IP-BLOCK 208.73.210.29

DollyDagger · August 31, 2011

Hello,

Malwarebytes blocked access to 208.73.210.29 last night, while computer was in sleep mode.

I was asleep as well, and was awoken by the sound that windows makes when you plug in a device(duh-DUNT!)

I opened the lid on my laptop, logged back on, and saw the tooltip balloon message.

(note: I am a Pro-Version user)

Here is the related protection log:

00:00:00 Owner MESSAGE Scheduled scan executed successfully

00:24:04 Owner MESSAGE Scheduled update executed successfully

00:24:05 Owner MESSAGE IP Protection stopped

00:24:07 Owner MESSAGE Scheduled scan executed successfully

00:24:24 Owner MESSAGE Database updated successfully

00:24:26 Owner MESSAGE IP Protection started successfully

00:52:07 Owner MESSAGE Scheduled update executed successfully

00:52:08 Owner MESSAGE IP Protection stopped

00:52:10 Owner MESSAGE Scheduled scan executed successfully

00:52:16 Owner MESSAGE Database updated successfully

00:52:18 Owner MESSAGE IP Protection started successfully

06:57:03 Owner MESSAGE Scheduled update executed successfully

06:57:04 Owner MESSAGE IP Protection stopped

06:57:06 Owner MESSAGE Scheduled scan executed successfully

06:57:06 Owner MESSAGE Database updated successfully

06:57:08 Owner MESSAGE IP Protection started successfully

09:42:03 Owner MESSAGE Scheduled update executed successfully

09:42:04 Owner MESSAGE IP Protection stopped

09:42:06 Owner MESSAGE Scheduled scan executed successfully

09:42:06 Owner MESSAGE Database updated successfully

09:42:08 Owner MESSAGE IP Protection started successfully

15:16:04 Owner MESSAGE Scheduled update executed successfully

15:16:05 Owner MESSAGE IP Protection stopped

15:16:07 Owner MESSAGE Scheduled scan executed successfully

15:16:08 Owner MESSAGE Database updated successfully

15:16:10 Owner MESSAGE IP Protection started successfully

21:37:04 Owner MESSAGE Scheduled update executed successfully

21:37:05 Owner MESSAGE IP Protection stopped

21:37:07 Owner MESSAGE Scheduled scan executed successfully

21:37:18 Owner MESSAGE Database updated successfully

21:37:20 Owner MESSAGE IP Protection started successfully

22:23:14 Owner IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 51973, Process: firefox.exe)

22:23:14 Owner IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 51974, Process: firefox.exe)

22:23:14 Owner IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 51975, Process: firefox.exe)

22:23:22 Owner IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 51979, Process: firefox.exe)

I have already run a full scan with MB, and then a full system scan with Norton.

Nothing came up as malicious.

I did a web search(Startpage.com https) on the blocked IP. Of course, the first search result directed me to this forum...

This is obviously not a good site for my computer

to try to access without my permission, IN sleep mode no less!

I've been told that you guys/gals are extremely helpful with these matters.

Thank you for your time

Blade81 · September 1, 2011

Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds file to run the tool.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
[*]Save both reports to your desktop. Post them back to your topic.

DollyDagger · September 2, 2011

Attach_dds.zip

Hi,
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds file to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
[*]Save both reports to your desktop. Post them back to your topic.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Owner at 22:40:49 on 2011-09-01

.

============== Running Processes ===============

.

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe

C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe

C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe

C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Users\Owner\Desktop\dds.scr

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://xfinity.comcast.net/?

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No File

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {58ECB495-38F0-49cb-A538-10282ABF65E7}

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A49582D6-6B4A-4C8C-B57D-F1BA9D1EFB27} : DhcpNameServer = 192.168.1.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

BHO-X64: Symantec NCO BHO - No File

BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL

BHO-X64: Symantec Intrusion Prevention - No File

BHO-X64: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

TB-X64: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - No File

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

IE-X64: {58ECB495-38F0-49cb-A538-10282ABF65E7}

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8vqib4s4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=

FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS

FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prfh=sslEEE1N1Nfont_sizeEEEmediumN1Nlanguage_uiEEEenglishN1Ndisable_open_in_new_windowEEE0N1Ndisable_family_filterEEE1N1Nnum_of_resultsEEE10N1NlanguageEEEenglishN1Ndisable_video_family_filterEEE1N1NsuggestionsEEE0N1NorSave%20My%20SettingsClear%20Settings%20Saving%20your%20settings%20will%20set%20a%20anonymous%20%27cookie%27%20in%20your%20browser%20that%20remembers%20the%20setting%20for%20your%20next%20visit.|http://xfinity.comcast.net/?

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R? BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver

R? clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64

R? NETw4v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit

R? PerfHost;Performance Counter DLL Host

R? USBAAPL64;Apple Mobile USB Driver

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? AdobeARMservice;Adobe Acrobat Update Service

S? BHDrvx64;BHDrvx64

S? FontCache;Windows Font Cache Service

S? IDSVia64;IDSVia64

S? MBAMProtector;MBAMProtector

S? MBAMService;MBAMService

S? N360;Norton Security Suite

S? NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit

S? SymDS;Symantec Data Store

S? SymEFA;Symantec Extended File Attributes

S? SymIRON;Symantec Iron Driver

S? SYMTDIv;Symantec Vista Network Dispatch Driver

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-09-01 03:18:47 -------- d-----w- C:\Users\Owner\AppData\Local\Apple Computer

2011-09-01 02:40:26 -------- d-----w- C:\Program Files (x86)\NT Registry Optimizer

2011-08-29 06:36:23 -------- d-----w- C:\Program Files\iPod

2011-08-29 06:36:22 -------- d-----w- C:\Program Files (x86)\iTunes

2011-08-29 06:22:06 -------- d-----w- C:\Program Files\Speccy

2011-08-29 05:26:35 -------- d-----w- C:\Program Files\CCleaner

2011-08-29 04:17:06 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2011-08-29 04:17:06 2048 ----a-w- C:\Windows\System32\tzres.dll

2011-08-10 22:57:26 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat

2011-08-10 22:57:26 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat

2011-08-10 22:57:22 451072 ----a-w- C:\Windows\System32\winsrv.dll

2011-08-10 22:57:19 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-08-10 22:57:18 1427344 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-08-10 22:57:13 4699536 ----a-w- C:\Windows\System32\ntoskrnl.exe

.

==================== Find3M ====================

.

2011-08-19 17:07:07 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-08-11 03:57:54 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-08-01 22:22:12 627600 ----a-w- C:\Windows\System32\deployJava1.dll

2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll

2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll

2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-07-14 00:31:51 525792 ----a-w- C:\Windows\DIFxAPI.dll

2011-07-13 01:06:24 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS

2011-07-12 18:34:00 96104 ----a-w- C:\Windows\System32\dns-sd.exe

2011-07-12 18:34:00 85864 ----a-w- C:\Windows\System32\dnssd.dll

2011-07-12 18:20:54 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe

2011-07-12 18:20:54 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll

2011-07-07 02:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-07-06 01:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx

2011-07-06 01:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts

2011-07-04 11:43:53 40112 ----a-w- C:\Windows\avastSS.scr

.

============= FINISH: 22:41:28.37 ===============

Hope I did this right!!

Thanks for your help...

Blade81 · September 2, 2011

Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

DollyDagger · September 3, 2011

Hi again,
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully first.
Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

ComboFix 11-09-02.04 - Owner 09/02/2011 23:44:56.1.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4085.2590 [GMT -7:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\SysWow64\KBL.LOG

.

((((((((((((((((((((((((( Files Created from 2011-08-03 to 2011-09-03 )))))))))))))))))))))))))))))))

.

2011-09-03 17:57 . 2011-09-03 17:57 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps

2011-09-03 11:38 . 2011-09-03 17:57 -------- d-----w- c:\users\Owner\AppData\Local\temp

2011-09-03 11:38 . 2011-09-03 11:38 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-01 03:18 . 2011-09-01 03:18 -------- d-----w- c:\users\Owner\AppData\Local\Apple Computer

2011-09-01 02:40 . 2011-09-01 02:40 -------- d-----w- c:\program files (x86)\NT Registry Optimizer

2011-08-29 06:36 . 2011-08-29 06:36 -------- d-----w- c:\program files\iPod

2011-08-29 06:36 . 2011-08-29 06:36 -------- d-----w- c:\program files (x86)\iTunes

2011-08-29 06:22 . 2011-08-29 06:22 -------- d-----w- c:\program files\Speccy

2011-08-29 05:26 . 2011-08-29 05:36 -------- d-----w- c:\program files\CCleaner

2011-08-29 04:17 . 2011-07-11 13:45 2048 ----a-w- c:\windows\system32\tzres.dll

2011-08-29 04:17 . 2011-07-11 13:25 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2011-08-19 17:08 . 2011-08-19 17:08 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-08-11 03:43 . 2011-08-11 03:43 -------- d-----w- c:\program files (x86)\Microsoft.NET

2011-08-10 22:57 . 2011-06-06 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-08-10 22:57 . 2011-06-06 10:59 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat

2011-08-10 22:57 . 2011-06-17 16:16 451072 ----a-w- c:\windows\system32\winsrv.dll

2011-08-10 22:57 . 2011-07-06 15:49 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-08-10 22:57 . 2011-06-17 20:14 1427344 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-08-10 22:57 . 2011-06-20 08:45 4699536 ----a-w- c:\windows\system32\ntoskrnl.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-19 17:07 . 2010-05-26 14:47 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-08-11 03:57 . 2011-05-26 06:08 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-08-01 22:22 . 2011-05-26 06:43 627600 ----a-w- c:\windows\system32\deployJava1.dll

2011-07-14 00:31 . 2009-12-19 01:40 525792 ----a-w- c:\windows\DIFxAPI.dll

2011-07-13 01:06 . 2011-07-13 01:03 174200 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS

2011-07-12 18:34 . 2011-07-12 18:34 96104 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 18:34 . 2011-07-12 18:34 85864 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 18:20 . 2011-07-12 18:20 83816 ----a-w- c:\windows\SysWow64\dns-sd.exe

2011-07-12 18:20 . 2011-07-12 18:20 73064 ----a-w- c:\windows\SysWow64\dnssd.dll

2011-07-07 02:52 . 2010-01-24 00:30 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys

2011-07-07 02:52 . 2010-01-24 00:30 25912 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-06 01:37 . 2011-07-06 01:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx

2011-07-06 01:37 . 2011-07-06 01:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts

2011-07-04 11:43 . 2010-06-29 03:00 40112 ----a-w- c:\windows\avastSS.scr

2011-07-04 11:43 . 2009-12-29 01:56 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe

2011-06-07 17:10 . 2011-07-12 19:48 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10DF0BBF-91DC-4C78-A734-2B257EF5638E}\mpengine.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-07 449584]

"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-08-19 421736]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]

R3 NETw4v64;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw4v64.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0501000.01D\SYMDS64.SYS [x]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0501000.01D\SYMEFA64.SYS [x]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110812.001\BHDrvx64.sys [2011-07-23 1151096]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110902.030\IDSvia64.sys [2011-08-10 488568]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0501000.01D\Ironx64.SYS [x]

S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360x64\0501000.01D\SYMTDIV.SYS [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-07 366640]

S2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe [2011-04-17 130008]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-08-01 136824]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw5v64.sys [x]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-08-24 01:34 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-08-05 c:\windows\Tasks\HPCeeScheduleForOwner.job

- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-12-19 19:58]

.

--------- x86-64 -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]

"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 138264]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 203800]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 168472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://xfinity.comcast.net/?

uLocal Page = c:\windows\system32\blank.htm

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.1.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\8vqib4s4.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=

FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS

FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prfh=sslEEE1N1Nfont_sizeEEEmediumN1Nlanguage_uiEEEenglishN1Ndisable_open_in_new_windowEEE0N1Ndisable_family_filterEEE1N1Nnum_of_resultsEEE10N1NlanguageEEEenglishN1Ndisable_video_family_filterEEE1N1NsuggestionsEEE0N1NorSave%20My%20SettingsClear%20Settings%20Saving%20your%20settings%20will%20set%20a%20anonymous%20%27cookie%27%20in%20your%20browser%20that%20remembers%20the%20setting%20for%20your%20next%20visit.|http://xfinity.comcast.net/?

FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=SOLTDF&PC=SUN1&q=

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)

HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]

"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11a_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11a_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11a.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe

c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\program files (x86)\CyberLink\Shared Files\RichVideo.exe

c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\windows\SysWOW64\DllHost.exe

.

**************************************************************************

.

Completion time: 2011-09-03 11:01:02 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-03 18:01

.

Pre-Run: 183,181,979,648 bytes free

Post-Run: 182,836,305,920 bytes free

.

- - End Of File - - A7AE085939A05E8D154BC078AF6A43F1

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Owner at 13:17:04 on 2011-09-03