32\b94st5a922z9.exe

c:\windows\system32\BIGi92CsvT.dll

c:\windows\system32\BMSB7S6obkcik.dll

c:\windows\system32\bR76GofDWMpZ.dll

c:\windows\system32\bsQmrkE.dll

c:\windows\system32\c229ddw5re90z.dll

c:\windows\system32\c39tzre9511616.exe

c:\windows\system32\c65vi5497z.dll

c:\windows\system32\C9yPcH1GMpvL.dll

c:\windows\system32\cjh3r3c9.dll

c:\windows\system32\czddownloa95r596.dll

c:\windows\system32\d8H9mjMStxW.dll

c:\windows\system32\DKq1RFA.dll

c:\windows\system32\dVbxt7UxZ3.dll

c:\windows\system32\f8z5ownload9r2154.bin

c:\windows\system32\gIO3mIXIW.dll

c:\windows\system32\gu4d5w4EZix.dll

c:\windows\system32\hdPSubr.dll

c:\windows\system32\iqD7LTDM.dll

c:\windows\system32\k8V15BkZQ.dll

c:\windows\system32\kD2JqXlC6rMa.dll

c:\windows\system32\kQcVxr9DbEku.dll

c:\windows\system32\L3q9ddVtAG.dll

c:\windows\system32\LpJLQbw9.dll

c:\windows\system32\MfLcYvP.dll

c:\windows\system32\N4uHDdfjnLB.dll

c:\windows\system32\NOiYucpLWIEv.dll

c:\windows\system32\oKxGBtuBK.dll

c:\windows\system32\PSI6lOF.dll

c:\windows\system32\qcZHRxPIaOm.dll

c:\windows\system32\qRVTmVmx.dll

c:\windows\system32\rIkG6Bwik.dll

c:\windows\system32\RZBV9pCh9pIaH.dll

c:\windows\system32\SjSKoN4aS.dll

c:\windows\system32\t4fTcyvIG.dll

c:\windows\system32\Thumbs.db

c:\windows\system32\U4T369HDDgH7.dll

c:\windows\system32\VdIhGpHHM3NSn.dll

c:\windows\system32\winio.vxd

c:\windows\system32\wLxylyotFdq2j.dll

c:\windows\system32\XHBpxLeg8H.dll

c:\windows\system32\XMiqJiDe.dll

c:\windows\system32\z0559hackt5ol510.cpl

c:\windows\system32\z05ddo9nloader3203.cpl

c:\windows\system32\z19dbackdo5r1810.cpl

c:\windows\system32\z1e45hi9f1129.exe

c:\windows\system32\z2077worm6539.ocx

c:\windows\system32\z2225irus953.dll

c:\windows\system32\z25fsp9w5re1672.exe

c:\windows\system32\z396v5r2223.dll

c:\windows\system32\z3bf9ir615.cpl

c:\windows\system32\z4be5p9rse1632.cpl

c:\windows\system32\z539vi9u57f3.dll

c:\windows\system32\z765pywa9e944.exe

c:\windows\system32\z7895hreat12593.dll

c:\windows\system32\z7985wo5m29c.cpl

c:\windows\system32\z7b6thre5t14059.ocx

c:\windows\system32\z8533hackt9o5551.exe

c:\windows\system32\z9049hac5to9l7b1.exe

c:\windows\system32\z9481wo95cb.cpl

c:\windows\system32\z961st5al272.exe

c:\windows\system32\z998spambot79c5.bin

c:\windows\system32\za42vi95380.bin

c:\windows\system32\za6fs9eal5101.cpl

c:\windows\system32\zb1adownloa5er945.cpl

c:\windows\system32\zb289hr5at9875.exe

c:\windows\system32\zba59ir1851.bin

c:\windows\system32\zbf8stea95008.ocx

c:\windows\system32\zd59threat51506.bin

c:\windows\system32\zd9sparse18955.dll

c:\windows\system32\zdb6ad9war5771.bin

c:\windows\system32\ze0bspywa95239.cpl

c:\windows\system32\zed1th5eat20956.bin

c:\windows\system32\zf98addwar51966.cpl

c:\windows\z0590troj631.dll

c:\windows\z125tro97f25.ocx

c:\windows\z17159py3fd.cpl

c:\windows\z1963no59a-virus646.cpl

c:\windows\z2472not-a-virus59f.exe

c:\windows\z292spy955.bin

c:\windows\z2fcth9ef2245.dll

c:\windows\z38ath9ea574.dll

c:\windows\z395addware543.exe

c:\windows\z593spy49.exe

c:\windows\z5c4bac9door2581.cpl

c:\windows\z5eddow9loader3210.exe

c:\windows\z6025hackt9o52c0.exe

c:\windows\z6159worm56e.bin

c:\windows\z65b9teal479.ocx

c:\windows\z65backdoor1592.bin

c:\windows\z66eth9ef1528.exe

c:\windows\z8889hi5f2263.dll

c:\windows\z8a5ir1938.bin

c:\windows\z920troj635.dll

c:\windows\z92369roj568.exe

c:\windows\z9567tro529.cpl

c:\windows\z9855not-a-viru521c.ocx

c:\windows\z9dfst5al2748.dll

c:\windows\zb48threa529023.ocx

c:\windows\zca1spyw9re550.exe

c:\windows\zf2ste5l3908.exe

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))

.

2011-02-21 19:16 . 2011-02-21 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\program files\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\program files\Common Files\Software Update Utility

2011-02-16 22:53 . 2011-02-22 19:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\LogMeIn Hamachi

2011-02-16 22:51 . 2011-02-22 19:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

2011-02-14 19:44 . 2011-02-14 20:16 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft

2011-02-12 16:26 . 2011-02-12 16:26 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2006-05-07 00:24 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2006-05-07 00:24 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-05-07 00:24 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2006-05-07 00:24 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-05-07 00:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-05-07 00:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:09 . 2008-09-07 05:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-09-07 05:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 17:26 . 2006-05-07 00:24 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-05-07 00:24 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-05-07 00:24 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-05-07 00:24 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38 . 2006-05-07 00:24 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-26 20:17 . 2010-11-26 20:17 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2008-02-24 23:18 . 2008-02-24 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll

2007-08-25 04:52 . 2008-02-24 23:51 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2007-09-16 06:35 . 2008-02-24 23:51 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-09-16 06:35 . 2008-02-24 23:51 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-09-16 06:35 . 2008-02-24 23:51 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-09-16 06:35 . 2008-02-24 23:51 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-09-16 06:35 . 2008-02-24 23:51 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59c6f12b-f004-43e5-9997-08f2123119b6}]

2010-12-26 03:34 81920 ----a-w- c:\program files\oovootoolbar\oovootoolbarX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

2011-01-23 06:24 3911776 ----a-w- c:\program files\Free_Ride_Games\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{f92a9fe4-2850-4198-b9d5-279880e49b16}"= "c:\program files\Free_Ride_Games\tbFre1.dll" [2011-01-23 3911776]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

"{59c6f12b-f004-43e5-9997-08f2123119b6}"= "c:\program files\oovootoolbar\oovootoolbarX.dll" [2010-12-26 81920]

[HKEY_CLASSES_ROOT\clsid\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CLASSES_ROOT\clsid\{59c6f12b-f004-43e5-9997-08f2123119b6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{F92A9FE4-2850-4198-B9D5-279880E49B16}"= "c:\program files\Free_Ride_Games\tbFre1.dll" [2011-01-23 3911776]

[HKEY_CLASSES_ROOT\clsid\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-10-31 19071672]

"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]

"userlib.exe"="c:\documents and settings\Owner\My Documents\My Music\More Samples\userlib.exe" [2011-02-22 129536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]

"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-17 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]

"VMonitorVMUVC"="c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-08-29 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Owner\Local Settings\Temp\{918E14CC-4773-429C-9D3E-4443D5F8FADA}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1211939892\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57383:TCP"= 57383:TCP:Pando Media Booster

"57383:UDP"= 57383:UDP:Pando Media Booster

"57511:TCP"= 57511:TCP:Pando Media Booster

"57511:UDP"= 57511:UDP:Pando Media Booster

"58371:TCP"= 58371:TCP:Pando Media Booster

"58371:UDP"= 58371:UDP:Pando Media Booster

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 3:12 AM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 3:12 AM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 3:12 AM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110223.001\IDSXpx86.sys [2/23/2011 7:41 PM 341944]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]

R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [12/23/2010 3:46 PM 315392]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 3:12 AM 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/14/2010 1:44 AM 102448]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [12/25/2010 8:57 AM 254720]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [12/25/2010 8:57 AM 398720]

S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]

S2 gupdate1caca1eecbf7862;Google Update Service (gupdate1caca1eecbf7862);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2010 7:22 PM 133104]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 11:44 PM 69692]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]

S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]

S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]

S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]

S3 XDva167;XDva167;c:\windows\system32\XDva167.sys [6/12/2008 5:18 PM 45696]

S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]

S3 XDva186;XDva186;c:\windows\system32\XDva186.sys [7/9/2008 4:50 PM 46080]

S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]

S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]

S3 XDva212;XDva212;c:\windows\system32\XDva212.sys [10/28/2008 3:05 PM 48384]

S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 00:22]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 00:22]

2011-02-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3811888157-1862227573-1778935636-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-02-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3811888157-1862227573-1778935636-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm

Trusted Zone: $talisma_url$

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v3m9jwv0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=12234

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://home.speedbit.com/?aff=205

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-B0F2-49F8CCAB3ED4} - (no file)

HKCU-Run-Speeder - c:\program files\Speed Gear\SpeedGear.exe

HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

HKLM-Run-BigFix - c:\program files\Bigfix\bigfix.exe

MSConfigStartUp-Antivirus - c:\program files\SAV\sav.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-24 11:21

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(420)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\RTHDCPL.EXE

.

**************************************************************************

.

Completion time: 2011-02-24 11:31:00 - machine was rebooted

ComboFix-quarantined-files.txt 2011-02-24 16:30

Pre-Run: 94,789,681,152 bytes free

Post-Run: 94,855,467,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9A25E4BA1BCCA54EB5C2990652500768


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=76175

Collect::[8]
c:\documents and settings\Owner\My Documents\My Music\More Samples\userlib.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userlib.exe"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here are the results. It also gave me a second report titled CF-Submit.htm, which it could not send to the internet because the internet wasn't available at that moment. I attached that file to this post.

ComboFix 11-02-23.08 - Owner 02/24/2011 11:54:17.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1919.1356 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Norton 360 *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

FW: Norton 360 *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

file zipped: c:\documents and settings\Owner\My Documents\My Music\More Samples\userlib.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\My Documents\My Music\More Samples\userlib.exe

.

((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))

.

2011-02-24 16:30 . 2011-02-24 16:30 -------- d-----w- c:\windows\LastGood

2011-02-21 19:16 . 2011-02-21 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\program files\AIM

2011-02-21 19:16 . 2011-02-21 19:16 -------- d-----w- c:\program files\Common Files\Software Update Utility

2011-02-16 22:53 . 2011-02-22 19:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\LogMeIn Hamachi

2011-02-16 22:51 . 2011-02-22 19:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\LogMeIn Hamachi

2011-02-14 19:44 . 2011-02-14 20:16 -------- d-----w- c:\documents and settings\Owner\Application Data\.minecraft

2011-02-12 16:26 . 2011-02-12 16:26 -------- d-----w- c:\program files\Common Files\Skype

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-01-21 14:44 . 2006-05-07 00:24 439296 ----a-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2006-05-07 00:24 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-12-31 13:10 . 2006-05-07 00:24 1854976 ----a-w- c:\windows\system32\win32k.sys

2010-12-22 12:34 . 2006-05-07 00:24 301568 ----a-w- c:\windows\system32\kerberos.dll

2010-12-20 23:59 . 2006-05-07 00:24 916480 ----a-w- c:\windows\system32\wininet.dll

2010-12-20 23:59 . 2006-05-07 00:24 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-12-20 23:59 . 2006-05-07 00:24 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-12-20 23:09 . 2008-09-07 05:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-20 23:08 . 2008-09-07 05:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-20 17:26 . 2006-05-07 00:24 730112 ----a-w- c:\windows\system32\lsasrv.dll

2010-12-20 12:55 . 2006-05-07 00:24 385024 ----a-w- c:\windows\system32\html.iec

2010-12-09 15:15 . 2006-05-07 00:24 718336 ----a-w- c:\windows\system32\ntdll.dll

2010-12-09 14:30 . 2006-05-07 00:24 33280 ----a-w- c:\windows\system32\csrsrv.dll

2010-12-09 13:38 . 2006-05-07 00:24 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-12-09 13:07 . 2004-08-04 05:59 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-11-26 20:17 . 2010-11-26 20:17 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

2008-02-24 23:18 . 2008-02-24 23:19 774144 ----a-w- c:\program files\RngInterstitial.dll

2007-08-25 04:52 . 2008-02-24 23:51 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

2007-09-16 06:35 . 2008-02-24 23:51 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2007-09-16 06:35 . 2008-02-24 23:51 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2007-09-16 06:35 . 2008-02-24 23:51 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2007-09-16 06:35 . 2008-02-24 23:51 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2007-09-16 06:35 . 2008-02-24 23:51 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59c6f12b-f004-43e5-9997-08f2123119b6}]

2010-12-26 03:34 81920 ----a-w- c:\program files\oovootoolbar\oovootoolbarX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

2011-01-23 06:24 3911776 ----a-w- c:\program files\Free_Ride_Games\tbFre1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{f92a9fe4-2850-4198-b9d5-279880e49b16}"= "c:\program files\Free_Ride_Games\tbFre1.dll" [2011-01-23 3911776]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-10-18 3908192]

"{59c6f12b-f004-43e5-9997-08f2123119b6}"= "c:\program files\oovootoolbar\oovootoolbarX.dll" [2010-12-26 81920]

[HKEY_CLASSES_ROOT\clsid\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CLASSES_ROOT\clsid\{59c6f12b-f004-43e5-9997-08f2123119b6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{F92A9FE4-2850-4198-B9D5-279880E49B16}"= "c:\program files\Free_Ride_Games\tbFre1.dll" [2011-01-23 3911776]

[HKEY_CLASSES_ROOT\clsid\{f92a9fe4-2850-4198-b9d5-279880e49b16}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Power2GoExpress"="NA" [X]

"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-10-31 19071672]

"Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"nwiz"="nwiz.exe" [2006-10-31 1622016]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]

"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]

"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-11-29 58928]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-07-23 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-10-17 202256]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]

"VMonitorVMUVC"="c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-08-29 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Owner\Local Settings\Temp\{918E14CC-4773-429C-9D3E-4443D5F8FADA}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1211939892\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"57383:TCP"= 57383:TCP:Pando Media Booster

"57383:UDP"= 57383:UDP:Pando Media Booster

"57511:TCP"= 57511:TCP:Pando Media Booster

"57511:UDP"= 57511:UDP:Pando Media Booster

"58371:TCP"= 58371:TCP:Pando Media Booster

"58371:UDP"= 58371:UDP:Pando Media Booster

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [2/2/2010 3:12 AM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [2/2/2010 3:12 AM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [2/2/2010 3:12 AM 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20110223.001\IDSXpx86.sys [2/23/2011 7:41 PM 341944]

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]

R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [12/23/2010 3:46 PM 315392]

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2/2/2010 3:12 AM 117640]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/14/2010 1:44 AM 102448]

R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [12/25/2010 8:57 AM 254720]

R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [12/25/2010 8:57 AM 398720]

S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]

S2 gupdate1caca1eecbf7862;Google Update Service (gupdate1caca1eecbf7862);c:\program files\Google\Update\GoogleUpdate.exe [3/22/2010 7:22 PM 133104]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/30/2006 11:44 PM 69692]

S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]

S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys --> c:\windows\system32\XDva158.sys [?]

S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]

S3 XDva165;XDva165;\??\c:\windows\system32\XDva165.sys --> c:\windows\system32\XDva165.sys [?]

S3 XDva167;XDva167;c:\windows\system32\XDva167.sys [6/12/2008 5:18 PM 45696]

S3 XDva177;XDva177;\??\c:\windows\system32\XDva177.sys --> c:\windows\system32\XDva177.sys [?]

S3 XDva186;XDva186;c:\windows\system32\XDva186.sys [7/9/2008 4:50 PM 46080]

S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]

S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]

S3 XDva201;XDva201;\??\c:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]

S3 XDva212;XDva212;c:\windows\system32\XDva212.sys [10/28/2008 3:05 PM 48384]

S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]

S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 00:22]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 00:22]

2011-02-24 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3811888157-1862227573-1778935636-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2011-02-24 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3811888157-1862227573-1778935636-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm

IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm

Trusted Zone: $talisma_url$

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-15079.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\v3m9jwv0.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=12234

FF - prefs.js: browser.search.selectedEngine - AOL Search

FF - prefs.js: browser.startup.homepage - hxxp://home.speedbit.com/?aff=205

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(general.useragent.extra.brc,

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-02-24 12:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2011-02-24 12:06:43

ComboFix-quarantined-files.txt 2011-02-24 17:06

ComboFix2.txt 2011-02-24 16:31

Pre-Run: 94,867,206,144 bytes free

Post-Run: 94,846,513,152 bytes free

- - End Of File - - F98F66F15BA8F61F96715938F74C4527

CF-Submit.htm


  1. Please visit this website: Submit Malware Sample
  2. Against the inscription: "Link to topic where this file was requested:", insert links pointing to this topic.
  3. Against the inscription: "Browse to the file you want to submit:", click on the Choose... button.
  4. Navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
  5. Against the inscription: "Leave any comments, further information about this file, or contact information:" should be written as follows:
    Sent at the request of Borislav.
  6. Once you're ready, click the Send File button.


Nice job! :)

Last steps:

Step 1

Go to Start => Run... and copy & paste the following command into the field:

ComboFix /uninstall

Then hit the Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

Note: Make sure there's a space between ComboFix and /uninstall

Step 2

Please uninstall HiJackThis.

Step 3

Please manually delete DDS.

Step 4

Keep your software up-to-date:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

Some malware preventions:

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


This topic is now closed to further replies.