
Error Message While trying to open MWB - Google takes me to Add sites



When I try to open MWB I get an error message that states "Windows can't access - I do not have permission". I have downloaded MWB, gave it a different name and installed it; when I attempt to run it, it will scan for 3 seconds and close. While attempting to access websites from Google it takes me to add sites. Often when I try to launch Internet Exp. it will come up with an error "can't connect". I had the Rogue Virus 3 weeks ago and managed to clean it out....so I thought...

Help



Logs will be closed if you haven't replied within 3 days

Please do not attach the scan results from ComboFix. Use copy/paste.

DO NOT use any TOOLS such as Combofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Close all browsers before running ATF: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


All files are unlocked. I updated ComboFix before I ran it today; here are the results.

Thank you again for the help :)

omboFix 11-09-26.01 - Angela 09/25/2011 14:55:59.5.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1724 [GMT -7:00]

Running from: C:\Users\Angela\Desktop\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

/wow section - STAGE 50

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

/wow section not completed


Sorry about that - here are the results.

ComboFix 11-09-26.01 - Angela 09/25/2011 15:44:00.7.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1941 [GMT -7:00]

Running from: c:\users\Angela\Desktop\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\CouponAlert_2pEI

c:\program files\Saveme2.exe

c:\program files\Saveme2.exe\changes.rtf

c:\program files\Saveme2.exe\Languages\arabic.lng

c:\program files\Saveme2.exe\Languages\belarusian.lng

c:\program files\Saveme2.exe\Languages\bosnian.lng

c:\program files\Saveme2.exe\Languages\bulgarian.lng

c:\program files\Saveme2.exe\Languages\catalan.lng

c:\program files\Saveme2.exe\Languages\chineseSI.lng

c:\program files\Saveme2.exe\Languages\chineseTR.lng

c:\program files\Saveme2.exe\Languages\croatian.lng

c:\program files\Saveme2.exe\Languages\czech.lng

c:\program files\Saveme2.exe\Languages\danish.lng

c:\program files\Saveme2.exe\Languages\dutch.lng

c:\program files\Saveme2.exe\Languages\english.lng

c:\program files\Saveme2.exe\Languages\estonian.lng

c:\program files\Saveme2.exe\Languages\finnish.lng

c:\program files\Saveme2.exe\Languages\french.lng

c:\program files\Saveme2.exe\Languages\german.lng

c:\program files\Saveme2.exe\Languages\greek.lng

c:\program files\Saveme2.exe\Languages\hebrew.lng

c:\program files\Saveme2.exe\Languages\hungarian.lng

c:\program files\Saveme2.exe\Languages\italian.lng

c:\program files\Saveme2.exe\Languages\korean.lng

c:\program files\Saveme2.exe\Languages\latvian.lng

c:\program files\Saveme2.exe\Languages\lithuanian.lng

c:\program files\Saveme2.exe\Languages\macedonian.lng

c:\program files\Saveme2.exe\Languages\norwegian.lng

c:\program files\Saveme2.exe\Languages\polish.lng

c:\program files\Saveme2.exe\Languages\portugueseBR.lng

c:\program files\Saveme2.exe\Languages\portuguesePT.lng

c:\program files\Saveme2.exe\Languages\romanian.lng

c:\program files\Saveme2.exe\Languages\russian.lng

c:\program files\Saveme2.exe\Languages\serbian.lng

c:\program files\Saveme2.exe\Languages\slovak.lng

c:\program files\Saveme2.exe\Languages\slovenian.lng

c:\program files\Saveme2.exe\Languages\spanish.lng

c:\program files\Saveme2.exe\Languages\swedish.lng

c:\program files\Saveme2.exe\Languages\thai.lng

c:\program files\Saveme2.exe\Languages\turkish.lng

c:\program files\Saveme2.exe\Languages\vietnamese.lng

c:\program files\Saveme2.exe\license.txt

c:\program files\Saveme2.exe\mbam.chm

c:\program files\Saveme2.exe\mbam.dll

c:\program files\Saveme2.exe\mbam.exe

c:\program files\Saveme2.exe\mbamcore.dll

c:\program files\Saveme2.exe\mbamext.dll

c:\program files\Saveme2.exe\mbamgui.exe

c:\program files\Saveme2.exe\mbamnet.dll

c:\program files\Saveme2.exe\mbamservice.exe

c:\program files\Saveme2.exe\ssubtmr6.dll

c:\program files\Saveme2.exe\unins000.dat

c:\program files\Saveme2.exe\unins000.exe

c:\program files\Saveme2.exe\unins000.msg

c:\program files\Saveme2.exe\vbalsgrid6.ocx

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\programdata\AppleNotifierManager.dll

c:\users\Angela\AppData\Local\{C1E1C8B6-31B4-489C-B5BC-E7D06FE4DF89}

c:\users\Angela\AppData\Local\{C1E1C8B6-31B4-489C-B5BC-E7D06FE4DF89}\chrome.manifest

c:\users\Angela\AppData\Local\{C1E1C8B6-31B4-489C-B5BC-E7D06FE4DF89}\chrome\content\_cfg.js

c:\users\Angela\AppData\Local\{C1E1C8B6-31B4-489C-B5BC-E7D06FE4DF89}\chrome\content\overlay.xul

c:\users\Angela\AppData\Local\{C1E1C8B6-31B4-489C-B5BC-E7D06FE4DF89}\install.rdf

c:\users\Angela\AppData\Roaming\Microsoft\Windows\Recent\Dell.url

c:\users\Angela\g2ax_customer_downloadhelper_win32_x86.exe

c:\windows\system32\5daa6e12-14f6-1f3f-2340-a90a63fa33a2.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_4c641cf1

-------\Service_MBAMService

-------\Service_MBAMService

.

.

((((((((((((((((((((((((( Files Created from 2011-08-25 to 2011-09-25 )))))))))))))))))))))))))))))))

.

.

2011-09-25 22:56 . 2011-09-25 23:02 -------- d-----w- c:\users\Angela\AppData\Local\temp

2011-09-25 22:56 . 2011-09-25 22:56 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-25 22:56 . 2011-09-25 22:56 -------- d-----w- c:\users\Joshua\AppData\Local\temp

2011-09-23 06:45 . 2011-09-23 06:45 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-23 05:54 . 2011-09-23 05:54 -------- d-----w- c:\users\Angela\Mine

2011-09-22 06:21 . 2011-09-22 06:21 -------- d--h--w- c:\windows\PIF

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\users\Angela\AppData\Roaming\Malwarebytes

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\programdata\Malwarebytes

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-21 02:25 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-20 04:00 . 2011-09-20 04:00 -------- d-----w- c:\users\Joshua\AppData\Local\Google

2011-09-20 03:47 . 2011-09-20 03:47 -------- d-----w- C:\ce5685f94ed7c81570e0a0b6a18b32

2011-09-10 05:53 . 2011-09-10 05:53 -------- d-----w- c:\windows\system32\EventProviders

2011-08-31 04:25 . 2011-08-31 04:25 -------- d-----w- c:\users\Angela\AppData\Local\MediaGet2

2011-08-31 04:25 . 2011-08-31 04:25 -------- d-----w- c:\users\Angela\AppData\Local\Media Get LLC

2011-08-31 01:52 . 2011-08-31 01:52 -------- d-----w- c:\programdata\Trymedia

2011-08-31 01:42 . 2006-08-17 08:47 40960 ----a-w- c:\windows\system32\Fish Tycoon.scr

2011-08-31 00:51 . 2011-08-31 00:51 -------- d-----w- c:\users\Angela\AppData\Local\FunnyMiners

2011-08-29 01:21 . 2010-09-01 04:43 -------- d-----w- C:\BigFishGamesCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-12 23:14 . 2011-09-24 18:39 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60E47929-6D09-4316-AF18-43CFD8697535}\mpengine.dll

2011-08-08 04:49 . 2011-08-08 03:42 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-08-08 04:48 . 2011-08-08 04:48 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-08-08 04:48 . 2011-08-08 03:42 270240 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-08-08 03:42 . 2011-08-08 03:42 138056 ----a-w- c:\users\Angela\AppData\Roaming\PnkBstrK.sys

2011-08-08 03:42 . 2011-08-08 03:42 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-08-08 03:42 . 2011-08-08 03:42 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-08-07 05:52 . 2011-07-27 05:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 14:56 . 2011-08-10 15:07 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-07-03 07:52 . 2011-07-03 07:52 0 ---ha-w- c:\users\Angela\AppData\Local\BIT1DDC.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 23:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-03-18 15:11 2471240 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2011-01-17 23:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-09-29 05:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-19 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-16 2048352]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]

"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-19 274608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

.

c:\users\Joshua\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-09-01 04:03 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\srv228]

@="service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk

backup=c:\windows\pss\QuickSet.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Angela^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\users\Angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2007-10-03 20:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 18:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]

2008-06-13 02:56 4758904 ----a-w- c:\program files\Dell Video Chat\DellVideoChat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-01-21 17:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-06-08 04:13 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-31 908056]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R2 srv228;srv228;c:\windows\system32\svchost.exe [2008-01-21 21504]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [2011-03-18 947528]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-01 22216]

R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-12-18 20480]

R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-12-18 174720]

R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]

R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]

R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]

R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]

R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-31 335240]

S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-20 108552]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-06-25 73728]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-31 297752]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-13 203264]

S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-03-11 149208]

S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-03-11 277624]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LPDService REG_MULTI_SZ LPDSVC

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv228

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

2011-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

2011-09-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1673808188-843090318-945326680-1000.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 18:33]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Save Flash - j:\flash saving plugin\FlashSButton.dll/210

IE: Save YouTube Video - j:\flash saving plugin\FlashSButton.dll/217

LSP: mswsock.dll

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9EA7AB09-BE04-4609-AE4A-179476516D01}: NameServer = 66.174.92.14 69.78.96.14

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-*{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)

BHO-{021F341B-8329-437E-8722-DAEC8C28E66b} - c:\windows\system32\wscui32.dll

BHO-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll

Toolbar-{0974BA1E-64EC-11DE-B2A5-E43756D89593} - c:\progra~1\BEARSH~1\MediaBar\ToolBar\BearshareMediabarDx.dll

HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Saveme2.exe\mbam.exe

HKLM-Run-Malwarebytes' Anti-Malware - c:\program files\Saveme2.exe\mbamgui.exe

HKU-Default-Run-AppleNotifierManager - c:\programdata\AppleNotifierManager.dll

AddRemove-5daa6e12-14f6-1f3f-2340-a90a63fa33a2 - c:\windows\system32\5daa6e12-14f6-1f3f-2340-a90a63fa33a2.exe

AddRemove-Army Men RTS - j:\army men rts\Uninstall.exe

AddRemove-Endless War Defense_is1 - j:\endlesswardefense_at\unins000.exe

AddRemove-Feudalism 2_is1 - j:\feudalism2_at\unins000.exe

AddRemove-Fish Tycoon - j:\fish tycoon\Uninstall.exe

AddRemove-Flash Saving Plugin - j:\flash saving plugin\uninstall.exe

AddRemove-Funny_Miners_is1 - j:\documents\unins000.exe

AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Saveme2.exe\unins000.exe

AddRemove-OpenTTD - j:\ttd\uninstall.exe

AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

AddRemove-Tradewinds 2 Free Trial - j:\progra~1\TRADEW~1\UNWISE.EXE

AddRemove-Zombie Storm_is1 - j:\zombie storm_at\unins000.exe

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\4c641cf1]

"ImagePath"="\systemroot\4045169740:3013337870.exe"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srv228]

"servicedll"="\\?\globalroot\Device\HarddiskVolume3\Windows\Temp\srv228.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\windows\system32\PnkBstrA.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\AVG\AVG8\avgtray.exe

c:\windows\4045169740:3013337870.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\DellTPad\HidFind.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2011-09-25 16:09:02 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-25 23:09

.

Pre-Run: 148,289,347,584 bytes free

Post-Run: 148,130,791,424 bytes free

.

- - End Of File - - 76BE14D0F6CED4C1D434FDF5D64896A5


It looks like you have a nasty backdoor infection.

Try running a new MBAM scan.

Good Morning!

I tried several times; it will scan to file 7, then close and disable. I reloaded it again with the same results. Opened in Safe Mode, the scan will run but does not locate much. I tried in Safe Mode with Networking - the scan closes and disables. Windows Firewall will also not allow me to turn it on. Last night I attempted to open a new admin account to try to scan it there - no luck. I have MWB Pro - it has blocked some programs - I'll give you the results. The computer is still running the same, with the exception that my keypad started working again and there are fewer redirects - happy that I have baby steps :)

Thank you again for looking into this-

Scan results-

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 8.0.6001.19088

9/21/2011 7:01:09 PM

mbam-log-2011-09-21 (19-01-09).txt

Scan type: Quick scan

Objects scanned: 208064

Time elapsed: 12 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\0.11144394504592203.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.06207708225695008.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.15970668356871787.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.23537098658435196.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.33919606925901413.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.5793005225634117.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.778724373970275.exe (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache1157642732145715343.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache1454014251043209717.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache5324039586793385930.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache5448849235760043407.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache8371907080765092705.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\jar_cache9190061081836869228.tmp (Malware.Packer) -> Quarantined and deleted successfully.

c:\Windows\Temp\wxmcseorna.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Temp\rterrd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.30651794965273926.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

c:\Windows\Temp\0.5935843456002534.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.

LOG-

20:29:41 Angela MESSAGE Protection started successfully

20:29:47 Angela MESSAGE IP Protection started successfully

20:30:09 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 51898, Process: avgnsx.exe)

20:30:17 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 51912, Process: avgnsx.exe)

20:30:33 Angela IP-BLOCK 212.95.55.18 (Type: outgoing, Port: 52253, Process: avgnsx.exe)

20:30:33 Angela IP-BLOCK 212.95.55.18 (Type: outgoing, Port: 52268, Process: avgnsx.exe)

20:30:41 Angela IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 52326, Process: avgnsx.exe)

20:30:57 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 52473, Process: avgnsx.exe)

20:31:13 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 52771, Process: avgnsx.exe)

20:38:20 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53583, Process: avgnsx.exe)

20:38:45 Angela IP-BLOCK 208.87.32.69 (Type: outgoing, Port: 53601, Process: avgnsx.exe)

20:39:33 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53621, Process: avgnsx.exe)

20:39:41 Angela IP-BLOCK 208.73.210.48 (Type: outgoing, Port: 53627, Process: avgnsx.exe)

20:40:21 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53645, Process: avgnsx.exe)

20:40:53 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53667, Process: avgnsx.exe)

20:41:18 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53687, Process: avgnsx.exe)

20:41:18 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53689, Process: avgnsx.exe)

20:41:42 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 53697, Process: avgnsx.exe)

20:42:14 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 53717, Process: avgnsx.exe)

20:42:22 Angela IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 53737, Process: avgnsx.exe)

20:42:22 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 53745, Process: avgnsx.exe)

20:42:22 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 53761, Process: avgnsx.exe)

20:42:38 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 54017, Process: avgnsx.exe)

20:42:38 Angela IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 54033, Process: avgnsx.exe)

20:42:38 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 54037, Process: avgnsx.exe)

20:43:03 Angela IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 54195, Process: avgnsx.exe)

20:43:19 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 54383, Process: avgnsx.exe)

20:46:25 Angela IP-BLOCK 208.73.210.29 (Type: outgoing, Port: 55579, Process: avgnsx.exe)

20:46:58 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 55661, Process: avgnsx.exe)

20:46:58 Angela IP-BLOCK 208.87.32.69 (Type: outgoing, Port: 55663, Process: avgnsx.exe)

21:08:42 Angela MESSAGE Protection started successfully

21:08:47 Angela MESSAGE IP Protection started successfully

21:14:36 Angela MESSAGE Protection started successfully

21:14:41 Angela MESSAGE IP Protection started successfully

21:18:08 Angela MESSAGE IP Protection stopped

21:18:12 Angela MESSAGE Database updated successfully

21:18:14 Angela MESSAGE IP Protection started successfully

21:20:21 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 49399, Process: avgnsx.exe)

21:20:21 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 49544, Process: avgnsx.exe)

21:20:37 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 49736, Process: avgnsx.exe)

21:20:45 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 49770, Process: avgnsx.exe)

21:21:01 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 49848, Process: avgnsx.exe)

21:21:17 Angela IP-BLOCK 206.161.121.100 (Type: outgoing, Port: 50058, Process: avgnsx.exe)

21:22:22 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 50381, Process: avgnsx.exe)

21:22:38 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 50405, Process: avgnsx.exe)

21:22:54 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 50439, Process: avgnsx.exe)

21:23:26 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 50507, Process: avgnsx.exe)

22:19:10 Angela MESSAGE Protection started successfully

22:19:16 Angela MESSAGE IP Protection started successfully

22:23:06 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49185, Process: avgnsx.exe)

22:23:06 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49190, Process: avgnsx.exe)

22:27:24 Angela IP-BLOCK 67.29.139.153 (Type: outgoing, Port: 51097, Process: avgnsx.exe)

22:27:33 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 51117, Process: avgnsx.exe)

22:28:13 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 51469, Process: avgnsx.exe)

22:28:21 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 51501, Process: avgnsx.exe)

22:46:46 Angela MESSAGE Protection started successfully

22:46:52 Angela MESSAGE IP Protection started successfully

23:25:56 Angela MESSAGE Protection started successfully

23:26:01 Angela MESSAGE IP Protection started successfully

23:29:20 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49175, Process: avgnsx.exe)

23:29:20 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49178, Process: avgnsx.exe)

23:34:58 Angela IP-BLOCK 208.87.33.151 (Type: outgoing, Port: 49574, Process: avgnsx.exe)


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

Rootkit::
c:\windows\4045169740:3013337870.exe

Folder::
c:\program files\Vuze_Remote
c:\program files\ConduitEngine
c:\program files\Ask.com

Driver::
srv228

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itnetsvcs"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\4c641cf1]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\srv228]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

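The path named in the Rootkit:: line of the script above, c:\windows\4045169740:3013337870.exe, is an NTFS alternate data stream: the only legitimate colon in a Windows path is the drive colon, so the second one means the executable is stored as a stream called 3013337870.exe attached to the file c:\windows\4045169740, where a normal directory listing will not show it, even though ComboFix lists it among the running processes. The Python below is an added example, not code from this thread or from ComboFix, that applies that test to a process list, together with two weaker signals (execution from the Windows root or Temp, and a purely numeric file name, as with the c:\Windows\Temp\0.…exe files MBAM quarantined earlier in the thread). The sample list is a constructed, cut-down copy of the "Other Running Processes" section above, and SUSPECT_DIRS is an assumption about where installed programs do not run from.

```python
import re

# Constructed sample: a cut-down copy of the "Other Running Processes" section from the
# ComboFix log in this thread, plus one of the c:\Windows\Temp files MBAM quarantined.
SAMPLE_PROCESSES = r"""
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\4045169740:3013337870.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\Windows\Temp\0.06207708225695008.exe
c:\windows\ehome\ehmsas.exe
"""

# Assumption: directories from which a legitimately installed program almost never runs.
SUSPECT_DIRS = {r"c:\windows", r"c:\windows\temp", r"c:\users\public"}

DRIVE_RE = re.compile(r"^[a-z]:", re.IGNORECASE)


def split_ads(path):
    r"""Return (host_file, stream_name) if the path names an NTFS alternate data
    stream, else None. The drive colon at index 1 is the only legitimate colon in a
    Windows path; a second one (c:\windows\4045169740:3013337870.exe) means the
    executable lives in a stream attached to c:\windows\4045169740."""
    prefix, body = (path[:2], path[2:]) if DRIVE_RE.match(path) else ("", path)
    if ":" not in body:
        return None
    host, stream = body.split(":", 1)
    return prefix + host, stream


def triage(path):
    """Return the list of reasons a process path looks suspicious (empty if none)."""
    p = path.lower()
    reasons = []
    ads = split_ads(p)
    if ads:
        host, stream = ads
        reasons.append(f"runs from alternate data stream '{stream}' of '{host}'")
        p = host  # judge the host file's location and name from here on
    parent, _, name = p.rpartition("\\")
    if parent in SUSPECT_DIRS:
        reasons.append(f"runs from '{parent}', not a program directory")
    stem = name.rsplit(".", 1)[0]
    if re.fullmatch(r"[0-9.]+", stem):
        reasons.append(f"file name '{name}' is a generated number, not a product name")
    return reasons


def triage_all(text):
    """Map each suspicious path in a ComboFix-style process list to its reasons."""
    flagged = {}
    for line in text.splitlines():
        path = line.strip()
        if not path:
            continue
        reasons = triage(path)
        if reasons:
            flagged[path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_PROCESSES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Running it flags exactly the ADS entry (three reasons) and the Temp file (two reasons) and passes every vendor path. The ADS test is the one that matters: the other two are heuristics that a signed Windows component could in principle trip, so treat them as prompts to look closer, not as verdicts.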

Sorry it took me so long to get back to you.

OK - I put the text file in ComboFix; here are the files.

I attempted to run MWB and only got through 3 files before it closed out and deleted.

Windows Defender will not turn on (not like that has saved me). The good thing is that when I opened Google I had the Google picture of the day, not just a page that says Google.

Thank you again for all the help! I appreciate you! :)

.

ComboFix 11-09-26.02 - Angela 09/26/2011 21:41:18.11.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1711 [GMT -7:00]

Running from: c:\users\Angela\Desktop\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-27 to 2011-09-27 )))))))))))))))))))))))))))))))

.

.

2011-09-27 04:54 . 2011-09-27 04:54 -------- d-----w- c:\users\Angela\AppData\Local\temp

2011-09-27 04:54 . 2011-09-27 04:54 -------- d-----w- c:\users\Joshua\AppData\Local\temp

2011-09-27 04:54 . 2011-09-27 04:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-09-26 04:39 . 2011-09-26 04:41 -------- d-----w- c:\users\Flower

2011-09-26 03:41 . 2011-09-26 03:42 -------- d-----w- c:\users\UGGG

2011-09-24 18:39 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60E47929-6D09-4316-AF18-43CFD8697535}\mpengine.dll

2011-09-23 06:45 . 2011-09-23 06:45 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-23 05:54 . 2011-09-23 05:54 -------- d-----w- c:\users\Angela\Mine

2011-09-22 06:21 . 2011-09-22 06:21 -------- d--h--w- c:\windows\PIF

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\users\Angela\AppData\Roaming\Malwarebytes

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\programdata\Malwarebytes

2011-09-21 02:25 . 2011-09-26 23:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-21 02:25 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-20 04:00 . 2011-09-20 04:00 -------- d-----w- c:\users\Joshua\AppData\Local\Google

2011-09-20 03:47 . 2011-09-20 03:47 -------- d-----w- C:\ce5685f94ed7c81570e0a0b6a18b32

2011-09-10 05:53 . 2011-09-10 05:53 -------- d-----w- c:\windows\system32\EventProviders

2011-08-31 04:25 . 2011-08-31 04:25 -------- d-----w- c:\users\Angela\AppData\Local\MediaGet2

2011-08-31 04:25 . 2011-08-31 04:25 -------- d-----w- c:\users\Angela\AppData\Local\Media Get LLC

2011-08-31 01:52 . 2011-08-31 01:52 -------- d-----w- c:\programdata\Trymedia

2011-08-31 01:42 . 2006-08-17 08:47 40960 ----a-w- c:\windows\system32\Fish Tycoon.scr

2011-08-31 00:51 . 2011-08-31 00:51 -------- d-----w- c:\users\Angela\AppData\Local\FunnyMiners

2011-08-29 01:21 . 2010-09-01 04:43 -------- d-----w- C:\BigFishGamesCache

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-08-08 04:49 . 2011-08-08 03:42 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-08-08 04:48 . 2011-08-08 04:48 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-08-08 04:48 . 2011-08-08 03:42 270240 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-08-08 03:42 . 2011-08-08 03:42 138056 ----a-w- c:\users\Angela\AppData\Roaming\PnkBstrK.sys

2011-08-08 03:42 . 2011-08-08 03:42 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-08-08 03:42 . 2011-08-08 03:42 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-08-07 05:52 . 2011-07-27 05:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 14:56 . 2011-08-10 15:07 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2011-07-03 07:52 . 2011-07-03 07:52 0 ---ha-w- c:\users\Angela\AppData\Local\BIT1DDC.tmp

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 23:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-03-18 15:11 2471240 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

2011-01-17 23:54 175912 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

2010-09-29 05:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-29 1400712]

"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

.

[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-19 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-16 2048352]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]

"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-19 274608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

.

c:\users\Joshua\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-09-01 04:03 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk

backup=c:\windows\pss\QuickSet.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Angela^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\users\Angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2007-10-03 20:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 18:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]

2008-06-13 02:56 4758904 ----a-w- c:\program files\Dell Video Chat\DellVideoChat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-01-21 17:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-06-08 04:13 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-31 908056]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [2011-03-18 947528]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-12-18 20480]

R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-12-18 174720]

R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]

R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]

R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]

R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]

R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-31 335240]

S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-20 108552]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-06-25 73728]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-31 297752]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-13 203264]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-01 22216]

S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-03-11 149208]

S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-03-11 277624]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LPDService REG_MULTI_SZ LPDSVC

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv228

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

2011-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Save Flash - j:\flash saving plugin\FlashSButton.dll/210

IE: Save YouTube Video - j:\flash saving plugin\FlashSButton.dll/217

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{9EA7AB09-BE04-4609-AE4A-179476516D01}: NameServer = 66.174.92.14 69.78.96.14

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-srv228

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-26 21:54

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2011-09-26 21:57:49

ComboFix-quarantined-files.txt 2011-09-27 04:57

ComboFix2.txt 2011-09-25 23:09

.

Pre-Run: 140,429,324,288 bytes free

Post-Run: 140,390,727,680 bytes free

.

- - End Of File - - 658E5CB34097BD1390CF88F4BE6DE985


OHH WOW! Here is the log for today - I think this thing is mad now!

01:05:53 Angela MESSAGE Protection started successfully

01:05:59 Angela MESSAGE IP Protection started successfully

16:34:20 Angela MESSAGE Protection started successfully

16:34:28 Angela MESSAGE IP Protection started successfully

16:35:12 Angela ERROR Scheduled update failed: No address found failed with error code 11004

16:36:34 Angela MESSAGE IP Protection stopped

16:36:38 Angela MESSAGE Database updated successfully

16:36:40 Angela MESSAGE IP Protection started successfully

16:42:21 Angela MESSAGE IP Protection stopped

20:25:10 Angela MESSAGE Protection started successfully

20:25:17 Angela MESSAGE IP Protection started successfully

20:44:51 Angela MESSAGE Protection started successfully

20:44:56 Angela MESSAGE IP Protection started successfully

21:16:59 Angela MESSAGE Protection started successfully

21:17:04 Angela MESSAGE IP Protection started successfully

22:04:40 Angela MESSAGE Protection started successfully

22:04:46 Angela MESSAGE IP Protection started successfully

22:07:47 Angela MESSAGE IP Protection stopped

22:07:51 Angela MESSAGE Database updated successfully

22:07:53 Angela MESSAGE IP Protection started successfully

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49194, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49195, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49196, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49197, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49198, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49199, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49200, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49201, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49202, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.136 (Type: outgoing, Port: 49203, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49204, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.136 (Type: outgoing, Port: 49205, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49206, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.136 (Type: outgoing, Port: 49207, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49208, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.136 (Type: outgoing, Port: 49209, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.137 (Type: outgoing, Port: 49210, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49211, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.137 (Type: outgoing, Port: 49212, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49213, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.138 (Type: outgoing, Port: 49215, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49216, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.138 (Type: outgoing, Port: 49217, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49218, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49220, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49221, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49222, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49223, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49224, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49225, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49226, Process: iexplore.exe)

22:08:23 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49227, Process: iexplore.exe)

22:33:00 Angela MESSAGE Protection started successfully

22:33:06 Angela MESSAGE IP Protection started successfully

22:38:06 Angela MESSAGE IP Protection stopped

22:38:09 Angela MESSAGE Database updated successfully

22:38:11 Angela MESSAGE IP Protection started successfully

I updated and scanned; it managed to get to 720 files before it closed and disabled my Malwarebytes. I downloaded again and updated 3 other times - still closed out. My internet is faster now, but I was redirected once. Windows firewall still won't turn on.

Here is the log that I do have from MWB.

Hope your day is well! :)

05:08:04 Angela MESSAGE Protection started successfully

05:08:14 Angela MESSAGE IP Protection started successfully

05:25:17 Angela MESSAGE Protection started successfully

05:25:22 Angela MESSAGE IP Protection started successfully

05:47:17 Angela MESSAGE Protection started successfully

05:47:28 Angela MESSAGE IP Protection started successfully

05:50:44 Angela MESSAGE IP Protection stopped

05:50:47 Angela MESSAGE Database updated successfully

05:50:49 Angela MESSAGE IP Protection started successfully

06:16:08 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49704, Process: svchost.exe)

06:16:08 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49705, Process: svchost.exe)

16:16:36 Angela MESSAGE Protection started successfully

16:16:41 Angela MESSAGE IP Protection started successfully

16:17:18 Angela ERROR Scheduled update failed: No address found failed with error code 11004

16:20:24 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49184, Process: avgnsx.exe)

16:20:24 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49186, Process: avgnsx.exe)

16:20:32 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49194, Process: avgnsx.exe)

16:20:40 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 49270, Process: avgnsx.exe)

16:20:40 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 49293, Process: avgnsx.exe)

16:20:40 Angela IP-BLOCK 38.99.183.25 (Type: outgoing, Port: 49300, Process: avgnsx.exe)

16:20:40 Angela IP-BLOCK 38.99.183.25 (Type: outgoing, Port: 49306, Process: avgnsx.exe)

16:20:40 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 49314, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49392, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49396, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49412, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 194.11.16.137 (Type: outgoing, Port: 49416, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49418, Process: avgnsx.exe)

16:21:28 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49422, Process: avgnsx.exe)

16:21:36 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 49452, Process: avgnsx.exe)

16:21:36 Angela IP-BLOCK 38.99.183.25 (Type: outgoing, Port: 49465, Process: avgnsx.exe)

16:21:36 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 49469, Process: avgnsx.exe)

16:27:28 Angela MESSAGE IP Protection stopped

16:27:31 Angela MESSAGE Database updated successfully

16:27:33 Angela MESSAGE IP Protection started successfully

Ok, I opened ComboFix, ran it this morning and got access denied messages again. I ran it again as administrator several times and got access denied again. When I launched it, it did update and rebooted my computer. I scanned again as admin and the same thing: access denied. I attempted to load ComboFix again, and when I selected to replace the existing one, a message came up stating the current version is set to read only and I need to rename the new download. I did this and the new download is not anywhere to be found. I did this several times. In ComboFix I unclicked the read-only box and tried to run it again; same thing, access denied. When the scan is running and the access denied comes up, it states "Could not find c:/combofix/remMtPts". This did not come out on the report.

Thank you again for your time :)

ComboFix 11-09-28.06 - Angela 09/28/2011 18:44:16.18.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1641 [GMT -7:00]

Running from: C:\Users\Angela\Desktop\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

/wow section - STAGE 50

Access is denied.

Access is denied.

Access is denied.

Access is denied.

Access is denied.

/wow section not completed

Ran MWB; it scanned 2 files and closed.

Here is the Protection log:

05:03:59 Angela MESSAGE Protection started successfully

05:04:23 Angela MESSAGE IP Protection started successfully

05:29:26 Angela MESSAGE Protection started successfully

05:29:35 Angela MESSAGE IP Protection started successfully

06:00:20 Angela MESSAGE Protection started successfully

06:00:25 Angela MESSAGE IP Protection started successfully

16:46:14 Angela MESSAGE Protection started successfully

16:46:20 Angela MESSAGE IP Protection started successfully

16:49:08 Angela MESSAGE IP Protection stopped

16:49:13 Angela MESSAGE Database updated successfully

16:49:15 Angela MESSAGE IP Protection started successfully

16:49:28 Angela MESSAGE Scheduled update executed successfully

16:49:29 Angela MESSAGE IP Protection stopped

16:49:32 Angela MESSAGE Database updated successfully

16:49:34 Angela MESSAGE IP Protection started successfully

16:49:40 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49277, Process: avgnsx.exe)

16:50:21 Angela IP-BLOCK 67.215.6.218 (Type: outgoing, Port: 49298, Process: avgnsx.exe)

17:15:53 Angela MESSAGE Protection started successfully

17:15:58 Angela MESSAGE IP Protection started successfully

17:39:28 Angela MESSAGE Protection started successfully

17:39:33 Angela MESSAGE IP Protection started successfully

18:00:51 Angela MESSAGE Protection started successfully

18:00:55 Angela MESSAGE IP Protection started successfully

18:26:33 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49360, Process: avgnsx.exe)

18:26:41 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49362, Process: avgnsx.exe)

18:26:41 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49367, Process: avgnsx.exe)

18:26:41 Angela IP-BLOCK 194.11.16.137 (Type: outgoing, Port: 49369, Process: avgnsx.exe)

18:26:41 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49373, Process: avgnsx.exe)

18:26:41 Angela IP-BLOCK 194.11.16.135 (Type: outgoing, Port: 49378, Process: avgnsx.exe)

18:30:18 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49587, Process: svchost.exe)

18:30:18 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49588, Process: svchost.exe)

18:30:26 Angela IP-BLOCK 38.99.183.25 (Type: outgoing, Port: 49607, Process: avgnsx.exe)

18:35:08 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49691, Process: avgnsx.exe)

18:35:08 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49706, Process: avgnsx.exe)

18:35:08 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49708, Process: avgnsx.exe)

18:38:46 Angela IP-BLOCK 38.99.183.32 (Type: outgoing, Port: 50275, Process: avgnsx.exe)

18:38:54 Angela IP-BLOCK 38.99.183.25 (Type: outgoing, Port: 50295, Process: avgnsx.exe)

18:40:22 Angela IP-BLOCK 195.3.145.110 (Type: outgoing, Port: 50354, Process: svchost.exe)

18:40:22 Angela IP-BLOCK 195.3.145.110 (Type: outgoing, Port: 50355, Process: svchost.exe)

19:01:32 Angela MESSAGE Protection started successfully

19:01:37 Angela MESSAGE IP Protection started successfully
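The IP-BLOCK and "Protection started" lines in these logs are the signal a responder would pull out: a service host (svchost.exe) and AVG's own avgnsx.exe reaching hosts that Malwarebytes blocks, several destinations in the same second, while real-time protection keeps restarting. The Python below is an added example, not code from the thread or from Malwarebytes; it parses lines in the format posted above and flags those patterns, with the thresholds and the list of processes that should never be contacting blocked hosts being assumptions.

```python
"""Triage helper for Malwarebytes' Anti-Malware protection-log excerpts.

Added example, not part of the thread or of Malwarebytes' own tooling; the
thresholds and the process list below are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Line shapes seen in the posted log; the user name field ("Angela") varies.
IP_BLOCK_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) IP-BLOCK (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"\(Type: (?P<direction>\w+), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$")
MESSAGE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) (?P<level>MESSAGE|ERROR) (?P<text>.+)$")

# Assumed list: a service host or a security product's own component contacting
# Malwarebytes-blocked hosts points at injected code rather than user browsing.
SYSTEM_OR_AV_PROCESSES = {"svchost.exe", "avgnsx.exe"}

def parse_log(text):
    """Split a log excerpt into (blocks, messages); lines in neither shape are skipped."""
    blocks, messages = [], []
    for line in text.splitlines():
        m = IP_BLOCK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["time"] = datetime.strptime(d["time"], "%H:%M:%S")
            blocks.append(d)
            continue
        m = MESSAGE_RE.match(line.strip())
        if m:
            messages.append(m.groupdict())
    return blocks, messages

def summarise_blocks(blocks):
    """Per process: distinct blocked IPs, attempt count and the largest number of
    attempts inside any one-second window (dozens in a second is not a person clicking)."""
    per_proc = defaultdict(lambda: {"ips": set(), "attempts": 0, "max_burst": 0})
    times = defaultdict(list)
    for b in blocks:
        per_proc[b["process"]]["ips"].add(b["ip"])
        per_proc[b["process"]]["attempts"] += 1
        times[b["process"]].append(b["time"])
    for proc, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding one-second window
            while ts[end] - ts[start] > timedelta(seconds=1):
                start += 1
            per_proc[proc]["max_burst"] = max(per_proc[proc]["max_burst"], end - start + 1)
    return per_proc

def protection_restarts(messages):
    """Count 'Protection started' events; many per day matches a service being killed."""
    return sum(1 for m in messages if m["text"] == "Protection started successfully")

def triage(text, burst_threshold=10, distinct_threshold=3):
    """Restart count plus one finding per process, with the reasons it stands out."""
    blocks, messages = parse_log(text)
    findings = []
    for proc, s in sorted(summarise_blocks(blocks).items()):
        reasons = []
        if proc.lower() in SYSTEM_OR_AV_PROCESSES:
            reasons.append("system/AV process contacting blocked hosts")
        if s["max_burst"] >= burst_threshold:
            reasons.append(f"{s['max_burst']} attempts within one second")
        if len(s["ips"]) >= distinct_threshold:
            reasons.append(f"{len(s['ips'])} distinct blocked destinations")
        findings.append({"process": proc, "attempts": s["attempts"],
                         "distinct_ips": len(s["ips"]), "max_burst": s["max_burst"],
                         "reasons": reasons})
    return {"restarts": protection_restarts(messages), "findings": findings}

# Sample input: lines copied from the protection log posted above.
SAMPLE_LOG = """\
16:46:14 Angela MESSAGE Protection started successfully
16:46:20 Angela MESSAGE IP Protection started successfully
16:49:40 Angela IP-BLOCK 195.3.145.183 (Type: outgoing, Port: 49277, Process: avgnsx.exe)
17:15:53 Angela MESSAGE Protection started successfully
18:26:41 Angela IP-BLOCK 195.3.145.105 (Type: outgoing, Port: 49362, Process: avgnsx.exe)
18:26:41 Angela IP-BLOCK 195.3.145.182 (Type: outgoing, Port: 49367, Process: avgnsx.exe)
18:26:41 Angela IP-BLOCK 194.11.16.137 (Type: outgoing, Port: 49369, Process: avgnsx.exe)
18:30:18 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49587, Process: svchost.exe)
18:30:18 Angela IP-BLOCK 221.132.34.163 (Type: outgoing, Port: 49588, Process: svchost.exe)
19:01:32 Angela MESSAGE Protection started successfully
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f["process"], f["attempts"], f["distinct_ips"], f["max_burst"], f["reasons"])
```

Paste a full day's protection log into SAMPLE_LOG to see which process keeps tripping the IP block and how many times protection had to come back up.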

You have a nasty RootKit that has Backdoor capabilities.

Let's uninstall CF and get a fresh copy.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2<--Right Click and use Save As if using this link.

Double-click on the Iexplorer.com ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Let's uninstall CF and get a fresh copy.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Download Combofix from any of the links below but rename it to Iexplorer.com before saving it to your desktop.

* IMPORTANT !!! Save Iexplorer.com to your Desktop

Link 1

Link 2<--Right Click and use Save As if using this link.

Double-click on the Iexplorer.com ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Hello,

I am back online :) Computer is a little slow but working!

Here are the results of ComboFix:

ComboFix 11-10-02.03 - Angela 10/02/2011 21:24:56.20.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1597 [GMT -7:00]

Running from: c:\users\Angela\Desktop\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\google\common\google updater\googleupdaterservice.exe

c:\users\Angela\AppData\Roaming\completescan

c:\users\Angela\AppData\Roaming\install

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\bnupdate.log

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_4c641cf1

.

.

((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))

.

.

2011-10-03 03:56 . 2011-10-03 04:00 -------- d-----w- c:\windows\LastGood.Tmp

2011-10-03 03:55 . 2011-10-03 03:55 -------- d-----w- c:\program files\Novatel Wireless

2011-10-02 04:24 . 2011-10-02 04:33 -------- d-----w- c:\users\Angela\AppData\Local\Adobe

2011-09-29 06:12 . 2011-09-29 06:12 -------- d-----w- c:\programdata\Kaspersky Lab

2011-09-26 04:39 . 2011-09-26 04:41 -------- d-----w- c:\users\Flower

2011-09-26 03:41 . 2011-09-26 03:42 -------- d-----w- c:\users\UGGG

2011-09-23 06:45 . 2011-09-23 06:45 -------- d-----w- C:\TDSSKiller_Quarantine

2011-09-23 05:54 . 2011-09-23 05:54 -------- d-----w- c:\users\Angela\Mine

2011-09-22 06:21 . 2011-09-22 06:21 -------- d--h--w- c:\windows\PIF

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\users\Angela\AppData\Roaming\Malwarebytes

2011-09-21 02:25 . 2011-09-21 02:25 -------- d-----w- c:\programdata\Malwarebytes

2011-09-21 02:25 . 2011-09-30 06:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-09-21 02:25 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-20 04:00 . 2011-09-20 04:00 -------- d-----w- c:\users\Joshua\AppData\Local\Google

2011-09-20 03:47 . 2011-09-20 03:47 -------- d-----w- C:\ce5685f94ed7c81570e0a0b6a18b32

2011-09-10 05:53 . 2011-09-10 05:53 -------- d-----w- c:\windows\system32\EventProviders

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-12 23:14 . 2011-09-24 18:39 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{60E47929-6D09-4316-AF18-43CFD8697535}\mpengine.dll

2011-08-08 04:49 . 2011-08-08 03:42 139080 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-08-08 04:48 . 2011-08-08 04:48 270240 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-08-08 04:48 . 2011-08-08 03:42 270240 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-08-08 03:42 . 2011-08-08 03:42 138056 ----a-w- c:\users\Angela\AppData\Roaming\PnkBstrK.sys

2011-08-08 03:42 . 2011-08-08 03:42 189248 ----a-w- c:\windows\system32\PnkBstrB.ex0

2011-08-08 03:42 . 2011-08-08 03:42 75136 ----a-w- c:\windows\system32\PnkBstrA.exe

2011-08-07 05:52 . 2011-07-27 05:31 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 14:56 . 2011-08-10 15:07 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2011-03-18 15:11 2471240 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-03-18 2471240]

.

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-12-19 39408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-06-30 196608]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-06-25 442467]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-03-11 3563520]

"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-02-19 438403]

"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2008-01-14 132392]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]

"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-16 2048352]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]

"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-19 274608]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

.

c:\users\Flower\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

.

c:\users\Joshua\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]

.

c:\users\UGGG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-5-13 1058088]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]

2008-09-01 04:03 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"mixer"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickSet.lnk

backup=c:\windows\pss\QuickSet.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Angela^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\users\Angela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 08:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]

2009-05-21 18:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]

2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]

2008-02-29 04:18 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]

2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]

2007-10-03 20:44 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

2007-10-18 18:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]

2008-06-13 02:56 4758904 ----a-w- c:\program files\Dell Video Chat\DellVideoChat.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

2008-01-21 17:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2009-06-08 04:13 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

.

R0 qqygtjl;qqygtjl;c:\windows\System32\drivers\kuraot.sys [x]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-07-20 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-31 908056]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [2011-03-18 947528]

R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]

R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 136176]

R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2009-12-18 20480]

R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2009-12-18 174720]

R3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\DRIVERS\PTDMBus.sys [2007-08-18 29952]

R3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\DRIVERS\PTDMMdm.sys [2007-08-18 41856]

R3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\DRIVERS\PTDMVsp.sys [2007-08-18 39936]

R3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\DRIVERS\PTDMWWAN.sys [2007-08-18 59520]

R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-05-25 32408]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-31 335240]

S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe [2008-06-25 73728]

S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-31 297752]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]

S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2008-03-14 54784]

S3 k57nd60x;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-03-13 203264]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-01 22216]

S3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\DRIVERS\OA001Ufd.sys [2008-03-11 149208]

S3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\DRIVERS\OA001Vid.sys [2008-03-11 277624]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

LPDService REG_MULTI_SZ LPDSVC

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

srv228

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-19 22:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Save Flash - j:\flash saving plugin\FlashSButton.dll/210

IE: Save YouTube Video - j:\flash saving plugin\FlashSButton.dll/217

TCP: DhcpNameServer = 192.168.1.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB

.

- - - - ORPHANS REMOVED - - - -

.

URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)

.

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,4f,55,99,72,a6,c1,4a,87,e9,66,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\windows\system32\PnkBstrA.exe

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\AVG\AVG8\avgtray.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\ehome\ehmsas.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\HP\Digital Imaging\bin\hpqbam08.exe

c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE

.

**************************************************************************

.

Completion time: 2011-10-02 21:57:03 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-03 04:57

.

Pre-Run: 127,461,400,576 bytes free

Post-Run: 126,923,321,344 bytes free

.

- - End Of File - - B9456B4777232BE72FA28064F557751B

This topic is now closed to further replies.