Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Nasty Rootkit that won't go! Help

Started by Katelynn , Jun 23 2010 05:37 AM

  • Please log in to reply

#1
Katelynn
Posted 23 June 2010 - 05:37 AM

Katelynn

    Member

  • Member
  • PipPip
  • 17 posts
Hello Everyone,

I am at my wit's end trying to get rid of this virus my computer contracted. I believe it is the google re-direct virus in the form of a rootkit. I get re-directed while it says google5.results or google analytics. I have run every malware software (in safe modes) and hitman pro is the only one to identify it as rootkit file called mgmtapir.dll in the C:\users\katelynn\AppData\roaming which isn't a file in my system. However, hitman pro cannot delete the file upon reboot. I have tried to download every rootkit remover, but it tells me the web page cannot be found to download file, nor can I save as. I ran a combo fix and I have posted the results below. It seems to be getting worse and I need to get this fixed. I have asked elsewhere and no one seems to know what is wrong! I am a web designer by trade and I really need the use of my computer back asap! Thank you so much for your help!

Katelynn

ComboFix 10-06-22.02 - Katelynn 06/22/2010 22:27:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.918 [GMT 1:00]
Running from: c:\users\Katelynn\AppData\Local\Temp\Temporary Internet Files\Content.IE5\OU6JFDA1\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Katelynn\AppData\Roaming\chrtmp
c:\users\Katelynn\GoToAssistDownloadHelper.exe
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.

2010-06-22 21:40 . 2010-06-22 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-22 15:38 . 2010-06-22 15:41 -------- d-----w- c:\users\Katelynn\AppData\Local\NPE
2010-06-22 15:27 . 2010-06-22 15:28 -------- d-----w- c:\programdata\Symantec
2010-06-22 14:34 . 2010-06-22 14:35 -------- d-----w- c:\users\Katelynn\AppData\Local\CrashDumps
2010-06-22 14:12 . 2010-06-22 14:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-22 14:12 . 2010-06-22 14:12 -------- d-----w- c:\program files\Symantec
2010-06-22 14:11 . 2010-06-22 21:18 -------- d-----w- c:\windows\system32\drivers\NAV
2010-06-22 14:09 . 2010-06-22 14:09 -------- d-----w- c:\program files\NortonInstaller
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\PrivacIE
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\IETldCache
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\IECompatCache
2010-06-22 12:55 . 2010-06-22 20:51 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-22 12:51 . 2010-06-22 13:03 -------- d-----w- c:\programdata\Hitman Pro
2010-06-22 12:51 . 2010-06-22 12:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-22 10:50 . 2010-06-22 10:50 132608 --sha-r- c:\users\Katelynn\AppData\Roaming\mgmtapir.dll
2010-06-21 14:30 . 2010-06-21 14:30 49152 ---ha-w- C:\SZKGFS.dat
2010-06-21 14:20 . 2010-06-21 14:20 -------- d-----w- c:\programdata\SITEguard
2010-06-21 13:56 . 2010-06-21 13:56 -------- d-----w- c:\program files\Common Files\iS3
2010-06-21 13:56 . 2010-06-22 13:19 -------- d-----w- c:\programdata\STOPzilla!
2010-06-21 13:22 . 2010-06-21 13:23 -------- d-----w- C:\88d65431821df33030
2010-06-21 09:50 . 2010-06-21 12:59 598048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-20 23:33 . 2010-06-20 23:33 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-06-20 23:16 . 2010-06-22 13:16 -------- d-----w- c:\programdata\PC Tools
2010-06-20 23:10 . 2010-06-21 16:19 -------- d-----w- c:\users\Katelynn\AppData\Roaming\GetRightToGo
2010-06-20 21:59 . 2010-06-21 10:19 -------- d-----w- c:\programdata\ParetoLogic
2010-06-20 21:59 . 2010-06-21 10:19 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-06-20 21:57 . 2010-06-20 21:57 -------- d-----w- c:\users\Katelynn\AppData\Local\Downloaded Installations
2010-06-20 11:09 . 2010-06-20 11:09 -------- d-----w- c:\program files\MSXML 4.0
2010-06-18 21:56 . 2010-06-18 21:56 -------- d-----w- c:\users\Katelynn\aud_data
2010-06-14 16:54 . 2010-06-14 16:54 -------- d-----w- c:\users\Katelynn\AppData\Roaming\SmartFTP
2010-06-14 16:17 . 2010-06-16 15:14 -------- d-----w- c:\users\Katelynn\AppData\Roaming\FileZilla
2010-06-14 16:17 . 2010-06-16 14:44 -------- d-----w- c:\program files\FileZilla FTP Client
2010-06-11 13:27 . 2010-06-11 13:27 -------- d-----w- c:\users\Katelynn\AppData\Local\SourceTec
2010-06-11 13:27 . 2010-06-11 13:27 -------- d-----w- c:\program files\Common Files\SourceTec
2010-06-11 12:41 . 2010-06-11 12:41 -------- d-----w- c:\program files\DiskInternals
2010-06-11 12:03 . 2010-06-11 12:03 -------- d-----w- c:\users\Katelynn\AppData\Roaming\PandoraRecovery
2010-06-11 12:03 . 2010-06-11 12:03 -------- d-----w- c:\program files\AskBarDis
2010-06-11 12:03 . 2010-06-11 12:07 -------- d-----w- c:\program files\Pandora Recovery
2010-06-06 09:30 . 2010-06-06 09:30 -------- d-----w- c:\program files\Safari
2010-06-06 09:28 . 2010-06-06 09:28 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-06-04 19:06 . 2010-06-04 19:06 -------- d-----w- c:\programdata\WindowsSearch
2010-06-01 22:48 . 2010-06-01 22:48 -------- d-----w- c:\program files\SiteGrinder 3
2010-06-01 22:20 . 2010-06-02 14:58 -------- d-----w- c:\users\Katelynn\SiteGrinderData
2010-06-01 22:09 . 2010-04-18 14:12 30415546 ----a-w- c:\program files\Install SiteGrinder 3.exe
2010-06-01 13:40 . 2010-06-01 13:41 -------- d-----w- c:\windows\system32\Adobe
2010-05-27 17:06 . 2010-05-27 17:06 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Malwarebytes
2010-05-27 17:06 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 17:06 . 2010-05-27 17:06 -------- d-----w- c:\programdata\Malwarebytes
2010-05-27 17:06 . 2010-06-22 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 17:06 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 14:26 . 2010-05-26 14:45 -------- d-----w- c:\program files\Lexmark Toolbar
2010-05-26 14:25 . 2010-06-03 14:06 -------- d-----w- c:\program files\lx_cats
2010-05-26 14:25 . 2006-11-27 02:50 117760 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxcrpp5c.dll
2010-05-26 14:17 . 2010-05-26 14:17 -------- d-----w- C:\lexmark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 21:07 . 2008-06-24 04:37 -------- d-----w- c:\users\Katelynn\AppData\Roaming\LimeWire
2010-06-22 19:07 . 2010-04-15 19:10 -------- d-----w- c:\programdata\NOS
2010-06-22 15:38 . 2009-03-10 14:00 -------- d-----w- c:\programdata\Norton
2010-06-22 15:28 . 2008-03-18 23:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-22 14:12 . 2010-06-22 14:12 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-22 14:12 . 2010-06-22 14:12 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-22 14:11 . 2009-03-11 14:03 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-22 14:10 . 2008-08-29 04:40 -------- d-----w- c:\programdata\McAfee
2010-06-22 14:10 . 2008-08-29 04:39 -------- d-----w- c:\program files\McAfee
2010-06-22 14:09 . 2009-03-09 22:50 -------- d-----w- c:\programdata\NortonInstaller
2010-06-22 13:12 . 2010-06-22 13:12 248 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-21 12:59 . 2010-06-21 09:50 9128 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-21 12:54 . 2008-03-18 23:51 -------- d-----w- c:\program files\Dell
2010-06-20 23:08 . 2010-04-19 19:10 -------- d-----w- c:\users\Katelynn\AppData\Roaming\FreeBurner
2010-06-20 19:20 . 2008-05-01 14:01 69016 ----a-w- c:\users\Katelynn\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-20 12:52 . 2010-04-15 12:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-20 12:52 . 2010-03-26 12:42 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Audacity
2010-06-20 12:52 . 2009-11-02 00:19 -------- d-----w- c:\programdata\McAfee Security Scan
2010-06-19 11:25 . 2010-03-20 21:21 -------- d-----w- c:\programdata\DivX
2010-06-15 10:31 . 2010-05-02 14:51 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-06-11 15:54 . 2010-03-24 22:50 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-11 15:54 . 2010-03-24 22:48 -------- d-----w- c:\program files\Microsoft Expression
2010-06-11 15:53 . 2008-05-20 04:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-11 14:45 . 2008-03-18 23:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-11 14:45 . 2008-03-18 23:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-11 13:27 . 2010-05-12 14:44 -------- d-----w- c:\program files\SourceTec
2010-06-06 19:39 . 2010-05-03 21:43 121200 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-06 19:39 . 2009-06-24 23:36 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Apple Computer
2010-06-06 09:37 . 2008-06-14 02:38 -------- d-----w- c:\program files\QuickTime
2010-06-06 09:29 . 2009-06-24 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-26 14:19 . 2010-05-26 14:18 -------- d-----w- c:\program files\Lexmark 2400 Series
2010-05-21 13:14 . 2009-10-22 17:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 23:04 . 2008-06-24 04:36 -------- d-----w- c:\program files\LimeWire
2010-05-20 12:17 . 2008-03-18 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 12:15 . 2010-05-20 12:16 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 12:15 . 2008-03-18 23:48 -------- d-----w- c:\program files\Java
2010-05-13 13:47 . 2010-05-13 13:47 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Adobe Mini Bridge CS5
2010-05-13 13:47 . 2010-05-13 13:47 -------- d-----w- c:\users\Katelynn\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-05-13 11:05 . 2010-05-02 14:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-13 11:05 . 2010-05-03 21:43 38784 ----a-w- c:\users\Katelynn\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-13 11:05 . 2010-05-02 14:41 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-09 13:05 . 2010-05-09 13:05 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2010-05-04 13:38 . 2010-05-04 13:38 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-----w- c:\users\Katelynn\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-02 14:45 . 2010-05-02 14:45 -------- d-----w- c:\program files\Adobe Media Player
2010-05-01 21:32 . 2010-05-01 21:31 -------- d-----w- c:\programdata\WinZip
2010-05-01 11:36 . 2010-03-26 15:04 -------- d-----w- c:\program files\Winamp
2010-04-30 23:26 . 2010-04-30 23:23 -------- d-----w- c:\program files\MagicDisc
2010-04-30 22:58 . 2010-04-30 22:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-30 22:57 . 2010-04-30 22:56 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-04-30 22:57 . 2010-04-30 22:57 -------- d-----w- c:\users\Katelynn\AppData\Roaming\DAEMON Tools Lite
2010-04-29 18:41 . 2010-04-29 18:41 -------- d-----w- c:\users\Katelynn\AppData\Roaming\uk.co.planetside
2010-04-29 18:41 . 2010-04-29 18:41 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Planetside Software
2010-04-29 18:36 . 2010-04-29 18:36 13094 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_f3e99.exe
2010-04-29 18:36 . 2010-04-29 18:36 13094 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_12db153c.exe
2010-04-29 18:36 . 2010-04-29 18:36 1078 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_7e87390c.exe
2010-04-29 18:36 . 2010-04-29 18:36 -------- d-----w- c:\program files\Planetside Software
2010-04-28 11:54 . 2010-04-28 11:54 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Blender Foundation
2010-04-28 11:54 . 2010-04-28 11:54 -------- d-----w- c:\program files\Blender Foundation
2010-04-27 20:53 . 2008-03-19 00:01 -------- d-----w- c:\program files\Google
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\users\Katelynn\AppData\Roaming\AccurateRip
2010-04-27 19:27 . 2010-04-27 19:27 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\program files\Illustrate
2010-04-27 19:27 . 2010-04-27 19:27 5652144 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-04-27 19:00 . 2010-04-27 19:00 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Roxio
2010-04-27 19:00 . 2010-04-27 19:00 -------- d-----w- c:\programdata\Roxio
2010-04-25 13:34 . 2010-04-25 13:34 -------- d-----w- c:\program files\Citrix
2010-04-25 11:02 . 2008-07-20 21:35 -------- d-----w- c:\program files\Common Files\EarthLink
2010-04-24 22:52 . 2009-05-02 00:56 -------- d-----w- c:\program files\EarthLink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-19 68856]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2006-07-27 1389568]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-08 4363504]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-03-05 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2009-05-01 291496]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2009-05-01 82600]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Katelynn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-1 576000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-19 50688]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-04-25 13:34 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-04 30192]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\DRIVERS\gtuhsbus.sys [2008-06-04 58880]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\DRIVERS\gtuhs51.sys [2008-06-04 106112]
R3 GTUHSOMS;GT UHS OMS;c:\windows\system32\DRIVERS\gtuhsoms.sys [2008-06-06 18816]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\DRIVERS\gtuhsser.sys [2008-06-04 8064]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-04-30 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100522.001\BHDrvx86.sys [2010-05-22 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100617.005\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-07-04 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-22 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]
S3 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NAV\1100000.088\SYMTDIV.SYS [2009-08-30 338480]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-22 c:\windows\Tasks\User_Feed_Synchronization-{606079C9-7AC3-44F8-A065-BC53D20C386C}.job
- c:\windows\system32\msfeedssync.exe [2010-05-12 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SpySweeper - (no file)
HKCU-Run-BitComet - c:\program files\BitComet\BitComet.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 22:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-06-22 22:47:01
ComboFix-quarantined-files.txt 2010-06-22 21:46

Pre-Run: 60,924,907,520 bytes free
Post-Run: 63,456,468,992 bytes free

- - End Of File - - DF0CC5C53F42B2C952C3F1117630BC12
  • 0

Advertisements

#2
kahdah
Posted 23 June 2010 - 05:56 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Katelynn

Welcome to G2Go. :)
=====================
Please delete your version of Combofix and redownload it from one of these locations:

Link 1
Link 2

Save Combofix to your desktop before doing the following.
==========

1. Open notepad and copy/paste the text in the codebox below into it:



http://www.geekstogo.com/forum/Nasty-Rootkit-won-t-go-Help-t280307.html

Collect::
c:\users\Katelynn\AppData\Roaming\mgmtapir.dll
Save this as CFScript.txt


Drag CFScript.txt into ComboFix.exe

2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

4. During this run Combofix will collect and automatically upload some sample files.
You will see it say Combofix needs to upload some samples.
If it fails to do that do the requested steps at the bottom of this post to manually upload the samples.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start (Vista Orb) > Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.
  • 0

#3
Katelynn
Posted 23 June 2010 - 06:08 AM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I tried to download Combofix and it won't even let me do that now. It says that the website does not exist and I need to try again later. Is that the virus? I hate this virus!

Katelynn
  • 0

#4
kahdah
Posted 23 June 2010 - 06:11 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Do you still have the copy you did prior to me asking you to delete it?
If so we will just use it for now.
If it is deleted then open the recycle bin and move it to the desktop.

Let me know if you cannot find it and we will move to something else.
  • 0

#5
Katelynn
Posted 23 June 2010 - 06:16 AM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
No I had erased it from the computer last night and emptied the recycling bin. :) Around 10pm last night my computer stopped letting me upload anit-virus tools. It just says error: Internet explorer could not find the website for (download name) please try again later... This doesn't bode well does it? Thanks for helping me!

Katelynn
  • 0

#6
kahdah
Posted 23 June 2010 - 06:23 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\users\Katelynn\AppData\Roaming\mgmtapir.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
  • 0

#7
Katelynn
Posted 23 June 2010 - 06:30 AM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Ok now this is getting bad *grrr*. I tried to download that and the same response. Internet explorer cannot open (file name) because the website cannot be found or does not exist. Is the virus or did I do something else to my computer?

Katelynn
  • 0

#8
kahdah
Posted 23 June 2010 - 06:43 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
It is the infection since you seem to be able to access this thread I will attach it here.
[attachment=42842:avenger.zip]
Download the attached file and right click on it to extract all then follow the previous instructions.
  • 0

#9
Katelynn
Posted 23 June 2010 - 06:54 AM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Tried that and same message. Here is the exact message. Internet explorer was not able to open this internet site. The requested site is either unavailable or cannot be found. Please try again later.

What do I do? Would system restore help? Or am I doomed?
  • 0

#10
kahdah
Posted 23 June 2010 - 07:06 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try it from another computer (if you have access to one)
Download it to a clean computer then transfer it to this one and run it.
  • 0

Advertisements

#11
Katelynn
Posted 23 June 2010 - 07:09 AM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I will try. My partner has a laptop also with another infection but his lets him download. He is currently running a system scan, so as soon as his is done I will try to download it to his and then use a jump drive to transfer. What happens if that doesn't work?
  • 0

#12
kahdah
Posted 23 June 2010 - 07:16 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Then I suggest getting a can of gas and a lighter and doing the deed. :)
Just kidding there are other ways to remove it see if this works first then we will go from there.
  • 0

#13
Katelynn
Posted 23 June 2010 - 05:06 PM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi,
Sorry it took me so long, but I couldn't get a clean computer until now. I finally could run combo fix and I did. The virus still exists but not all of it. Searches are clean now and don't redirect, now I only get a google pop-up window when I click on a link to somewhere, but the page still loads correctly. The combofix.txt is below. We are almost there. No need to set the computer on fire yet! :)

Katelynn

ComboFix 10-06-22.02 - Katelynn 06/23/2010 23:33:39.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.830 [GMT 1:00]
Running from: F:\ComboFix.exe
Command switches used :: c:\users\Katelynn\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\users\Katelynn\AppData\Roaming\mgmtapir.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Katelynn\AppData\Roaming\mgmtapir.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-23 22:47 . 2010-06-23 22:47 -------- d-----w- c:\users\releaseengineer.macrovision\AppData\Local\temp
2010-06-23 22:47 . 2010-06-23 22:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-23 22:47 . 2010-06-23 22:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-22 15:38 . 2010-06-22 15:41 -------- d-----w- c:\users\Katelynn\AppData\Local\NPE
2010-06-22 15:27 . 2010-06-22 15:28 -------- d-----w- c:\programdata\Symantec
2010-06-22 14:34 . 2010-06-22 14:35 -------- d-----w- c:\users\Katelynn\AppData\Local\CrashDumps
2010-06-22 14:12 . 2010-06-22 14:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-22 14:12 . 2010-06-22 14:12 -------- d-----w- c:\program files\Symantec
2010-06-22 14:11 . 2010-06-22 21:51 -------- d-----w- c:\windows\system32\drivers\NAV
2010-06-22 14:09 . 2010-06-22 14:09 -------- d-----w- c:\program files\NortonInstaller
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\PrivacIE
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\IETldCache
2010-06-22 13:19 . 2010-06-22 13:19 -------- d--h--w- c:\users\releaseengineer.macrovision\IECompatCache
2010-06-22 12:55 . 2010-06-23 01:09 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-22 12:51 . 2010-06-22 13:03 -------- d-----w- c:\programdata\Hitman Pro
2010-06-22 12:51 . 2010-06-22 12:51 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-21 14:30 . 2010-06-21 14:30 49152 ---ha-w- C:\SZKGFS.dat
2010-06-21 14:20 . 2010-06-21 14:20 -------- d-----w- c:\programdata\SITEguard
2010-06-21 13:56 . 2010-06-21 13:56 -------- d-----w- c:\program files\Common Files\iS3
2010-06-21 13:56 . 2010-06-22 13:19 -------- d-----w- c:\programdata\STOPzilla!
2010-06-21 13:22 . 2010-06-21 13:23 -------- d-----w- C:\88d65431821df33030
2010-06-21 09:50 . 2010-06-21 12:59 598048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-06-20 23:33 . 2010-06-20 23:33 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
2010-06-20 23:16 . 2010-06-22 13:16 -------- d-----w- c:\programdata\PC Tools
2010-06-20 23:10 . 2010-06-21 16:19 -------- d-----w- c:\users\Katelynn\AppData\Roaming\GetRightToGo
2010-06-20 21:59 . 2010-06-21 10:19 -------- d-----w- c:\programdata\ParetoLogic
2010-06-20 21:59 . 2010-06-21 10:19 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-06-20 21:57 . 2010-06-20 21:57 -------- d-----w- c:\users\Katelynn\AppData\Local\Downloaded Installations
2010-06-20 11:09 . 2010-06-20 11:09 -------- d-----w- c:\program files\MSXML 4.0
2010-06-18 21:56 . 2010-06-18 21:56 -------- d-----w- c:\users\Katelynn\aud_data
2010-06-14 16:54 . 2010-06-14 16:54 -------- d-----w- c:\users\Katelynn\AppData\Roaming\SmartFTP
2010-06-14 16:17 . 2010-06-16 15:14 -------- d-----w- c:\users\Katelynn\AppData\Roaming\FileZilla
2010-06-14 16:17 . 2010-06-16 14:44 -------- d-----w- c:\program files\FileZilla FTP Client
2010-06-11 13:27 . 2010-06-11 13:27 -------- d-----w- c:\users\Katelynn\AppData\Local\SourceTec
2010-06-11 13:27 . 2010-06-11 13:27 -------- d-----w- c:\program files\Common Files\SourceTec
2010-06-11 12:41 . 2010-06-11 12:41 -------- d-----w- c:\program files\DiskInternals
2010-06-11 12:03 . 2010-06-11 12:03 -------- d-----w- c:\users\Katelynn\AppData\Roaming\PandoraRecovery
2010-06-11 12:03 . 2010-06-11 12:03 -------- d-----w- c:\program files\AskBarDis
2010-06-11 12:03 . 2010-06-11 12:07 -------- d-----w- c:\program files\Pandora Recovery
2010-06-06 09:30 . 2010-06-06 09:30 -------- d-----w- c:\program files\Safari
2010-06-06 09:28 . 2010-06-06 09:28 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-06-04 19:06 . 2010-06-04 19:06 -------- d-----w- c:\programdata\WindowsSearch
2010-06-01 22:48 . 2010-06-01 22:48 -------- d-----w- c:\program files\SiteGrinder 3
2010-06-01 22:20 . 2010-06-02 14:58 -------- d-----w- c:\users\Katelynn\SiteGrinderData
2010-06-01 22:09 . 2010-04-18 14:12 30415546 ----a-w- c:\program files\Install SiteGrinder 3.exe
2010-06-01 13:40 . 2010-06-01 13:41 -------- d-----w- c:\windows\system32\Adobe
2010-05-27 17:06 . 2010-05-27 17:06 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Malwarebytes
2010-05-27 17:06 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 17:06 . 2010-05-27 17:06 -------- d-----w- c:\programdata\Malwarebytes
2010-05-27 17:06 . 2010-06-22 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 17:06 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 14:26 . 2010-05-26 14:45 -------- d-----w- c:\program files\Lexmark Toolbar
2010-05-26 14:25 . 2010-06-03 14:06 -------- d-----w- c:\program files\lx_cats
2010-05-26 14:25 . 2006-11-27 02:50 117760 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxcrpp5c.dll
2010-05-26 14:17 . 2010-05-26 14:17 -------- d-----w- C:\lexmark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:23 . 2008-06-24 04:37 -------- d-----w- c:\users\Katelynn\AppData\Roaming\LimeWire
2010-06-22 19:07 . 2010-04-15 19:10 -------- d-----w- c:\programdata\NOS
2010-06-22 15:38 . 2009-03-10 14:00 -------- d-----w- c:\programdata\Norton
2010-06-22 15:28 . 2008-03-18 23:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-22 14:12 . 2010-06-22 14:12 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-22 14:12 . 2010-06-22 14:12 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-22 14:11 . 2009-03-11 14:03 -------- d-----w- c:\program files\Norton AntiVirus
2010-06-22 14:10 . 2008-08-29 04:40 -------- d-----w- c:\programdata\McAfee
2010-06-22 14:10 . 2008-08-29 04:39 -------- d-----w- c:\program files\McAfee
2010-06-22 14:09 . 2009-03-09 22:50 -------- d-----w- c:\programdata\NortonInstaller
2010-06-22 13:12 . 2010-06-22 13:12 248 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-21 12:59 . 2010-06-21 09:50 9128 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-06-21 12:54 . 2008-03-18 23:51 -------- d-----w- c:\program files\Dell
2010-06-20 23:08 . 2010-04-19 19:10 -------- d-----w- c:\users\Katelynn\AppData\Roaming\FreeBurner
2010-06-20 19:20 . 2008-05-01 14:01 69016 ----a-w- c:\users\Katelynn\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-20 12:52 . 2010-04-15 12:12 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-20 12:52 . 2010-03-26 12:42 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Audacity
2010-06-20 12:52 . 2009-11-02 00:19 -------- d-----w- c:\programdata\McAfee Security Scan
2010-06-19 11:25 . 2010-03-20 21:21 -------- d-----w- c:\programdata\DivX
2010-06-15 10:31 . 2010-05-02 14:51 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-06-11 15:54 . 2010-03-24 22:50 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-11 15:54 . 2010-03-24 22:48 -------- d-----w- c:\program files\Microsoft Expression
2010-06-11 15:53 . 2008-05-20 04:51 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-11 14:45 . 2008-03-18 23:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-11 14:45 . 2008-03-18 23:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-11 13:27 . 2010-05-12 14:44 -------- d-----w- c:\program files\SourceTec
2010-06-06 19:39 . 2010-05-03 21:43 121200 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-06 19:39 . 2009-06-24 23:36 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Apple Computer
2010-06-06 09:37 . 2008-06-14 02:38 -------- d-----w- c:\program files\QuickTime
2010-06-06 09:29 . 2009-06-24 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-26 14:19 . 2010-05-26 14:18 -------- d-----w- c:\program files\Lexmark 2400 Series
2010-05-21 13:14 . 2009-10-22 17:49 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 23:04 . 2008-06-24 04:36 -------- d-----w- c:\program files\LimeWire
2010-05-20 12:17 . 2008-03-18 23:48 -------- d-----w- c:\program files\Common Files\Java
2010-05-20 12:15 . 2010-05-20 12:16 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-20 12:15 . 2008-03-18 23:48 -------- d-----w- c:\program files\Java
2010-05-13 13:47 . 2010-05-13 13:47 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Adobe Mini Bridge CS5
2010-05-13 13:47 . 2010-05-13 13:47 -------- d-----w- c:\users\Katelynn\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-05-13 11:05 . 2010-05-02 14:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-13 11:05 . 2010-05-03 21:43 38784 ----a-w- c:\users\Katelynn\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-13 11:05 . 2010-05-02 14:41 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-09 13:05 . 2010-05-09 13:05 310 ----a-w- c:\windows\system32\UnifiedToolbarCleanup.bat
2010-05-04 13:38 . 2010-05-04 13:38 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2010-05-03 21:42 . 2010-05-03 21:42 -------- d-----w- c:\users\Katelynn\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-02 14:45 . 2010-05-02 14:45 -------- d-----w- c:\program files\Adobe Media Player
2010-05-01 21:32 . 2010-05-01 21:31 -------- d-----w- c:\programdata\WinZip
2010-05-01 11:36 . 2010-03-26 15:04 -------- d-----w- c:\program files\Winamp
2010-04-30 23:26 . 2010-04-30 23:23 -------- d-----w- c:\program files\MagicDisc
2010-04-30 22:58 . 2010-04-30 22:58 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-30 22:57 . 2010-04-30 22:56 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-04-30 22:57 . 2010-04-30 22:57 -------- d-----w- c:\users\Katelynn\AppData\Roaming\DAEMON Tools Lite
2010-04-29 18:41 . 2010-04-29 18:41 -------- d-----w- c:\users\Katelynn\AppData\Roaming\uk.co.planetside
2010-04-29 18:41 . 2010-04-29 18:41 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Planetside Software
2010-04-29 18:36 . 2010-04-29 18:36 13094 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_f3e99.exe
2010-04-29 18:36 . 2010-04-29 18:36 13094 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_12db153c.exe
2010-04-29 18:36 . 2010-04-29 18:36 1078 ----a-r- c:\users\Katelynn\AppData\Roaming\Microsoft\Installer\{CCCC1B61-1E92-4388-9AFC-5C883071833D}\_7e87390c.exe
2010-04-29 18:36 . 2010-04-29 18:36 -------- d-----w- c:\program files\Planetside Software
2010-04-28 11:54 . 2010-04-28 11:54 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Blender Foundation
2010-04-28 11:54 . 2010-04-28 11:54 -------- d-----w- c:\program files\Blender Foundation
2010-04-27 20:53 . 2008-03-19 00:01 -------- d-----w- c:\program files\Google
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\users\Katelynn\AppData\Roaming\AccurateRip
2010-04-27 19:27 . 2010-04-27 19:27 15341 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-04-27 19:27 . 2010-04-27 19:27 -------- d-----w- c:\program files\Illustrate
2010-04-27 19:27 . 2010-04-27 19:27 5652144 ----a-w- c:\windows\system32\SpoonUninstall.exe
2010-04-27 19:00 . 2010-04-27 19:00 -------- d-----w- c:\users\Katelynn\AppData\Roaming\Roxio
2010-04-27 19:00 . 2010-04-27 19:00 -------- d-----w- c:\programdata\Roxio
2010-04-25 13:34 . 2010-04-25 13:34 -------- d-----w- c:\program files\Citrix
2010-04-25 11:02 . 2008-07-20 21:35 -------- d-----w- c:\program files\Common Files\EarthLink
2010-04-24 22:52 . 2009-05-02 00:56 -------- d-----w- c:\program files\EarthLink
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-19 68856]
"NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2006-07-27 1389568]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-01-08 4363504]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-03-05 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-04 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2008-07-04 2072576]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2009-05-01 291496]
"EzPrint"="c:\program files\Lexmark 2400 Series\ezprint.exe" [2009-05-01 82600]
"LXCRCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-11-21 106496]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Katelynn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-9-30 503808]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-1 576000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-19 50688]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-28 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-04-25 13:34 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiSpywareOverride"=dword:00000001

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
R3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys [2004-11-01 17536]
R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-04 30192]
R3 GTUHSBUS;GT UHS BUS;c:\windows\system32\DRIVERS\gtuhsbus.sys [2008-06-04 58880]
R3 GTUHSNDISIPXP;GT UHS IP NDIS;c:\windows\system32\DRIVERS\gtuhs51.sys [2008-06-04 106112]
R3 GTUHSOMS;GT UHS OMS;c:\windows\system32\DRIVERS\gtuhsoms.sys [2008-06-06 18816]
R3 GTUHSSER;GT UHS SER;c:\windows\system32\DRIVERS\gtuhsser.sys [2008-06-04 8064]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-04-30 691696]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1107000.00C\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1107000.00C\SYMEFA.SYS [2010-04-22 173104]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [2010-05-22 691248]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1107000.00C\ccHPx86.sys [2010-02-26 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20100622.001\IDSvix86.sys [2010-05-28 344112]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1107000.00C\Ironx86.SYS [2010-04-29 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NAV\1107000.00C\SYMTDIV.SYS [2010-05-06 339504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-11-12 73728]
S2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [2005-01-26 65604]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe [2010-02-26 126392]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-07-04 14336]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-06-22 102448]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-07 111616]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\User_Feed_Synchronization-{606079C9-7AC3-44F8-A065-BC53D20C386C}.job
- c:\windows\system32\msfeedssync.exe [2010-05-12 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net/
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: CabBuilder - hxxp://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 23:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\17.7.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(692)
c:\windows\system32\bmnet.dll
.
Completion time: 2010-06-23 23:52:18
ComboFix-quarantined-files.txt 2010-06-23 22:52
ComboFix2.txt 2010-06-22 21:47

Pre-Run: 63,001,194,496 bytes free
Post-Run: 62,974,660,608 bytes free

- - End Of File - - E0E549833D9CE0EB9D85CD90C607AEB5
Upload was successful
  • 0

#14
kahdah
Posted 23 June 2010 - 05:18 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi great can you elaborate on this a bit more.

now I only get a google pop-up window when I click on a link to somewhere


  • 0

#15
Katelynn
Posted 23 June 2010 - 05:23 PM

Katelynn

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Whenever I click on a link in an email a window for google (called google analytics pops up). When I first did google searches after combofix ran everything was fine, now its back. I click on it and it says google5.results. But when I run a hitman search there are no rootkits anymore... what to do next?
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP