
Having troubles with my computer. It used to be infected with Cloud Protection, but I believe I have removed that. Under further inspection I found the Windup virus, and it is messing stuff up on the computer. All help is greatly appreciated.

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_23

Run by Thompson at 15:01:44 on 2011-10-22

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.679 [GMT -7:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atbroker.exe

C:\Windows\system32\userinit.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\consent.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop

uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop

uURLSearchHooks: Games.com Toolbar Search Class: {e3dce200-ae96-4a64-9fe7-b5d2d8569768} - c:\program files\games.com toolbar\gamescomtb.dll

uURLSearchHooks: H - No File

mURLSearchHooks: Games.com Toolbar Search Class: {e3dce200-ae96-4a64-9fe7-b5d2d8569768} - c:\program files\games.com toolbar\gamescomtb.dll

mURLSearchHooks: H - No File

BHO: {01d841c5-96f0-40a1-b561-6d1a76b59b00} - c:\users\thompson\appdata\local\ServiceCodec.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: : {11bf46c6-b3de-48bd-bf70-3ad85cab80b5} - c:\progra~1\sitera~1\SiteRank.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: EpicPlay Games: {56e4076b-a42b-4745-ba35-34da8ac4c2f2} - c:\program files\epicplay\epicPlayGames.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll

BHO: AppGraffiti: {6f6a5334-78e9-4d9b-8182-8b41ea8c39ef} - c:\progra~1\appgra~1\APPGRA~1.DLL

BHO: Games.com Toolbar Loader: {b07040d6-4cb3-4af4-8a5c-038b7cd8a5d8} - c:\program files\games.com toolbar\gamescomtb.dll

BHO: : {ccb69577-088b-4004-9ed8-ff5bcc83a039} - c:\progra~1\rebate~1\RebateI.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Games.com Toolbar: {9da1bcf1-77f5-41c5-b7c3-c597dc20752c} - c:\program files\games.com toolbar\gamescomtb.dll

TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll

TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File

TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter

uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN

uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent

uRun: [e8f6bfd7f628b3419bec6766a22b7de9] c:\users\thompson\downlo~1\BABYSI~1.EXE /r

uRun: [GoogleManagerVerifier] rundll32.exe "c:\programdata\GoogleManagerVerifier.dll",DllRegisterServer

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [lpc] rundll32.exe "c:\users\thompson\appdata\roaming\remote\iyjg96.dll", RegisterDll

uRun: [0] \\.\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe

mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

mRun: [<NO NAME>]

mRun: [EmbarqVALite_McciTrayApp] "c:\program files\embarqvalite\EMBARQHelpHelper.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe

mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe

mRun: [lxbkbmgr.exe] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [startNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjkzNzAwNTg4LUZMMTArMS1ERFQrMjU3MTAtTFNEKzItVFVHKzMtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBVCszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQisx"&"prod=90"&"ver=10.0.1410

mRunOnce: [GrpConv] grpconv -o

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

dRun: [volmgr] c:\windows\system32\config\systemprofile\appdata\local\volmgr.exe

StartupFolder: c:\users\thompson\appdata\roaming\micros~1\windows\startm~1\programs\startup\0.lnk - \\globalroot\device\harddiskvolume1\users\thompson\appdata\local\temp\0.48432462896758exe

StartupFolder: c:\users\thompson\appdata\roaming\micros~1\windows\startm~1\programs\startup\winupd.lnk - c:\users\thompson\appdata\local\temp\winupd.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

dPolicies-system: DisableTaskMgr = 1 (0x1)

LSP: mswsock.dll

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

TCP: DhcpNameServer = 10.0.0.1

TCP: Interfaces\{770F8B09-192C-4596-A6A9-3CE060E2CFED} : DhcpNameServer = 10.0.0.1

Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\rebate~1\RebateI.dll

Notify: igfxcui - igfxdev.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\thompson\appdata\roaming\mozilla\firefox\profiles\b72e9ya5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-games-chromesbox-en-us&tb_uuid=20110903072650199&tb_oid=08-09-2011&tb_mrud=08-09-2011

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e4633e2&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - component: c:\users\thompson\appdata\roaming\mozilla\firefox\profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\MailUtil.dll

FF - component: c:\users\thompson\appdata\roaming\mozilla\firefox\profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\components\epicPlayGames.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\epicplay\npEpicHost.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\wildtangent games\app\browserintegration\registered\1\NP_wtapp.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Games.com Toolbar: {493b4069-8c4f-4b4a-8f8c-506200c9887a} - %profile%\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}

FF - Ext: EpicPlay Games : textlinks@epicplay.com - %profile%\extensions\textlinks@epicplay.com

FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

FF - Ext: XUL Cache: {1f0129a0-4627-4af0-8297-5d39d91c74f2} - %profile%\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}

FF - Ext: XUL Cache: {372376e1-270c-4e1b-b7e0-36021852dfaa} - %profile%\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\drivers\Teefer3.sys [2011-1-13 43936]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]

S2 Symantec AntiVirus;Symantec Endpoint Protection;"c:\program files\symantec\symantec endpoint protection\rtvscan.exe" --> c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [?]

S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-10-20 102448]

S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]

S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-2-21 1245064]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-22 22:01:05 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{21dbfdf1-3145-4ed9-9a47-362ef838946d}\offreg.dll

2011-10-22 21:49:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-22 02:59:34 35840 ----a-w- c:\windows\system32\drivers\netbios.sys

2011-10-21 00:17:15 -------- d-----w- c:\users\thompson\appdata\local\Symantec

2011-10-21 00:16:36 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-10-21 00:13:10 99744 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2011-10-20 23:56:06 357792 ----a-w- c:\windows\system32\Sysfer.dll

2011-10-20 23:55:07 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-10-20 23:42:46 -------- d-----w- c:\windows\pss

2011-10-19 03:34:45 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{21dbfdf1-3145-4ed9-9a47-362ef838946d}\mpengine.dll

2011-10-19 01:22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-19 00:52:25 48016 --sha-w- c:\windows\system32\c_60074.nl_

2011-10-18 23:40:13 -------- d-----w- c:\users\thompson\appdata\roaming\x4pmG5sQJdKfZhX

2011-10-18 23:40:13 -------- d-----w- c:\users\thompson\appdata\roaming\cCelIBrzPyAuSoF

2011-10-18 22:59:36 -------- d-----w- c:\users\thompson\appdata\roaming\v66ddWKK8f

2011-10-18 22:52:32 -------- d-----w- c:\users\thompson\appdata\roaming\ZgggRZZqhYXw

2011-10-18 22:52:25 -------- d-----w- c:\users\thompson\appdata\roaming\W6ssWWJ7fEL8

2011-10-18 22:30:29 -------- d-----w- c:\users\thompson\appdata\roaming\GD2onF4pm5Q7E

2011-10-18 22:30:27 -------- d-----w- c:\users\thompson\appdata\roaming\z9gTXqjYCk

2011-10-18 22:30:27 -------- d-----w- c:\users\thompson\appdata\roaming\EibF3pnG5Q6WR

2011-10-17 23:27:14 -------- d-----w- c:\users\thompson\appdata\roaming\CfEL9gTZqYwIrOt

2011-10-17 23:27:13 -------- d-----w- c:\users\thompson\appdata\roaming\QYCekIVrzNx0c2b

2011-10-17 23:21:10 -------- d-----w- c:\users\thompson\appdata\roaming\ynG5aQH6dW7R9Tq

2011-10-17 23:21:10 -------- d-----w- c:\users\thompson\appdata\roaming\hIBrzONyxA0v2b3

2011-10-17 23:17:08 -------- d-----w- c:\windows\PIF

2011-10-17 23:07:45 -------- d-----w- c:\users\thompson\appdata\roaming\v9lyDpJfXl

2011-10-17 23:07:44 -------- d-----w- c:\users\thompson\appdata\roaming\KaECtvH8k0

2011-10-17 22:23:42 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-10-17 18:57:50 -------- d-----w- c:\users\thompson\appdata\roaming\dccSS1iibD3n

2011-10-17 18:57:49 -------- d-----w- c:\users\thompson\appdata\roaming\BCCCwkkIVrlNtx0

2011-10-17 14:19:55 -------- d-----w- c:\users\thompson\appdata\roaming\Remote

2011-10-17 04:47:16 -------- d-----w- c:\users\thompson\appdata\roaming\Y444ammH5s

2011-10-17 04:47:08 -------- d-----w- c:\users\thompson\appdata\roaming\XjjUUeelIBrPN

2011-10-17 04:47:07 -------- d-----w- c:\users\thompson\appdata\roaming\O000yccA1iv2o

2011-10-17 04:47:07 -------- d-----w- c:\users\thompson\appdata\roaming\KYYXXwjjUVeIBzP

2011-10-17 04:41:57 -------- d-----w- c:\users\thompson\appdata\roaming\kxxxA0uuvSibFp

2011-10-17 04:41:57 -------- d-----w- c:\users\thompson\appdata\roaming\HuuvvS2ooF3pm5Q

2011-10-17 04:41:40 -------- d-----w- c:\users\thompson\appdata\roaming\u8TqYkVOx

2011-10-17 04:41:37 -------- d-----w- c:\users\thompson\appdata\roaming\gYYXXwjjUVlIBzP

2011-10-17 04:41:36 -------- d-----w- c:\users\thompson\appdata\roaming\kUUUVeelOBtz0yA

2011-10-14 06:58:13 -------- d-----w- c:\program files\PlayLinc

2011-10-14 06:07:00 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2011-10-14 06:07:00 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2011-10-13 09:24:25 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll

2011-10-13 09:23:27 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-10-13 02:44:22 267776 ----a-w- c:\users\thompson\appdata\local\ShellCodec.dll

2011-10-12 23:10:50 -------- d-----w- c:\programdata\SugarGames

2011-10-12 00:54:16 -------- d-----w- c:\users\thompson\appdata\roaming\playmink

2011-10-11 06:14:42 101888 ----a-w- c:\programdata\GoogleManagerVerifier.dll

2011-10-11 02:27:00 -------- d-----w- c:\program files\Hobby Farm

2011-10-11 02:12:59 -------- d-----w- c:\programdata\Big Fish Games

2011-10-11 02:12:54 -------- d-----w- c:\program files\bfgclient

2011-10-11 02:10:30 -------- d-----w- C:\BigFishGamesCache

2011-10-11 00:46:26 -------- d-----w- c:\program files\TidyView

2011-10-11 00:45:25 -------- d-----w- c:\program files\EpicPlay

2011-10-11 00:45:08 -------- d-----w- c:\program files\StartNow Toolbar

2011-10-09 03:32:54 -------- d-----w- c:\users\thompson\appdata\roaming\GamesCafe

2011-10-08 18:07:46 -------- d-----w- c:\users\thompson\appdata\roaming\PeaceCraft3

2011-10-06 03:50:46 -------- d-----w- c:\users\thompson\appdata\roaming\aliasworlds

2011-10-03 16:02:40 86016 ----a-w- c:\windows\unvise32.exe

2011-10-03 16:02:03 -------- d-----w- C:\Adams Divorce CD

2011-10-01 19:32:13 -------- d-----w- c:\program files\WildGames

2011-10-01 19:17:13 -------- d-----w- c:\program files\WildTangent Games

2011-09-28 18:46:40 -------- d-----w- c:\users\thompson\appdata\roaming\Blackberry Desktop

2011-09-24 06:44:25 -------- d-----w- c:\program files\HotDish

2011-09-24 04:37:29 -------- d-----w- c:\users\thompson\appdata\roaming\BlamGames

2011-09-24 04:35:47 -------- d-----w- c:\program files\Blam Games

.

==================== Find3M ====================

.

2011-10-22 21:43:34 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-10-22 21:41:00 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2011-10-22 03:11:33 43936 ----a-w- c:\windows\system32\drivers\Teefer3.sys

2011-10-21 00:56:23 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-10-20 23:30:34 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-10-19 00:51:56 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-10-16 21:06:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 15:03:30.26 ===============

attach.txt

mbam-log-2011-10-22 (14-59-52).txt

dds.txt

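The "Pseudo HJT Report" section of the DDS log above is what a helper reads by eye: autostart entries that point into AppData or Temp, a `\\.\globalroot` device path, rundll32 loading a bare DLL, orphaned "No File" BHOs, and a Task Manager lockout policy. The following Python script is an added example, not part of this thread and not code from the DDS or ComboFix tools; it applies those same reading rules to lines in the DDS format. The ten sample lines are copied from the log posted above (the sidebar and ccApp entries are legitimate and included for contrast); the heuristics, their wording, and the `KNOWN_EXT` list are the editor's own assumptions, not a published rule set.

```python
import re

# Constructed sample: autostart lines in the DDS "Pseudo HJT Report" format, copied
# from the log posted in this thread. sidebar and ccApp are benign, for contrast.
SAMPLE_LINES = [
    r'uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun',
    r'uRun: [GoogleManagerVerifier] rundll32.exe "c:\programdata\GoogleManagerVerifier.dll",DllRegisterServer',
    r'uRun: [lpc] rundll32.exe "c:\users\thompson\appdata\roaming\remote\iyjg96.dll", RegisterDll',
    r'uRun: [0] \\.\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe',
    r'mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"',
    r'dRun: [volmgr] c:\windows\system32\config\systemprofile\appdata\local\volmgr.exe',
    r'StartupFolder: c:\users\thompson\appdata\roaming\micros~1\windows\startm~1\programs\startup\winupd.lnk - c:\users\thompson\appdata\local\temp\winupd.exe',
    r'BHO: {01d841c5-96f0-40a1-b561-6d1a76b59b00} - c:\users\thompson\appdata\local\ServiceCodec.dll',
    r'BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File',
    'dPolicies-system: DisableTaskMgr = 1 (0x1)',
]

# Assumption: directories a standard user (or a dropper running as that user) can write
# to. Legitimate autostarts overwhelmingly point into Program Files or System32 instead.
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\')
# Assumption: extensions we expect on an autostart target; anything else is worth a look.
KNOWN_EXT = {'.exe', '.dll', '.lnk', '.sys', '.cpl', '.ocx'}


def extract_target(line):
    """Return the file path a DDS entry points at, or '' when the line has none.

    DDS quotes paths that contain spaces, prints BHO/TB/StartupFolder targets after
    ' - ', and prints Run/RunOnce commands after the bracketed value name.
    """
    quoted = re.findall(r'"([^"]+)"', line)
    if quoted:
        return quoted[0]
    if ' - ' in line:
        return line.rsplit(' - ', 1)[1]
    m = re.match(r'\w+: \[[^\]]*\] (.+)', line)
    if m:
        return re.sub(r'\s+/\S+$', '', m.group(1))  # drop a trailing /switch
    return ''


def flag_entry(line):
    """Apply the eyeball rules a log reader uses; return the reasons (empty = benign)."""
    reasons = []
    low = line.lower()
    target = extract_target(line).lower()

    if low.endswith('no file'):
        reasons.append('orphaned entry: the registered module is no longer on disk')
    if 'globalroot' in low:
        reasons.append('device path (\\\\.\\globalroot) used to obscure where the file really lives')
    if target and any(tok in target for tok in USER_WRITABLE) and '\\program files\\' not in target:
        reasons.append('autostart target sits in a profile, AppData, Temp or ProgramData directory')
    if 'rundll32' in low and target.endswith('.dll'):
        reasons.append('rundll32 used to run a bare DLL as an autostart payload')
    if target.startswith('\\\\') or target[1:3] == ':\\':
        name = target.rsplit('\\', 1)[-1]
        ext = name[name.rfind('.'):] if '.' in name else ''
        if ext not in KNOWN_EXT:
            reasons.append(f'unusual extension {ext!r} on an autostart target')
    if re.search(r'disabletaskmgr\s*=\s*1\b', low):
        reasons.append('Task Manager disabled by policy, a tamper setting rogue-AV families set')
    return reasons


def triage(lines):
    """Return [(line, reasons)] for every line at least one heuristic fires on."""
    flagged = []
    for ln in lines:
        reasons = flag_entry(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged


if __name__ == '__main__':
    for ln, reasons in triage(SAMPLE_LINES):
        print(ln)
        for r in reasons:
            print('   ->', r)
```

Run against the sample, eight of the ten lines are flagged and the two Program Files entries pass. The rules are deliberately coarse: they rank lines for a human to look at, they do not decide maliciousness, and a real pass over a full log should also whitelist known vendor paths so the reader is not buried in hits.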

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking, then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RC1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Sometime during OS start-up the keyboard disables. It still has power and works prior to the OS loading. Before ComboFix, upon Explorer startup a winupd####.exe would ask for permission to run. As of now the internet is not available, due to the DHCP process not running and not being able to start up, I believe. The start menu is empty except for My Computer.

ComboFix 11-10-29.03 - Thompson 10/29/2011 10:38:30.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.319 [GMT -7:00]

Running from: c:\users\Thompson\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\install.exe

c:\program files\EpicPlay\epICplaygames.dll

c:\program files\StartNow Toolbar

c:\program files\StartNow Toolbar\Resources\images\engine_images.png

c:\program files\StartNow Toolbar\Resources\images\engine_maps.png

c:\program files\StartNow Toolbar\Resources\images\engine_news.png

c:\program files\StartNow Toolbar\Resources\images\engine_videos.png

c:\program files\StartNow Toolbar\Resources\images\engine_web.png

c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png

c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png

c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png

c:\program files\StartNow Toolbar\Resources\images\icon_games.png

c:\program files\StartNow Toolbar\Resources\images\icon_msn.png

c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png

c:\program files\StartNow Toolbar\Resources\images\icon_travel.png

c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png

c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png

c:\program files\StartNow Toolbar\Resources\installer.xml

c:\program files\StartNow Toolbar\Resources\protect\index.html

c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css

c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png

c:\program files\StartNow Toolbar\Resources\protect\window.css

c:\program files\StartNow Toolbar\Resources\protect\window.js

c:\program files\StartNow Toolbar\Resources\reactivate\index.html

c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png

c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.css

c:\program files\StartNow Toolbar\Resources\reactivate\window.js

c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png

c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png

c:\program files\StartNow Toolbar\Resources\skin\separator.png

c:\program files\StartNow Toolbar\Resources\skin\splitter.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png

c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png

c:\program files\StartNow Toolbar\Resources\toolbar.xml

c:\program files\StartNow Toolbar\Resources\update.xml

c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe

c:\program files\StartNow Toolbar\ToOLbar32.dll

c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe

c:\program files\StartNow Toolbar\uninstall.dat

c:\programdata\GoogleManagerVerifier.dll

c:\users\Thompson\AppData\Local\ShellCodec.dll

c:\users\Thompson\AppData\Local\Temp\0.48432462896758exe

c:\users\Thompson\AppData\Roaming\Adobe\plugs

c:\users\Thompson\AppData\Roaming\Adobe\shed

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\System Restore.lnk

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Restore\Uninstall System Restore.lnk

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}\chrome.manifest

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}\chrome\xulcache.jar

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}\defaults\preferences\xulcache.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{1f0129a0-4627-4af0-8297-5d39d91c74f2}\install.rdf

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}\chrome.manifest

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}\chrome\xulcache.jar

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}\defaults\preferences\xulcache.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{372376e1-270c-4e1b-b7e0-36021852dfaa}\install.rdf

c:\users\Thompson\AppData\Roaming\Remote

c:\users\Thompson\AppData\Roaming\Remote\iyjg96.dll

c:\users\Thompson\AppData\Roaming\Remote\iyjg96_shrd

c:\users\Thompson\AppData\Roaming\Remote\mnj.dat

c:\users\Thompson\AppData\Roaming\Remote\mxd1.txt

c:\users\Thompson\AppData\Roaming\Remote\oplk.dat

c:\users\Thompson\AppData\Roaming\Remote\ppkk.dat

c:\users\Thompson\AppData\Roaming\Remote\uuoo.dat

c:\users\Thompson\AppData\Roaming\Remote\whrwos

c:\users\Thompson\AppData\Roaming\Remote\xnhrr.dat

c:\windows\$NtUninstallKB39424$\2668165878

c:\windows\system32\c_60074.nls

c:\windows\System32\config\systemprofile\AppData\Local\b990dc6f\U

c:\windows\System32\config\systemprofile\AppData\Local\b990dc6f\U\800000cb.@

c:\windows\system32\config\systemprofile\AppData\Roaming\Adobe\plugs

c:\windows\system32\config\systemprofile\AppData\Roaming\Adobe\shed

c:\windows\$NtUninstallKB39424$ . . . . Failed to delete

c:\windows\system32\ . . . . Failed to delete

c:\windows\system32\drivers\ . . . . Failed to delete

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

c:\windows\system32\drivers\cdrom.sys was missing

Restored copy from - c:\windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_cdrom.inf_31bf3856ad364e35_6.0.6002.18005_none_6194d4eea0e93596\cdrom.sys

.

Infected copy of c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe was found and disinfected

Restored copy from - c:\program files\Common Files\Adobe\ARM\1.0\

.

Infected copy of c:\program files\Common Files\Symantec Shared\ccSvcHst.exe was found and disinfected

Restored copy from - c:\program files\Common Files\Symantec Shared\

.

Infected copy of c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe was found and disinfected

Restored copy from - c:\program files\Hewlett-Packard\HP Health Check\

.

Infected copy of c:\program files\Common Files\LightScribe\LSSrvc.exe was found and disinfected

Restored copy from - c:\program files\Common Files\LightScribe\

.

c:\windows\system32\lxbkcoms.exe . . . is infected!!

c:\windows\system32\lxbkcoms.exe . . . was deleted!! You should re-install the program it pertains to

.

Infected copy of c:\program files\Common Files\Motive\McciCMService.exe was found and disinfected

Restored copy from - c:\program files\Common Files\Motive\

.

Infected copy of c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe was found and disinfected

Restored copy from - c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\

.

Infected copy of c:\windows\system32\DRIVERS\xaudio.exe was found and disinfected

Restored copy from - c:\windows\System32\DriverStore\FileRepository\trx200cz.inf_d6d56f45\XAudio.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_.i8042prt

-------\Service_.netbios

-------\Service_.netbt

-------\Service_Updater Service for StartNow Toolbar

-------\Service_Updater Service for StartNow Toolbar

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))

.

.

2011-10-29 17:52 . 2011-10-29 17:52 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-10-29 17:52 . 2011-10-29 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-29 17:50 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-29 17:27 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-22 21:49 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-22 02:59 . 2011-10-22 21:37 35840 ----a-w- c:\windows\system32\drivers\netbios.sys

2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\users\Thompson\AppData\Local\Symantec

2011-10-21 00:16 . 2011-10-21 00:15 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-10-21 00:13 . 2011-04-28 06:11 99744 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2011-10-20 23:55 . 2011-10-21 00:12 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-10-19 01:22 . 2011-10-22 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-19 00:52 . 2011-10-22 22:01 48016 --sha-w- c:\windows\system32\c_60074.nl_

2011-10-18 23:40 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\cCelIBrzPyAuSoF

2011-10-18 23:40 . 2011-10-18 23:40 -------- d-----w- c:\users\Thompson\AppData\Roaming\x4pmG5sQJdKfZhX

2011-10-18 22:59 . 2011-10-18 22:59 -------- d-----w- c:\users\Thompson\AppData\Roaming\v66ddWKK8f

2011-10-18 22:52 . 2011-10-18 22:52 -------- d-----w- c:\users\Thompson\AppData\Roaming\ZgggRZZqhYXw

2011-10-18 22:52 . 2011-10-18 22:52 -------- d-----w- c:\users\Thompson\AppData\Roaming\W6ssWWJ7fEL8

2011-10-18 22:30 . 2011-10-18 22:30 -------- d-----w- c:\users\Thompson\AppData\Roaming\GD2onF4pm5Q7E

2011-10-18 22:30 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\z9gTXqjYCk

2011-10-18 22:30 . 2011-10-18 22:30 -------- d-----w- c:\users\Thompson\AppData\Roaming\EibF3pnG5Q6WR

2011-10-17 23:27 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\CfEL9gTZqYwIrOt

2011-10-17 23:27 . 2011-10-17 23:27 -------- d-----w- c:\users\Thompson\AppData\Roaming\QYCekIVrzNx0c2b

2011-10-17 23:21 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\ynG5aQH6dW7R9Tq

2011-10-17 23:21 . 2011-10-17 23:21 -------- d-----w- c:\users\Thompson\AppData\Roaming\hIBrzONyxA0v2b3

2011-10-17 23:17 . 2011-10-17 23:17 -------- d-----w- c:\windows\PIF

2011-10-17 23:07 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\v9lyDpJfXl

2011-10-17 23:07 . 2011-10-17 23:07 -------- d-----w- c:\users\Thompson\AppData\Roaming\KaECtvH8k0

2011-10-17 22:44 . 2011-10-17 22:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar

2011-10-17 22:23 . 2011-10-17 22:23 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-10-17 22:15 . 2011-10-29 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\AppData\Local\b990dc6f

2011-10-17 21:18 . 2011-10-17 21:18 -------- d-----w- c:\windows\Sun

2011-10-17 18:57 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\dccSS1iibD3n

2011-10-17 18:57 . 2011-10-17 18:57 -------- d-----w- c:\users\Thompson\AppData\Roaming\BCCCwkkIVrlNtx0

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\Y444ammH5s

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\XjjUUeelIBrPN

2011-10-17 04:47 . 2011-10-19 02:08 -------- d-----w- c:\users\Thompson\AppData\Roaming\KYYXXwjjUVeIBzP

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\O000yccA1iv2o

2011-10-17 04:41 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\kxxxA0uuvSibFp

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\HuuvvS2ooF3pm5Q

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\u8TqYkVOx

2011-10-17 04:41 . 2011-10-19 02:08 -------- d-----w- c:\users\Thompson\AppData\Roaming\gYYXXwjjUVlIBzP

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\kUUUVeelOBtz0yA

2011-10-14 07:18 . 2011-10-14 07:18 -------- d-----w- c:\users\Thompson\AppData\Roaming\acccore

2011-10-14 06:58 . 2011-10-14 06:58 -------- d-----w- c:\program files\PlayLinc

2011-10-14 06:07 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2011-10-14 06:07 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2011-10-14 05:46 . 2011-10-14 05:46 -------- d-----w- c:\program files\Ubisoft

2011-10-13 09:23 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-10-12 23:10 . 2011-10-12 23:10 -------- d-----w- c:\programdata\SugarGames

2011-10-12 00:54 . 2011-10-12 00:54 -------- d-----w- c:\users\Thompson\AppData\Roaming\playmink

2011-10-11 02:27 . 2011-10-11 02:27 -------- d-----w- c:\program files\Hobby Farm

2011-10-11 02:12 . 2011-10-11 02:12 -------- d-----w- c:\programdata\Big Fish Games

2011-10-11 02:12 . 2011-10-11 02:13 -------- d-----w- c:\program files\bfgclient

2011-10-11 02:10 . 2011-10-12 00:53 -------- d-----w- C:\BigFishGamesCache

2011-10-11 00:46 . 2011-10-11 00:46 -------- d-----w- c:\program files\TidyView

2011-10-11 00:45 . 2011-10-29 17:48 -------- d-----w- c:\program files\EpicPlay

2011-10-09 03:32 . 2011-10-09 03:32 -------- d-----w- c:\users\Thompson\AppData\Roaming\GamesCafe

2011-10-08 18:07 . 2011-10-10 07:01 -------- d-----w- c:\users\Thompson\AppData\Roaming\PeaceCraft3

2011-10-06 03:50 . 2011-10-06 03:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\aliasworlds

2011-10-03 16:02 . 1999-12-17 17:13 86016 ----a-w- c:\windows\unvise32.exe

2011-10-03 16:02 . 2011-10-03 17:12 -------- d-----w- C:\Adams Divorce CD

2011-10-01 19:32 . 2011-10-16 21:08 -------- d-----w- c:\program files\WildGames

2011-10-01 19:17 . 2011-10-01 19:18 -------- d-----w- c:\program files\WildTangent Games

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 17:55 . 2011-10-29 17:55 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\offreg.dll

2011-10-29 17:52 . 2008-02-21 15:30 386560 ----a-w- c:\windows\system32\drivers\xaudio.exe

2011-10-22 21:43 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-10-22 21:41 . 2008-01-21 02:23 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2011-10-22 03:11 . 2011-01-13 17:34 43936 ----a-w- c:\windows\system32\drivers\Teefer3.sys

2011-10-21 00:56 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-10-20 23:30 . 2011-06-24 04:12 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-10-19 00:51 . 2008-01-21 02:23 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-10-16 21:06 . 2011-07-05 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-21 16:00 . 2011-10-19 03:34 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\mpengine.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]

2011-07-14 06:53 351448 ----a-w- c:\progra~1\SITERA~1\SiteRank.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]

2011-09-12 15:46 832680 ----a-w- c:\progra~1\REBATE~1\RebateI.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]

"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-01 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-01 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-01 133656]

"EmbarqVALite_McciTrayApp"="c:\program files\EmbarqVALite\EMBARQHelpHelper.exe" [2010-01-04 1575760]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]

"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-31 115624]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjkzNzAwNTg4LUZMMTArMS1ERFQrMjU3MTAtTFNEKzItVFVHKzMtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBVCszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQisx&prod=90&ver=10.0.1410" [?]

.

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

0.lnk - \\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [N/A]

winupd.lnk - c:\users\Thompson\AppData\Local\Temp\winupd.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0]

\\.\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44e248a1fc1683b1d48f21e78627accc]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R0 72903297;72903297;c:\windows\system32\drivers\08537302.sys [x]

R0 81184693;81184693;c:\windows\system32\drivers\42451995.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [x]

R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [2011-10-22 43936]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-10-29 64952]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-04-18 102448]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop

TCP: DhcpNameServer = 10.0.0.1

Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab

FF - ProfilePath - c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-games-chromesbox-en-us&tb_uuid=20110903072650199&tb_oid=08-09-2011&tb_mrud=08-09-2011

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e4633e2&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Games.com Toolbar: {493b4069-8c4f-4b4a-8f8c-506200c9887a} - %profile%\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}

FF - Ext: EpicPlay Games : textlinks@epicplay.com - %profile%\extensions\textlinks@epicplay.com

FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{01D841C5-96F0-40A1-B561-6D1A76B59B00} - c:\users\Thompson\AppData\Local\ServiceCodec.dll

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe

HKCU-Run-e8f6bfd7f628b3419bec6766a22b7de9 - c:\users\Thompson\DOWNLO~1\BABYSI~1.EXE

HKCU-Run-GoogleManagerVerifier - c:\programdata\GoogleManagerVerifier.dll

HKCU-Run-lpc - c:\users\Thompson\AppData\Roaming\Remote\iyjg96.dll

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

HKLM-Run-StartNowToolbarHelper - c:\program files\StartNow Toolbar\ToolbarHelper.exe

SafeBoot-01322702.sys

SafeBoot-07301479.sys

SafeBoot-19991621.sys

SafeBoot-31480278.sys

SafeBoot-50004600.sys

SafeBoot-61567108.sys

SafeBoot-66038607.sys

SafeBoot-66172602.sys

SafeBoot-69248446.sys

SafeBoot-72903297.sys

SafeBoot-81184693.sys

SafeBoot-84991748.sys

SafeBoot-88454579.sys

SafeBoot-93194489.sys

SafeBoot-93593597.sys

SafeBoot-94928846.sys

SafeBoot-Symantec Antvirus

MSConfigStartUp-6ecd2d42caef4718bfa6692aeccb779d - c:\users\Thompson\DOWNLO~1\DELICI~1.EXE

MSConfigStartUp-isCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe

MSConfigStartUp-lpc - c:\users\Thompson\AppData\Roaming\Remote\iyjg96.dll

MSConfigStartUp-winupd - c:\users\Thompson\AppData\Local\Temp\winupd.exe

AddRemove-StartNow Toolbar - c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-29 10:59

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Teefer3]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DfsC]

"ImagePath"="system32\drivers\tsk9675.tmp"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdx]

"ImagePath"="system32\drivers\tsk8A8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\windows\system32\WUDFHost.exe

c:\windows\System32\osk.exe

c:\windows\RtHDVCpl.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\System32\rundll32.exe

c:\windows\System32\rundll32.exe

c:\program files\Lexmark X1100 Series\lxbkbmon.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

.

**************************************************************************

.

Completion time: 2011-10-29 11:07:15 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-29 18:07

.

Pre-Run: 262,735,986,688 bytes free

Post-Run: 264,952,713,216 bytes free

.

- - End Of File - - 86D26050F445EADB47297E85E7FDB8F4


ComboFix 11-10-29.03 - Thompson 10/29/2011 15:47:56.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.349 [GMT -7:00]

Running from: c:\users\Thompson\Desktop\ComboFix.exe

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\ . . . . Failed to delete

c:\windows\system32\drivers\ . . . . Failed to delete

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))

.

.

2011-10-29 22:59 . 2011-10-29 22:59 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\offreg.dll

2011-10-29 22:57 . 2011-10-29 22:57 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-10-29 22:57 . 2011-10-29 22:57 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-10-29 22:57 . 2011-10-29 22:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-29 17:50 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-29 17:27 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-22 21:49 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-22 02:59 . 2011-10-22 21:37 35840 ----a-w- c:\windows\system32\drivers\netbios.sys

2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\users\Thompson\AppData\Local\Symantec

2011-10-21 00:16 . 2011-10-21 00:15 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-10-21 00:13 . 2011-04-28 06:11 99744 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2011-10-20 23:55 . 2011-10-21 00:12 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-10-19 03:34 . 2011-09-21 16:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\mpengine.dll

2011-10-19 01:22 . 2011-10-22 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-19 00:52 . 2011-10-22 22:01 48016 --sha-w- c:\windows\system32\c_60074.nl_

2011-10-18 23:40 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\cCelIBrzPyAuSoF

2011-10-18 23:40 . 2011-10-18 23:40 -------- d-----w- c:\users\Thompson\AppData\Roaming\x4pmG5sQJdKfZhX

2011-10-18 22:59 . 2011-10-18 22:59 -------- d-----w- c:\users\Thompson\AppData\Roaming\v66ddWKK8f

2011-10-18 22:52 . 2011-10-18 22:52 -------- d-----w- c:\users\Thompson\AppData\Roaming\ZgggRZZqhYXw

2011-10-18 22:52 . 2011-10-18 22:52 -------- d-----w- c:\users\Thompson\AppData\Roaming\W6ssWWJ7fEL8

2011-10-18 22:30 . 2011-10-18 22:30 -------- d-----w- c:\users\Thompson\AppData\Roaming\GD2onF4pm5Q7E

2011-10-18 22:30 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\z9gTXqjYCk

2011-10-18 22:30 . 2011-10-18 22:30 -------- d-----w- c:\users\Thompson\AppData\Roaming\EibF3pnG5Q6WR

2011-10-17 23:27 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\CfEL9gTZqYwIrOt

2011-10-17 23:27 . 2011-10-17 23:27 -------- d-----w- c:\users\Thompson\AppData\Roaming\QYCekIVrzNx0c2b

2011-10-17 23:21 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\ynG5aQH6dW7R9Tq

2011-10-17 23:21 . 2011-10-17 23:21 -------- d-----w- c:\users\Thompson\AppData\Roaming\hIBrzONyxA0v2b3

2011-10-17 23:17 . 2011-10-17 23:17 -------- d-----w- c:\windows\PIF

2011-10-17 23:07 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\v9lyDpJfXl

2011-10-17 23:07 . 2011-10-17 23:07 -------- d-----w- c:\users\Thompson\AppData\Roaming\KaECtvH8k0

2011-10-17 22:44 . 2011-10-17 22:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar

2011-10-17 22:23 . 2011-10-17 22:23 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-10-17 22:15 . 2011-10-29 17:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\AppData\Local\b990dc6f

2011-10-17 21:18 . 2011-10-17 21:18 -------- d-----w- c:\windows\Sun

2011-10-17 18:57 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\dccSS1iibD3n

2011-10-17 18:57 . 2011-10-17 18:57 -------- d-----w- c:\users\Thompson\AppData\Roaming\BCCCwkkIVrlNtx0

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\Y444ammH5s

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\XjjUUeelIBrPN

2011-10-17 04:47 . 2011-10-19 02:08 -------- d-----w- c:\users\Thompson\AppData\Roaming\KYYXXwjjUVeIBzP

2011-10-17 04:47 . 2011-10-17 04:47 -------- d-----w- c:\users\Thompson\AppData\Roaming\O000yccA1iv2o

2011-10-17 04:41 . 2011-10-18 23:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\kxxxA0uuvSibFp

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\HuuvvS2ooF3pm5Q

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\u8TqYkVOx

2011-10-17 04:41 . 2011-10-19 02:08 -------- d-----w- c:\users\Thompson\AppData\Roaming\gYYXXwjjUVlIBzP

2011-10-17 04:41 . 2011-10-17 04:41 -------- d-----w- c:\users\Thompson\AppData\Roaming\kUUUVeelOBtz0yA

2011-10-14 07:18 . 2011-10-14 07:18 -------- d-----w- c:\users\Thompson\AppData\Roaming\acccore

2011-10-14 06:58 . 2011-10-14 06:58 -------- d-----w- c:\program files\PlayLinc

2011-10-14 06:07 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2011-10-14 06:07 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2011-10-14 05:46 . 2011-10-14 05:46 -------- d-----w- c:\program files\Ubisoft

2011-10-12 23:10 . 2011-10-12 23:10 -------- d-----w- c:\programdata\SugarGames

2011-10-12 00:54 . 2011-10-12 00:54 -------- d-----w- c:\users\Thompson\AppData\Roaming\playmink

2011-10-11 02:27 . 2011-10-11 02:27 -------- d-----w- c:\program files\Hobby Farm

2011-10-11 02:12 . 2011-10-11 02:12 -------- d-----w- c:\programdata\Big Fish Games

2011-10-11 02:12 . 2011-10-11 02:13 -------- d-----w- c:\program files\bfgclient

2011-10-11 02:10 . 2011-10-12 00:53 -------- d-----w- C:\BigFishGamesCache

2011-10-11 00:46 . 2011-10-11 00:46 -------- d-----w- c:\program files\TidyView

2011-10-11 00:45 . 2011-10-29 17:48 -------- d-----w- c:\program files\EpicPlay

2011-10-09 03:32 . 2011-10-09 03:32 -------- d-----w- c:\users\Thompson\AppData\Roaming\GamesCafe

2011-10-08 18:07 . 2011-10-10 07:01 -------- d-----w- c:\users\Thompson\AppData\Roaming\PeaceCraft3

2011-10-06 03:50 . 2011-10-06 03:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\aliasworlds

2011-10-03 16:02 . 1999-12-17 17:13 86016 ----a-w- c:\windows\unvise32.exe

2011-10-03 16:02 . 2011-10-03 17:12 -------- d-----w- C:\Adams Divorce CD

2011-10-01 19:32 . 2011-10-16 21:08 -------- d-----w- c:\program files\WildGames

2011-10-01 19:17 . 2011-10-01 19:18 -------- d-----w- c:\program files\WildTangent Games

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 17:52 . 2008-02-21 15:30 386560 ----a-w- c:\windows\system32\drivers\xaudio.exe

2011-10-22 21:43 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-10-22 21:41 . 2008-01-21 02:23 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2011-10-22 03:11 . 2011-01-13 17:34 43936 ----a-w- c:\windows\system32\drivers\Teefer3.sys

2011-10-21 00:56 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-10-20 23:30 . 2011-06-24 04:12 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-10-19 00:51 . 2008-01-21 02:23 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-10-16 21:06 . 2011-07-05 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]

2011-07-14 06:53 351448 ----a-w- c:\progra~1\SITERA~1\SiteRank.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]

2011-09-12 15:46 832680 ----a-w- c:\progra~1\REBATE~1\RebateI.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]

"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-01 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-01 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-01 133656]

"EmbarqVALite_McciTrayApp"="c:\program files\EmbarqVALite\EMBARQHelpHelper.exe" [2010-01-04 1575760]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]

"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-31 115624]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjkzNzAwNTg4LUZMMTArMS1ERFQrMjU3MTAtTFNEKzItVFVHKzMtRk9JKzExLUREMTBGKzEtU1QxMEZBUFArMS1GMTBNMTJBVCszLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQisx&prod=90&ver=10.0.1410" [?]

.

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

0.lnk - \\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [N/A]

winupd.lnk - c:\users\Thompson\AppData\Local\Temp\winupd.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0]

\\.\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44e248a1fc1683b1d48f21e78627accc]

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R0 72903297;72903297;c:\windows\system32\drivers\08537302.sys [x]

R0 81184693;81184693;c:\windows\system32\drivers\42451995.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [x]

R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [2011-10-22 43936]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-10-29 64952]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-04-18 102448]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop

TCP: DhcpNameServer = 10.0.0.1

Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab

DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab

FF - ProfilePath - c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-games-chromesbox-en-us&tb_uuid=20110903072650199&tb_oid=08-09-2011&tb_mrud=08-09-2011

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e4633e2&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Games.com Toolbar: {493b4069-8c4f-4b4a-8f8c-506200c9887a} - %profile%\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}

FF - Ext: EpicPlay Games : textlinks@epicplay.com - %profile%\extensions\textlinks@epicplay.com

FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-29 16:02

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Teefer3]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DfsC]

"ImagePath"="system32\drivers\tsk9675.tmp"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdx]

"ImagePath"="system32\drivers\tsk8A8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\DRIVERS\xaudio.exe

c:\windows\RtHDVCpl.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Lexmark X1100 Series\lxbkbmon.exe

c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\windows\system32\WUDFHost.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2011-10-29 16:10:13 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-29 23:10

ComboFix2.txt 2011-10-29 18:07

.

Pre-Run: 264,547,205,120 bytes free

Post-Run: 264,413,089,792 bytes free

.

- - End Of File - - D3FF7B3289B2B540A0D1B262700C00ED


Copy/paste the text in the Codebox below into Notepad:

Here's how to do that:

Click Start > Run, type Notepad, and click OK.

This will open an empty Notepad file:

Take your mouse and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right-click the mouse for options and select 'Copy'. Now, over the empty Notepad box, right-click your mouse again and select 'Paste', and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\c_60074.nl_
c:\users\Thompson\AppData\Local\Temp\winupd.exe
c:\windows\system32\drivers\08537302.sys
c:\windows\system32\drivers\42451995.sys
c:\windows\system32\drivers\tsk9675.tmp
c:\windows\system32\drivers\tsk8A8.tmp

Folder::
c:\users\Thompson\AppData\Roaming\cCelIBrzPyAuSoF
c:\users\Thompson\AppData\Roaming\x4pmG5sQJdKfZhX
c:\users\Thompson\AppData\Roaming\v66ddWKK8f
c:\users\Thompson\AppData\Roaming\ZgggRZZqhYXw
c:\users\Thompson\AppData\Roaming\W6ssWWJ7fEL8
c:\users\Thompson\AppData\Roaming\GD2onF4pm5Q7E
c:\users\Thompson\AppData\Roaming\z9gTXqjYCk
c:\users\Thompson\AppData\Roaming\EibF3pnG5Q6WR
c:\users\Thompson\AppData\Roaming\CfEL9gTZqYwIrOt
c:\users\Thompson\AppData\Roaming\QYCekIVrzNx0c2b
c:\users\Thompson\AppData\Roaming\ynG5aQH6dW7R9Tq
c:\users\Thompson\AppData\Roaming\hIBrzONyxA0v2b3
c:\users\Thompson\AppData\Roaming\v9lyDpJfXl
c:\users\Thompson\AppData\Roaming\KaECtvH8k0
c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar
c:\windows\system32\config\systemprofile\AppData\Local\b990dc6f
c:\users\Thompson\AppData\Roaming\dccSS1iibD3n
c:\users\Thompson\AppData\Roaming\BCCCwkkIVrlNtx0
c:\users\Thompson\AppData\Roaming\Y444ammH5s
c:\users\Thompson\AppData\Roaming\XjjUUeelIBrPN
c:\users\Thompson\AppData\Roaming\KYYXXwjjUVeIBzP
c:\users\Thompson\AppData\Roaming\O000yccA1iv2o
c:\users\Thompson\AppData\Roaming\kxxxA0uuvSibFp
c:\users\Thompson\AppData\Roaming\HuuvvS2ooF3pm5Q
c:\users\Thompson\AppData\Roaming\u8TqYkVOx
c:\users\Thompson\AppData\Roaming\gYYXXwjjUVlIBzP
c:\users\Thompson\AppData\Roaming\kUUUVeelOBtz0yA

Driver::
72903297
81184693

DDS::
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - c:\progra~1\REBATE~1\RebateI.dll
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://aolsvc.aol.com/onlinegames/free-trial-doggie-dash/DoggieDash.1.0.0.6.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab

FireFox::
FF - ProfilePath - c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-games-chromesbox-en-us&tb_uuid=20110903072650199&tb_oid=08-09-2011&tb_mrud=08-09-2011
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4e4633e2&v=7.007.026.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Games.com Toolbar: {493b4069-8c4f-4b4a-8f8c-506200c9887a} - %profile%\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}
FF - Ext: EpicPlay Games : textlinks@epicplay.com - %profile%\extensions\textlinks@epicplay.com
FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\44e248a1fc1683b1d48f21e78627accc]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


Keyboard still disables during OS launch. At Explorer startup Symantec Endpoint Protection tries to install. I've always cancelled this installation. The audio driver seems to now be missing and the DHCP process is still missing for internet connection. Everything else seems fine.

ComboFix 11-10-29.03 - Thompson 10/30/2011 17:50:34.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.429 [GMT -7:00]

Running from: c:\users\Thompson\Desktop\ComboFix.exe

Command switches used :: c:\users\Thompson\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\Thompson\AppData\Local\Temp\winupd.exe"

"c:\windows\system32\c_60074.nl_"

"c:\windows\system32\drivers\08537302.sys"

"c:\windows\system32\drivers\42451995.sys"

"c:\windows\system32\drivers\tsk8A8.tmp"

"c:\windows\system32\drivers\tsk9675.tmp"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\preview.png

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome.manifest

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.js

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\content\ffjcext\ffjcext.xul

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext\ffjcext.dtd

c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}\install.rdf

c:\users\Thompson\AppData\Roaming\BCCCwkkIVrlNtx0

c:\users\Thompson\AppData\Roaming\cCelIBrzPyAuSoF

c:\users\Thompson\AppData\Roaming\CfEL9gTZqYwIrOt

c:\users\Thompson\AppData\Roaming\dccSS1iibD3n

c:\users\Thompson\AppData\Roaming\EibF3pnG5Q6WR

c:\users\Thompson\AppData\Roaming\GD2onF4pm5Q7E

c:\users\Thompson\AppData\Roaming\gYYXXwjjUVlIBzP

c:\users\Thompson\AppData\Roaming\hIBrzONyxA0v2b3

c:\users\Thompson\AppData\Roaming\HuuvvS2ooF3pm5Q

c:\users\Thompson\AppData\Roaming\KaECtvH8k0

c:\users\Thompson\AppData\Roaming\kUUUVeelOBtz0yA

c:\users\Thompson\AppData\Roaming\kxxxA0uuvSibFp

c:\users\Thompson\AppData\Roaming\KYYXXwjjUVeIBzP

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\chrome.manifest

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\chrome\gamescomtoolbar.jar

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\gamescomAddonObserver.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\gamescomUninstallObserver.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\IgamescomUninstallObserver.xpt

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\IMailUtil.xpt

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\mailcount.dll

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\components\MailUtil.dll

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\install.rdf

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\META-INF\manifest.mf

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\META-INF\zigbert.rsa

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{493b4069-8c4f-4b4a-8f8c-506200c9887a}\META-INF\zigbert.sf

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome.manifest

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\bar.xul

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\buttons.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\constants.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\events.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\globals.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldialog.xul

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\htmldropdown.xul

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\init.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_images.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_maps.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_news.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_videos.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\engine_web.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_amazon.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_ebay.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_facebook.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_games.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_msn.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_shopping.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_travel.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\icon_twitter.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\images\startnow_logo.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\installer.xml

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\index.html

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\NotIE6.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\OnlyIE6.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\SearchProtectIcon.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\Web.config

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\protect\window.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\index.html

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\LeftImage.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\NotIE6.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\OnlyIE6.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\reactivate\window.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\chevron_button.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_hover.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_button_normal.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_dropdown_button_normal.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_background.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_left.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\searchbox_input_middle.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\separator.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\splitter.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ff_hover_c.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_c.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_l.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_hover_r.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_c.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_l.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\skin\toolbarbutton_ie_normal_r.png

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\content\resources\toolbar.xml

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\locale\en-US\{5911488E-9D1E-40ec-8CBB-06B231CC153F}.dtd

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\chrome\skin\overlay.css

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}\install.rdf

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\chrome.manifest

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\chrome\eptextlinks.jar

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\components\epicplay.js

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\components\epicPlayGames.dll

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\components\epicPlayGames.xpt

c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\extensions\textlinks@epicplay.com\install.rdf

c:\users\Thompson\AppData\Roaming\O000yccA1iv2o

c:\users\Thompson\AppData\Roaming\QYCekIVrzNx0c2b

c:\users\Thompson\AppData\Roaming\u8TqYkVOx

c:\users\Thompson\AppData\Roaming\v66ddWKK8f

c:\users\Thompson\AppData\Roaming\v9lyDpJfXl

c:\users\Thompson\AppData\Roaming\W6ssWWJ7fEL8

c:\users\Thompson\AppData\Roaming\x4pmG5sQJdKfZhX

c:\users\Thompson\AppData\Roaming\XjjUUeelIBrPN

c:\users\Thompson\AppData\Roaming\Y444ammH5s

c:\users\Thompson\AppData\Roaming\ynG5aQH6dW7R9Tq

c:\users\Thompson\AppData\Roaming\z9gTXqjYCk

c:\users\Thompson\AppData\Roaming\ZgggRZZqhYXw

c:\windows\system32\config\systemprofile\AppData\Local\b990dc6f

c:\windows\system32\config\systemprofile\AppData\Local\b990dc6f\@

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\buttons.xml

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\default_gamescom.xml

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\domains.xml

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\ietbconfig.xml

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\pagealerts.xml

c:\windows\system32\config\systemprofile\AppData\Local\Games.com Toolbar\ieToolbar\en-US\publish.xml

c:\windows\system32\ . . . . Failed to delete

c:\windows\system32\drivers\ . . . . Failed to delete

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_72903297

-------\Service_81184693

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-31 )))))))))))))))))))))))))))))))

.

.

2011-10-31 01:01 . 2011-10-31 01:08 -------- d-----w- c:\users\Thompson\AppData\Local\temp

2011-10-31 01:01 . 2011-10-31 01:01 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-10-31 01:01 . 2011-10-31 01:01 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-10-31 01:01 . 2011-10-31 01:01 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-29 22:59 . 2011-10-31 01:03 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\offreg.dll

2011-10-29 17:50 . 2009-04-11 04:39 67072 ----a-w- c:\windows\system32\drivers\cdrom.sys

2011-10-29 17:27 . 2008-01-21 02:24 184320 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-22 21:49 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-22 02:59 . 2011-10-22 21:37 35840 ----a-w- c:\windows\system32\drivers\netbios.sys

2011-10-21 00:17 . 2011-10-21 00:17 -------- d-----w- c:\users\Thompson\AppData\Local\Symantec

2011-10-21 00:16 . 2011-10-21 00:15 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys

2011-10-21 00:13 . 2011-04-28 06:11 99744 ----a-w- c:\windows\system32\drivers\SysPlant.sys

2011-10-20 23:56 . 2011-04-28 06:09 357792 ----a-w- c:\windows\system32\Sysfer.dll

2011-10-20 23:55 . 2011-10-21 00:12 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2011-10-19 03:34 . 2011-09-21 16:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{21DBFDF1-3145-4ED9-9A47-362EF838946D}\mpengine.dll

2011-10-19 01:22 . 2011-10-22 21:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-19 00:52 . 2011-10-22 22:01 48016 --sha-w- c:\windows\system32\c_60074.nl_

2011-10-17 23:17 . 2011-10-17 23:17 -------- d-----w- c:\windows\PIF

2011-10-17 22:23 . 2011-10-17 22:23 -------- d-sh--w- c:\windows\system32\%APPDATA%

2011-10-17 21:18 . 2011-10-17 21:18 -------- d-----w- c:\windows\Sun

2011-10-14 07:18 . 2011-10-14 07:18 -------- d-----w- c:\users\Thompson\AppData\Roaming\acccore

2011-10-14 06:58 . 2011-10-14 06:58 -------- d-----w- c:\program files\PlayLinc

2011-10-14 06:07 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll

2011-10-14 06:07 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll

2011-10-14 05:46 . 2011-10-14 05:46 -------- d-----w- c:\program files\Ubisoft

2011-10-13 09:23 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-10-12 23:10 . 2011-10-12 23:10 -------- d-----w- c:\programdata\SugarGames

2011-10-12 00:54 . 2011-10-12 00:54 -------- d-----w- c:\users\Thompson\AppData\Roaming\playmink

2011-10-11 02:27 . 2011-10-11 02:27 -------- d-----w- c:\program files\Hobby Farm

2011-10-11 02:12 . 2011-10-11 02:12 -------- d-----w- c:\programdata\Big Fish Games

2011-10-11 02:12 . 2011-10-11 02:13 -------- d-----w- c:\program files\bfgclient

2011-10-11 02:10 . 2011-10-12 00:53 -------- d-----w- C:\BigFishGamesCache

2011-10-11 00:46 . 2011-10-11 00:46 -------- d-----w- c:\program files\TidyView

2011-10-11 00:45 . 2011-10-29 17:48 -------- d-----w- c:\program files\EpicPlay

2011-10-09 03:32 . 2011-10-09 03:32 -------- d-----w- c:\users\Thompson\AppData\Roaming\GamesCafe

2011-10-08 18:07 . 2011-10-10 07:01 -------- d-----w- c:\users\Thompson\AppData\Roaming\PeaceCraft3

2011-10-06 03:50 . 2011-10-06 03:50 -------- d-----w- c:\users\Thompson\AppData\Roaming\aliasworlds

2011-10-03 16:02 . 1999-12-17 17:13 86016 ----a-w- c:\windows\unvise32.exe

2011-10-03 16:02 . 2011-10-03 17:12 -------- d-----w- C:\Adams Divorce CD

2011-10-01 19:32 . 2011-10-16 21:08 -------- d-----w- c:\program files\WildGames

2011-10-01 19:17 . 2011-10-01 19:18 -------- d-----w- c:\program files\WildTangent Games

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 17:52 . 2008-02-21 15:30 386560 ----a-w- c:\windows\system32\drivers\xaudio.exe

2011-10-22 21:43 . 2008-01-21 02:23 54784 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-10-22 21:41 . 2008-01-21 02:23 35384 ----a-w- c:\windows\system32\drivers\kbdclass.sys

2011-10-22 03:11 . 2011-01-13 17:34 43936 ----a-w- c:\windows\system32\drivers\Teefer3.sys

2011-10-21 00:56 . 2008-01-21 02:24 71680 ----a-w- c:\windows\system32\drivers\tdx.sys

2011-10-20 23:30 . 2011-06-24 04:12 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys

2011-10-19 00:51 . 2008-01-21 02:23 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-10-16 21:06 . 2011-07-05 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]

2011-07-14 06:53 351448 ----a-w- c:\progra~1\SITERA~1\SiteRank.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}]

2011-09-12 15:46 832680 ----a-w- c:\progra~1\REBATE~1\RebateI.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]

"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-01 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-01 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-01 133656]

"EmbarqVALite_McciTrayApp"="c:\program files\EmbarqVALite\EMBARQHelpHelper.exe" [2010-01-04 1575760]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]

"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]

"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]

"lxbkbmgr.exe"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2008-02-28 74408]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-03-31 115624]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-09-01 1047208]

.

c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

0.lnk - \\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [N/A]

winupd.lnk - c:\users\Thompson\AppData\Local\Temp\winupd.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe [x]

R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\DRIVERS\Teefer3.sys [2011-10-22 43936]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-10-29 64952]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-04-18 102448]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WindowsMobile REG_MULTI_SZ wcescomm rapimgr

LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

TCP: DhcpNameServer = 10.0.0.1

FF - ProfilePath - c:\users\Thompson\AppData\Roaming\Mozilla\Firefox\Profiles\b72e9ya5.default\

FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-30 18:07

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.tdx]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.Teefer3]

"ImagePath"="\*"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DfsC]

"ImagePath"="system32\drivers\tsk9675.tmp"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdx]

"ImagePath"="system32\drivers\tsk8A8.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSvcHst.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Motive\McciCMService.exe

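As an added example that is not part of the original thread, the script below triages a ComboFix-style log excerpt for the entry types a responder reads first in a log like the one posted above: Startup-folder shortcuts that resolve into a user's Temp directory or a \\globalroot device path, driver services whose ImagePath is a bare `\*` or a `.tmp` file, Security Center monitoring switched off, and Firefox user.js preferences that silence the mixed-content and insecure-submit warnings. The sample lines are constructed to mirror the shape of entries in the log; the regular expressions and category names are the editor's own, and the script judges only what the log text says, not what the referenced files contain.

```python
import re

# Constructed sample, shaped like the "Reg Loading Points" and
# "Supplementary Scan" sections of a ComboFix log (assumed input,
# not the poster's complete log).
SAMPLE_LOG = r"""
c:\users\Thompson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
0.lnk - \\globalroot\Device\HarddiskVolume1\Users\Thompson\AppData\Local\Temp\0.48432462896758exe [N/A]
winupd.lnk - c:\users\Thompson\AppData\Local\Temp\winupd.exe [N/A]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.kbdclass]
"ImagePath"="\*"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DfsC]
"ImagePath"="system32\drivers\tsk9675.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"ImagePath"="system32\drivers\tcpip.sys"
FF - user.js: security.warn_submit_insecure - false
FF - user.js: network.cookie.cookieBehavior - 0
"""

# Line shapes used by the log format (regexes are this example's own).
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
LNK_LINE = re.compile(r"^(\S+\.lnk) - (.+?)(?: \[.*\])?$", re.I)
IMAGEPATH = re.compile(r'^"ImagePath"="(.*)"$')
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)
FF_PREF = re.compile(r"^FF - user\.js: (\S+) - (\S+)$")


def triage(log_text):
    """Return a list of (category, detail) findings from a log excerpt."""
    findings = []
    current_key = ""  # registry key that the following value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = LNK_LINE.match(line)
        if m:
            # Startup-folder shortcut: where does it actually point?
            target = m.group(2)
            low = target.lower()
            if "\\appdata\\local\\temp\\" in low:
                findings.append(("startup_from_temp", target))
            if low.startswith("\\\\globalroot\\"):
                findings.append(("startup_globalroot_path", target))
            continue
        m = IMAGEPATH.match(line)
        if m and "\\services\\" in current_key.lower():
            # Driver/service image: a wildcard or a .tmp file is not a
            # normal place for a kernel driver to live.
            image = m.group(1)
            svc = current_key.rsplit("\\", 1)[-1]
            if image == r"\*":
                findings.append(("service_imagepath_wildcard", svc))
            elif image.lower().endswith(".tmp"):
                findings.append(("service_imagepath_tmp", f"{svc} -> {image}"))
            continue
        if DISABLE_MON.match(line) and "security center" in current_key.lower():
            findings.append(("security_center_monitoring_disabled", current_key))
            continue
        m = FF_PREF.match(line)
        if m:
            pref, value = m.groups()
            if pref.startswith("security.warn_") and value == "false":
                findings.append(("firefox_security_warning_off", pref))
            elif pref == "network.cookie.cookieBehavior" and value == "0":
                findings.append(("firefox_accept_all_cookies", pref))
    return findings


def summarize(findings):
    """Count findings per category so a long log can be skimmed quickly."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:38} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

The script is deliberately conservative: it only matches the exact line shapes the log tool emits, tracks the enclosing registry key so a `DisableMonitoring` or `ImagePath` value is attributed to the right key, and reports categories rather than verdicts, since whether a `.tmp` driver image is malicious still has to be confirmed on disk.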

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


OK. Let's skip that then.

Please download Dr.Web CureIt . Save it to your desktop:

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and, if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
    Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
