
IP address continuous blocking



This is a copy of the log of IP address blocking. I don't know what is wrong, but Malwarebytes is not detecting any viruses.


Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6830

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/10/2011 6:06:18 PM

mbam-log-2011-06-10 (18-06-18).txt

Scan type: Full scan (C:\|)

Objects scanned: 294210

Time elapsed: 2 hour(s), 53 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

This is a copy of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:41:32 AM, on 6/12/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\csifcsvc.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe

C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Update\1.3.21.57\GoogleCrashHandler.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer, optimized for Bing and MSN

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"

O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Startup: Microsoft SharePoint Workspace.lnk = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

O4 - Global Startup: QuickBooks Remote Access.LNK = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


The MBAM log:

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6863

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/15/2011 8:40:22 PM

mbam-log-2011-06-15 (20-40-22).txt

Scan type: Quick scan

Objects scanned: 220643

Time elapsed: 20 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

The ComboFix log:

ComboFix 11-06-15.02 - David Khaski 06/15/2011 18:52:44.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2046.1484 [GMT -4:00]

Running from: c:\documents and settings\David Khaski\Desktop\ComboFix.exe

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\David Khaski\Application Data\alot

c:\documents and settings\David Khaski\Application Data\Google\T-Scan

c:\documents and settings\David Khaski\Application Data\Google\T-Scan\n.gif

c:\documents and settings\David Khaski\Application Data\Google\T-Scan\t.gif

c:\documents and settings\David Khaski\Application Data\Google\T-Scan\Thumbs.db

c:\documents and settings\David Khaski\Application Data\Google\T-Scan\y.gif

c:\documents and settings\David Khaski\Application Data\Help\coma.exe

c:\documents and settings\David Khaski\Application Data\PriceGong

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\1.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\a.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\b.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\c.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\d.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\e.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\f.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\g.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\h.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\i.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\J.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\k.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\l.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\m.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\n.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\o.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\p.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\q.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\r.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\s.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\t.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\u.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\v.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\w.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\x.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\y.xml

c:\documents and settings\David Khaski\Application Data\PriceGong\Data\z.xml

c:\documents and settings\David Khaski\WINDOWS

c:\documents and settings\Moise Khaski\Application Data\PriceGong

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Moise Khaski\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Moise Khaski\WINDOWS

c:\windows\Google Pack Screensaver Uninstaller.exe

c:\windows\system32\Packet.dll

c:\windows\system32\spool\prtprocs\w32x86\atx_print.dll

c:\windows\system32\wpcap.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MYWEBSEARCHSERVICE

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2011-05-15 to 2011-06-15 )))))))))))))))))))))))))))))))

.

.

2011-06-15 22:15 . 2011-06-15 22:18 -------- d-----w- C:\32788R22FWJFW

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-14 13:17 . 2011-06-15 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\program files\NOS

2011-06-14 13:16 . 2011-06-14 13:16 -------- d-----w- C:\godlike3

2011-06-14 12:50 . 2011-06-14 12:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2011-06-13 03:06 . 2011-06-12 05:29 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-06-13 01:05 . 2011-05-25 19:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll

2011-06-12 23:49 . 2011-06-12 23:49 -------- d-----w- c:\documents and settings\David Khaski\Application Data\Registry Mechanic

2011-06-12 16:42 . 2010-08-05 12:46 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-06-12 16:42 . 2008-04-02 19:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-06-12 16:42 . 2008-04-02 19:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-06-12 16:42 . 2008-04-02 19:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-06-12 05:29 . 2011-06-12 05:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-12 05:27 . 2011-05-25 06:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-06-12 02:49 . 2011-06-12 02:50 -------- d-----w- c:\documents and settings\David Khaski\Local Settings\Application Data\Deployment

2011-06-12 02:42 . 2011-06-12 02:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-06-10 19:17 . 2011-06-10 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-06-10 01:55 . 2011-06-10 01:59 -------- dc-h--w- c:\windows\ie8

2011-06-10 01:47 . 2010-10-18 11:10 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VERIZON_BROAD

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ConduitEngine

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint

2011-05-29 20:43 . 2011-05-29 20:43 -------- d-----w- c:\program files\Common Files\Intuit Shared

2011-05-29 20:32 . 2011-05-31 12:05 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\Lacerte

2011-05-29 19:39 . 2009-08-20 21:40 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2011-05-29 19:28 . 2011-05-29 19:49 -------- d-----w- C:\ProWin10

2011-05-29 18:54 . 2011-05-29 19:44 -------- d-----w- C:\BasWin10

2011-05-29 02:58 . 2011-05-29 03:03 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\CasinoOnNet

2011-05-29 02:58 . 2011-05-29 03:00 -------- d-----w- c:\program files\CasinoOnNet

2011-05-18 21:35 . 2011-06-15 15:38 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-18 20:53 . 2011-05-18 20:53 -------- d-----w- c:\program files\TelevisionFanatic

2011-05-18 20:48 . 2011-05-18 20:49 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\RebateInformer

2011-05-18 20:48 . 2011-05-18 20:48 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\AppGraffiti

2011-05-18 20:48 . 2011-05-19 18:33 -------- d-----w- c:\program files\AppGraffiti

2011-05-18 20:48 . 2011-05-18 20:48 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\PCPowerSpeed

2011-05-18 20:48 . 2011-06-10 22:38 -------- d-----w- c:\program files\RebateInformer

2011-05-18 20:48 . 2011-05-18 20:48 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\Inbox Toolbar

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 13:11 . 2009-07-21 00:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2009-07-21 00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52 . 2010-05-03 11:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 06:25 . 2007-04-27 12:59 73728 ----a-w- c:\windows\system32\javacpl.cpl

2008-04-29 21:19 . 2008-06-12 00:44 78561280 ----a-w- c:\program files\Common Files\ATX Fixed Asset Manager Evaluation Workstation.msi

2006-08-20 03:12 . 2006-08-20 03:12 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-11-17 22:07 . 2008-06-29 14:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]

@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"

[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]

@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"

[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]

@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"

[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]

@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"

[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]

"GrooveMonitor"="c:\program files\Microsoft Office\Office14\GROOVEMN.EXE" [2010-03-25 944008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-06-09 161336]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-12-03 126976]

.

c:\documents and settings\David Khaski\Start Menu\Programs\Startup\

Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Remote Access.LNK - c:\windows\Downlo~1\MyWebEx\319\raagtx.exe [2010-11-3 38200]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk

backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Remote Access.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK

backup=c:\windows\pss\QuickBooks Remote Access.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^David Khaski^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

path=c:\documents and settings\David Khaski\Start Menu\Programs\Startup\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2009-11-17 22:07 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1173191900\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livedrive]

2010-04-22 14:06 1348608 ----a-w- c:\program files\Livedrive\Livedrive.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-05-29 13:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]

2008-12-03 15:12 69632 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SavRoam"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"gupdate"=2 (0x2)

"GoogleDesktopManager-110309-193829"=3 (0x3)

"GameConsoleService"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"RPSUpdaterR"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"IDriverT"=3 (0x3)

"MyWebSearchService"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

"atnthost"=2 (0x2)

"Radialpoint Security Services"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Documents and Settings\\David Khaski\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1173191900\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AOL 9.0b\\waol.exe"=

"c:\\Program Files\\AOL 9.0c\\waol.exe"=

"c:\\Program Files\\AOL 9.0d\\waol.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\AOL 9.1a\\waol.exe"=

"c:\\Program Files\\AOL 9.1b\\waol.exe"=

"c:\\Program Files\\AOL 9.1c\\waol.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Documents and Settings\\David Khaski\\My Documents\\drjava-20080124-1942.exe"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre1.6.0_04\\bin\\javaw.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\My Games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=

"c:\\Magic\\Program\\Manalink.exe"=

"c:\\PVSW\\Bin\\W3DBSMGR.EXE"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\David Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Moise Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"54925:UDP"= 54925:UDP:Brother Network Scanner

"1:TCP"= 1:TCP:LPT1

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/23/2009 9:12 PM 207792]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/16/2007 10:10 AM 691696]

R1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [7/28/2010 5:25 PM 146904]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2009 8:00 PM 366640]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/11/2007 10:32 AM 24652]

R3 EraserUtilDrvI11;EraserUtilDrvI11;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI11.sys [6/14/2011 9:27 AM 105592]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [5/25/2011 2:00 AM 15232]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2009 8:00 PM 22712]

R3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [6/23/2009 4:27 PM 20480]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 6:18 AM 14336]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 9:10 PM 359624]

S4 atnthost;WebEx Remote Access Agent;c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [11/3/2010 8:07 PM 16776]

S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/29/2008 10:31 AM 30192]

S4 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/16/2005 6:18 AM 5120]

S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 8:27 PM 124608]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - LAVASOFT_KERNEXPLORER

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 06:00]

.

2011-06-15 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-04 04:29]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006Core.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006UA.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-06-10 c:\windows\Tasks\Norton Security Scan for Moise Khaski.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

.

2011-06-14 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-06-12 12:46]

.

2011-06-15 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-06-12 12:46]

.

2011-06-15 c:\windows\Tasks\User_Feed_Synchronization-{6780BEE6-2189-4DB0-92BD-64F495379380}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

2011-06-15 c:\windows\Tasks\User_Feed_Synchronization-{A78D56A3-BCEE-4D47-9CB7-18007CB57D6B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2786678

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

TCP: DhcpNameServer = 192.168.1.1 68.237.161.12

FF - ProfilePath - c:\documents and settings\David Khaski\Application Data\Mozilla\Firefox\Profiles\ptkf1ro6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: XULRunner: {DB449582-D599-4237-8FDC-295649FBEFC4} - c:\documents and settings\David Khaski\Local Settings\Application Data\{DB449582-D599-4237-8FDC-295649FBEFC4}

FF - Ext: XULRunner: {3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1} - c:\documents and settings\Moise Khaski\Local Settings\Application Data\{3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1}

FF - Ext: XULRunner: {D9F7ED81-4825-48DD-8577-C84F0794B17A} - c:\documents and settings\Maurice Khaski\Local Settings\Application Data\{D9F7ED81-4825-48DD-8577-C84F0794B17A}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: TelevisionFanatic: 64ffxtbr@TelevisionFanatic.com - c:\program files\TelevisionFanatic\bar\1.bin

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)

BHO-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\ConduitEngine.dll

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll

Toolbar-{30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\ConduitEngine\ConduitEngine.dll

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll

Notify-NavLogon - (no file)

MSConfigStartUp-64435830 - c:\docume~1\ALLUSE~1\APPLIC~1\64435830\64435830.exe

MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

MSConfigStartUp-lphcgqjj0e7de - c:\windows\system32\lphcgqjj0e7de.exe

MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

MSConfigStartUp-RebateInformer - c:\progra~1\REBATE~1\REBATE~1.EXE

MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe

MSConfigStartUp-RegWork - c:\program files\RegWork\RegWork.exe

MSConfigStartUp-sniffer - c:\windows\Temp\_ex-08.exe

MSConfigStartUp-vxdhm - c:\documents and settings\David Khaski\Application Data\Google\xtgoj6119471.exe

MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe

AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe

AddRemove-Google Chrome - c:\program files\Google\Chrome\Application\11.0.696.60\Installer\setup.exe

AddRemove-Google Pack Screensaver - c:\windows\Google Pack Screensaver Uninstaller.exe

AddRemove-Plaxo - c:\documents and settings\Moise Khaski\Local Settings\Application Data\Plaxo\3.25.0.87\uninstall.exe

AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_2BE6CD75D520F20B.exe

AddRemove-{2A8E36DD-061D-4877-9736-30E7266A4669} - c:\program files\InstallShield Installation Information\{2A8E36DD-061D-4877-9736-30E7266A4669}\setup.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-15 19:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\docume~1\DAVIDK~1\LOCALS~1\Temp\ArmUI.ini 148526 bytes

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys >>UNKNOWN [0x87037ECC]<<

c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86009879; SUB DWORD [EBP-0x4], 0x86009135; PUSH EDI; CALL 0xffffffffffffdf2c; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A50BAB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A580920]

5 PCTCore[0xB9DA3891] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A580B00]

[0x8A121658] -> IRP_MJ_CREATE -> 0x87037ECC

kernel: MBR read successfully

_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }

detected disk devices:

\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&2510770d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x87037AF1

user & kernel MBR OK

sectors 312499998 (+221): user != kernel

Warning: possible TDL3 rootkit infection !

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(5368)

c:\windows\system32\WININET.dll

c:\program files\Livedrive\LivedriveExtensions.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP3\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\windows\system32\drivers\CDAC11BA.EXE

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\windows\csifcsvc.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\fxssvc.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\Brother\Brmfcmon\BrMfimon.exe

c:\windows\stsystra.exe

c:\windows\eHome\ehmsas.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\program files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

.

**************************************************************************

.

Completion time: 2011-06-15 19:51:17 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-15 23:50

.

Pre-Run: 20,024,811,520 bytes free

Post-Run: 22,126,256,128 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - F36383A57AEAE665324FCD4B180EAD5C

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:44:28 PM, on 6/15/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\csifcsvc.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe

C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\winmine.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2786678

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: BrowserHelper Class - {EDF48A39-1442-463F-9F4E-F376A78D034A} - C:\Program Files\Livedrive\LivedriveExplorerExtensions.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"

O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Startup: Microsoft SharePoint Workspace.lnk = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

O4 - Global Startup: QuickBooks Remote Access.LNK = ?

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games

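As an added example (not part of the original thread, and not code from HijackThis or Malwarebytes), here is a small Python triage pass over HijackThis-style entries like those in the log above. It picks out the four kinds of lines a responder reads first: R0/R1 browser defaults whose host is not one of the expected Microsoft/Google/Bing defaults, O2/O3/O9 registrations marked "(file missing)" or "(no file)", O4 autoruns whose target is an unqualified file name (resolved through the search path) or sits under Downloaded Program Files or a temp/profile directory, and startup shortcuts HijackThis could not resolve ("= ?"). The allow-list of expected hosts and the list of path fragments are assumptions made for this example, and the `[ExampleAgent]` sample line is constructed; every other sample line is copied from the log above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample HijackThis entries. All but the [ExampleAgent] line are copied from the
# log posted above; that one is constructed to exercise the path-location check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2786678
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ExampleAgent] C:\WINDOWS\Downlo~1\Example\agent.exe /autorun
O4 - Global Startup: QuickBooks Remote Access.LNK = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# Hosts this example accepts as browser defaults. An assumption for the example
# (a local policy choice), not a list HijackThis itself maintains.
EXPECTED_BROWSER_HOSTS = {
    "go.microsoft.com", "www.microsoft.com", "www.msn.com", "www.bing.com", "www.google.com",
}

# Lower-cased path fragments where a persistent autorun binary warrants review.
# "\downlo~1\" is the 8.3 short name for "\Downloaded Program Files\".
REVIEW_PATH_FRAGMENTS = ("\\downlo~1\\", "\\downloaded program files\\", "\\temp\\", "\\application data\\")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?):\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _executable_of(command: str) -> str:
    """Return the program part of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _check_browser_setting(section: str, body: str, line: str) -> list[Finding]:
    """R0/R1: start page or search URL whose host is not an expected default."""
    if not any(k in body for k in ("Start Page", "Search", "Default_Page_URL")) or "=" not in body:
        return []
    host = urlparse(body.split("=", 1)[1].strip()).hostname
    if host and host.lower() not in EXPECTED_BROWSER_HOSTS:
        return [Finding(section, f"browser default points at unexpected host {host}", line)]
    return []


def _check_missing_target(section: str, body: str, line: str) -> list[Finding]:
    """O2/O3/O9: registration whose backing file HijackThis could not find."""
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return [Finding(section, "registered component has no file on disk", line)]
    return []


def _check_autorun(section: str, body: str, line: str) -> list[Finding]:
    """O4: autorun whose target is unresolved, unqualified, or in a download/temp path."""
    if body.endswith("= ?"):
        return [Finding(section, "startup shortcut target could not be resolved", line)]
    m = O4_RE.match(body)
    if not m:
        return []
    target = _executable_of(m.group("command"))
    if "\\" not in target:
        # A bare file name is located through the search path, so verify which
        # binary actually answers to it before trusting the entry.
        return [Finding(section, f"unqualified executable name {target!r} resolved via search path", line)]
    if any(frag in target.lower() for frag in REVIEW_PATH_FRAGMENTS):
        return [Finding(section, f"autorun target lives in a download/temp location: {target}", line)]
    return []


CHECKS = {"R0": _check_browser_setting, "R1": _check_browser_setting,
          "O2": _check_missing_target, "O3": _check_missing_target,
          "O9": _check_missing_target, "O4": _check_autorun}


def triage(log_text: str) -> list[Finding]:
    """Apply the section-specific check to every HijackThis entry in log_text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # running-process list, blank lines and other non-entry text
        check = CHECKS.get(m.group("section"))
        if check:
            findings.extend(check(m.group("section"), m.group("body"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A hit from this pass is a prompt to look, not a verdict: the Conduit start page and the orphaned BHO are cleanup candidates, while an unqualified `stsystra.exe` is normally the legitimate SigmaTel tray applet and only needs confirming that the file found via the search path is the expected one. The unresolved QuickBooks shortcut is worth chasing because a later tool in the thread resolves it to an executable under Downloaded Program Files.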

  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes a runtime log to the root of the system disk (the disk where the operating system is installed, usually C:\).

The log is named like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decide to uninstall it.

Reboot and post a fresh DDS log.


ComboFix 11-06-22.02 - David Khaski 06/22/2011 19:32:10.3.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2046.1705 [GMT -4:00]

Running from: c:\documents and settings\David Khaski\Desktop\ComboFix.exe

AV: Immunet Protect *Disabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\David Khaski\Application Data\msupdate.log

c:\documents and settings\Moise Khaski\Application Data\msupdate.log

c:\documents and settings\Moise Khaski\Desktop\Search.lnk

c:\windows\system32\bszip.dll

c:\windows\system32\drivers\npf.sys

.

.

((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))

.

.

2011-06-22 23:10 . 2011-06-22 23:29 -------- d-----w- C:\32788R22FWJFW

2011-06-19 07:36 . 2011-06-19 07:36 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS

2011-06-19 07:36 . 2011-06-19 07:36 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS

2011-06-19 07:36 . 2011-06-19 07:36 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS

2011-06-19 07:36 . 2011-06-19 07:36 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS

2011-06-19 07:36 . 2011-06-19 07:36 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS

2011-06-19 07:36 . 2011-06-19 07:36 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS

2011-06-19 07:36 . 2011-06-19 07:36 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS

2011-06-19 07:36 . 2011-06-19 07:36 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS

2011-06-19 07:35 . 2011-06-19 07:35 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS

2011-06-19 07:35 . 2011-06-19 07:35 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS

2011-06-19 07:35 . 2011-06-19 07:35 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS

2011-06-19 07:35 . 2011-06-19 07:35 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS

2011-06-19 07:35 . 2011-06-19 07:35 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS

2011-06-19 07:35 . 2011-06-19 07:35 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS

2011-06-19 07:35 . 2011-06-19 07:35 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS

2011-06-19 07:35 . 2011-06-19 07:35 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS

2011-06-19 07:35 . 2011-06-19 07:35 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS

2011-06-19 07:15 . 2011-06-19 07:15 77824 ----a-w- c:\windows\system32\drivers\tsk16E.tmp

2011-06-19 07:02 . 2011-06-19 07:02 -------- d-----w- C:\9a9de187a29165f0a8d87d

2011-06-19 07:00 . 2011-06-19 07:02 -------- d-----w- C:\b807216b11abdca78f

2011-06-16 11:27 . 2011-06-16 11:27 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\Immunet

2011-06-16 05:04 . 2011-06-16 05:05 -------- d-----w- C:\f7ca5591a6ec160bb54a0510e913d7b2

2011-06-16 03:56 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-16 01:37 . 2011-06-16 01:37 -------- d-----w- c:\documents and settings\All Users\Immunet

2011-06-16 01:37 . 2011-06-16 01:37 -------- d-----w- c:\documents and settings\David Khaski\Application Data\Immunet

2011-06-16 01:37 . 2011-06-16 01:37 31184 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys

2011-06-16 01:37 . 2011-06-16 01:37 41424 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys

2011-06-16 01:36 . 2011-06-22 23:22 -------- d-----w- c:\program files\Immunet Protect

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-14 13:17 . 2011-06-15 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\program files\NOS

2011-06-14 12:50 . 2011-06-14 12:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2011-06-13 03:06 . 2011-06-12 05:29 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-06-13 01:05 . 2011-05-25 19:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll

2011-06-12 23:49 . 2011-06-12 23:49 -------- d-----w- c:\documents and settings\David Khaski\Application Data\Registry Mechanic

2011-06-12 16:42 . 2010-08-05 12:46 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-06-12 16:42 . 2008-04-02 19:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-06-12 16:42 . 2008-04-02 19:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-06-12 16:42 . 2008-04-02 19:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-06-12 05:29 . 2011-06-12 05:29 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-12 05:27 . 2011-05-25 06:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-06-12 02:49 . 2011-06-12 02:50 -------- d-----w- c:\documents and settings\David Khaski\Local Settings\Application Data\Deployment

2011-06-12 02:42 . 2011-06-12 02:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-06-10 19:17 . 2011-06-10 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-06-10 01:55 . 2011-06-10 01:59 -------- dc-h--w- c:\windows\ie8

2011-06-10 01:47 . 2010-10-18 11:10 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VERIZON_BROAD

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ConduitEngine

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint

2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-06-07 16:35 . 2011-06-07 16:35 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

2011-05-29 20:43 . 2011-05-29 20:43 -------- d-----w- c:\program files\Common Files\Intuit Shared

2011-05-29 20:32 . 2011-05-31 12:05 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\Lacerte

2011-05-29 19:39 . 2009-08-20 21:40 4194304 ----a-w- c:\windows\system32\cdintf400.dll

2011-05-29 19:28 . 2011-05-29 19:49 -------- d-----w- C:\ProWin10

2011-05-29 18:54 . 2011-05-29 19:44 -------- d-----w- C:\BasWin10

2011-05-29 02:58 . 2011-05-29 03:03 -------- d-----w- c:\documents and settings\Moise Khaski\Application Data\CasinoOnNet

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-19 07:33 . 2005-08-16 10:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-06-16 05:17 . 2009-04-14 19:35 187328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll

2011-06-16 05:16 . 2009-04-14 19:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2011-06-15 15:38 . 2011-05-18 21:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 13:11 . 2009-07-21 00:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2009-07-21 00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52 . 2010-05-03 11:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 06:25 . 2007-04-27 12:59 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2006-01-24 11:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2008-04-29 21:19 . 2008-06-12 00:44 78561280 ----a-w- c:\program files\Common Files\ATX Fixed Asset Manager Evaluation Workstation.msi

2006-08-20 03:12 . 2006-08-20 03:12 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-11-17 22:07 . 2008-06-29 14:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]

@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"

[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]

@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"

[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]

@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"

[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]

@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"

[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]

"GrooveMonitor"="c:\program files\Microsoft Office\Office14\GROOVEMN.EXE" [2010-03-25 944008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-06-09 161336]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"Immunet Protect"="c:\program files\Immunet Protect\2.0.17\iptray.exe" [2011-06-16 2615624]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-12-03 126976]

.

c:\documents and settings\David Khaski\Start Menu\Programs\Startup\

Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Remote Access.LNK - c:\windows\Downlo~1\MyWebEx\319\raagtx.exe [2010-11-3 38200]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk

backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Remote Access.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK

backup=c:\windows\pss\QuickBooks Remote Access.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^David Khaski^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

path=c:\documents and settings\David Khaski\Start Menu\Programs\Startup\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2009-11-17 22:07 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1173191900\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livedrive]

2010-04-22 14:06 1348608 ----a-w- c:\program files\Livedrive\Livedrive.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-05-29 13:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]

2008-12-03 15:12 69632 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SavRoam"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"gupdate"=2 (0x2)

"GoogleDesktopManager-110309-193829"=3 (0x3)

"GameConsoleService"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"RPSUpdaterR"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"IDriverT"=3 (0x3)

"MyWebSearchService"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

"atnthost"=2 (0x2)

"Radialpoint Security Services"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Documents and Settings\\David Khaski\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1173191900\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AOL 9.0b\\waol.exe"=

"c:\\Program Files\\AOL 9.0c\\waol.exe"=

"c:\\Program Files\\AOL 9.0d\\waol.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\AOL 9.1a\\waol.exe"=

"c:\\Program Files\\AOL 9.1b\\waol.exe"=

"c:\\Program Files\\AOL 9.1c\\waol.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Documents and Settings\\David Khaski\\My Documents\\drjava-20080124-1942.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\My Games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=

"c:\\Magic\\Program\\Manalink.exe"=

"c:\\PVSW\\Bin\\W3DBSMGR.EXE"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\David Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Moise Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"54925:UDP"= 54925:UDP:Brother Network Scanner

"1:TCP"= 1:TCP:LPT1

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/23/2009 9:12 PM 207792]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/16/2007 10:10 AM 691696]

S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [7/28/2010 5:25 PM 146904]

S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [6/15/2011 9:37 PM 41424]

S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [6/15/2011 9:37 PM 31184]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S2 ImmunetProtect;Immunet Protect;c:\program files\Immunet Protect\2.0.17\agent.exe [6/15/2011 9:36 PM 756680]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2009 8:00 PM 366640]

S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2009 8:00 PM 22712]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]

S3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [6/23/2009 4:27 PM 20480]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 6:18 AM 14336]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 9:10 PM 359624]

S4 atnthost;WebEx Remote Access Agent;c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [11/3/2010 8:07 PM 16776]

S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/29/2008 10:31 AM 30192]

S4 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/16/2005 6:18 AM 5120]

S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 8:27 PM 124608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

bdx REG_MULTI_SZ scan sysagent

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 06:00]

.

2011-06-22 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-04 04:29]

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006Core.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006UA.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-06-17 c:\windows\Tasks\Norton Security Scan for Moise Khaski.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

.

2011-06-22 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-06-12 12:46]

.

2011-06-22 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-06-12 12:46]

.

2011-06-22 c:\windows\Tasks\User_Feed_Synchronization-{6780BEE6-2189-4DB0-92BD-64F495379380}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

2011-06-22 c:\windows\Tasks\User_Feed_Synchronization-{A78D56A3-BCEE-4D47-9CB7-18007CB57D6B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

TCP: DhcpNameServer = 192.168.1.1 68.237.161.12

FF - ProfilePath - c:\documents and settings\David Khaski\Application Data\Mozilla\Firefox\Profiles\ptkf1ro6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: XULRunner: {DB449582-D599-4237-8FDC-295649FBEFC4} - c:\documents and settings\David Khaski\Local Settings\Application Data\{DB449582-D599-4237-8FDC-295649FBEFC4}

FF - Ext: XULRunner: {3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1} - c:\documents and settings\Moise Khaski\Local Settings\Application Data\{3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1}

FF - Ext: XULRunner: {D9F7ED81-4825-48DD-8577-C84F0794B17A} - c:\documents and settings\Maurice Khaski\Local Settings\Application Data\{D9F7ED81-4825-48DD-8577-C84F0794B17A}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

Notify-NavLogon - (no file)

SafeBoot-81749221.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-22 20:01

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(268)

c:\windows\system32\WINHTTP.dll

.

Completion time: 2011-06-22 20:07:41

ComboFix-quarantined-files.txt 2011-06-23 00:07

ComboFix2.txt 2011-06-15 23:51

.

Pre-Run: 15,599,292,416 bytes free

Post-Run: 16,104,374,272 bytes free

.

- - End Of File - - 525BFC5BFD86FAB76793A23EE61BE758

HijackThis log:

SIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Google\Update\1.3.21.57\GoogleCrashHandler.exe

C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\csifcsvc.exe

C:\Program Files\Immunet Protect\2.0.17\agent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe

C:\Program Files\Brother\ControlCenter3\brccMCtl.exe

C:\Program Files\Brother\Brmfcmon\BrMfimon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\WINDOWS\stsystra.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe

C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

C:\WINDOWS\Downlo~1\MyWebEx\319\raagtx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

C:\WINDOWS\system32\winmine.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\MsiExec.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\David Khaski\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (file missing)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: BrowserHelper Class - {EDF48A39-1442-463F-9F4E-F376A78D034A} - C:\Program Files\Livedrive\LivedriveExplorerExtensions.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [immunet Protect] "C:\Program Files\Immunet Protect\2.0.17\iptray.exe"

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"

O4 - HKCU\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RealUpgradeHelper] "C:\Program Files\Common Files\Real\Update_OB\upgrdhlp.exe" "RealNetworks|RealPlayer|6.0" (User 'Default user')

O4 - Startup: Microsoft SharePoint Workspace.lnk = C:\Program Files\Microsoft Office\Office14\GROOVE.EXE

O4 - Global Startup: QuickBooks Remote Access.LNK = ?

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games


  • Staff

Hi,

Please see:

HijackThis Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

This goes for uTorrent and anything else you may have installed.


  • 2 weeks later...

Sorry about the delay; here is the new ComboFix log. If you see any other item related to P2P or stuff like that, please tell me so I can delete them.

ComboFix 11-07-07.06 - David Khaski 07/08/2011 10:39:05.5.2 - x86 MINIMAL

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2046.1616 [GMT -4:00]

Running from: c:\documents and settings\David Khaski\Desktop\ComboFix.exe

AV: Immunet Protect *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((( Files Created from 2011-06-08 to 2011-07-08 )))))))))))))))))))))))))))))))

.

.

2011-07-08 14:06 . 2011-07-08 14:33 -------- d-----w- C:\32788R22FWJFW

2011-06-19 07:15 . 2011-06-19 07:15 77824 ----a-w- c:\windows\system32\drivers\tsk16E.tmp

2011-06-19 07:02 . 2011-06-19 07:02 -------- d-----w- C:\9a9de187a29165f0a8d87d

2011-06-19 07:00 . 2011-06-19 07:02 -------- d-----w- C:\b807216b11abdca78f

2011-06-16 05:04 . 2011-06-16 05:05 -------- d-----w- C:\f7ca5591a6ec160bb54a0510e913d7b2

2011-06-16 03:56 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-16 01:37 . 2011-06-16 01:37 -------- d-----w- c:\documents and settings\All Users\Immunet

2011-06-16 01:37 . 2011-06-16 01:37 -------- d-----w- c:\documents and settings\David Khaski\Application Data\Immunet

2011-06-16 01:37 . 2011-06-16 01:37 31184 ----a-w- c:\windows\system32\drivers\ImmunetSelfProtect.sys

2011-06-16 01:37 . 2011-06-16 01:37 41424 ----a-w- c:\windows\system32\drivers\ImmunetProtect.sys

2011-06-16 01:36 . 2011-07-08 14:26 -------- d-----w- c:\program files\Immunet Protect

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\windows\system32\wbem\Repository

2011-06-14 13:17 . 2011-06-15 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2011-06-14 13:17 . 2011-06-14 13:17 -------- d-----w- c:\program files\NOS

2011-06-13 03:06 . 2011-06-12 05:29 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-06-13 01:05 . 2011-05-25 19:15 29544 ----a-w- c:\program files\Mozilla Firefox\plugins\np_gp.dll

2011-06-12 23:49 . 2011-06-12 23:49 -------- d-----w- c:\documents and settings\David Khaski\Application Data\Registry Mechanic

2011-06-12 16:42 . 2010-08-05 12:46 37336 ----a-w- c:\windows\system32\CleanMFT32.exe

2011-06-12 16:42 . 2008-04-02 19:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx

2011-06-12 16:42 . 2008-04-02 19:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx

2011-06-12 16:42 . 2008-04-02 19:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx

2011-06-12 05:29 . 2011-06-29 05:31 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-06-12 05:27 . 2011-05-25 06:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-06-12 02:49 . 2011-06-12 02:50 -------- d-----w- c:\documents and settings\David Khaski\Local Settings\Application Data\Deployment

2011-06-12 02:42 . 2011-06-12 02:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-06-10 19:17 . 2011-06-10 19:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2011-06-10 01:55 . 2011-06-10 01:59 -------- dc-h--w- c:\windows\ie8

2011-06-10 01:48 . 2011-06-14 13:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\VERIZON_BROAD

2011-06-10 01:47 . 2010-10-18 11:10 7680 ------w- c:\windows\system32\dllcache\iecompat.dll

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VERIZON_BROAD

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ConduitEngine

2011-06-10 01:42 . 2011-06-10 01:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Viewpoint

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-06-19 07:33 . 2005-08-16 10:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2011-06-16 05:17 . 2009-04-14 19:35 187328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll

2011-06-16 05:16 . 2009-04-14 19:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2011-06-15 15:38 . 2011-05-18 21:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-29 13:11 . 2009-07-21 00:00 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2009-07-21 00:00 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 08:52 . 2010-05-03 11:09 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 06:25 . 2007-04-27 12:59 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31 . 2005-08-16 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2005-08-16 10:18 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2006-01-24 11:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-08-16 10:18 385024 ------w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2005-08-16 10:18 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2008-04-29 21:19 . 2008-06-12 00:44 78561280 ----a-w- c:\program files\Common Files\ATX Fixed Asset Manager Evaluation Workstation.msi

2006-08-20 03:12 . 2006-08-20 03:12 774144 ----a-w- c:\program files\RngInterstitial.dll

2009-11-17 22:07 . 2008-06-29 14:32 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupOverlay]

@="{B44A5D93-1351-41A1-BD91-5E92435D8ECD}"

[HKEY_CLASSES_ROOT\CLSID\{B44A5D93-1351-41A1-BD91-5E92435D8ECD}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveDownloadOverlay]

@="{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}"

[HKEY_CLASSES_ROOT\CLSID\{CBCDB610-6B68-4EE9-B7A2-1282FD0C9292}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveSharedOverlay]

@="{84CEF1E4-1356-4063-845F-05047F4DD52C}"

[HKEY_CLASSES_ROOT\CLSID\{84CEF1E4-1356-4063-845F-05047F4DD52C}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\LivedriveUploadOverlay]

@="{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}"

[HKEY_CLASSES_ROOT\CLSID\{39A1715A-E4CD-4F1E-B5C4-36B5DB80124E}]

2010-04-22 14:06 329520 ----a-w- c:\program files\Livedrive\LivedriveExtensions.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-05 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]

"GrooveMonitor"="c:\program files\Microsoft Office\Office14\GROOVEMN.EXE" [2010-03-25 944008]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-11-12 1122304]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-08-12 114688]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-18 8192]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2010-06-09 161336]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"Immunet Protect"="c:\program files\Immunet Protect\2.0.17\iptray.exe" [2011-06-16 2615624]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2008-12-03 126976]

.

c:\documents and settings\David Khaski\Start Menu\Programs\Startup\

Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Remote Access.LNK - c:\windows\Downlo~1\MyWebEx\319\raagtx.exe [2010-11-3 38200]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ lsdelete

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Pervasive.SQL Workgroup Engine.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Pervasive.SQL Workgroup Engine.lnk

backup=c:\windows\pss\Pervasive.SQL Workgroup Engine.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Remote Access.LNK]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK

backup=c:\windows\pss\QuickBooks Remote Access.LNKCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^David Khaski^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

path=c:\documents and settings\David Khaski\Start Menu\Programs\Startup\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2009-11-17 22:07 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

2008-06-24 18:34 41824 ----a-w- c:\program files\Common Files\AOL\1173191900\ee\aolsoftware.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

2005-01-12 19:54 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livedrive]

2010-04-22 14:06 1348608 ----a-w- c:\program files\Livedrive\Livedrive.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2011-05-29 13:11 1047656 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]

2008-12-03 15:12 69632 ----a-w- c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SavRoam"=3 (0x3)

"MDM"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"gusvc"=2 (0x2)

"gupdate"=2 (0x2)

"GoogleDesktopManager-110309-193829"=3 (0x3)

"GameConsoleService"=3 (0x3)

"Bonjour Service"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"RPSUpdaterR"=3 (0x3)

"Pml Driver HPZ12"=2 (0x2)

"IDriverT"=3 (0x3)

"MyWebSearchService"=2 (0x2)

"WMPNetworkSvc"=2 (0x2)

"atnthost"=2 (0x2)

"Radialpoint Security Services"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Documents and Settings\\David Khaski\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\fxsclnt.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1173191900\\ee\\aolsoftware.exe"=

"c:\\Program Files\\AOL 9.0a\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AOL 9.0b\\waol.exe"=

"c:\\Program Files\\AOL 9.0c\\waol.exe"=

"c:\\Program Files\\AOL 9.0d\\waol.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\AOL 9.1a\\waol.exe"=

"c:\\Program Files\\AOL 9.1b\\waol.exe"=

"c:\\Program Files\\AOL 9.1c\\waol.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Documents and Settings\\David Khaski\\My Documents\\drjava-20080124-1942.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Basic\\QBDBMgrN.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\My Games\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\Brother\\Brmfl08i\\FAXRX.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\My Games\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=

"c:\\Magic\\Program\\Manalink.exe"=

"c:\\PVSW\\Bin\\W3DBSMGR.EXE"=

"c:\\DacEasy\\pvsw\\W3DBSMGR.EXE"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\David Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Moise Khaski\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"54925:UDP"= 54925:UDP:Brother Network Scanner

"1:TCP"= 1:TCP:LPT1

.

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/23/2009 9:12 PM 207792]

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/16/2007 10:10 AM 691696]

S1 CbFs;CbFs;c:\windows\system32\drivers\cbfs.sys [7/28/2010 5:25 PM 146904]

S1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [6/15/2011 9:37 PM 41424]

S1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [6/15/2011 9:37 PM 31184]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S2 ImmunetProtect;Immunet Protect;c:\program files\Immunet Protect\2.0.17\agent.exe [6/15/2011 9:36 PM 756680]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [7/20/2009 8:00 PM 366640]

S3 EraserUtilDrvI10;EraserUtilDrvI10;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:47 PM 135664]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/20/2009 8:00 PM 22712]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]

S3 ndisrd;WinpkFilter Service;c:\windows\system32\drivers\ndisrd.sys [6/23/2009 4:27 PM 20480]

S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/16/2005 6:18 AM 14336]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/23/2009 9:10 PM 359624]

S4 atnthost;WebEx Remote Access Agent;c:\windows\Downlo~1\MyWebEx\319\atnthost.exe [11/3/2010 8:07 PM 16776]

S4 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/29/2008 10:31 AM 30192]

S4 Radialpoint Security Services;Radialpoint Security Services;c:\windows\system32\dllhost.exe [8/16/2005 6:18 AM 5120]

S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 8:27 PM 124608]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

bdx REG_MULTI_SZ scan sysagent

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 11:19]

.

2011-07-08 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-04 04:29]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:47]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006Core.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611407486-3785993524-1144906567-1006UA.job

- c:\documents and settings\David Khaski\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-05 21:52]

.

2011-07-01 c:\windows\Tasks\Norton Security Scan for Moise Khaski.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 08:18]

.

2011-07-07 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-06-12 12:46]

.

2011-07-08 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-06-12 12:46]

.

2011-07-08 c:\windows\Tasks\User_Feed_Synchronization-{6780BEE6-2189-4DB0-92BD-64F495379380}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

2011-07-08 c:\windows\Tasks\User_Feed_Synchronization-{A78D56A3-BCEE-4D47-9CB7-18007CB57D6B}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

Trusted Zone: turbotax.com

Trusted Zone: musicmatch.com\online

TCP: DhcpNameServer = 192.168.1.1 68.237.161.12

FF - ProfilePath - c:\documents and settings\David Khaski\Application Data\Mozilla\Firefox\Profiles\ptkf1ro6.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine -

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}

FF - Ext: XULRunner: {DB449582-D599-4237-8FDC-295649FBEFC4} - c:\documents and settings\David Khaski\Local Settings\Application Data\{DB449582-D599-4237-8FDC-295649FBEFC4}

FF - Ext: XULRunner: {3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1} - c:\documents and settings\Moise Khaski\Local Settings\Application Data\{3E3F6067-6C88-44FE-BDD1-55DDEB47A6D1}

FF - Ext: XULRunner: {D9F7ED81-4825-48DD-8577-C84F0794B17A} - c:\documents and settings\Maurice Khaski\Local Settings\Application Data\{D9F7ED81-4825-48DD-8577-C84F0794B17A}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

Notify-NavLogon - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-08 11:01

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,96,59,70,a3,a3,2b,46,b4,32,e0,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(700)

c:\windows\system32\WININET.dll

c:\program files\Livedrive\LivedriveExtensions.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\msi.dll

.

Completion time: 2011-07-08 11:08:43

ComboFix-quarantined-files.txt 2011-07-08 15:08

.

Pre-Run: 29,249,413,120 bytes free

Post-Run: 29,346,783,232 bytes free

.

- - End Of File - - 5E539D2BE81C8A6E0A75DBBA08C2CA54


  • Staff

Hi,

I notice that you are using more than one antivirus program (Immunet, Spyware Doctor, and Symantec). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I ran the scan twice since I did not have enough time to finish the first scan. Here are the results from the first scan:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=fe29f44163fd944c8178c0bd1d33f383

# end=stopped

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-07-15 10:40:30

# local_time=2011-07-15 06:40:30 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 55704794 55704794 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=209610

# found=7

# cleaned=7

# scan_time=27034

C:\Documents and Settings\David Khaski\Application Data\Sun\Java\Deployment\cache\6.0\18\4f46b492-5636d65f multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\David Khaski\Application Data\Sun\Java\Deployment\cache\6.0\28\26d395dc-5cccc5f5 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\David Khaski\Application Data\Sun\Java\Deployment\cache\6.0\32\4e5c2020-3acb5031 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Maurice Khaski\Application Data\Sun\Java\Deployment\cache\6.0\28\7e4c53dc-4c03ac81 Java/TrojanDownloader.Agent.NCA trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Maurice Khaski\Local Settings\Temp\MGS54.tmp probably a variant of Win32/Agent.GZLOTD trojan (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Moise Khaski\Application Data\Sun\Java\Deployment\cache\6.0\22\69932116-7b5de284 Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Moise Khaski\Application Data\Sun\Java\Deployment\cache\6.0\50\2e0b34b2-24527d13 Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

__________________________

And the results of the second:

version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=fe29f44163fd944c8178c0bd1d33f383

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-07-17 03:34:50

# local_time=2011-07-17 11:34:50 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 55859597 55859597 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=513726

# found=0

# cleaned=0

# scan_time=19493


Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET Online Scanner v3

Symantec AntiVirus

Authentium AntiVirus SDK - 2

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner (remove only)

Java 6 Update 26

Java SE Development Kit 6 Update 4

Java SE Development Kit 6 Update 16

Java DB 10.4.2.1

Flash Player Out of Date!

Adobe Flash Player 10.0.45.2

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe

Ad-Aware AAWTray.exe

Malwarebytes' Anti-Malware mbamservice.exe

Malwarebytes' Anti-Malware mbamgui.exe

Symantec AntiVirus DefWatch.exe

Symantec AntiVirus Rtvscan.exe

``````````End of Log````````````

___________________

As for other issues, I have not really had any in the past few weeks since running the combofix, though apparently based on the ESET scan, there were some malware files. Also I should mention, I uninstalled Immunet and Spyware Doctor.


  • Staff

Hi,

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

HijackThis 2.0.2

Java™ SE Development Kit 6 Update 4

Java™ SE Development Kit 6 Update 16

Java DB 10.4.2.1

Adobe Flash Player 10.0.45.2

Restart your computer.

Get the latest version of Java and Adobe Flash Player.

Let me know what issues remain.

-screen317


  • Staff

Great!

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • 3 weeks later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
