I have three machines networked; two are identical, and the third is an old HP I use as a DMZ box, basically. Several months ago my older machine was infected with something. I disconnected the network cable to let it rot (I don't use it at all anymore) and fought with my other two computers for two days before finally reimaging both machines from images created with Macrium Reflect. Recently my wife noticed the unplugged cable and replaced it, and the headache begins anew. I should have made more recent images, but haven't, and I have data I'd rather not lose by reimaging at this point in time. I'm experiencing slow boot times, problems with slow internet, and problems with streaming TV: sites like CW that used to play fine take 10 minutes to buffer a few seconds' worth of stream, then pause for several minutes for another two seconds, etc. Also, the live contact list on the left side of Gmail won't load anymore. Several web sites seem OK, but the severe impact on web speed is driving me nuts. I couldn't even follow the instructions on the "I'm infected, so what do I do now?" post, as the downloads of Defogger and DDS just stopped; I was forced to put them on disc from my other computer to copy them to my main machine, even though that computer is showing symptoms of infection as well. Additionally, AVG, Lavasoft, and Windows Defender found no infections...

So then, on to the logs:

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6554

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

5/11/2011 8:07:53 AM

mbam-log-2011-05-11 (08-07-53).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 276854

Time elapsed: 21 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DEFOGGER:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:33 on 11/05/2011 (rglassmyer)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

SPTD -> Disabled (Service running -> reboot required)

-=E.O.F=-

DDS:

.

DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by rglassmyer at 11:44:58.91 on Wed 05/11/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2578 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG10\avgchsva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files (x86)\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe

C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenUpdate.exe

C:\Program Files\Macrium\Reflect\ReflectService.exe

C:\Program Files (x86)\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\NielsenOnline64.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10p_ActiveX.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\PROGRA~2\AVG\AVG10\avgrsa.exe

C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\rglassmyer\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.metacrawler.com/
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - C:\Program Files (x86)\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - C:\Program Files (x86)\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
uRun: [Google Update] "C:\Users\rglassmyer\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [NielsenOnline] C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [NAV CfgWiz] C:\PROGRA~2\NORTON~1\NORTON~1\Cfgwiz.exe /R
mRun: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
mRun: [ccRegVfy] C:\Program Files (x86)\Common Files\Symantec Shared\ccRegVfy.exe
mRun: [bootWarn] C:\Program Files (x86)\Norton SystemWorks\Norton AntiVirus\BootWarn.exe /a
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: gmail.com\www
Trusted Zone: google.com
Trusted Zone: google.com\www
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files%20(x86)/Marooned%202%20-%20Secrets%20of%20the%20Akoni/Images/stg_drm.ocx
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files%20(x86)/Marooned%202%20-%20Secrets%20of%20the%20Akoni/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
BHO-X64: Windows Live Family Safety Browser Helper - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\RGLASS~1\AppData\Roaming\Mozilla\Firefox\Profiles\n92ex47y.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.metacrawler.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\rglassmyer\AppData\Local\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Users\rglassmyer\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\rglassmyer\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\rglassmyer\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\System32\drivers\AVGIDSEH.sys [2011-2-22 26704]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2011-3-16 37456]
R0 Lbd;Lbd;C:\Windows\System32\drivers\Lbd.sys [2010-12-27 69152]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2011-1-7 304720]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-3-1 41552]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2011-4-5 377936]
R1 nnfwdk;Nielsen WFP Driver;C:\Program Files (x86)\NetRatingsNetSight\NetSight\meter2\nnfwdk64.sys [2011-3-2 25648]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-3-9 203776]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-3-9 365568]
R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-12-3 2146496]
R2 navapsvc;Norton AntiVirus Auto Protect Service;C:\Program Files (x86)\Norton SystemWorks\Norton AntiVirus\NAVAPSVC.EXE [2011-5-11 116336]
R2 NielsenUpdate;Nielsen Update;C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenUpdate.exe [2011-1-26 303936]
R2 ReflectService;Macrium Reflect Image Mounting Service;C:\Program Files\Macrium\Reflect\ReflectService.exe [2010-6-21 301024]
R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-4-12 46136]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atikmdag.sys [2011-3-9 9258496]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2011-3-9 300544]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2010-11-17 115216]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\AVGIDSDriver.sys [2011-4-14 118864]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\AVGIDSFilter.sys [2011-2-10 29264]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2010-12-3 17152]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2010-6-16 1235968]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2010-10-22 517448]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2009-11-25 61280]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2009-8-6 704864]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-30 1255736]
S4 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2009-12-23 370688]

.

=============== Created Last 30 ================

.


==================== Find3M ====================

.


.

============= FINISH: 11:45:24.03 ===============

Thanks in advance for the help!!!


Hello, and welcome!

Before starting, a few questions. Does this problem only affect one computer (the one you ran the logs on) or all three networked computers?

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


I believe the infection came from the HP machine that was off the network for quite a while. Like I said, my other two machines are identical boxes, mine and my son's. Perhaps I should have mentioned that the HP (the previously DMZed machine) only has a power cord and network cable attached to it; I use VNC to browse into it from my machine to share downloaded files and run antivirus on them before I copy them to my computer on the network. Since my wife reconnected the computer, both other machines are affected just as they were before, but mine more severely, perhaps because of using VNC to browse into it. I can't download files directly to my computer since the HP was reconnected; I've been downloading on my son's machine and burning files to disk. Since running ComboFix after uninstalling AVG and Lavasoft Ad-Aware, I can't get an internet connection through Firefox or Internet Explorer, so I burned the log to disk to post from the other machine. I intended to clean off the HP DMZ machine long ago by connecting it directly through my cable modem; I just never got around to it...

Here's the requested log for my main machine. I'm hoping to apply the fix to both my computer and my son's individually once a fix exists. If I haven't mentioned it already, I really appreciate the help.

COMBOFIX

ComboFix 11-05-11.01 - rglassmyer 05/11/2011 16:57:17.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2925 [GMT -4:00]

Running from: c:\users\rglassmyer\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\rglassmyer\AppData\Local\common_functions.dll

c:\users\rglassmyer\AppData\Local\ie_runner_app.exe

c:\users\rglassmyer\AppData\Roaming\.#

.

.

((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))

.

.


2011-04-13 03:43 . 2011-02-23 05:15 126464 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys

2011-04-13 03:43 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys

2011-04-12 17:06 . 2011-04-12 17:06 -------- d-----w- c:\users\rglassmyer\AppData\Local\AMD

2011-04-12 17:06 . 2011-04-12 17:06 -------- d-----w- c:\programdata\ATI

2011-04-12 17:06 . 2011-04-12 17:06 -------- d-----w- c:\program files (x86)\AMD APP

2011-04-12 17:06 . 2011-04-12 17:06 -------- d-----w- c:\programdata\AMD

2011-04-12 17:06 . 2010-02-18 13:18 46136 ----a-w- c:\windows\system32\drivers\amdiox64.sys

2011-04-12 17:06 . 2011-04-12 17:06 -------- d-----w- c:\program files (x86)\ATI Technologies

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-21 23:56 . 2011-03-21 23:56 61952 ----a-w- c:\windows\system32\OVDecode64.dll

2011-03-21 23:56 . 2011-03-21 23:56 59904 ----a-w- c:\windows\SysWow64\OVDecode.dll

2011-03-21 23:56 . 2011-03-21 23:56 53760 ----a-w- c:\windows\system32\OpenCL.dll

2011-03-21 23:56 . 2011-03-21 23:56 51712 ----a-w- c:\windows\SysWow64\OpenCL.dll

2011-03-21 23:55 . 2011-03-21 23:55 16115712 ----a-w- c:\windows\system32\amdocl64.dll

2011-03-21 23:55 . 2011-03-21 23:55 12385792 ----a-w- c:\windows\SysWow64\amdocl.dll

2011-03-09 09:22 . 2011-03-09 09:22 9258496 ----a-w- c:\windows\system32\drivers\atikmdag.sys

2011-03-09 05:41 . 2011-03-09 05:41 22518272 ----a-w- c:\windows\system32\atio6axx.dll

2011-03-09 05:19 . 2011-03-09 05:19 17397248 ----a-w- c:\windows\SysWow64\atioglxx.dll

2011-03-09 04:57 . 2011-03-09 04:57 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2011-03-09 04:56 . 2011-03-09 04:56 679424 ----a-w- c:\windows\SysWow64\aticfx32.dll

2011-03-09 04:55 . 2011-03-09 04:55 795136 ----a-w- c:\windows\system32\aticfx64.dll

2011-03-09 04:53 . 2011-03-09 04:53 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll

2011-03-09 04:53 . 2011-03-09 04:53 480256 ----a-w- c:\windows\system32\atieclxx.exe

2011-03-09 04:53 . 2011-03-09 04:53 203776 ----a-w- c:\windows\system32\atiesrxx.exe

2011-03-09 04:52 . 2011-03-09 04:52 120320 ----a-w- c:\windows\system32\atitmm64.dll

2011-03-09 04:51 . 2011-03-09 04:51 423424 ----a-w- c:\windows\system32\atipdl64.dll

2011-03-09 04:51 . 2011-03-09 04:51 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll

2011-03-09 04:51 . 2011-03-09 04:51 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll

2011-03-09 04:51 . 2011-03-09 04:51 16384 ----a-w- c:\windows\system32\atimuixx.dll

2011-03-09 04:51 . 2011-03-09 04:51 59392 ----a-w- c:\windows\system32\atiedu64.dll

2011-03-09 04:51 . 2011-03-09 04:51 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll

2011-03-09 04:48 . 2011-03-09 04:48 4277760 ----a-w- c:\windows\SysWow64\atidxx32.dll

2011-03-09 04:40 . 2011-03-09 04:40 5044224 ----a-w- c:\windows\system32\atidxx64.dll

2011-03-09 04:34 . 2011-03-09 04:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll

2011-03-09 04:34 . 2011-03-09 04:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll

2011-03-09 04:34 . 2011-03-09 04:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll

2011-03-09 04:34 . 2011-03-09 04:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll

2011-03-09 04:34 . 2011-03-09 04:34 7025152 ----a-w- c:\windows\system32\aticaldd64.dll

2011-03-09 04:32 . 2011-03-09 04:32 5618688 ----a-w- c:\windows\SysWow64\aticaldd.dll

2011-03-09 04:30 . 2011-03-09 04:30 4294656 ----a-w- c:\windows\SysWow64\atiumdag.dll

2011-03-09 04:24 . 2011-03-09 04:24 5438976 ----a-w- c:\windows\system32\atiumd64.dll

2011-03-09 04:18 . 2011-03-09 04:18 360448 ----a-w- c:\windows\system32\atiadlxx.dll

2011-03-09 04:18 . 2011-03-09 04:18 258048 ----a-w- c:\windows\SysWow64\atiadlxy.dll

2011-03-09 04:18 . 2011-03-09 04:18 14848 ----a-w- c:\windows\system32\atig6pxx.dll

2011-03-09 04:17 . 2011-03-09 04:17 12800 ----a-w- c:\windows\SysWow64\atiglpxx.dll

2011-03-09 04:17 . 2011-03-09 04:17 12800 ----a-w- c:\windows\system32\atiglpxx.dll

2011-03-09 04:17 . 2011-03-09 04:17 39936 ----a-w- c:\windows\system32\atig6txx.dll

2011-03-09 04:17 . 2011-03-09 04:17 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll

2011-03-09 04:17 . 2011-03-09 04:17 300544 ----a-w- c:\windows\system32\drivers\atikmpag.sys

2011-03-09 04:17 . 2010-04-07 01:22 39936 ----a-w- c:\windows\system32\atiuxp64.dll

2011-03-09 04:17 . 2011-03-09 04:17 31232 ----a-w- c:\windows\SysWow64\atiuxpag.dll

2011-03-09 04:16 . 2011-03-09 04:16 38400 ----a-w- c:\windows\system32\atiu9p64.dll

2011-03-09 04:16 . 2011-03-09 04:16 28672 ----a-w- c:\windows\SysWow64\atiu9pag.dll

2011-03-09 04:16 . 2011-03-09 04:16 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

2011-03-09 04:11 . 2010-04-07 01:46 58880 ----a-w- c:\windows\system32\coinst.dll

2011-03-09 03:42 . 2011-03-09 03:42 1208320 ----a-w- c:\windows\system32\atiumd6v.dll

2011-03-09 03:42 . 2011-03-09 03:42 1912832 ----a-w- c:\windows\SysWow64\atiumdmv.dll

2011-03-09 03:41 . 2011-03-09 03:41 3239936 ----a-w- c:\windows\system32\atiumd6a.dll

2011-03-09 03:34 . 2011-03-09 03:34 3471872 ----a-w- c:\windows\SysWow64\atiumdva.dll

2011-03-09 03:18 . 2011-03-09 03:18 53760 ----a-w- c:\windows\system32\atimpc64.dll

2011-03-09 03:18 . 2011-03-09 03:18 53760 ----a-w- c:\windows\system32\amdpcom64.dll

2011-03-09 03:18 . 2011-03-09 03:18 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll

2011-03-09 03:18 . 2011-03-09 03:18 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll

2011-02-21 19:55 . 2011-02-21 19:55 940544 ----a-w- c:\users\rglassmyer\AppData\Local\log4cxx.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-08-28 2252800]

"NielsenOnline"="c:\program files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2009-10-30 47456]

"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-03-09 336384]

"NAV CfgWiz"="c:\progra~2\NORTON~1\NORTON~1\Cfgwiz.exe" [2002-11-15 476792]

"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]

"ccRegVfy"="c:\program files (x86)\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]

"BootWarn"="c:\program files (x86)\Norton SystemWorks\Norton AntiVirus\BootWarn.exe" [2002-11-15 104056]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R3 AODDriver4.0;AODDriver4.0;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]

S1 nnfwdk;Nielsen WFP Driver;c:\program files (x86)\NetRatingsNetSight\NetSight\meter2\nnfwdk64.sys [2010-10-04 25648]

S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]

S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-03-09 365568]

S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]

S2 NielsenUpdate;Nielsen Update;c:\program files (x86)\NetRatingsNetSight\NetSight\NielsenUpdate.exe [2010-09-28 303936]

S2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2010-06-21 301024]

S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]

S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]

S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]

S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3299581202-3743003449-849791176-1001Core.job

- c:\users\rglassmyer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 15:59]

.

2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3299581202-3743003449-849791176-1001UA.job

- c:\users\rglassmyer\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 15:59]

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.metacrawler.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

Trusted Zone: gmail.com\www

Trusted Zone: google.com

Trusted Zone: google.com\www

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab

FF - ProfilePath - c:\users\rglassmyer\AppData\Roaming\Mozilla\Firefox\Profiles\n92ex47y.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.metacrawler.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - c:\program files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]

"Licence0"="04F0D21-79D8-7A25-D702-433F"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\NetRatingsNetSight]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components]

@Denied: (Full) (Everyone)

@Denied: (Full) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

@="Microsoft Windows Media Player"

"Version"="12,0,7600,16667"

"IsInstalled"=dword:00000000

"ComponentID"="WMPACCESS"

"LocalizedName"=expand:"@%SystemRoot%\\system32\\wmploc.dll,-128"

"StubPath"=expand:"%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"

"DontAsk"=dword:00000002

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

@="Internet Explorer"

"Version"="8,0,7600,17136"

"IsInstalled"=dword:00000001

"ComponentID"="IEACCESS"

"LocalizedName"="@c:\\Windows\\SysWOW64\\ie4uinit.exe,-21"

"StubPath"="c:\\Windows\\SysWOW64\\ie4uinit.exe -UserIconConfig"

"Dontask"=dword:00000002

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

@="Browser Customizations"

"IsInstalled"=dword:00000001

"Version"="8,0,7100,0"

"ComponentiD"="BRANDING.CAB"

"LocalizedName"="@c:\\Windows\\SysWOW64\\iedkcs32.dll,-3052"

"StubPath"="\"c:\\Windows\\SysWOW64\\rundll32.exe\" \"c:\\Windows\\SysWOW64\\iedkcs32.dll\",BrandIEActiveSetup SIGNUP"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

@="Microsoft Windows Media Player 12.0"

"IsInstalled"=dword:00000001

"Version"="12,0,7600,16667"

"DontAsk"=dword:00000002

"Locale"="EN"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

@="Themes Setup"

"LocalizedName"=expand:"@%SystemRoot%\\system32\\themeui.dll,-2682"

"ComponentID"="Theme Component"

"IsInstalled"=dword:00000001

"Locale"="EN"

"StubPath"=expand:"%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"

"Version"="1,1,1,9"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}]

@="Offline Browsing Pack"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,16385"

"ComponentID"="MobilePk"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{411EDCF7-755D-414E-A74B-3DCD6583F589}]

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="1,1,4322"

"ComponentID"="S867460"

@="Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"IsInstalled"=dword:00000001

"Dontask"=dword:00000002

"Locale"="*"

"ComponentID"="MailNews"

"CloneUser"=dword:00000001

"StubPath"=expand:"\"%ProgramFiles(x86)%\\Windows Mail\\WinMail.exe\" OCInstallUserConfigOE"

"Version"="6,1,7600,16385"

@="Microsoft Windows"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}]

@="DirectDrawEx"

"ComponentID"="DirectDrawEx"

"IsInstalled"=dword:00000001

"Locale"="*"

"Version"="4,71,1113,0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}]

@="Internet Explorer Help"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,16385"

"ComponentID"="HelpCont"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}]

@="Microsoft Windows Script 5.6"

"ComponentID"="MSVBScript"

"IsInstalled"=dword:00000001

"Locale"="EN"

"Version"="5,6,0,8833"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}]

@="Internet Explorer Setup Tools"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,16385"

"ComponentID"="GenSetup"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}]

"KeyFileName"=expand:"%SystemRoot%\\system32\\msieftp.dll"

@="Browsing Enhancements"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,16385"

"ComponentID"="ExtraPack"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

@="Microsoft Windows Media Player"

"IsInstalled"=dword:00000001

"Version"="12,0,7600,16667"

"ComponentID"="Microsoft Windows Media Player"

"LocalizedName"=expand:"@%SystemRoot%\\system32\\wmploc.dll,-128"

"StubPath"=expand:"%SystemRoot%\\system32\\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI"

"DontAsk"=dword:00000002

"Locale"="EN"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}]

@="MSN Site Access"

"IsInstalled"=dword:00000001

"Version"="4,9,9,2"

"ComponentID"="MSN_Auth"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

@="Address Book 7"

"Version"="6,1,7600,16684"

"IsInstalled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}]

@=".NET Framework"

"Locale"=""

"ComponentID"=".NETFramework"

"Version"="2,0,50727,0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]

@="Windows Desktop Update"

"LocalizedName"=expand:"@%SystemRoot%\\system32\\shell32.dll,-32969"

"ComponentID"="IE4_SHELLID"

"IsInstalled"=dword:00000001

"Locale"="en"

"StubPath"=expand:"regsvr32.exe /s /n /i:U shell32.dll"

"Version"="6,1,7600,16644"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]

@="Web Platform Customizations"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,17136"

"ComponentID"="BASEIE40_W2K"

"LocalizedName"="@c:\\Windows\\SysWOW64\\ie4uinit.exe,-2000"

"StubPath"="c:\\Windows\\SysWOW64\\ie4uinit.exe -BaseSettings"

"Locale"="en"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]

"IsInstalled"=dword:00000001

"ComponentID"="DOTNETFRAMEWORKS"

"StubPath"="c:\\Windows\\SysWOW64\\Rundll32.exe c:\\Windows\\SysWOW64\\mscories.dll,Install"

"DontAsk"=dword:00000002

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}]

@="Dynamic HTML Data Binding"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,16385"

"ComponentID"="Tridata"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}]

@="Internet Explorer Core Fonts"

"IsInstalled"=dword:00000001

"Version"="8,0,7600,17136"

"ComponentID"="Fontcore"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}]

"Locale"=""

"Version"="1,0,4322,1"

"ComponentID"=".NETFramework"

@=".NET Framework"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}]

@="HTML Help"

"IsInstalled"=dword:00000001

"Version"="6,1,7600,16385"

"ComponentID"="HTMLHelp"

"Locale"="*"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}]

@="Active Directory Service Interface"

"ComponentID"="ADSI"

"IsInstalled"=dword:00000001

"Locale"="EN"

"Version"="5,0,00,0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2011-05-11 17:01:33

ComboFix-quarantined-files.txt 2011-05-11 21:01

.

Pre-Run: 407,181,111,296 bytes free

Post-Run: 410,323,873,792 bytes free

.

- - End Of File - - 4BC6E1D599A4955CE34A9C9A07FB21C9


First of all, it would be best to isolate all three computers. You can start separate topics for the other two, and send me the link if you wish. We work only on one computer per topic, to avoid confusion.

Please also reset your router (you can typically do this by pressing the reset button for approx. 10 seconds with the router powered off).

If the internet still doesn't work on this computer afterwards, try to reboot in Safe mode with Networking and see if the internet works there.


The connection appeared to work after the machine was off all night. I had reset the router twice shortly after the problems began, however I reset it again this morning, and the cable modem, and the internet speed seems to have returned. Issues on problem websites are resolved now. Please advise if you wish anything else posted.


Hi again, I'm glad to hear that. :)

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Please launch MBAM, update it and run a full scan. Post me the resulting log.


The browsers work again; I can view web pages fine, and quickly again. If I click on a download link, however, the download window opens and seems to process just fine, but the file is not where I saved it to. I've tried many times to download defogger.exe, dds, combofix, etc. to my desktop, to my downloads folder, C:, etc. It appears to work, but the files never turn up where I direct them to be saved. I've been copying to disk from my other computer so far, but thought I'd make sure since we're trying to limit this to one machine. My other computer seems to be fine since the router and modem reboot.


Seemingly so for both. In Firefox I can save the file to the download "shell", but Open is greyed out when I right-click it, and double-clicking to start the install doesn't work, so it seems as though downloaded files are inaccessible in that browser as well, even files from before the infection...


Please run the following script and see if you can download successfully afterwards.

I also see you have different antivirus programs installed: I see components of Norton AntiVirus, Ad-Aware antivirus and AVG. Please keep one of these and uninstall the other two.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:


RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components]

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


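As an added example (not code from the thread, from ComboFix, or from Malwarebytes), the Python below parses the two log sections the helper acted on: the service/driver entries of the "Reg Loading Points" section and the "LOCKED REGISTRY KEYS" section, from which it renders the same RegLock:: stanza used in the CF-script above. The SAMPLE_LOG excerpt and the LEAVE_ALONE set are constructed from what the posted log shows; the regexes are my own reading of the ComboFix line formats, not a documented grammar.

```python
import re

# Constructed excerpt in the shape of the ComboFix log posted above; it is not the
# full log, just enough of each section for the parser to work on.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S1 nnfwdk;Nielsen WFP Driver;c:\program files (x86)\NetRatingsNetSight\NetSight\meter2\nnfwdk64.sys [2010-10-04 25648]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-11 17:01:33
"""

# Section headers ComboFix uses: banner lines of parentheses or dashes, and the footer.
HEADER_PREFIXES = ("(((", "---", "Completion time")
# "R3 name;display name;path [date size]", or "... [x]" when no file info was recorded.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DENIED_RE = re.compile(r"^@Denied:\s+\(([^)]+)\)\s+\(([^)]+)\)$")

# The posted log showed PCW\Security fully locked too, but the helper's script only
# targeted the Active Setup key, so that one is assumed to be a default and left alone.
LEAVE_ALONE = {r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security"}

def split_sections(log):
    """Group log lines by section header; '.' spacer lines and blanks are dropped."""
    sections, name, buf = {}, None, []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(HEADER_PREFIXES):
            if name is not None:
                sections[name] = buf
            name, buf = line.strip("() -"), []  # "((( Reg Loading Points )))" -> "Reg Loading Points"
        elif line and line != ".":
            buf.append(line)
    if name is not None:
        sections[name] = buf
    return sections

def unverified_services(lines):
    """Service/driver entries ending in [x], i.e. ComboFix recorded no file date/size.
    On this 64-bit box that includes drivers that do exist (amdiox64.sys appears both
    with [x] and in the file list), so treat the result as a triage list, not a verdict."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and m.group(5) == "x":
            found.append((m.group(1), m.group(2), m.group(4)))
    return found

def fully_locked_keys(lines):
    """Locked keys where Everyone is denied Full access, the pattern the helper's
    RegLock:: script targeted; narrower denies such as (A 2) on the Flash keys are skipped."""
    keys, current = [], None
    for line in lines:
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            continue
        dm = DENIED_RE.match(line)
        if dm and current and dm.groups() == ("Full", "Everyone") and current not in keys:
            keys.append(current)
    return keys

def reglock_script(keys, leave_alone=LEAVE_ALONE):
    """Render the RegLock:: stanza of a CFScript for the keys that still need unlocking."""
    targets = [k for k in keys if k not in leave_alone]
    if not targets:
        return ""
    return "RegLock::\n" + "".join(f"[{k}]\n" for k in targets)

if __name__ == "__main__":
    sections = split_sections(SAMPLE_LOG)
    for kind, name, path in unverified_services(sections["Reg Loading Points"]):
        print(f"{kind} {name}: {path}")
    print(reglock_script(fully_locked_keys(sections["LOCKED REGISTRY KEYS"])), end="")
```
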
The Norton install was broken; I disabled most of it in msconfig previously. I ran removal tools from Symantec and I think I've gotten rid of all of it now. Lavasoft and AVG are uninstalled again; I'll only replace AVG 2011 free when we're completely finished. I'm now able to download and save files again. The resulting log was too large to post, so I attached it instead.

combofix2.txt


yep yep!

MBAM

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6562

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

5/12/2011 3:15:26 PM

mbam-log-2011-05-12 (15-15-26).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 268674

Time elapsed: 18 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


That looks good! :) Any problem left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the esetonlinebtn.png button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
     2. Double click on the esetsmartinstaller_enu.png icon on your desktop.
  4. Check "YES, I accept the Terms of Use."
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Under scan settings, check "Scan Archives" and "Remove found threats".
  8. Click Advanced settings and select the following:
     • Scan potentially unwanted applications
     • Scan for potentially unsafe applications
     • Enable Anti-Stealth technology
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, click List Threats.
  11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Click the Back button.
  13. Click the Finish button.


Everything seems back to normal on the system. Thanks a ton for the help so far!

Your results:

C:\Users\rglassmyer\Desktop\Snook's stuff\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined

C:\Users\rglassmyer\Desktop\Snook's stuff\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined


I'm glad to hear that! :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a random named file)

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, and the paid versions provide a resident scanner and do not nag.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software Inspector occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
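As an added example (not part of the original thread or the helper's instructions), the following PowerShell script shows one way to check whether the "reboot and repeat until there are no more updates" loop in step 2 above is actually finished. It queries the Windows Update Agent COM API (Microsoft.Update.Session and Microsoft.Update.SystemInfo, both part of Windows) for updates that are not yet installed and for a pending reboot. It assumes an elevated PowerShell prompt on a machine that can reach the update service; the search criteria and output layout are my own choices, and opting the machine into Microsoft Update rather than Windows Update alone remains the manual step the post describes.

```powershell
# Added example (not from the original thread): list updates that Windows Update
# has not yet installed and report whether an earlier round still needs a reboot.
# Run from an elevated PowerShell prompt; needs network access to the update service.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Criteria: updates that are not installed and that the user has not hidden.
# (Assumption: hidden updates are hidden on purpose and should not block "all clean".)
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

if ($result.Updates.Count -eq 0) {
    Write-Host 'No pending updates.'
} else {
    Write-Host ('{0} update(s) pending:' -f $result.Updates.Count)
    foreach ($u in $result.Updates) {
        # KBArticleIDs is a string collection; join it so each line stays readable.
        $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        # MsrcSeverity is empty for non-security updates, so the bracket may be blank.
        Write-Host ('  [{0}] {1}  {2}' -f $u.MsrcSeverity, $kb, $u.Title)
    }
}

# A reboot pending from an earlier pass means the update cycle is not finished yet,
# even if the search above returns nothing.
$sysinfo = New-Object -ComObject 'Microsoft.Update.SystemInfo'
if ($sysinfo.RebootRequired) {
    Write-Host 'Reboot required before the next update pass.'
}
```

Run it after each reboot; when it prints no pending updates and no reboot requirement, the loop the post describes is complete. Security updates show a severity such as Critical or Important in the brackets, which helps decide what to install first on a slow connection.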
