
Hello,

About a week and a half ago I had a problem with a backdoor that compromised my system and allowed someone to send me pop-up messages and redirect my browser. The AVG scan (shown in the attach.zip) showed that the explorer.exe file was hit with a trojan. Task Manager showed that a second explorer.exe process and a notepad.exe process were opened at startup. I did a bit of poking around and deleted the file I thought was responsible. The AVG scans then showed no trojans, and the extra processes were no longer present. I thought it was fine until an hour later, when I discovered that the person behind the backdoor was altering my status updates on Google Talk and Yahoo! IM. I've kept the PC offline since, bringing it online only to update Malwarebytes.

I've run the MWB scan, dds and the GREP scan and attached the logs. After running dds, AVG seems to pick up an 'unknown trojan' in mbr.sys, mbr.dat (both in the E:\TEMP directory where Windows stores things) and a registry key related to mbr, which were quarantined. After that, the GREP scan seems to end up with my PC having a 'delayed write failed' error whenever it finishes, so I can't get the log for it. I'm not sure if that's related or not, though.

Here are my most recent MWB and dds logs. The MWB log with the trojan has been attached in attach.zip. Has the backdoor been removed or do I need to do more to be rid of it?

Thanks in advance.

-----MBAM-LOG-2011-05-30 (20-03-37).TXT-----

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----- END LOG -----

----- DDS.TXT -----

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Run by James Dean at 12:10:02 on 2011-05-30

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1060 [GMT 1:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall *Enabled*

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\lxcfcoms.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

E:\Program Files\COMODO\COMODO Internet Security\cfp.exe

C:\Program Files\COMODO\COMODO GeekBuddy\CLPS.exe

C:\Program Files\COMODO\COMODO GeekBuddy\Cpa_VA.exe

E:\Program Files\TrojanHunter 5.3\THGuard.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

E:\program files\steam\steam.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Skype\Phone\Skype.exe

E:\Program Files\Xfire\Xfire.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\James Dean\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [steam] "e:\program files\steam\steam.exe" -silent

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [iMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "e:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [MFARestart] "c:\documents and settings\all users\application data\mfadata\pack\avgrunasx.exe" /usereg

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,RunDLLEntry

mRun: [COMODO] c:\program files\comodo\comodo geekbuddy\CLPSLA.exe

mRun: [CPA] c:\program files\comodo\comodo geekbuddy\VALA.exe

mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h

mRun: [THGuard] "e:\program files\trojanhunter 5.3\THGuard.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

StartupFolder: c:\docume~1\jamesd~1\startm~1\programs\startup\xfire.lnk - e:\program files\xfire\Xfire.exe

IE: Copy to Semagic - e:\program files\semagic\copy.htm

IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Semagic - e:\program files\semagic\link.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220906988796

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\guard32.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\james dean\application data\mozilla\firefox\profiles\245vuu5x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc08e10&v=6.010.006.004&i=26&tp=ab&iy=b&ychte=uk&lng=en-GB&q=

FF - component: c:\documents and settings\james dean\application data\mozilla\firefox\profiles\245vuu5x.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll

FF - component: c:\documents and settings\james dean\application data\mozilla\firefox\profiles\245vuu5x.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll

FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\james dean\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\james dean\application data\mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chem3d\npChem3DPlugin.dll

FF - plugin: c:\program files\cambridgesoft\chemoffice2010\chemdraw\NPCDN32.DLL

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: e:\program files\download manager\npfpdlm.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-5-2 242472]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-5-2 29400]

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-8 86552]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-3-26 160560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-3-26 44784]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo geekbuddy\CLPSLS.exe [2011-5-13 154424]

R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2011-5-9 1779792]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-2-17 111152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-2-17 122032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 947528]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-9-21 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-8 24876]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-29 19:36:38 -------- dc----w- c:\documents and settings\james dean\application data\Malwarebytes

2011-05-29 19:36:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 19:36:09 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-29 19:36:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-20 19:46:35 593920 ------w- c:\windows\system32\ati2sgag.exe

2011-05-20 19:44:11 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2011-05-20 19:44:10 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2011-05-20 19:11:04 -------- dc----w- c:\program files\ATI

2011-05-20 19:10:41 -------- dc----w- c:\program files\ATI Technologies

2011-05-19 19:09:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-05-19 19:09:00 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-05-19 19:07:59 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys

2011-05-19 19:06:59 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys

2011-05-19 19:05:59 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys

2011-05-19 19:04:59 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys

2011-05-19 19:03:59 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys

2011-05-19 19:02:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-05-19 19:01:59 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys

2011-05-19 19:00:59 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys

2011-05-19 18:59:59 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys

2011-05-19 18:58:59 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys

2011-05-19 18:57:58 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2011-05-19 18:56:59 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys

2011-05-19 18:55:55 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-05-19 14:34:03 -------- dc----w- c:\documents and settings\james dean\application data\TrojanHunter

2011-05-19 14:31:43 -------- dc----w- c:\documents and settings\all users\application data\TrojanHunter

2011-05-19 11:30:29 -------- dc-h--w- C:\VritualRoot

2011-05-19 11:15:05 -------- dc----w- c:\documents and settings\all users\application data\Comodo

2011-05-19 11:14:55 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-05-19 11:14:55 -------- dc----w- c:\program files\COMODO

2011-05-19 11:14:54 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-18 02:38:52 -------- dcsh--r- c:\documents and settings\james dean\application data\GoogleToolbar

2011-05-17 18:14:12 -------- dc----w- c:\documents and settings\james dean\local settings\application data\Zachtronics Industries

2011-05-12 23:33:39 -------- dc----w- c:\documents and settings\james dean\local settings\application data\splash damage

2011-05-12 14:15:41 -------- dc----w- c:\documents and settings\all users\application data\Skype Extras

2011-05-07 07:28:38 781272 -c--a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-07 07:28:37 89048 -c--a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-07 07:28:37 465880 -c--a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-07 07:28:37 1874904 -c--a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-07 07:28:37 15832 -c--a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-07 07:28:36 1974616 -c--a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-07 07:28:36 1892184 -c--a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-07 07:28:36 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-02 19:36:54 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2011-05-02 19:36:52 242472 ----a-w- c:\windows\system32\drivers\cmdGuard.sys

2011-05-02 19:36:52 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys

2011-05-02 19:36:04 284744 ----a-w- c:\windows\system32\guard32.dll

2011-05-01 21:42:43 -------- dc----w- c:\documents and settings\james dean\local settings\application data\CutePDF Writer

2011-05-01 21:27:41 -------- dc----w- c:\program files\GPLGS

2011-05-01 21:23:56 87552 ----a-w- c:\windows\system32\cpwmon2k.dll

2011-05-01 21:23:23 -------- dc----w- c:\program files\Acro Software

2011-04-30 17:42:46 -------- dc----w- c:\documents and settings\james dean\application data\PriceGong

.

==================== Find3M ====================

.

2011-04-26 21:12:04 249856 -c----w- c:\windows\Setup1.exe

2011-04-26 21:11:56 73216 -c--a-w- c:\windows\ST6UNST.EXE

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 12:11:34.75 ===============

attach.zip


  • Staff

Hi,

In the future, please do not add spaces to logs.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


Hi,

Sorry about that, I hadn't realised that my PC had double-spaced it all out.

Here are the logs from the MWB, combofix and dds runs.

Thank you for your help.

- BaadJim

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6743

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

01/06/2011 14:00:58

mbam-log-2011-06-01 (14-00-58).txt

Scan type: Quick scan

Objects scanned: 173741

Time elapsed: 40 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 11-05-31.02 - James Dean 01/06/2011 15:31:52.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1396 [GMT 1:00]

Running from: c:\documents and settings\James Dean\Desktop\ComboFix.exe

FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\James Dean\Application Data\GoogleToolbar

c:\documents and settings\James Dean\Application Data\GoogleToolbar\GoogleUpdater.exe

c:\documents and settings\James Dean\Application Data\PriceGong

c:\documents and settings\James Dean\Application Data\PriceGong\Data\1.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\a.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\b.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\c.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\d.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\e.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\f.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\g.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\h.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\i.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\J.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\k.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\l.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\m.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\n.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\o.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\p.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\q.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\r.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\s.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\t.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\u.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\v.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\w.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\x.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\y.xml

c:\documents and settings\James Dean\Application Data\PriceGong\Data\z.xml

E:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-05-01 to 2011-06-01 )))))))))))))))))))))))))))))))

.

.

2011-05-29 19:36 . 2011-05-29 19:36 -------- dc----w- c:\documents and settings\James Dean\Application Data\Malwarebytes

2011-05-29 19:36 . 2011-05-29 08:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 19:36 . 2011-05-29 19:36 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-29 19:36 . 2011-05-29 08:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-20 20:00 . 2011-05-20 20:00 -------- dc----w- c:\documents and settings\All Users\Application Data\ATI

2011-05-20 19:46 . 2010-02-10 20:20 593920 ------w- c:\windows\system32\ati2sgag.exe

2011-05-20 19:44 . 2010-02-11 04:35 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2011-05-20 19:44 . 2010-02-11 04:33 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2011-05-20 19:11 . 2011-05-20 19:11 -------- dc----w- c:\program files\ATI

2011-05-20 19:10 . 2011-05-20 19:48 -------- dc----w- c:\program files\ATI Technologies

2011-05-19 19:09 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-05-19 19:09 . 2001-08-17 21:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-05-19 19:07 . 2004-08-03 21:29 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys

2011-05-19 19:06 . 2001-08-17 12:52 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys

2011-05-19 19:05 . 2004-08-03 21:31 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys

2011-05-19 19:04 . 2001-08-17 12:52 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys

2011-05-19 19:03 . 2008-04-13 18:54 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys

2011-05-19 19:02 . 2001-08-17 12:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-05-19 19:01 . 2001-08-17 12:49 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys

2011-05-19 19:00 . 2001-08-17 12:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys

2011-05-19 18:59 . 2001-08-17 11:19 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys

2011-05-19 18:58 . 2001-08-17 11:11 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys

2011-05-19 18:57 . 2001-08-17 12:52 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2011-05-19 18:56 . 2001-08-17 11:13 89952 -c--a-w- c:\windows\system32\dllcache\b1cbase.sys

2011-05-19 18:55 . 2001-08-17 13:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-05-19 14:34 . 2011-05-19 14:34 -------- dc----w- c:\documents and settings\James Dean\Application Data\TrojanHunter

2011-05-19 14:31 . 2011-05-19 14:32 -------- dc----w- c:\documents and settings\All Users\Application Data\TrojanHunter

2011-05-19 11:14 . 2011-05-19 11:14 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-05-19 11:14 . 2011-05-19 11:14 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-17 18:14 . 2011-05-17 18:14 -------- dc----w- c:\documents and settings\James Dean\Local Settings\Application Data\Zachtronics Industries

2011-05-12 23:33 . 2011-05-12 23:33 -------- dc----w- c:\documents and settings\James Dean\Local Settings\Application Data\splash damage

2011-05-12 14:15 . 2011-05-29 23:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype Extras

2011-05-12 14:15 . 2011-05-12 14:15 -------- dc----w- c:\program files\Common Files\Skype

2011-05-07 07:28 . 2011-05-07 07:28 781272 -c--a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll

2011-05-07 07:28 . 2011-05-07 07:28 1874904 -c--a-w- c:\program files\Mozilla Firefox\mozjs.dll

2011-05-07 07:28 . 2011-05-07 07:28 89048 -c--a-w- c:\program files\Mozilla Firefox\libEGL.dll

2011-05-07 07:28 . 2011-05-07 07:28 465880 -c--a-w- c:\program files\Mozilla Firefox\libGLESv2.dll

2011-05-07 07:28 . 2011-05-07 07:28 15832 -c--a-w- c:\program files\Mozilla Firefox\mozalloc.dll

2011-05-07 07:28 . 2011-05-07 07:28 1892184 -c--a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll

2011-05-07 07:28 . 2011-05-07 07:28 1974616 -c--a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll

2011-05-07 07:28 . 2011-05-07 07:28 142296 -c--a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-26 21:12 . 2011-04-26 21:12 249856 -c----w- c:\windows\Setup1.exe

2011-04-26 21:11 . 2011-04-26 21:11 73216 -c--a-w- c:\windows\ST6UNST.EXE

2011-03-07 05:33 . 2008-09-06 22:44 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-05-07 07:28 . 2011-05-07 07:28 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-11-29 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2010-11-29 15:26 3908192 -c--a-w- c:\program files\ConduitEngine\ConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

2010-11-29 15:26 3908192 -c--a-w- c:\program files\uTorrentBar\tbuTo0.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-11-29 3908192]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTo0.dll" [2010-11-29 3908192]

.

[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]

"Steam"="e:\program files\steam\steam.exe" [2010-11-17 1242448]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"igndlm.exe"="e:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 15146376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"GrooveMonitor"="e:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-09-14 73728]

"THGuard"="e:\program files\TrojanHunter 5.3\THGuard.exe" [2010-10-23 1070360]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]

.

c:\documents and settings\James Dean\Start Menu\Programs\Startup\

Xfire.lnk - e:\program files\Xfire\Xfire.exe [2010-7-9 3493776]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"e:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"e:\\Program Files\\Trillian\\trillian.exe"=

"e:\\Program Files\\Xfire\\Xfire.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\geometry wars\\GeometryWars.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp3.bat"=

"e:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp4.bat"=

"e:\\Program Files\\Steam\\steamapps\\common\\commander keen\\testapp5.bat"=

"e:\\Program Files\\Steam\\steamapps\\common\\uplink\\Uplink.exe"=

"e:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=

"e:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=

"e:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\last remnant - demo sel\\Binaries\\TLRDemo.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\javaw.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\world of goo demo\\WorldOfGoo.exe"=

"e:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\vegas - make it big\\casino.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\ghost master\\ghost.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\sacred gold\\Sacred.exe"=

"e:\\Program Files\\mIRC\\mirc.exe"=

"e:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"e:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"e:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"e:\\Program Files\\Steam\\steamapps\\common\\flock demo\\Flock.exe"=

"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=

"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=

"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=

"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=

"c:\\WINDOWS\\system32\\lxcfcoms.exe"=

"e:\\Program Files\\Aracnum\\Arcanum.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"e:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=

"e:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=

"e:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=

"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\zuma deluxe\\Zuma.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\peggle deluxe\\Peggle.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\bejeweled 2 deluxe\\WinBej2.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\tropico 3 - demo\\Tropico3 Demo.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization v - demo\\Launcher.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\sid meier's civilization v - demo\\CivilizationV.exe"=

"c:\\Program Files\\CambridgeSoft\\ChemOffice2010\\ChemDraw\\ChemDraw.exe"=

"e:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\hacker evolution untold - demo\\Hacker Evolution Untold.exe"=

"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"e:\\Program Files\\Microsoft Games\\Rise of Nations\\nations.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\sid meier's pirates!\\Pirates!.exe"=

"c:\\Documents and Settings\\James Dean\\My Documents\\Downloads\\ChampionsOnlineF2P.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\doom 3\\Doom3.exe"=

"c:\\Documents and Settings\\James Dean\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\just cause 2\\JustCause2.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

"e:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [08/09/2008 22:14 86552]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [26/03/2011 19:16 160560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [26/03/2011 19:15 44784]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [21/08/2008 13:55 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [21/08/2008 13:55 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [21/08/2008 13:56 566296]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [17/02/2011 19:06 111152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [17/02/2011 19:06 122032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/09/2010 00:47 136176]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [21/08/2008 13:55 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [21/08/2008 13:55 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [21/08/2008 13:56 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [21/08/2008 13:56 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [21/08/2008 13:56 566296]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [21/09/2010 00:14 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/09/2010 00:47 136176]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [08/09/2008 22:14 24876]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/10/2010 18:13 697328]

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

2011-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 23:47]

.

2011-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-09-19 23:47]

.

2011-05-30 c:\windows\Tasks\Norton Security Scan for James Dean.job

- c:\progra~1\NORTON~2\Engine\300~1.103\Nss.exe [2011-02-07 20:15]

.

2011-06-01 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678

uInternet Settings,ProxyOverride = *.local

IE: Copy to Semagic - e:\program files\Semagic\copy.htm

IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Semagic - e:\program files\Semagic\link.htm

TCP: DhcpNameServer = 10.122.0.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\James Dean\Application Data\Mozilla\Firefox\Profiles\245vuu5x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc08e10&v=6.010.006.004&i=26&tp=ab&iy=b&ychte=uk&lng=en-GB&q=

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKLM-Run-MFARestart - c:\documents and settings\All Users\Application Data\MFAData\pack\avgrunasx.exe

Notify-WgaLogon - (no file)

AddRemove-Cities XL - Demo - e:\program files\Monte Cristo\Cities XL - Demo\uninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-01 15:44

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,RunDLLEntry

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-746137067-1177238915-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:39,74,2b,6e,95,46,5c,03,ab,fe,11,0d,06,c1,12,c4,8d,14,64,b7,39,13,2b,

49,80,97,9f,2a,03,34,3b,1f,01,42,31,a6,bc,02,6d,29,21,20,d6,71,35,4f,f9,66,\

"??"=hex:ac,88,ac,c7,ce,e4,92,65,4a,af,b5,ae,96,95,e1,d1

.

[HKEY_USERS\S-1-5-21-746137067-1177238915-839522115-1003\Software\SecuROM\License information*]

"datasecu"=hex:11,02,05,90,46,0b,a3,a1,70,c8,15,57,cd,10,2d,9a,66,0d,d3,df,f4,

e0,ee,b7,97,f3,ad,0e,e2,33,f5,cc,3c,d1,33,f6,08,c7,56,67,fa,d2,d2,37,1c,bd,\

"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1076)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-06-01 15:47:00

ComboFix-quarantined-files.txt 2011-06-01 14:46

.

Pre-Run: 1,339,359,232 bytes free

Post-Run: 2,000,293,888 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 8761582A3F2CE4F9114D0A85B0EF63D0

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Run by James Dean at 16:11:42 on 2011-06-01

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1421 [GMT 1:00]

.

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\lxcfcoms.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\iTunes\iTunesHelper.exe

E:\Program Files\TrojanHunter 5.3\THGuard.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

E:\Program Files\Xfire\Xfire.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\James Dean\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

mURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [steam] "e:\program files\steam\steam.exe" -silent

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "e:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,RunDLLEntry

mRun: [THGuard] "e:\program files\trojanhunter 5.3\THGuard.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

StartupFolder: c:\docume~1\jamesd~1\startm~1\programs\startup\xfire.lnk - e:\program files\xfire\Xfire.exe

IE: Copy to Semagic - e:\program files\semagic\copy.htm

IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Semagic - e:\program files\semagic\link.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220906988796

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\james dean\application data\mozilla\firefox\profiles\245vuu5x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc08e10&v=6.010.006.004&i=26&tp=ab&iy=b&ychte=uk&lng=en-GB&q=

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-8 86552]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-3-26 160560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-3-26 44784]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-2-17 111152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-2-17 122032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-9-21 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-8 24876]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-06-01 14:29:42 -------- dcsha-r- C:\cmdcons

2011-06-01 14:26:37 98816 -c--a-w- c:\windows\sed.exe

2011-06-01 14:26:37 518144 -c--a-w- c:\windows\SWREG.exe

2011-06-01 14:26:37 256512 -c--a-w- c:\windows\PEV.exe

2011-06-01 14:26:37 208896 -c--a-w- c:\windows\MBR.exe

2011-05-29 19:36:38 -------- dc----w- c:\documents and settings\james dean\application data\Malwarebytes

2011-05-29 19:36:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 19:36:09 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-29 19:36:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-20 19:46:35 593920 ------w- c:\windows\system32\ati2sgag.exe

2011-05-20 19:44:11 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2011-05-20 19:44:10 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2011-05-20 19:11:04 -------- dc----w- c:\program files\ATI

2011-05-20 19:10:41 -------- dc----w- c:\program files\ATI Technologies

2011-05-19 19:09:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-05-19 19:09:00 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-05-19 19:07:59 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys

2011-05-19 19:06:59 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys

2011-05-19 19:05:59 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys

2011-05-19 19:04:59 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys

2011-05-19 19:03:59 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys

2011-05-19 19:02:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-05-19 19:01:59 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys

2011-05-19 19:00:59 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys

2011-05-19 18:59:59 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys

2011-05-19 18:58:59 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys

2011-05-19 18:57:58 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2011-05-19 18:56:59 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys

2011-05-19 18:55:55 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-05-19 14:34:03 -------- dc----w- c:\documents and settings\james dean\application data\TrojanHunter

2011-05-19 14:31:43 -------- dc----w- c:\documents and settings\all users\application data\TrojanHunter

2011-05-19 11:14:55 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-05-19 11:14:54 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-17 18:14:12 -------- dc----w- c:\documents and settings\james dean\local settings\application data\Zachtronics Industries

2011-05-12 23:33:39 -------- dc----w- c:\documents and settings\james dean\local settings\application data\splash damage

2011-05-12 14:15:41 -------- dc----w- c:\documents and settings\all users\application data\Skype Extras

2011-05-07 07:28:38 781272 -c--a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-07 07:28:37 89048 -c--a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-07 07:28:37 465880 -c--a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-07 07:28:37 1874904 -c--a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-07 07:28:37 15832 -c--a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-07 07:28:36 1974616 -c--a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-07 07:28:36 1892184 -c--a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-07 07:28:36 142296 -c--a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

==================== Find3M ====================

.

2011-04-26 21:12:04 249856 -c----w- c:\windows\Setup1.exe

2011-04-26 21:11:56 73216 -c--a-w- c:\windows\ST6UNST.EXE

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll

.

============= FINISH: 16:11:57.42 ===============


  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for uTorrent and anything else you have installed.


Hi,

Sorry for the delay. I'm currently visiting family so I'm not at the infected PC at the moment. I've uninstalled the bittorrent clients that were on my computer and I don't think there's anything else on there. Once I get back later today I'll post up the MWB and DDS logs. Are there any other logs that you recommend I post up?

Thanks for your patience.


Hi,

I've got MBAM and DDS to run, although I've noticed that the MBAM scan took 50 minutes this time around which is quite a worry. I did an update and scan just a few minutes ago to keep up to date.

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

15/06/2011 20:26:32

mbam-log-2011-06-15 (20-26-32).txt

Scan type: Quick scan

Objects scanned: 168898

Time elapsed: 51 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21

Run by James Dean at 20:28:32 on 2011-06-15

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1546 [GMT 1:00]

.

FW: AVG Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\lxcfcoms.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Documents and Settings\James Dean\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

mURLSearchHooks: H - No File

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll

TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background

uRun: [steam] "e:\program files\steam\steam.exe" -silent

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [igndlm.exe] e:\program files\download manager\DLM.exe /windowsstart /startifwork

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [GrooveMonitor] "e:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,RunDLLEntry

mRun: [THGuard] "e:\program files\trojanhunter 5.3\THGuard.exe"

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

StartupFolder: c:\docume~1\jamesd~1\startm~1\programs\startup\xfire.lnk - e:\program files\xfire\Xfire.exe

IE: Copy to Semagic - e:\program files\semagic\copy.htm

IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Semagic - e:\program files\semagic\link.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220906988796

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\james dean\application data\mozilla\firefox\profiles\245vuu5x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc08e10&v=6.010.006.004&i=26&tp=ab&iy=b&ychte=uk&lng=en-GB&q=

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

============= SERVICES / DRIVERS ===============

.

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2008-9-8 86552]

R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2011-3-26 160560]

R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2011-3-26 44784]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2011-2-17 111152]

R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2011-2-17 122032]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-8-21 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-8-21 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-8-21 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-8-21 566296]

S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2010-9-21 25832]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-20 136176]

S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-8 24876]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-06-01 14:29:42 -------- dcsha-r- C:\cmdcons

2011-06-01 14:26:37 98816 -c--a-w- c:\windows\sed.exe

2011-06-01 14:26:37 518144 -c--a-w- c:\windows\SWREG.exe

2011-06-01 14:26:37 256512 -c--a-w- c:\windows\PEV.exe

2011-06-01 14:26:37 208896 -c--a-w- c:\windows\MBR.exe

2011-05-29 19:36:38 -------- dc----w- c:\documents and settings\james dean\application data\Malwarebytes

2011-05-29 19:36:10 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 19:36:09 -------- dc----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-29 19:36:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-20 19:46:35 593920 ------w- c:\windows\system32\ati2sgag.exe

2011-05-20 19:44:11 155648 ----a-w- c:\windows\system32\ati2evxx.dll

2011-05-20 19:44:10 602112 ----a-w- c:\windows\system32\ati2evxx.exe

2011-05-20 19:11:04 -------- dc----w- c:\program files\ATI

2011-05-20 19:10:41 -------- dc----w- c:\program files\ATI Technologies

2011-05-19 19:09:00 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-05-19 19:09:00 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-05-19 19:07:59 19551 -c--a-w- c:\windows\system32\dllcache\watv02nt.sys

2011-05-19 19:06:59 7040 -c--a-w- c:\windows\system32\dllcache\tandqic.sys

2011-05-19 19:05:59 32768 -c--a-w- c:\windows\system32\dllcache\sisnic.sys

2011-05-19 19:04:59 45312 -c--a-w- c:\windows\system32\dllcache\ql12160.sys

2011-05-19 19:03:59 28672 -c--a-w- c:\windows\system32\dllcache\nscirda.sys

2011-05-19 19:02:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys

2011-05-19 19:01:59 26624 -c--a-w- c:\windows\system32\dllcache\irstusb.sys

2011-05-19 19:00:59 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys

2011-05-19 18:59:59 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys

2011-05-19 18:58:59 24649 -c--a-w- c:\windows\system32\dllcache\dfe650d.sys

2011-05-19 18:57:58 7680 -c--a-w- c:\windows\system32\dllcache\cd20xrnt.sys

2011-05-19 18:56:59 96640 -c--a-w- c:\windows\system32\dllcache\b57xp32.sys

2011-05-19 18:55:55 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-05-19 14:34:03 -------- dc----w- c:\documents and settings\james dean\application data\TrojanHunter

2011-05-19 14:31:43 -------- dc----w- c:\documents and settings\all users\application data\TrojanHunter

2011-05-19 11:14:55 1060864 ----a-w- c:\windows\system32\mfc71.dll

2011-05-19 11:14:54 1700352 ----a-w- c:\windows\system32\gdiplus.dll

2011-05-17 18:14:12 -------- dc----w- c:\documents and settings\james dean\local settings\application data\Zachtronics Industries

.

==================== Find3M ====================

.

2011-04-26 21:12:04 249856 -c----w- c:\windows\Setup1.exe

2011-04-26 21:11:56 73216 -c--a-w- c:\windows\ST6UNST.EXE

.

============= FINISH: 20:29:08.40 ===============

Thank you for your help.

attach 15th June 2011.txt.zip
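When reading a DDS log like the one above, a helper works through the "Pseudo HJT Report" section first: orphaned registry entries that point at "No File", browser hooks and toolbars installed by bundled search toolbars, and home-page or search-engine settings that have been redirected to a provider the user never chose. The following is an added example of that triage written as a small parser; it is not code from the thread, from DDS or from the helper, and the marker lists (`REDIRECT_HOSTS`, `BUNDLED_TOOLBAR_MARKERS`) are constructed from what this particular log shows rather than from any vendor database. The sample lines are copied in DDS's format from the log above.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example (not DDS's own code). It classifies lines into three findings
a helper looks at first: 'orphan' (registry entry whose file is missing),
'bundled-toolbar' (hook/BHO/toolbar belonging to a bundled search toolbar)
and 'search-redirect' (home page or search URL pointing at an unexpected
search host). The policy lists below are constructed for this log only.
"""
import re
from urllib.parse import urlparse

# Constructed for this example: the host the log shows as the new home page
# and search provider. A real triage compares against the user's own choice.
REDIRECT_HOSTS = {"search.conduit.com"}

# Constructed for this example: path fragments of the bundled toolbars that
# appear in the log above (lower-case substring match on the target path).
BUNDLED_TOOLBAR_MARKERS = ("conduitengine", "utorrentbar")

# Constructed sample, a handful of lines in the exact format DDS emits.
SAMPLE_DDS = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo0.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [THGuard] "e:\program files\trojanhunter 5.3\THGuard.exe"
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}
"""

# "BHO: ...", "TB: ...", "uRun: ...", "EB: ...": a bare word, a colon, the body.
HOOK_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<body>.+)$")
FFPREF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<value>.+)$")
SETTING_RE = re.compile(r"^(?P<key>[^:=]+?) = (?P<value>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def refang(url):
    """DDS writes hxxp:// so log URLs are not clickable; restore http for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_line(line):
    """Describe one Pseudo-HJT line as a dict, or return None for lines not modelled."""
    line = line.strip()
    if not line:
        return None
    m = HOOK_RE.match(line)
    if m:
        kind, body = m.group("kind"), m.group("body")
        if body.startswith("["):  # uRun/mRun: [name] command line
            name, _, cmd = body[1:].partition("] ")
            return {"kind": kind, "name": name, "clsid": None, "target": cmd.strip()}
        left, sep, target = body.rpartition(" - ")  # "... {clsid} - path" or "... - No File"
        if not sep:
            return None
        clsid = CLSID_RE.search(left)
        name = left[: clsid.start()].rstrip(": ") if clsid else left
        return {"kind": kind, "name": name or None,
                "clsid": clsid.group(0) if clsid else None, "target": target.strip()}
    m = FFPREF_RE.match(line)
    if m:
        return {"kind": "ffpref", "name": m.group("key"), "clsid": None, "target": m.group("value")}
    m = SETTING_RE.match(line)
    if m:
        return {"kind": "setting", "name": m.group("key"), "clsid": None, "target": m.group("value")}
    return None


def triage(dds_text):
    """Return (category, original line) findings in log order."""
    findings = []
    for raw in dds_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        target = entry["target"]
        if target == "No File":
            findings.append(("orphan", raw))
        elif any(marker in target.lower() for marker in BUNDLED_TOOLBAR_MARKERS):
            findings.append(("bundled-toolbar", raw))
        elif entry["kind"] in ("setting", "ffpref"):
            host = urlparse(refang(target)).netloc.lower()
            if host in REDIRECT_HOSTS:
                findings.append(("search-redirect", raw))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'orphan': 3, ...}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"[{category:16}] {line}")
    print(summarize(triage(SAMPLE_DDS)))
```

Orphaned "No File" entries are usually leftovers of an uninstall rather than an infection, which is why they are reported separately from the toolbar and search-redirect findings; the parser keeps the original line in each finding so the helper can quote it back in a fix script.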


  • Staff

Hi,

Grab a fresh copy of ComboFix, run it, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Hi,

Just to keep you updated, I've given ComboFix a run. As you suggested I downloaded a fresh copy of it and ran it. After running the 50 stages my computer rebooted and then it popped back up saying that it was preparing the log. The first time I tried to run it the computer rebooted again and there was no log. The second time I tried to run it I think explorer.exe stopped responding completely. It didn't give me a log either. I get the bad impression that I've done something wrong with respect to that.

Since the last ComboFix run, the only thing I've really done is uninstall uTorrent and update the Malwarebytes software. I'm going to go ahead and run the online scan and your security tool now, I'll let you know if that works.

Thanks.


  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
