Google redirect - TDSSKiller not finding a thing.
Started by Happlo, Aug 25 2010 11:46 PM
#1
Posted 25 August 2010 - 11:46 PM
Any help would be greatly appreciated.
#2
Posted 26 August 2010 - 07:50 AM
Download ComboFix here :
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them
Click me
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
#3
Posted 26 August 2010 - 10:33 AM
I have a slight update since I made the first post: after reading through these forums I used a program called HijackThis (before you made your reply) and discovered suspicious "hosts" entries that I deleted, and now the Google redirect seems to have stopped completely... for now. I'm still worried that simply deleting those hasn't gotten rid of the virus, if there is one.
Also, when I ran ComboFix just now, it didn't actually ask me about a recovery point; it seemed to just start scanning by itself unexpectedly, so I might do a re-scan with the right prerequisites after this. Here is the log file for now anyway, though. Thank you for the quick reply, by the way.
---------------
ComboFix 10-08-25.01 - Happlo 08/26/2010 11:02:22.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2099 [GMT -5:00]
Running from: c:\users\Happlo\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\users\Happlo\AppData\Local\Windows Server
c:\users\Happlo\AppData\Local\Windows Server\flags.ini
c:\users\Happlo\AppData\Local\Windows Server\hlp.dat
c:\users\Happlo\AppData\Local\Windows Server\uses32.dat
c:\windows\system32\wininit.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.
2010-08-26 16:12 . 2010-08-26 16:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-26 15:59 . 2010-08-26 15:59 -------- d-----w- C:\32788R22FWJFW
2010-08-26 09:13 . 2010-08-26 09:13 -------- d-----w- c:\program files\Trend Micro
2010-08-26 05:51 . 2010-08-26 05:51 93056 ----a-w- C:\pxryrpoc.sys
2010-08-26 03:54 . 2010-08-26 03:54 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-08-26 03:09 . 2010-08-26 05:02 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2010-08-26 02:47 . 2010-08-26 02:57 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-26 02:46 . 2010-08-26 02:46 -------- d-----w- c:\programdata\Hitman Pro
2010-08-26 02:46 . 2010-08-26 02:56 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-24 18:22 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-24 06:26 . 2010-08-26 03:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-24 06:26 . 2010-08-26 03:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-24 06:06 . 2010-08-26 03:06 -------- d-----w- c:\program files\AA Antimalware
2010-08-24 01:04 . 2010-08-24 01:04 -------- d-----w- c:\users\Happlo\AppData\Roaming\Malwarebytes
2010-08-24 01:04 . 2010-08-24 01:04 -------- d-----w- c:\programdata\Malwarebytes
2010-08-23 23:46 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-23 23:46 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-23 23:46 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-23 23:46 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-23 23:46 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-23 23:44 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-23 23:44 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-23 23:44 . 2010-08-23 23:44 -------- d-----w- c:\program files\Alwil Software
2010-08-14 18:43 . 2010-08-14 18:43 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-08-10 17:42 . 2008-01-08 10:10 98304 ----a-w- c:\windows\RTKAUDIOSERVICE.EXE
2010-08-10 17:42 . 2010-08-10 17:42 -------- d-----w- c:\windows\system32\RTCOM
2010-08-09 22:53 . 2010-08-09 22:53 -------- d-----w- c:\users\Happlo\AppData\Local\CrashRpt
2010-08-09 20:53 . 2010-08-13 01:21 -------- d-----w- c:\programdata\WebcamMax
2010-08-09 20:53 . 2010-08-09 20:53 -------- d-----w- c:\users\Happlo\AppData\Roaming\WebcamMax
2010-08-09 20:53 . 2010-08-09 20:53 -------- d-----w- c:\program files\WebcamMax
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\ms-drivers
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\wc
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-----w- c:\users\Happlo\AppData\Local\Universe Sandbox
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\wyUpdate AU
2010-08-06 18:06 . 2010-08-06 18:06 -------- d-----w- c:\program files\Universe Sandbox
2010-08-05 11:07 . 2010-08-05 11:07 -------- d-----w- c:\windows\system32\Adobe
2010-08-04 09:13 . 2010-08-04 09:14 -------- d--h--w- c:\program files\Temp
2010-08-03 09:20 . 2010-08-23 23:44 -------- d-----w- c:\programdata\Alwil Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-26 16:11 . 2010-04-04 01:12 -------- d-----w- c:\users\Happlo\AppData\Roaming\Skype
2010-08-26 15:47 . 2010-04-04 01:19 -------- d-----w- c:\users\Happlo\AppData\Roaming\skypePM
2010-08-26 09:47 . 2010-06-20 03:30 -------- d-----w- c:\program files\Messenger_Plus_Live_US
2010-08-26 09:47 . 2010-04-30 03:20 -------- d-----w- c:\program files\DVDVideoSoft
2010-08-26 09:47 . 2010-04-04 05:09 -------- d-----w- c:\program files\Vuze_Remote
2010-08-26 09:47 . 2010-04-03 23:21 -------- d-----w- c:\program files\AIM Toolbar
2010-08-26 09:23 . 2010-04-12 09:16 -------- d-----w- c:\program files\kikin
2010-08-26 09:13 . 2010-08-26 09:13 388096 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-24 07:24 . 2010-04-17 09:25 -------- d-----w- c:\users\Happlo\AppData\Roaming\.bitblinder
2010-08-24 07:07 . 2010-04-06 08:40 -------- d-----w- c:\users\Happlo\AppData\Roaming\vlc
2010-08-24 02:54 . 2010-04-03 23:23 58336 ----a-w- c:\users\Happlo\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-24 02:19 . 2010-07-20 20:31 -------- d-----w- c:\program files\Pando Networks
2010-08-24 01:19 . 2010-06-02 11:17 -------- d-sh--w- c:\users\Happlo\AppData\Roaming\lowsec
2010-08-23 23:23 . 2010-04-29 11:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-23 23:23 . 2010-07-20 20:50 -------- d-----w- c:\program files\Outspark
2010-08-23 23:18 . 2010-04-30 03:20 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-08-23 19:25 . 2010-04-12 09:16 -------- d-----w- c:\users\Happlo\AppData\Roaming\kikin
2010-08-20 16:20 . 2010-04-04 05:09 -------- d-----w- c:\users\Happlo\AppData\Roaming\Azureus
2010-08-14 18:45 . 2010-08-14 18:45 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf
2010-08-09 22:53 . 2010-07-04 21:24 -------- d-----w- c:\program files\Livestream Procaster
2010-08-08 10:49 . 2010-06-20 03:30 -------- d-----w- c:\program files\Messenger Plus! Live
2010-08-05 16:29 . 2010-04-04 05:39 -------- d-----w- c:\programdata\Norton
2010-08-04 10:50 . 2010-07-25 07:37 -------- d-----w- c:\program files\GGPO
2010-08-04 10:50 . 2010-04-03 20:43 -------- d-----w- c:\program files\Common Files\Steam
2010-08-04 10:50 . 2010-07-25 08:07 -------- d-----w- c:\program files\Ventrilo
2010-08-04 10:49 . 2010-07-25 08:08 -------- d-----w- c:\users\Happlo\AppData\Roaming\Ventrilo
2010-08-03 11:33 . 2010-04-25 00:48 -------- d-----w- c:\users\Happlo\AppData\Roaming\Abyxiw
2010-08-03 10:01 . 2010-05-29 22:01 -------- d-----w- c:\users\Happlo\AppData\Roaming\Hiohc
2010-07-29 06:30 . 2010-08-11 21:51 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 21:51 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-25 07:51 . 2010-07-25 07:51 -------- d-----w- c:\users\Happlo\AppData\Roaming\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2010-07-25 07:37 . 2010-07-25 07:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 07:36 . 2010-07-25 07:37 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-07-24 00:09 . 2010-04-03 20:43 -------- d-----w- c:\program files\Steam
2010-07-05 23:03 . 2010-07-05 23:03 -------- d-----w- c:\programdata\Hewlett-Packard
2010-07-05 10:29 . 2010-07-05 10:29 176 ----a-w- c:\users\Happlo\AppData\Roaming\Azureus\restart.bat
2010-07-05 10:26 . 2010-04-04 05:09 -------- d-----w- c:\program files\Vuze
2010-07-02 11:27 . 2010-07-02 11:27 120 ----a-w- c:\users\Happlo\AppData\Roaming\71c387e8.dat
2010-06-30 06:25 . 2010-08-11 21:51 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 02:47 . 2010-08-11 21:51 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 21:51 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 21:51 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 21:51 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 21:51 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 21:51 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 21:51 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 21:51 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 21:51 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-08 06:02 . 2010-08-11 21:51 1233920 ----a-w- c:\windows\system32\msxml3.dll
2010-06-03 07:55 . 2010-06-03 07:55 8854 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-06-03 07:55 . 2010-06-03 07:55 40960 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-06-03 07:55 . 2010-06-03 07:55 40960 ----a-r- c:\users\Happlo\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-06-02 16:02 . 2010-06-02 11:15 190 --s-a-w- c:\users\Happlo\AppData\Local\2678616684.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-04 01:05 136176 ----atw- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2010-07-19 11:12 3577120 ----a-w- c:\program files\Livestream Procaster\Procaster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-10-03 16:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 08:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 22:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-10 22:50 1238352 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxAutoRun]
2010-07-08 01:06 6043888 ----a-w- c:\program files\WebcamMax\WebcamMax.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-09-30 22:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-04 1343400]
R3 XDva344;XDva344;c:\windows\system32\XDva344.sys [x]
S1 aswSP;aswSP; [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2010-07-28 1935656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2010-06-28 71008]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
Contents of the 'Scheduled Tasks' folder
2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001Core.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]
2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001UA.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plusnetwork.com
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} -
FF - ProfilePath - c:\users\Happlo\AppData\Roaming\Mozilla\Firefox\Profiles\x3t6k72g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Happlo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - (no file)
Toolbar-{de404f4c-3cde-4d74-a6fb-052d099c104c} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - (no file)
WebBrowser-{DE404F4C-3CDE-4D74-A6FB-052D099C104C} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-klmdb.sys
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46.avi
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47.avi
MSConfigStartUp-userinit - c:\users\Happlo\AppData\Roaming\sdra64.exe
MSConfigStartUp-{D9B3D3A2-CB93-65F9-10CA-59E1D03E287E} - c:\users\Happlo\AppData\Roaming\Abyxiw\vyla.exe
AddRemove-BitBlinder - c:\program files\BitBlinder\Uninstall.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-26 11:20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 16:20
Pre-Run: 126,391,468,032 bytes free
Post-Run: 128,634,707,968 bytes free
- - End Of File - - F14362319E9F3DDB9355A2E2EECF98EA
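As an added example (not part of this thread, and not ComboFix's own code): a short Python triage script that reads a ComboFix log in the format posted above and lists the items a helper reads first, namely files ComboFix flagged as infected, the UAC policy values that the log above shows set to 0 (UAC switched off), and autostart entries that point into the user profile, such as the sdra64.exe orphan. The sample input is excerpted from the log above; the "suspicious" heuristics are this example's own assumptions, not ComboFix's.

```python
"""Triage of a ComboFix log: pull out the items a helper reads first.

Added example for this thread; it is not part of ComboFix or of the thread.
The "suspicious" heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines excerpted from the log posted above, with
# their section banners, so the script runs offline. Real logs are longer.
SAMPLE_LOG = r"""
ComboFix 10-08-25.01 - Happlo 08/26/2010 11:02:22.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\users\Happlo\AppData\Local\Windows Server\uses32.dat
c:\windows\system32\wininit.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-06-28 2837864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-04 01:05 136176 ----atw- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-userinit - c:\users\Happlo\AppData\Roaming\sdra64.exe
MSConfigStartUp-{D9B3D3A2-CB93-65F9-10CA-59E1D03E287E} - c:\users\Happlo\AppData\Roaming\Abyxiw\vyla.exe
AddRemove-BitBlinder - c:\program files\BitBlinder\Uninstall.exe
"""

# ComboFix section banners come in three shapes; each yields the section name.
SECTION_RES = (
    re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$"),          # (((( Other Deletions ))))
    re.compile(r"^(?:- ){3,}\s*(.+?)\s*(?: -){3,}$"),  # - - - - ORPHANS REMOVED - - - -
    re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$"),            # ------- Supplementary Scan -------
)

# UAC policy values under policies\system; a 0 here weakens or disables UAC.
UAC_POLICY = {
    "EnableLUA": "UAC disabled entirely",
    "ConsentPromptBehaviorAdmin": "admins elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts not shown on the secure desktop",
}
UAC_RE = re.compile(r'^"(\w+)"\s*=\s*(\d+)')

# Autostart sections are where a path under the user profile deserves a second
# look: installed software normally runs from Program Files or System32.
# Heuristic (assumption of this example): Google Update lives under
# AppData\Local and is deliberately not matched.
AUTOSTART_SECTIONS = ("Reg Loading Points", "ORPHANS REMOVED")
USER_WRITABLE = re.compile(r"\\appdata\\roaming\\|\\temp\\", re.I)
PATH_RE = re.compile(r'([a-z]:\\[^\[\]"]+?\.(?:exe|dll|sys|scr|bat|cmd|vbs))\b', re.I)


@dataclass
class Finding:
    section: str
    kind: str
    detail: str


def section_name(line):
    """Return the section name if `line` is a ComboFix banner, else None."""
    for rx in SECTION_RES:
        m = rx.match(line)
        if m:
            return m.group(1)
    return None


def parse_sections(text):
    """Split the log into {section name: [content lines]}; '.' spacers dropped."""
    sections, current = {}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        name = section_name(line)
        if name:
            current = name
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the findings a helper would look at first, in log order."""
    findings = []
    for section, lines in parse_sections(text).items():
        for line in lines:
            if "is infected" in line.lower():
                findings.append(Finding(section, "infected-system-file", line))
            m = UAC_RE.match(line)
            if m and m.group(1) in UAC_POLICY and m.group(2) == "0":
                findings.append(Finding(section, "uac-disabled",
                                        f"{m.group(1)}=0: {UAC_POLICY[m.group(1)]}"))
            if section in AUTOSTART_SECTIONS:
                pm = PATH_RE.search(line)
                if pm and USER_WRITABLE.search(pm.group(1)):
                    findings.append(Finding(section, "startup-from-user-profile", pm.group(1)))
    return findings


def triage_counts(text):
    """Number of findings per kind, e.g. {'uac-disabled': 3, ...}."""
    counts = {}
    for f in triage(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] ({f.section}) {f.detail}")
```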
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WeGame.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WeGame.lnk
backup=c:\windows\pss\WeGame.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-04 01:05 136176 ----atw- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Livestream Procaster]
2010-07-19 11:12 3577120 ----a-w- c:\program files\Livestream Procaster\Procaster.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-10-03 16:40 13826664 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 08:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 22:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-10 22:50 1238352 ----a-w- c:\program files\Steam\Steam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 16:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebcamMaxAutoRun]
2010-07-08 01:06 6043888 ----a-w- c:\program files\WebcamMax\WebcamMax.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XboxStat]
2009-09-30 22:57 718688 ----a-w- c:\program files\Microsoft Xbox 360 Accessories\XBoxStat.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 19:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-04 1343400]
R3 XDva344;XDva344;c:\windows\system32\XDva344.sys [x]
S1 aswSP;aswSP; [x]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2010-07-28 1935656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-10 18944]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2010-06-28 71008]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-10 33792]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
.
Contents of the 'Scheduled Tasks' folder
2010-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001Core.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]
2010-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3396681394-3423609913-100917528-1001UA.job
- c:\users\Happlo\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-04 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.plusnetwork.com
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} -
FF - ProfilePath - c:\users\Happlo\AppData\Roaming\Mozilla\Firefox\Profiles\x3t6k72g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Happlo\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
Toolbar-{e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - (no file)
Toolbar-{de404f4c-3cde-4d74-a6fb-052d099c104c} - (no file)
WebBrowser-{BA14329E-9550-4989-B3F2-9732E92D17CC} - (no file)
WebBrowser-{E9911EC6-1BCC-40B0-9993-E0EEA7F6953F} - (no file)
WebBrowser-{DE404F4C-3CDE-4D74-A6FB-052D099C104C} - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-klmdb.sys
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_46.avi
MSConfigStartUp-d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47 - c:\users\Happlo\AppData\Roaming\d5d45fc0-78a3-49c6-9302-ac860f8bf36e_47.avi
MSConfigStartUp-userinit - c:\users\Happlo\AppData\Roaming\sdra64.exe
MSConfigStartUp-{D9B3D3A2-CB93-65F9-10CA-59E1D03E287E} - c:\users\Happlo\AppData\Roaming\Abyxiw\vyla.exe
AddRemove-BitBlinder - c:\program files\BitBlinder\Uninstall.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-26 11:20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-26 16:20
Pre-Run: 126,391,468,032 bytes free
Post-Run: 128,634,707,968 bytes free
- - End Of File - - F14362319E9F3DDB9355A2E2EECF98EA
#4
Posted 26 August 2010 - 10:43 AM
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
Restore::
c:\windows\system32\wininit.exe
File::
c:\users\Happlo\AppData\Local\2678616684.dat
Folder::
Registry::
Driver::
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.