
hello4



I just went to open the Start menu as the browser was doing what I described, and the Start menu would not open up and stay open; it would immediately close. I am assuming this is part of the same thing. I got MBAM running. I'll post the log as soon as I get home from work. It'll be in about 6 hrs.


ComboFix 11-07-20.02 - Owner 07/21/2011 14:48:57.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.565 [GMT -4:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\My Documents\CFScript.txt

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Fast Browser SearchP

.

.

((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))

.

.

2011-07-18 15:36 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2011-07-18 06:36 . 2011-07-18 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-07-18 01:54 . 2011-07-18 01:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-07-18 01:53 . 2011-07-18 01:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2011-07-18 01:50 . 2011-07-18 01:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-07-18 01:12 . 2011-07-18 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2011-07-18 01:12 . 2011-07-18 01:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-07-18 01:11 . 2011-07-18 01:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-07-17 02:08 . 2011-07-17 02:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache

2011-07-16 22:46 . 2011-07-16 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

2011-07-16 18:05 . 2011-07-16 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Skinux

2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL

2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FCTB000061649

2011-07-11 19:07 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData

2011-07-11 19:06 . 2011-07-17 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB

2011-07-08 17:21 . 2011-07-08 17:21 -------- d-----w- c:\program files\Apple Software Update

2011-07-08 17:18 . 2011-07-08 17:18 -------- d-----w- c:\program files\iPod

2011-07-08 17:18 . 2011-07-19 21:31 -------- d-----w- c:\program files\iTunes

2011-07-01 17:05 . 2011-07-01 17:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-25 00:04 . 2011-06-25 00:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Belkin

2011-06-25 00:01 . 2011-02-15 17:17 27072 ----a-w- c:\windows\system32\drivers\AFGSp50.sys

2011-06-25 00:00 . 2011-06-25 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Affinegy

2011-06-25 00:00 . 2011-06-25 00:00 -------- d-----w- c:\program files\Belkin

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-18 00:24 . 2005-04-13 18:50 45312 ----a-w- c:\windows\system32\drivers\ql12160.sys

2011-07-06 23:52 . 2009-04-01 01:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 23:52 . 2009-04-01 01:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 14:02 . 2005-04-13 16:56 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-26 10:44 . 2009-02-10 03:36 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2011-05-26 10:44 . 2009-02-10 03:36 88 --sh--r- c:\documents and settings\All Users\Application Data\0170302121.sys

2011-05-02 15:31 . 2005-04-13 17:16 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2005-04-13 16:56 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2005-04-13 16:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 22:35 . 2011-04-26 22:35 1752543 ----a-w- C:\rgo_installer.exe

2011-04-26 11:07 . 2005-04-13 16:56 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-26 11:07 . 2005-04-13 16:55 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-25 16:11 . 2005-04-13 16:56 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2005-04-13 16:55 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2005-04-13 16:55 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2005-04-13 16:55 385024 ----a-w- c:\windows\system32\html.iec

.

c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AOL 9.1\AOL .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\AOL\1123289240\EE\AOLSoftware .exe
c:\program files\Common Files\AOL\1123289240\EE\SSCRun .exe
c:\program files\Common Files\AOL\ACS\AOLDial .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140 .exe
c:\program files\CyberLink\PowerDVD\PDVDServ .exe
c:\program files\Digital Media Reader\shwiconem .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\RECGUARD .exe

.

((((((((((((((((((((((((((((( SnapShot_2011-07-20_18.21.10 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-07-21 19:01 . 2011-07-21 19:01 16384 c:\windows\temp\Perflib_Perfdata_74.dat

+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll

+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll

+ 2005-08-06 00:43 . 2011-07-21 07:04 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\mfc40u.dll

+ 2005-04-13 16:55 . 2010-09-18 06:53 954368 c:\windows\system32\mfc40.dll

- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll

+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll

+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\dllcache\mfc40u.dll

- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2010-09-24 01:02 . 2010-09-24 01:02 798208 c:\windows\Installer\26bb9ed.msp

- 2005-08-06 00:43 . 2011-07-19 19:37 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2011-07-21 07:05 . 2011-07-21 07:05 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4e3dd4d7f9aeda74a2fcefee036e5070\System.Web.Extensions.Design.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\4fb1c0c07f40248b463f2e33444b9477\System.Web.Entity.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\4dfcffc6e6d02bdcdc185d5527a8097e\System.Web.Entity.Design.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b921d1cffcd5e80ea14c51db967edd6\System.Web.DynamicData.ni.dll

+ 2010-08-05 14:57 . 2010-08-05 14:57 4066304 c:\windows\Installer\26bba22.msp

+ 2010-10-22 19:45 . 2010-10-22 19:45 8444928 c:\windows\Installer\26bba01.msp

+ 2011-07-21 07:05 . 2011-07-21 07:05 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\647bfe6da40e8160b967c41424901dc8\System.Web.Extensions.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ead07662976fb7094811461c568643d5\System.ServiceModel.Web.ni.dll

- 2009-08-09 07:10 . 2009-08-09 07:10 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

+ 2011-07-21 07:00 . 2011-07-21 07:01 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{8c49a3d1-585b-4eab-985d-6ad480b4f23d}"= "c:\program files\Kentucky Wildcats Toolbar\Helper.dll" [2010-02-06 242688]

.

[HKEY_CLASSES_ROOT\clsid\{8c49a3d1-585b-4eab-985d-6ad480b4f23d}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]

[HKEY_CLASSES_ROOT\TypeLib\{763C8C3E-9677-474E-B4BD-6ABC7DDDE090}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A118156-5307-4BFB-9548-B423FDF368A8}]

2010-02-06 22:47 1445888 ----a-w- c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]

.

[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]

.

[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Aim6"="" [N/A]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [N/A]

"AOL Fast Start"="c:\progra~1\AOL9~1.1\AOL.EXE" [N/A]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [N/A]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"CHotkey"="zHotkey.exe" [2005-05-03 543232]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2011-07-16 37380]

"HostManager"="c:\program files\Common Files\AOL\1123289240\ee\AOLSoftware.exe" [N/A]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]

"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-06 26112]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [N/A]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [N/A]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [N/A]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [N/A]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [N/A]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]

"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [N/A]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [N/A]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

KEYEXP.lnk - c:\documents and settings\Owner\My Documents\ben\KEYEXP.EXE [2003-11-7 838656]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-6-27 122880]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1123289240\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]

S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 8:44 AM 580992]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]

S3 pelps2m;i8042 Keyboard & PS/2 Mouse Port Driver;c:\windows\system32\drivers\pelps2m.sys [2/24/2006 6:31 PM 19968]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

2011-07-21 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-15 19:09]

.

2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]

.

2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]

.

2011-07-21 c:\windows\Tasks\User_Feed_Synchronization-{D4193A7F-2282-4635-B799-C73E7C516306}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://facebook.com/

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSzim029YYUS&fl=0&ptb=3cfl_pRGo3kTXXCMNJ9.8g&url=http://www.ask.com/web&q={searchTerms}&l=zs&o=sb

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: pogo.com\www

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.2.1

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pxkpp7yw.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/

FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - user.js: browser.search.order.1 - Search

FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-21 15:02

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(604)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3224)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\aolshare\aolshcpy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\zHotkey.exe

c:\windows\SOUNDMAN.EXE

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wscntfy.exe

c:\windows\eHome\ehmsas.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2011-07-21 15:08:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-21 19:08

ComboFix2.txt 2011-07-21 17:44

ComboFix3.txt 2011-07-20 20:40

ComboFix4.txt 2011-07-20 18:30

ComboFix5.txt 2011-07-21 18:41

.

Pre-Run: 155,434,274,816 bytes free

Post-Run: 155,414,970,368 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 37F3341058A0F04ACBB6C2D9C114AC36


Sorry, didn't realize it didn't copy right. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7232

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/22/2011 6:01:02 PM

mbam-log-2011-07-22 (18-01-01).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 354319

Time elapsed: 2 hour(s), 56 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Looking through my processes, I got one I'm wondering about. As far as I can tell it only showed up on my first ComboFix run. It is running 5 times, and almost all the time the number in the CPU column equals 100. My CPU is staying at 100.

2011-07-17 01:32:01 113152 ----a-w- c:\documents and settings\all users\application data\6QEoebUl.exe


Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\documents and settings\all users\application data\6QEoebUl.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If VirusTotal is too busy, you can try these:

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


virusscan.jotti.org

Filename: 6QEoebUl.exe

Status:

Scan finished. 9 out of 20 scanners reported malware.

Scan taken on: Sat 23 Jul 2011 15:47:23 (CET)

Scanners

[ArcaVir]

2011-07-23 Found nothing

[F-Secure Anti-Virus]

2011-07-23 Gen:Variant.Kazy.25302

[Avast! antivirus]

2011-07-23 Found nothing

[G DATA]

2011-07-23 Gen:Variant.Kazy.25302

[Grisoft AVG Anti-Virus]

2011-07-23 Found nothing

[ikarus]

2011-07-23 Gen.Variant.Kates

[Avira AntiVir]

2011-07-22 TR/Dropper.Gen

[Kaspersky Anti-Virus]

2011-07-23 Found nothing

[softwin BitDefender]

2011-07-23 Gen:Variant.Kazy.25302

[ESET NOD32]

2011-07-23 Win32/Kryptik.QLX

[ClamAV]

2011-07-23 Found nothing

[Panda Antivirus]

2011-07-23 Found nothing

[CPsecure]

2011-07-23 Found nothing

[Quick Heal]

2011-07-22 Found nothing

[Dr.Web]

2011-07-23 Found nothing

[sophos]

2011-07-23 Sus/UnkPack-C

[Emsisoft Anti-Malware]

2011-07-23 Gen.Variant.Kates!IK

[VirusBlokAda VBA32]

2011-07-22 Malware-Cryptor.Limpopo

[Frisk F-Prot Antivirus]

2011-07-22 Found nothing

[VirusBuster]

2011-07-22 Found nothing


First:

You need to update Java.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 26 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 26 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

    Next:

    Copy/paste the text in the Codebox below into notepad:

    Here's how to do that:

    Click Start > Run type Notepad click OK.

    This will open an empty notepad file:

    Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

    KillAll::

    File::
    c:\documents and settings\all users\application data\6QEoebUl.exe

    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\AOL 9.1\AOL .exe
    c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\AOL\1123289240\EE\AOLSoftware .exe
    c:\program files\Common Files\AOL\1123289240\EE\SSCRun .exe
    c:\program files\Common Files\AOL\ACS\AOLDial .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140 .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\Digital Media Reader\shwiconem .exe
    c:\program files\HP\HP Software Update\HPWuSchd2 .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\SMINST\RECGUARD .exe

    Save this file to your desktop as "CFScript".

    Here's how to do that:

    1. Click File;

    2. Click Save As... and change the directory to your desktop;

    3. Change the Save as type to "All Files";

    4. Type in the file name: CFScript

    5. Click Save ...


    Drag CFScript.txt into ComboFix.exe

    Then post the results log using Copy / Paste

    Also please describe how your computer behaves at the moment.

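The RenV:: list in the script above names, for each autorun binary, a copy whose file name carries a space before the extension (Reader_sl .exe beside the Reader_sl.exe that the Run key points at, and so on). The script below is an added example, not part of the helper's post and not ComboFix's own code: it walks a directory tree, reports every executable named with a space before its extension together with the same-named sibling that has no space, and emits RenV:: lines in the layout the post uses. The tree it scans is a constructed fixture built in a temporary folder, and the extension set (exe, dll, scr) is an assumption. A file name alone does not tell you which member of a pair is the legitimate binary; check a hash or the vendor's signature before acting on the output.

```python
import os
import re
import tempfile
from pathlib import Path

# "stem .ext": one or more spaces right before the extension. Extension set is an assumption.
SPACED_EXE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|scr)$", re.IGNORECASE)


def find_spaced_executables(root):
    """Walk root and return sorted (spaced_path, sibling_path_or_None) pairs.

    sibling is the file in the same folder whose name equals the spaced name
    with the space removed, i.e. the path an autorun entry would point at.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            m = SPACED_EXE.match(f)
            if not m:
                continue
            sibling = by_lower.get(f"{m['stem']}.{m['ext']}".lower())
            hits.append((os.path.join(dirpath, f),
                         os.path.join(dirpath, sibling) if sibling else None))
    return sorted(hits)


def build_renv_script(hits, kill_all=True):
    """Emit a script in the post's layout: optional KillAll:: then a RenV:: list of the spaced files."""
    lines = ["KillAll::", ""] if kill_all else []
    lines.append("RenV::")
    lines.extend(spaced for spaced, _ in hits)
    return "\n".join(lines) + "\n"


def build_sample_tree(base):
    """Constructed fixture: spaced copies beside same-named files, one orphan, one clean folder."""
    layout = {
        "Adobe/Reader 9.0/Reader": ["Reader_sl .exe", "Reader_sl.exe"],
        "iTunes": ["iTunesHelper .exe", "iTunesHelper.exe", "iTunes.exe"],
        "Orphan": ["lonely .exe"],
        "Clean": ["normal.exe", "readme.txt"],
    }
    for rel, names in layout.items():
        folder = Path(base, rel)
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).write_bytes(b"MZ")  # placeholder content, not a real PE


def scan_sample_tree():
    """Build the fixture in a temp dir, scan it, and return (hits, script) with paths made relative."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_spaced_executables(tmp)
        rel = [(os.path.relpath(s, tmp), os.path.relpath(b, tmp) if b else None)
               for s, b in hits]
        return rel, build_renv_script(rel)


if __name__ == "__main__":
    hits, script = scan_sample_tree()
    for spaced, sibling in hits:
        print(f"{spaced!r}  sibling: {sibling!r}")
    print(script)
```

Point find_spaced_executables at a real Program Files tree to get the same listing for a live machine; the orphan case (a spaced file with no sibling) is reported with None so it is not silently dropped.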

When I was rebooting after deleting the Java stuff, hello4 showed up as non-responsive again during the shutdown.

ComboFix 11-07-20.02 - Owner 07/24/2011 20:36:17.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.406 [GMT -4:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\My Documents\CFScript.txt

.

FILE ::

"c:\documents and settings\all users\application data\6QEoebUl.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\all users\application data\6QEoebUl.exe

c:\windows\Tasks\At1.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At2.job

.

.

((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))

.

.

2011-07-25 00:06 . 2011-07-25 00:05 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-07-24 09:01 . 2011-07-24 09:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo

2011-07-24 02:14 . 2011-07-24 02:14 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2011-07-23 07:25 . 2011-07-23 07:25 -------- d-----w- c:\windows\system32\%APPDATA%

2011-07-18 15:36 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll

2011-07-18 06:36 . 2011-07-18 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2011-07-18 01:54 . 2011-07-18 01:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2011-07-18 01:53 . 2011-07-18 01:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

2011-07-18 01:50 . 2011-07-18 01:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-07-18 01:12 . 2011-07-18 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData

2011-07-18 01:12 . 2011-07-18 01:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2011-07-18 01:11 . 2011-07-18 01:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2011-07-17 02:08 . 2011-07-17 02:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache

2011-07-16 22:46 . 2011-07-16 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

2011-07-16 18:05 . 2011-07-16 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Skinux

2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL

2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FCTB000061649

2011-07-11 19:07 . 2011-07-25 00:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData

2011-07-11 19:06 . 2011-07-17 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB

2011-07-08 17:21 . 2011-07-08 17:21 -------- d-----w- c:\program files\Apple Software Update

2011-07-08 17:18 . 2011-07-08 17:18 -------- d-----w- c:\program files\iPod

2011-07-08 17:18 . 2011-07-25 00:36 -------- d-----w- c:\program files\iTunes

2011-07-01 17:05 . 2011-07-01 17:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-25 00:05 . 2010-08-05 02:05 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-18 00:24 . 2005-04-13 18:50 45312 ----a-w- c:\windows\system32\drivers\ql12160.sys

2011-07-06 23:52 . 2009-04-01 01:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 23:52 . 2009-04-01 01:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-02 14:02 . 2005-04-13 16:56 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-26 10:44 . 2009-02-10 03:36 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys

2011-05-26 10:44 . 2009-02-10 03:36 88 --sh--r- c:\documents and settings\All Users\Application Data\0170302121.sys

2011-05-02 15:31 . 2005-04-13 17:16 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2005-04-13 16:56 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2005-04-13 16:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 22:35 . 2011-04-26 22:35 1752543 ----a-w- C:\rgo_installer.exe

2011-04-26 11:07 . 2005-04-13 16:56 293376 ----a-w- c:\windows\system32\winsrv.dll

2011-04-26 11:07 . 2005-04-13 16:55 33280 ----a-w- c:\windows\system32\csrsrv.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-07-20_18.21.10 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-07-25 00:51 . 2011-07-25 00:51 16384 c:\windows\temp\Perflib_Perfdata_850.dat

+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll

+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll

+ 2005-08-06 00:43 . 2011-07-21 07:04 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe

+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\mfc40u.dll

+ 2005-04-13 16:55 . 2010-09-18 06:53 954368 c:\windows\system32\mfc40.dll

+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll

- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll

- 2011-04-04 11:06 . 2011-02-03 01:40 157472 c:\windows\system32\javaws.exe

+ 2011-07-25 00:06 . 2011-07-25 00:05 157472 c:\windows\system32\javaws.exe

+ 2011-07-25 00:06 . 2011-07-25 00:05 145184 c:\windows\system32\javaw.exe

- 2011-04-04 11:06 . 2011-02-03 01:40 145184 c:\windows\system32\javaw.exe

+ 2011-07-25 00:06 . 2011-07-25 00:05 145184 c:\windows\system32\java.exe

- 2011-04-04 11:06 . 2011-02-03 01:40 145184 c:\windows\system32\java.exe

+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\dllcache\mfc40u.dll

- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll

+ 2002-09-14 06:42 . 2002-09-14 06:42 212992 c:\windows\SMINST\RECGUARD.exe

+ 2011-07-25 00:05 . 2011-07-25 00:05 675840 c:\windows\Installer\c1278.msi

+ 2010-09-24 01:02 . 2010-09-24 01:02 798208 c:\windows\Installer\26bb9ed.msp

+ 2005-08-06 00:43 . 2011-07-21 07:04 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe

- 2005-08-06 00:43 . 2011-07-19 19:37 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2005-08-06 00:43 . 2011-07-21 07:04 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe

+ 2011-07-21 07:05 . 2011-07-21 07:05 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4e3dd4d7f9aeda74a2fcefee036e5070\System.Web.Extensions.Design.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\4fb1c0c07f40248b463f2e33444b9477\System.Web.Entity.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\4dfcffc6e6d02bdcdc185d5527a8097e\System.Web.Entity.Design.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b921d1cffcd5e80ea14c51db967edd6\System.Web.DynamicData.ni.dll

+ 2010-08-05 14:57 . 2010-08-05 14:57 4066304 c:\windows\Installer\26bba22.msp

+ 2010-10-22 19:45 . 2010-10-22 19:45 8444928 c:\windows\Installer\26bba01.msp

+ 2011-07-21 07:05 . 2011-07-21 07:05 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\647bfe6da40e8160b967c41424901dc8\System.Web.Extensions.ni.dll

+ 2011-07-21 07:05 . 2011-07-21 07:05 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ead07662976fb7094811461c568643d5\System.ServiceModel.Web.ni.dll

+ 2011-07-21 07:00 . 2011-07-21 07:01 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

- 2009-08-09 07:10 . 2009-08-09 07:10 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{8c49a3d1-585b-4eab-985d-6ad480b4f23d}"= "c:\program files\Kentucky Wildcats Toolbar\Helper.dll" [2010-02-06 242688]

.

[HKEY_CLASSES_ROOT\clsid\{8c49a3d1-585b-4eab-985d-6ad480b4f23d}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]

[HKEY_CLASSES_ROOT\TypeLib\{763C8C3E-9677-474E-B4BD-6ABC7DDDE090}]

[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A118156-5307-4BFB-9548-B423FDF368A8}]

2010-02-06 22:47 1445888 ----a-w- c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]

.

[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]

.

[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]

[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AOL Fast Start"="c:\progra~1\AOL9~1.1\AOL.EXE" [2008-11-06 50472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]

"CHotkey"="zHotkey.exe" [2005-05-03 543232]

"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"HostManager"="c:\program files\Common Files\AOL\1123289240\ee\AOLSoftware.exe" [2008-06-24 41824]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-06 26112]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-24 233936]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

KEYEXP.lnk - c:\documents and settings\Owner\My Documents\ben\KEYEXP.EXE [2003-11-7 838656]

OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-6-27 122880]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1123289240\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]

S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 8:44 AM 580992]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]

S3 pelps2m;i8042 Keyboard & PS/2 Mouse Port Driver;c:\windows\system32\drivers\pelps2m.sys [2/24/2006 6:31 PM 19968]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]

.

2011-07-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-15 19:09]

.

2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]

.

2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]

.

2011-07-24 c:\windows\Tasks\User_Feed_Synchronization-{D4193A7F-2282-4635-B799-C73E7C516306}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://facebook.com/

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSzim029YYUS&fl=0&ptb=3cfl_pRGo3kTXXCMNJ9.8g&url=http://www.ask.com/web&q={searchTerms}&l=zs&o=sb

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

Trusted Zone: intuit.com\ttlc

Trusted Zone: pogo.com\www

Trusted Zone: turbotax.com

TCP: DhcpNameServer = 192.168.2.1

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pxkpp7yw.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/

FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com

FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

FF - user.js: browser.search.order.1 - Search

FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Aim6 - (no file)

HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe

HKLM-Run-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-24 20:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,61,5a,af,58,61,f4,40,97,28,40,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,61,5a,af,58,61,f4,40,97,28,40,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(604)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2148)

c:\windows\system32\WININET.dll

c:\documents and settings\Owner\My Documents\ben\KYX95HK.DLL

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\aolshare\aolshcpy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\zHotkey.exe

c:\windows\SOUNDMAN.EXE

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\progra~1\AOL9~1.1\waol.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\OpenOffice.org 3\program\soffice.exe

c:\program files\OpenOffice.org 3\program\soffice.bin

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Common Files\Protexis\License Service\PsiService_2.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\dllhost.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\eHome\ehmsas.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\progra~1\AOL9~1.1\shellmon.exe

.

**************************************************************************

.

Completion time: 2011-07-24 21:01:24 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-25 01:01

ComboFix2.txt 2011-07-21 19:08

ComboFix3.txt 2011-07-21 17:44

ComboFix4.txt 2011-07-20 20:40

ComboFix5.txt 2011-07-25 00:26

.

Pre-Run: 155,965,509,632 bytes free

Post-Run: 155,972,915,200 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 14691DC6C689A96A48F852EBA91F3365


Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


We shall try a different one.

Please download Dr.Web CureIt . Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run the express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and, if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

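The DrWeb.csv report requested above is a semicolon-separated list of name;directory;verdict;action; entries. The parser below is an added example, not Dr.Web's code and not part of the helper's post: it reads such lines, marks entries whose directory sits under ComboFix's C:\Qoobox\Quarantine folder (files an earlier step had already quarantined) and entries whose verdict starts with "Probably" (a heuristic rather than a signature match), and lists what was deleted from live paths so that a reviewer can see at a glance which deletions touched files that were still in use. The sample input is constructed in the report's format from entries of the kind this thread's scan results show; the field order and the "Probably" prefix convention are taken from those lines and are assumptions about the format in general.

```python
from collections import Counter
from dataclasses import dataclass

# ComboFix keeps its quarantine under this folder (path as it appears in the report).
QUARANTINE_PREFIX = r"C:\Qoobox\Quarantine"


@dataclass(frozen=True)
class Finding:
    name: str        # file name
    directory: str   # folder containing it
    verdict: str     # detection name
    action: str      # what the scanner did, e.g. "Incurable.Deleted."

    @property
    def path(self):
        return f"{self.directory}\\{self.name}"

    @property
    def heuristic(self):
        # Verdicts prefixed "Probably" are treated as heuristic (assumption based on the report lines).
        return self.verdict.startswith("Probably ")

    @property
    def already_quarantined(self):
        return self.directory.lower().startswith(QUARANTINE_PREFIX.lower())


def parse_drweb_report(text):
    """Parse 'name;directory;verdict;action;' lines into Finding objects; blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected field count in line: {raw!r}")
        findings.append(Finding(*fields))
    return findings


def triage(findings):
    """Summarise: totals, heuristic count, how many were already in quarantine, live deletions."""
    live = [f for f in findings if not f.already_quarantined]
    return {
        "total": len(findings),
        "heuristic": sum(f.heuristic for f in findings),
        "in_quarantine": len(findings) - len(live),
        "live_deleted": sorted(f.path for f in live if f.action.startswith("Incurable.Deleted")),
        "live_heuristic": sorted(f.path for f in live if f.heuristic),
        "verdicts": Counter(f.verdict for f in findings),
    }


# Constructed sample in the report's format (entries modelled on this thread's scan results).
SAMPLE = r"""
msmsgs.exe;c:\program files\messenger;Probably Trojan.Packed;Incurable.Deleted.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably Trojan.Packed;Incurable.Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Deleted.;
Launch.exe;C:\Program Files\Oberon Media\Lottso! Deluxe;Trojan.DownLoader1.5776;Incurable.Moved.;
6QEoebUl.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Trojan.DownLoad2.31585;Deleted.;
Reader_sl.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader;Probably Trojan.Packed;Incurable.Deleted.;
QTTask .exe.vir;C:\Qoobox\Quarantine\C\Program Files\QuickTime;Probably Trojan.Packed;Incurable.Deleted.;
"""

if __name__ == "__main__":
    summary = triage(parse_drweb_report(SAMPLE))
    for key in ("total", "heuristic", "in_quarantine"):
        print(f"{key}: {summary[key]}")
    print("deleted from live paths:")
    for p in summary["live_deleted"]:
        print("  ", p)
```

The live_heuristic list is the one to read first: a heuristic verdict on a file outside the quarantine folder that was then deleted is exactly the case where a false positive costs a working program, and the file is gone rather than recoverable from quarantine.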

msmsgs.exe;c:\program files\messenger;Probably Trojan.Packed;Incurable.Deleted.;

config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_1.10.7.1;Probably BACKDOOR.Trojan;Incurable.Deleted.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4028;Probably BACKDOOR.Trojan;Incurable.Deleted.;

ppctl.dll;C:\Program Files\Common Files\AOL\1123289240\EE\services\antispyware\ver2_4_9_1\resources;Probably DLOADER.Trojan;Incurable.Deleted.;

GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Deleted.;

ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Deleted.;

mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably Trojan.Packed;Incurable.Deleted.;

mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Deleted.;

Launch.exe;C:\Program Files\Oberon Media\Lottso! Deluxe;Trojan.DownLoader1.5776;Incurable.Moved.;

Launch.exe;C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring;Trojan.DownLoader1.5776;Incurable.Moved.;

6QEoebUl.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Trojan.DownLoad2.31585;Deleted.;

6QEoebUl.exe_.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Probably Trojan.Packed.116;Incurable.Deleted.;

OctoshapeClient .exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Octoshape\Octoshape Streaming Services;Probably Trojan.Packed;Incurable.Deleted.;

OctoshapeClient.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Octoshape\Octoshape Streaming Services;Probably Trojan.Packed;Incurable.Deleted.;

Reader_sl.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader;Probably Trojan.Packed;Incurable.Deleted.;

atiptaxx.exe.vir;C:\Qoobox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel;Probably Trojan.Packed;Incurable.Deleted.;

BelkinRouterMonitor.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Belkin\Router Setup and Monitor;Probably Trojan.Packed;Incurable.Deleted.;

AdobeARM.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Adobe\ARM\1.0;Probably Trojan.Packed;Incurable.Deleted.;

AOLSoftware.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE;Probably Trojan.Packed;Incurable.Deleted.;

SSCRun.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE;Probably Trojan.Packed;Incurable.Deleted.;

AOLSP Scheduler.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE\services\safetyCore\ver210_5_2_1;Probably Trojan.Packed;Incurable.Deleted.;

AOLDial.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\ACS;Probably Trojan.Packed;Incurable.Deleted.;

AppleSyncNotifier.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support;Probably Trojan.Packed;Incurable.Deleted.;

ACDaemon.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\ArcSoft\Connection Service\Bin;Probably Trojan.Packed;Incurable.Deleted.;

jusched.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update;Probably Trojan.Packed;Incurable.Deleted.;

QFSCHD140.EXE.vir;C:\Qoobox\Quarantine\C\Program Files\Corel\WordPerfect Office X4\Programs;Probably Trojan.Packed;Incurable.Deleted.;

PDVDServ.exe.vir;C:\Qoobox\Quarantine\C\Program Files\CyberLink\PowerDVD;Probably Trojan.Packed;Incurable.Deleted.;

shwiconem.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Digital Media Reader;Probably Trojan.Packed;Incurable.Deleted.;

HPWuSchd2.exe.vir;C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update;Probably Trojan.Packed;Incurable.Deleted.;

iTunesHelper.exe.vir;C:\Qoobox\Quarantine\C\Program Files\iTunes;Probably Trojan.Packed;Incurable.Deleted.;

mcvsescn.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\antivirus;Probably Trojan.Packed;Incurable.Deleted.;

oasclnt.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\antivirus;Probably Trojan.Packed;Incurable.Deleted.;

MPfTray.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\personal firewall;Probably Trojan.Packed;Incurable.Deleted.;

QTTask .exe.vir;C:\Qoobox\Quarantine\C\Program Files\QuickTime;Probably Trojan.Packed;Incurable.Deleted.;

QTTask.exe.vir;C:\Qoobox\Quarantine\C\Program Files\QuickTime;Probably Trojan.Packed;Incurable.Deleted.;

McciTrayApp.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Verizon;Probably Trojan.Packed;Incurable.Deleted.;

WMPNSCFG.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Windows Media Player;Probably Trojan.Packed;Incurable.Deleted.;

AOL.EXE.vir;C:\Qoobox\Quarantine\C\PROGRA~1\AOL9~1.1;Probably Trojan.Packed;Incurable.Deleted.;

dwtrig20.exe.vir;C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\MICROS~1\DW;Probably Trojan.Packed;Incurable.Deleted.;

ICO.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed;Incurable.Deleted.;

nAQATYM6.exe_.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.116;Incurable.Deleted.;

A0020854.EXE;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP15;Probably Trojan.Packed;Incurable.Deleted.;

A0020861.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP15;Trojan.DownLoad2.31585;Deleted.;

A0020992.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP18;Probably Trojan.Packed;Incurable.Deleted.;

A0020993.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP19;Trojan.DownLoader1.5776;Incurable.Moved.;

A0020994.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP19;Trojan.DownLoader1.5776;Incurable.Moved.;

A0012092.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP2;Probably Trojan.Packed;Incurable.Deleted.;

A0012093.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP2;Probably Trojan.Packed;Incurable.Deleted.;

A0012131.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed;Incurable.Deleted.;

A0012132.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed;Incurable.Deleted.;

A0013139.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed.116;Incurable.Deleted.;

A0019334.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP8;Probably BACKDOOR.Trojan;Incurable.Deleted.;

A0019802.EXE;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP9;Probably Trojan.Packed;Incurable.Deleted.;

CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Deleted.;

AOLicon.EXE;C:\WINDOWS\OPTIONS;Trojan.MulDrop2.17815;Incurable.Moved.;

recovery_guide_em_eng_9532288.exe;D:\i386\Apps\App00398;Trojan.MulDrop2.14884;Incurable.Moved.;
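The report above is a list of `name;directory;detection;action;` records. As an added example (not part of this thread, and not from the scanner's own tooling), here is a small Python parser that sorts the entries the way a reviewer reads them: "Probably ..." verdicts (heuristic, not a named signature) versus signature hits, and files already sitting in ComboFix's Qoobox quarantine or in System Restore snapshots versus hits on live paths. The sample lines are copied from the report; the field order and the meaning of the "Probably" prefix are read off the lines themselves, which is an assumption.

```python
from collections import Counter

# Constructed sample: a handful of lines copied from the report above.
SAMPLE_REPORT = r"""
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably Trojan.Packed;Incurable.Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Deleted.;
Launch.exe;C:\Program Files\Oberon Media\Lottso! Deluxe;Trojan.DownLoader1.5776;Incurable.Moved.;
6QEoebUl.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Trojan.DownLoad2.31585;Deleted.;
jusched.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update;Probably Trojan.Packed;Incurable.Deleted.;
A0019334.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP8;Probably BACKDOOR.Trojan;Incurable.Deleted.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Deleted.;
"""


def parse_report(text):
    """Parse 'name;directory;detection;action;' lines into dicts.

    Lines that do not have exactly four fields are skipped as non-detections.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rstrip(";").split(";")
        if len(parts) != 4:
            continue
        name, directory, detection, action = (p.strip() for p in parts)
        low = directory.lower()
        entries.append({
            "name": name,
            "path": directory + "\\" + name,
            "detection": detection,
            "action": action,
            # "Probably ..." verdicts are heuristic, not named-signature matches
            "heuristic": detection.startswith("Probably "),
            # ComboFix's own quarantine: .vir copies that were already neutralised
            "in_quarantine": low.startswith(r"c:\qoobox\quarantine"),
            # System Restore snapshots: inactive copies, cleared by resetting restore points
            "in_restore_point": r"\system volume information\_restore" in low,
        })
    return entries


def summarize(entries):
    """Return the counts a reviewer wants: how many hits are heuristic, how many
    sit in quarantine or restore points, and which signature hits were on live paths."""
    live_sig = [e["path"] for e in entries
                if not e["heuristic"] and not e["in_quarantine"] and not e["in_restore_point"]]
    return {
        "total": len(entries),
        "heuristic": sum(e["heuristic"] for e in entries),
        "signature": sum(not e["heuristic"] for e in entries),
        "in_quarantine": sum(e["in_quarantine"] for e in entries),
        "in_restore_point": sum(e["in_restore_point"] for e in entries),
        "by_detection": Counter(e["detection"] for e in entries),
        "by_action": Counter(e["action"] for e in entries),
        "live_signature_hits": live_sig,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the full report, the `live_signature_hits` list is the short list worth a second look; the heuristic hits on `.vir` copies in `C:\Qoobox\Quarantine` are files ComboFix had already moved aside.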


It seems like everything is running right except the system idle thingie that pops up when you press Alt, Ctrl, Delete. The only thing that pops up is a window with the processes running. I don't have the tabs that let me switch to programs anymore. It doesn't tell me the CPU usage at the bottom like it did, and I have no menu bar at the top of it either anymore. It started doing this Saturday night.


Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START, then Run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START, then Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA - Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
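Steps 5 through 10 of the Internet Explorer instructions above correspond to six Internet-zone action values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (value names 1001, 1004, 1201, 1800, 1804 and 1607, with DWORD data 0 = Enable, 1 = Prompt, 3 = Disable, as documented by Microsoft for IE security zones). As an added example, not from this thread or from any of the tools mentioned in it, here is a Python script that audits the current user's settings against those recommendations and reports what differs; it only reads, leaving the change to the Custom Level dialog. On Windows it reads the registry; elsewhere it runs against a constructed sample that is an assumption, not real IE defaults.

```python
import sys

# Internet zone (zone 3) of the current user, per Microsoft's IE security-zone documentation
ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3   # DWORD data for each zone action
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# value name -> (setting as shown in the Custom Level dialog, recommended data); steps 5-10 above
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current):
    """Compare {value_name: dword} against RECOMMENDED.

    Enable (0) < Prompt (1) < Disable (3) in strictness, so a value that is at
    least as strict as the recommendation passes. Returns a list of
    (value_name, description, current_label, recommended_label) findings.
    """
    findings = []
    for code, (desc, want) in RECOMMENDED.items():
        have = current.get(code)
        if have in LABEL and have >= want:
            continue
        have_label = LABEL.get(have, "missing" if have is None else f"unknown ({have})")
        findings.append((code, desc, have_label, LABEL[want]))
    return findings


def harden(current):
    """Return a copy of the settings with every finding raised to the recommendation."""
    fixed = dict(current)
    for code, _desc, _have, _want in audit_zone(current):
        fixed[code] = RECOMMENDED[code][1]
    return fixed


def read_zone_from_registry():
    """Read the six values for the current user. Windows only (uses winreg)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for code in RECOMMENDED:
            try:
                data, kind = winreg.QueryValueEx(key, code)
            except FileNotFoundError:
                continue          # value not set: reported as "missing" by audit_zone
            if kind == winreg.REG_DWORD:
                values[code] = data
    return values


# Constructed sample (an assumption, not real IE defaults): three settings are weaker than recommended
SAMPLE_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": PROMPT,
                  "1800": PROMPT, "1804": ENABLE, "1607": DISABLE}


if __name__ == "__main__":
    current = read_zone_from_registry() if sys.platform == "win32" else SAMPLE_CURRENT
    findings = audit_zone(current)
    if not findings:
        print("All six Internet-zone settings meet the recommendation.")
    for code, desc, have, want in findings:
        print(f"{code} {desc}: is {have}, recommended {want}")
```

A setting stricter than recommended (for example 1607 set to Disable where Prompt is asked for) is not reported, since the point of the steps is a floor, not an exact match; a value outside 0/1/3 is reported as unknown so it gets looked at rather than silently accepted.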

