
web redirect - fake antivirus pop ups - super slow



#106 RKinner (Malware Expert, MVP, 24,625 posts)
The Avira find looks like something in your System Restore archives. Did it give the path to the file?

Have we done a BitDefender Quickscan yet?

Go to
http://quickscan.bitdefender.com/

and click on Free Scan Now and follow the instructions. When it finishes there is a report option. Copy the report (even if it says you are clean) and paste it into a reply.

Also get tcpview

http://live.sysinter...com/Tcpview.exe

Save it and run it. Then File, Save As, Browse Folders (select your Desktop), then type in tcp for a name and OK. Close tcpview and then find tcp.txt on your desktop and open it. Copy and paste the text into a reply.

When Combofix runs it usually tells you what it is doing. See
http://www.bleepingc...to-use-combofix

When does it hang for you? Do you see any of the Completed Stage messages?

Ron


#107 Big O (Topic Starter, Member, 104 posts)
QuickScan Beta 32-bit v0.9.9.62
-------------------------------
Scan date: Sun Jan 09 09:50:35 2011
Machine ID: 70294374



No infection found.
-------------------



Processes
---------
(unsigned) Apple Mobile Device Service 1844 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(unsigned) hp digital imaging 3924 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
(unsigned) HP PML 2764 C:\WINDOWS\system32\HPZipm12.exe
(unsigned) Linksys EasyLink Advisor 3128 C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
(unsigned) QuickBooks for Windows 212 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(unsigned) User Profile Hive Cleanup Service 960 C:\Program Files\UPHClean\uphclean.exe

(verified) AntiVir Desktop 2756 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(verified) AntiVir Desktop 1808 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(verified) AntiVir Desktop 112 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(verified) AntiVir Desktop 1712 C:\Program Files\Avira\AntiVir Desktop\sched.exe
(verified) Emsisoft Online Armor 1168 C:\Program Files\Online Armor\oacat.exe
(verified) Emsisoft Online Armor 3244 C:\Program Files\Online Armor\oahlp.exe
(verified) Emsisoft Online Armor 1292 C:\Program Files\Online Armor\oasrv.exe
(verified) Emsisoft Online Armor 3004 C:\Program Files\Online Armor\oaui.exe
(verified) hp digital imaging 2548 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(verified) hp digital imaging 3660 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(verified) Messenger 3188 C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft ActiveSync 3216 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
(verified) Microsoft ActiveSync 3580 C:\PROGRA~1\MICROS~4\rapimgr.exe
(verified) Microsoft Distributed Transaction Coord 3152 C:\WINDOWS\system32\msdtc.exe
(verified) Microsoft® Visual Studio .NET 1944 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(verified) Microsoft® Windows® Operating System 1384 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 2240 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 584 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 3032 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 2688 C:\WINDOWS\system32\dllhost.exe
(verified) Microsoft® Windows® Operating System 664 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 652 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 536 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 1664 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 380 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 2248 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 852 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 900 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1024 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1068 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1748 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 940 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 608 C:\WINDOWS\system32\winlogon.exe
(verified) Windows Live Messenger 3076 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
(verified) Windows® Internet Explorer 3484 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 4304 C:\Program Files\Internet Explorer\iexplore.exe
(verified) Windows® Internet Explorer 6096 C:\Program Files\Internet Explorer\iexplore.exe


Network activity
----------------
Process iexplore.exe (3484) connected on port 80 (HTTP) --> 207.46.140.150
Process iexplore.exe (3484) connected on port 80 (HTTP) --> 174.129.39.26
Process iexplore.exe (4304) connected on port 80 (HTTP) --> 199.7.51.190
Process iexplore.exe (4304) connected on port 80 (HTTP) --> 69.144.189.153
Process iexplore.exe (4304) connected on port 80 (HTTP) --> 91.199.104.31
Process iexplore.exe (4304) connected on port 80 (HTTP) --> 74.125.155.138

Process QBCFMonitorService.exe (212) listens on ports: 8019
Process svchost.exe (900) listens on ports: 135 (RPC)
Process svchost.exe (1068) listens on ports: 2869 (SSDP event notification, UPNP)
Process rapimgr.exe (3580) listens on ports: 990 (FTP over SSL)


Autoruns and critical files
---------------------------
(unsigned) Adobe Acrobat C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
(unsigned) hp digital imaging C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
(unsigned) Linksys EasyLink Advisor C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe

(verified) AntiVir Desktop C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(verified) Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
(verified) Emsisoft Online Armor c:\program files\online armor\oaevent.dll
(verified) Emsisoft Online Armor C:\Program Files\Online Armor\oaui.exe
(verified) Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
(verified) hp digital imaging C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(verified) Intel® Common User Interface C:\WINDOWS\system32\igfxdev.dll
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft ActiveSync C:\Program Files\Microsoft ActiveSync\wcescomm.exe
(verified) Microsoft Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\upnpui.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
(verified) OGAEXEC.exe C:\WINDOWS\system32\OGAEXEC.exe
(verified) QuickBooks Automatic Update C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(verified) Windows Live Messenger C:\Program Files\Windows Live\Messenger\msnmsgr.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
(unsigned) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(unsigned) Akamai Download Manager ActiveX Control C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx
(unsigned) DivX Player Netscape Plugin C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
(unsigned) DivX® Content Upload Plugin C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
(unsigned) DivX® Web Player C:\Program Files\DivX\DivX Web Player\npdivx32.dll
(unsigned) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
(unsigned) Microsoft® Windows® Operating System C:\WINDOWS\Downloaded Program Files\msrdp.ocx
(unsigned) npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.4.5 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) Shockwave for Director C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
(unsigned) Snapfish Activia C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx

(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll
(verified) BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.dll (new)
(verified) Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
(verified) Google Update C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
(verified) ICQ C:\Program Files\ICQ7.2\ICQ.exe
(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft® Windows Live Login Helper C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
(verified) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(verified) Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


Missing files
-------------
File not found: C:\DOCUME~1\TIMOAK~1\LOCALS~1\Temp\catchme.sys
--> HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys
--> HKLM\System\ControlSet001\services\PRAGMApcvbyputob\"ImagePath"


Scan
----
(unsigned) MD5: dfcb9ade94a4f8a7c42eef41101a30ad C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
(unsigned) MD5: 1acad13923e467e473c3ec503223f983 C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
(unsigned) MD5: 6fa9b5c81a2144ff816d19c8a0c0e67e C:\Program Files\Avira\AntiVir Desktop\aecore.dll
(unsigned) MD5: ee0477f95aaf614c5cb14f324ca48c3d C:\Program Files\Avira\AntiVir Desktop\aeemu.dll
(unsigned) MD5: 5d183db2eff3571cd1808922c91ac17f C:\Program Files\Avira\AntiVir Desktop\aegen.dll
(unsigned) MD5: ea75b506f1f9b76f86f7dc5a986a9fd2 C:\Program Files\Avira\AntiVir Desktop\aehelp.dll
(unsigned) MD5: 0d8b5138a316cadbb81b6244be6b9e6b C:\Program Files\Avira\AntiVir Desktop\aeheur.dll
(unsigned) MD5: a8dc0daebc3d50aacfa4d0388bed1f21 C:\Program Files\Avira\AntiVir Desktop\aeoffice.dll
(unsigned) MD5: a3d993119945f0b153005caefa44fe1a C:\Program Files\Avira\AntiVir Desktop\aepack.dll
(unsigned) MD5: d3e64adeecdd041171d9bd09f54cff04 C:\Program Files\Avira\AntiVir Desktop\aerdl.dll
(unsigned) MD5: bd8e5b4b16db2a53709ea74df7b22282 C:\Program Files\Avira\AntiVir Desktop\aesbx.dll
(unsigned) MD5: 864e4cec9f60c25a8a93ad3784da2e64 C:\Program Files\Avira\AntiVir Desktop\aescn.dll
(unsigned) MD5: ae2126066f5042510deaf45540ea4580 C:\Program Files\Avira\AntiVir Desktop\aescript.dll
(unsigned) MD5: 100caaf3542fb51feca9c09db1cb940d C:\Program Files\Avira\AntiVir Desktop\aevdf.dll
(unsigned) MD5: ddf0d660e994d0bb912f37dca7afe8f7 C:\Program Files\Avira\AntiVir Desktop\avevtlog.dll
(unsigned) MD5: dc4075c135ef78f6bc8674bb4c87e0b5 C:\Program Files\Avira\AntiVir Desktop\avgio.dll
(unsigned) MD5: 92ea86876dfde3b9f6b4b6443c8b11fb C:\Program Files\Avira\AntiVir Desktop\avpref.dll
(unsigned) MD5: 7488bce9f9c852f0931d29b0d76292bd C:\Program Files\Avira\AntiVir Desktop\ccgen.dll
(unsigned) MD5: e65e277c50bd5967b5e92c7744dba7bc C:\Program Files\Avira\AntiVir Desktop\ccguard.dll
(unsigned) MD5: 54ceee9d7aa46f3311d247bf57bbee36 C:\Program Files\Avira\AntiVir Desktop\cclic.dll
(unsigned) MD5: 400ab97179f05ba68b755d8971f262f2 C:\Program Files\Avira\AntiVir Desktop\ccmsg.dll
(unsigned) MD5: 7d541c5e5cdfb46d68ac60012c5d7acd C:\Program Files\Avira\AntiVir Desktop\ccupdate.dll
(unsigned) MD5: 47766f6b79a25af04ed3f6f2b02aa4cb C:\Program Files\Avira\AntiVir Desktop\ccwkrlib.dll
(unsigned) MD5: 92d9eb35797530fedc07b1d75533f68e C:\Program Files\Avira\AntiVir Desktop\guardmsg.dll
(unsigned) MD5: 7464c6694036b42ba237eb723a34d0f4 C:\Program Files\Avira\AntiVir Desktop\rcimage.dll
(unsigned) MD5: 13a86ff71b5e57da8c9a6e2316ce1eaa C:\Program Files\Avira\AntiVir Desktop\schedr.dll
(unsigned) MD5: c1eb9968ec89fba5f3a264e2e57923ab C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
(unsigned) MD5: 3a4982df893f198a2dfbccd4ce10f93a C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(unsigned) MD5: 04c642bd6337263ffa95b8df48b46377 C:\Program Files\Common Files\Intuit\QuickBooks\CFScan.dll
(unsigned) MD5: 2241eaf40e472c471cb80cf6b97cca11 C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
(unsigned) MD5: 17996ca5c59259ae02ca95bd11d7beec C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(unsigned) MD5: fbef5c342107b8760e841e1f9d541e8b C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL
(unsigned) MD5: 108d9340a386974336d049a41db6d2b1 C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
(unsigned) MD5: c289cf2de3e7116fc21fcd0e683a485f C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll
(unsigned) MD5: 6ab651e1cdf4f62dee4ab61f4cea3691 C:\Program Files\DivX\DivX Web Player\npdivx32.dll
(unsigned) MD5: 4534b919b89b56655d3a2c22e34f933b C:\Program Files\HP\Digital Imaging\bin\crm\hpqcrmcm.dll
(unsigned) MD5: a7a0371c6c7f0a02b5668a0f504a23cb C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll
(unsigned) MD5: 6906658f82de4c3f9538b189d93597c2 C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll
(unsigned) MD5: 3b5f0bf4125688a531fa21c823ea6193 C:\Program Files\HP\Digital Imaging\bin\dbghelp.dll
(unsigned) MD5: 99f5ef8b74b6a928358793342db3bcf8 C:\Program Files\HP\Digital Imaging\bin\hphtra09.dll
(unsigned) MD5: 9d37e5b9ed97eb0aea7a270d972917bd C:\Program Files\HP\Digital Imaging\bin\hpocxi08.dll
(unsigned) MD5: df8afd370a9937e82109a95ae5be5b3a C:\Program Files\HP\Digital Imaging\bin\hpoddcomm09.dll
(unsigned) MD5: 6729b7a0721464ee5cd6da22c5b36c0f C:\Program Files\HP\Digital Imaging\bin\hpodio08.dll
(unsigned) MD5: e866bf8b66384c65af0c4e63da40b386 C:\Program Files\HP\Digital Imaging\bin\hpodvd09.dll
(unsigned) MD5: cca3df71751fc1526660791cebdd4628 C:\Program Files\HP\Digital Imaging\bin\hpotradd.dll
(unsigned) MD5: e3dbbb00c9ceacbdd374efa2e9684e1f C:\Program Files\HP\Digital Imaging\bin\hpqcob08.dll
(unsigned) MD5: c4a2e21e829766ffba11b854502e81dd C:\Program Files\HP\Digital Imaging\bin\hpqcxm08.dll
(unsigned) MD5: db2e083814b065d83f623e9c394d0f3e C:\Program Files\HP\Digital Imaging\bin\hpqimgr.dll
(unsigned) MD5: 87bcf7a6a70060a48f9f5e6f80228a3f C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
(unsigned) MD5: 98aa5432be43cf02e6f3332adbda1dcc C:\Program Files\HP\Digital Imaging\bin\hpqmfc09.dll
(unsigned) MD5: 3172c615b91816013493169b3062e252 C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll
(unsigned) MD5: ffe7d9939f4139ef33125fdbaa929ff6 C:\Program Files\HP\Digital Imaging\bin\hpqmirsc.dll
(unsigned) MD5: 6d05606c17fba2dcc559816a2cb0ff0b C:\Program Files\HP\Digital Imaging\bin\hpqrif08.dll
(unsigned) MD5: 189fda7b75d167a6ceec6dfd77ed7a71 C:\Program Files\HP\Digital Imaging\bin\hpqsem08.rsc
(unsigned) MD5: f54e6a895cc1ddaffddfd45429d7774c C:\Program Files\HP\Digital Imaging\bin\hpqste08.rsc
(unsigned) MD5: 2207e5283450a56911239172665515b2 C:\Program Files\HP\Digital Imaging\bin\hpqsti08.dll
(unsigned) MD5: 63418eb433d986c728982446c6aa3cba C:\Program Files\HP\Digital Imaging\bin\hpqstp08.dll
(unsigned) MD5: 814e84685db4e9b6971d6247bf33209e C:\Program Files\HP\Digital Imaging\bin\hpqtao08.dll
(unsigned) MD5: de4517a364540ac9850c23d6d26866e3 C:\Program Files\HP\Digital Imaging\bin\hpqtap08.dll
(unsigned) MD5: 630f185a7a3cbabe2cf591bbb36985e1 C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
(unsigned) MD5: 75adf315d086042ef52e89551451430f C:\Program Files\HP\Digital Imaging\bin\hpqtra08.rsc
(unsigned) MD5: 64d6e922964d2f8f7665dcce6d13dd51 C:\Program Files\HP\Digital Imaging\bin\hpquio08.dll
(unsigned) MD5: a6d7da27d1da6337a2c7c97a65adc460 C:\Program Files\HP\Digital Imaging\bin\hpqusg.dll
(unsigned) MD5: b3087ea2aaacfa5e74e128c5ff65b9ad C:\Program Files\HP\Digital Imaging\bin\hpqvdcom.dll
(unsigned) MD5: 791166f60a6db32c079e813d7de43f47 C:\Program Files\HP\Digital Imaging\bin\ltfil13n.DLL
(unsigned) MD5: e2cd12a09aab75b19123e4ab807b2d25 C:\Program Files\HP\Digital Imaging\bin\ltkrn13n.dll
(unsigned) MD5: 8e89b72cb355ea260936b3a59b5071a9 C:\Program Files\HP\Digital Imaging\Unload\hpnkhTA.dll
(unsigned) MD5: 8ef356da145f60c3f11df7ef03b97449 C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) MD5: d0d99af123825a7809d98057d57f24d9 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) MD5: e02f6f36a576f570cef7267082f18172 C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(unsigned) MD5: 91ebafede47c885dd7c28f1a20aba6f3 C:\Program Files\Linksys EasyLink Advisor\actmgr.dll
(unsigned) MD5: 3502735a83d6f093a69881640620adab C:\Program Files\Linksys EasyLink Advisor\cfgdata.dll
(unsigned) MD5: 207ec2a7a2e6536b5cecae3ae164a692 C:\Program Files\Linksys EasyLink Advisor\gtagnt.dll
(unsigned) MD5: dd0bc0832429fb02392240a68c4750fa C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
(unsigned) MD5: ebbde3a865679fa67803aeda4ea1fb8d C:\Program Files\Linksys EasyLink Advisor\trgmgr.dll
(unsigned) MD5: fe8246252b4a958b22cc82088c77266e C:\Program Files\Neato\MediaFACE 4.0\MFExtRes.dll
(unsigned) MD5: 325fb38c323c63c7f57885b4dfb1b91e C:\Program Files\UPHClean\uphclean.exe
(unsigned) MD5: 94a85e956a065e23e0010a6a7826243b C:\Program Files\Windows Live\installer\WLSetupSvc.exe
(unsigned) MD5: ea8a82f0a08df503ee6f612f14d9500c C:\PROGRA~1\CYBERL~2\Power2Go\CLMP3Enc.ACM
(unsigned) MD5: c29ea2b5be54b7e165f4757c7f90f203 C:\PROGRA~1\LINKSY~1\gdql_lsa.dll
(unsigned) MD5: 44d986c908d83aa939990cd4042cbb61 C:\PROGRA~1\LINKSY~1\GTAction\handlers\DiscoverDevices.dll
(unsigned) MD5: 96d33c9deb62c05f9d8d9dbccb0807a7 C:\PROGRA~1\LINKSY~1\GTAction\handlers\grouph.dll
(unsigned) MD5: e07f40653cac71a260841a5a5c8f3479 C:\PROGRA~1\LINKSY~1\GTAction\handlers\qdiagh.dll
(unsigned) MD5: 75b87be4b1d7b2bbabf1a9fe53785036 C:\PROGRA~1\LINKSY~1\GTAction\handlers\trgloadh.dll
(unsigned) MD5: a0150b0ed9c1b6bdaf00350381a21ac1 C:\PROGRA~1\LINKSY~1\GTAction\handlers\trgregh.dll
(unsigned) MD5: 5636a7fe1721d7cf9347615e3b9cbd4d C:\PROGRA~1\LINKSY~1\GTAction\triggers\networkt.dll
(unsigned) MD5: a1b44c0a1ad71f86579a4521d5b1c024 C:\WINDOWS\assembly\GAC\Accessibility\1.0.5000.0__b03f5f7f11d50a3a\Accessibility.dll
(unsigned) MD5: 10aae1d5e87e38fe12ef48353d95d824 C:\WINDOWS\assembly\GAC\hpqasset\4.0.0.0__a53cf5803f4c3827\hpqasset.dll
(unsigned) MD5: 493c3e542983b8118727efee42905b34 C:\WINDOWS\assembly\GAC\hpqbakup\3.0.0.0__a53cf5803f4c3827\hpqbakup.dll
(unsigned) MD5: 51d35b6c3383b4aa8d68ca26ded1d125 C:\WINDOWS\assembly\GAC\hpqcc2\3.0.0.0__a53cf5803f4c3827\hpqcc2.dll
(unsigned) MD5: 0f76696e3cc15c961f91b6965b843890 C:\WINDOWS\assembly\GAC\hpqcprsc\3.0.0.0__a53cf5803f4c3827\hpqcprsc.dll
(unsigned) MD5: 92c82e1de8f4e0a2457596abb032799d C:\WINDOWS\assembly\GAC\hpqedit\3.0.0.0__a53cf5803f4c3827\hpqedit.dll
(unsigned) MD5: ccb8943dabefd22cf9fc93934d1ee06f C:\WINDOWS\assembly\GAC\hpqfmrsc\4.0.0.0__a53cf5803f4c3827\hpqfmrsc.dll
(unsigned) MD5: faba5f0bafba0d6268d32a9f277ac600 C:\WINDOWS\assembly\GAC\hpqglutl\4.0.0.0__a53cf5803f4c3827\hpqglutl.dll
(unsigned) MD5: 44fe769f516a0140207b773a15d1c661 C:\WINDOWS\assembly\GAC\hpqiface\4.0.0.0__a53cf5803f4c3827\hpqiface.dll
(unsigned) MD5: 988492049768322f4968c9c0fe1a44c3 C:\WINDOWS\assembly\GAC\hpqimgrc\4.0.0.0__a53cf5803f4c3827\hpqimgrc.dll
(unsigned) MD5: b43cfc68cee189e96dbb1f6c9de2a64a C:\WINDOWS\assembly\GAC\hpqimlib\3.0.0.0__a53cf5803f4c3827\hpqimlib.dll
(unsigned) MD5: c40cabc022e2183d6bb81fe984a68982 C:\WINDOWS\assembly\GAC\hpqimvlt\3.0.0.0__a53cf5803f4c3827\hpqimvlt.dll
(unsigned) MD5: 93e315d3ae8f7d64a33807d84e1ff477 C:\WINDOWS\assembly\GAC\hpqisrtb\4.0.0.0__a53cf5803f4c3827\hpqisrtb.dll
(unsigned) MD5: 6b224468cd4697bdb06d0b1b4d03cbdd C:\WINDOWS\assembly\GAC\hpqmdmr\4.0.0.0__a53cf5803f4c3827\hpqmdmr.dll
(unsigned) MD5: 86fd7adc29741b1d6bf376b6703da765 C:\WINDOWS\assembly\GAC\hpqntrop\4.0.0.0__a53cf5803f4c3827\hpqntrop.dll
(unsigned) MD5: f919c0c70c768ff6e9db66d1c33bf7be C:\WINDOWS\assembly\GAC\hpqovskn\3.0.0.0__a53cf5803f4c3827\hpqovskn.dll
(unsigned) MD5: 7649f0178cf1762f09f803bc4565d45f C:\WINDOWS\assembly\GAC\hpqprrsc\4.0.0.0__a53cf5803f4c3827\hpqprrsc.dll
(unsigned) MD5: 95638a6b405f1132499c8555382709a8 C:\WINDOWS\assembly\GAC\hpqthumb\3.0.0.0__a53cf5803f4c3827\hpqthumb.dll
(unsigned) MD5: ef1905eb64ae8fa60adf221ebb5ced0d C:\WINDOWS\assembly\GAC\hpqtray\4.0.0.0__a53cf5803f4c3827\hpqtray.dll
(unsigned) MD5: db58f7609f096f62a7f6a5ba12162da1 C:\WINDOWS\assembly\GAC\hpqutils\4.0.0.0__a53cf5803f4c3827\hpqutils.dll
(unsigned) MD5: 86b33fed643591940e922d2664099ea6 C:\WINDOWS\assembly\GAC\hpqvideo\3.0.0.0__a53cf5803f4c3827\hpqvideo.dll
(unsigned) MD5: a374b8064daf91b2a1cac1fdb1b919d0 C:\WINDOWS\assembly\GAC\Interop.hpqcxm08\3.0.0.0__a53cf5803f4c3827\Interop.hpqcxm08.dll
(unsigned) MD5: 76e55b5e1eb8fd93c9684f16036785d4 C:\WINDOWS\assembly\GAC\interop.hpqimgr\4.0.0.0__a53cf5803f4c3827\interop.hpqimgr.dll
(unsigned) MD5: 1229c236b3856aef4ee37ce4b0a4d67e C:\WINDOWS\assembly\GAC\interop.hpqvideo\4.0.0.0__a53cf5803f4c3827\Interop.hpqvideo.dll
(unsigned) MD5: f89bdd4110a8f493ab2e4637f52eb1f4 C:\WINDOWS\assembly\GAC\Interop.hprblog\3.0.0.0__a53cf5803f4c3827\Interop.hprblog.dll
(unsigned) MD5: c2808d9ec312e38a30b432daaa91ea62 C:\WINDOWS\assembly\GAC\LEAD.Drawing.Imaging.Codecs\13.0.0.113__9cf889f53ea9b907\LEAD.Drawing.Imaging.Codecs.dll
(unsigned) MD5: f5a621c69b659258e5164306a15c9caa C:\WINDOWS\assembly\GAC\LEAD.Drawing.Imaging.ImageProcessing\13.0.0.113__9cf889f53ea9b907\LEAD.Drawing.Imaging.ImageProcessing.dll
(unsigned) MD5: b8549829aabd31329cb20367f05630ea C:\WINDOWS\assembly\GAC\LEAD.Drawing\13.0.0.113__9cf889f53ea9b907\LEAD.Drawing.dll
(unsigned) MD5: d086d14ae3e163dd38230cbc804c6747 C:\WINDOWS\assembly\GAC\LEAD.Windows.Forms.DrawingContainer\13.0.0.113__9cf889f53ea9b907\LEAD.Windows.Forms.DrawingContainer.dll
(unsigned) MD5: 4bbf2f7e4f0f21fdcf30f540e7331bd7 C:\WINDOWS\assembly\GAC\LEAD.Windows.Forms\13.0.0.113__9cf889f53ea9b907\LEAD.Windows.Forms.dll
(unsigned) MD5: 335270904fed5f3629fe0d2fcab7bd4f C:\WINDOWS\assembly\GAC\LEAD.Wrapper\13.0.0.113__9cf889f53ea9b907\LEAD.Wrapper.dll
(unsigned) MD5: 648fe0d27734bb73ef04bc6789b20935 C:\WINDOWS\assembly\GAC\LEAD\13.0.0.113__9cf889f53ea9b907\LEAD.dll
(unsigned) MD5: bcf15390de7368639c593735bf938d7a C:\WINDOWS\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
(unsigned) MD5: 2814e9bdb75088c0b4cf6c1123f6ec8e C:\WINDOWS\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
(unsigned) MD5: a5205b3af85b1477ab2c2a1e12201598 C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
(unsigned) MD5: 9921697afaa1349535316a346d87bb78 C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
(unsigned) MD5: d7f49fe7c7da6900467b19e45a2a94a3 C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e9559a53\mscorlib.dll
(unsigned) MD5: a7f5c8df434ef7d976a9ed64e3146ee5 C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_c3a490e0\System.Drawing.dll
(unsigned) MD5: bd1b4fbda716e1d812eee66d9571095b C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_0ad7e3e8\System.Windows.Forms.dll
(unsigned) MD5: beed695d561c699c62a081991d077ff1 C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_4142b368\System.Xml.dll
(unsigned) MD5: bd902ad9881291bb9692b92f901fab9e C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_0425878e\System.dll
(unsigned) MD5: 5780e648b6b4147d0435bbff49ec05a1 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll
(unsigned) MD5: 5c75f8b5c637fe020eaecc87079276c3 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b000cc703c9d95593b516bf2c2ec316\System.ServiceProcess.ni.dll
(unsigned) MD5: 3f64539841a4e243c93f415d3044afcd C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\08ffa4d388d5f007869aa7651c458e7c\System.ni.dll
(unsigned) MD5: f27771e55d2520e0010886fa8284043e C:\WINDOWS\Downloaded Program Files\DownloadManagerV2.ocx
(unsigned) MD5: 3f4413dcd8d3bbabf08f68f25e6d60e1 C:\WINDOWS\Downloaded Program Files\isusweb.dll
(unsigned) MD5: 9622600f464ae6ae99b44bd0cf58a52f C:\WINDOWS\Downloaded Program Files\msrdp.ocx
(unsigned) MD5: f5c79c45f1adf877dc3afdff3565ae7b C:\WINDOWS\Downloaded Program Files\SnapfishActivia1000.ocx
(unsigned) MD5: 3c923e1911ced5802c3bdb9ce18f64da C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
(unsigned) MD5: 0a8d6fe9110a23a2e561dd570c3b0508 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
(unsigned) MD5: 2f67c092a56f2814be4c75ede8d1e176 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
(unsigned) MD5: 1a692dbdac7a578187e0a94a850a6240 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
(unsigned) MD5: 74d879f95a0249e7007f6d94bd069c32 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
(unsigned) MD5: e2318e8514abf50e3ecedab9465a90a1 C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
(unsigned) MD5: 4effd2b6946d8908a8bf6f8ba69808cc C:\WINDOWS\system32\divxdec.ax
(unsigned) MD5: 5ef8e2013efa4e650bd060aa334fff18 C:\WINDOWS\system32\DivXMedia.ax
(unsigned) MD5: ab01e9f46583e6f0ebf7659b21630407 C:\WINDOWS\system32\drivers\DCDISK.sys
(unsigned) MD5: 3620e669c5268247c05be74eb758df27 C:\WINDOWS\system32\drivers\FBAPI.sys
(unsigned) MD5: 9090970d29a5181fec0ebb32527b03a9 C:\WINDOWS\System32\Drivers\PhnxVcd.sys
(unsigned) MD5: 46b50c07abfda51d9b22212eaeb82d2b C:\WINDOWS\system32\drivers\SCDEMU.sys
(unsigned) MD5: f5d44f0810ec447affa7a3ee38ca9bb1 C:\WINDOWS\system32\DVobSub.ax
(unsigned) MD5: 4fab095aaa92bb040813a9619f5941be C:\WINDOWS\system32\HPZidr12.dll
(unsigned) MD5: 2d091a99624fb9e7eef0a86d872ec0c3 C:\WINDOWS\system32\HPZipm12.exe
(unsigned) MD5: 9c2e4b463daaa7a8508f6dbba3c3eb85 C:\WINDOWS\system32\HPZipr12.dll
(unsigned) MD5: fd65bef5ff8275711d9a56f0b8bb43f1 C:\WINDOWS\system32\Machnm32.sys
(unsigned) MD5: f35a584e947a5b401feb0fe01db4a0d7 C:\WINDOWS\system32\mfc71.dll
(unsigned) MD5: f1679e6cb5921f4a1d9474d46c810624 C:\WINDOWS\system32\xvid.ax

The following file(s) must be uploaded for server-side scanning:
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_c3a490e0\System.Drawing.dll

Upload started - 1 file(s)
System.Drawing.dll (835584)
Upload speed - 15 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 59 sec
Total traffic - 0.87 MB sent, 706.93 KB recvd
Scanned 1447 files and modules - 94 seconds

==============================================================================
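The QuickScan report above is plain text with a fixed layout (a title line, a line of dashes, then one entry per line), so the parts a responder actually reads first can be pulled out mechanically: service keys whose ImagePath points at a file that is not on disk, unsigned running processes, and listening ports. The script below is an added example written for this thread, not BitDefender's code; the embedded report is a trimmed copy of the output posted above, and the low/medium/high ranking of a missing driver is this example's own heuristic (a missing file under the Windows directory is treated as more urgent than one in a user's Temp folder).

```python
"""Extract responder-relevant findings from a BitDefender QuickScan text report.

Added example for this thread; it is not BitDefender's code. SAMPLE_REPORT is a
trimmed copy of the QuickScan output posted in the thread."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Process(NamedTuple):
    name: str
    pid: int
    path: str
    verified: bool


class MissingImage(NamedTuple):
    service: str   # service key name under HKLM\System\...\services
    path: str      # ImagePath value pointing at a file that is not there
    key: str       # full registry key as printed in the report


# Constructed input: trimmed copy of the report format seen in the thread.
SAMPLE_REPORT = r"""QuickScan Beta 32-bit v0.9.9.62
-------------------------------
Scan date: Sun Jan 09 09:50:35 2011

Processes
---------
(unsigned) Apple Mobile Device Service 1844 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(unsigned) HP PML 2764 C:\WINDOWS\system32\HPZipm12.exe

(verified) AntiVir Desktop 1808 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(verified) Microsoft® Windows® Operating System 900 C:\WINDOWS\system32\svchost.exe

Network activity
----------------
Process iexplore.exe (3484) connected on port 80 (HTTP) --> 207.46.140.150

Process QBCFMonitorService.exe (212) listens on ports: 8019
Process svchost.exe (900) listens on ports: 135 (RPC)
Process rapimgr.exe (3580) listens on ports: 990 (FTP over SSL)

Missing files
-------------
File not found: C:\DOCUME~1\TIMOAK~1\LOCALS~1\Temp\catchme.sys
--> HKLM\System\ControlSet001\services\catchme\"ImagePath"

File not found: C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys
--> HKLM\System\ControlSet001\services\PRAGMApcvbyputob\"ImagePath"
"""

DASHES = re.compile(r"-{3,}")
PROC_RE = re.compile(r"^\((unsigned|verified)\) (.+?) (\d+) ([A-Za-z]:\\.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) \((\d+)\) listens on ports: (.+)$")
MISSING_RE = re.compile(r"^File not found: (.+)$")
KEY_RE = re.compile(r'^--> (HKLM\\System\\[^\\]+\\services\\([^\\]+))\\"ImagePath"$')


def split_sections(text: str) -> Dict[str, List[str]]:
    """A section is a title line followed by a dashes line; entries run until
    the next title. Blank lines and the dashes themselves are dropped."""
    lines = text.splitlines()
    sections: Dict[str, List[str]] = {}
    current = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if line.strip() and DASHES.fullmatch(nxt):
            current = line.strip()
            sections[current] = []
        elif DASHES.fullmatch(line.strip()) or not line.strip():
            continue
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def processes(sections: Dict[str, List[str]]) -> List[Process]:
    out = []
    for line in sections.get("Processes", []):
        m = PROC_RE.match(line)
        if m:
            out.append(Process(m.group(2), int(m.group(3)), m.group(4), m.group(1) == "verified"))
    return out


def listeners(sections: Dict[str, List[str]]) -> List[Tuple[str, int, List[int]]]:
    """(process, pid, ports) per 'listens on ports' line; the protocol hints
    in parentheses such as '(FTP over SSL)' are stripped before reading ports."""
    out = []
    for line in sections.get("Network activity", []):
        m = LISTEN_RE.match(line)
        if m:
            ports = [int(p) for p in re.findall(r"\d+", re.sub(r"\([^)]*\)", "", m.group(3)))]
            out.append((m.group(1), int(m.group(2)), ports))
    return out


def missing_service_images(sections: Dict[str, List[str]]) -> List[MissingImage]:
    """Pair each 'File not found' line with the '--> HKLM...ImagePath' line after it."""
    out, pending = [], None
    for line in sections.get("Missing files", []):
        m = MISSING_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        k = KEY_RE.match(line)
        if k and pending:
            out.append(MissingImage(k.group(2), pending, k.group(1)))
            pending = None
    return out


def triage(item: MissingImage) -> str:
    """Example heuristic (not BitDefender's): a service key whose driver under the
    Windows directory cannot be seen on disk is the footprint of either a hidden
    file or a deleted driver whose key survived, so it ranks high; a reference
    into a user's Temp folder is more often a leftover from a tool run there."""
    p = item.path.upper()
    if "\\TEMP\\" in p:
        return "low"
    if p.startswith("C:\\WINDOWS\\"):
        return "high"
    return "medium"


def report_findings(text: str) -> Dict[str, list]:
    s = split_sections(text)
    return {
        "unsigned_processes": [p.name for p in processes(s) if not p.verified],
        "listeners": listeners(s),
        "missing_images": [(m.service, m.path, triage(m)) for m in missing_service_images(s)],
    }


if __name__ == "__main__":
    for heading, items in report_findings(SAMPLE_REPORT).items():
        print(heading)
        for item in items:
            print("   ", item)
```

Run it as-is and the "missing_images" list ranks the PRAGMAd.sys entry high and the catchme.sys entry low, which is the same ordering the expert arrives at later in the thread by hand; the point of the script is that the ranking comes from the registry key plus the path, not from recognising the name.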

#108 Big O (Topic Starter, Member, 104 posts)
Combofix has hung up each time at this screen, where it says this should take no longer than 10 minutes but may double for heavily infected machines.


ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.




ComboFix is scanning the computer for infections



#109 Big O (Topic Starter, Member, 104 posts)
alg.exe 2240 TCP Systemax 1026 Systemax 0 LISTENING
AppleMobileDeviceService.exe 1844 TCP Systemax 27015 Systemax 0 LISTENING
explorer.exe 1384 UDP Systemax 1597 * *
iexplore.exe 3484 TCP systemax.bresnan.net 1499 ec2-174-129-39-26.compute-1.amazonaws.com http ESTABLISHED
iexplore.exe 3484 TCP systemax.bresnan.net 1614 www-13-01-ash4.facebook.com http ESTABLISHED
iexplore.exe 3484 TCP systemax.bresnan.net 1492 px-in-f138.1e100.net http ESTABLISHED
iexplore.exe 3484 TCP systemax.bresnan.net 1615 www-13-01-ash4.facebook.com http ESTABLISHED
iexplore.exe 3484 TCP systemax.bresnan.net 1611 denco002hb8.int.bresnan.net http ESTABLISHED
iexplore.exe 3484 UDP Systemax 1235 * * 1 1 1 1
lsass.exe 664 UDP Systemax isakmp * *
lsass.exe 664 UDP Systemax 4500 * *
QBCFMonitorService.exe 212 TCP Systemax 8019 Systemax 0 LISTENING
rapimgr.exe 3580 TCP Systemax 990 Systemax 0 LISTENING
svchost.exe 900 TCP Systemax epmap Systemax 0 LISTENING
svchost.exe 1068 TCP Systemax 2869 Systemax 0 LISTENING
svchost.exe 1068 UDP systemax.bresnan.net 1900 * *
svchost.exe 940 UDP Systemax 1595 * *
svchost.exe 940 UDP Systemax ntp * *
svchost.exe 940 UDP systemax.bresnan.net ntp * *
svchost.exe 1068 UDP Systemax 1900 * *
System 4 TCP systemax.bresnan.net netbios-ssn Systemax 0 LISTENING
System 4 TCP Systemax microsoft-ds Systemax 0 LISTENING
System 4 UDP systemax.bresnan.net netbios-ns * * 1 50 1
System 4 UDP systemax.bresnan.net netbios-dgm * *
System 4 UDP Systemax microsoft-ds * *
wcescomm.exe 3216 TCP Systemax 7438 Systemax 0 LISTENING
wcescomm.exe 3216 TCP Systemax 5679 Systemax 0 LISTENING
  • 0

#110
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
About 3 seconds after I saved the first tcp txt file, I noticed all the iexplore entries dropped off. I saved another txt file for what it looked like right after I saved the first one. The only IE window I had open was geeks2go, nothing else, ever since we started this journey at the beginning.


alg.exe 2240 TCP Systemax 1026 Systemax 0 LISTENING
AppleMobileDeviceService.exe 1844 TCP Systemax 27015 Systemax 0 LISTENING
explorer.exe 1384 UDP Systemax 1597 * *
iexplore.exe 3484 UDP Systemax 1235 * *
lsass.exe 664 UDP Systemax isakmp * *
lsass.exe 664 UDP Systemax 4500 * *
QBCFMonitorService.exe 212 TCP Systemax 8019 Systemax 0 LISTENING
rapimgr.exe 3580 TCP Systemax 990 Systemax 0 LISTENING
svchost.exe 940 TCP systemax.bresnan.net 1634 65.55.200.155 https ESTABLISHED
svchost.exe 900 TCP Systemax epmap Systemax 0 LISTENING
svchost.exe 1068 TCP Systemax 2869 Systemax 0 LISTENING
svchost.exe 1068 UDP systemax.bresnan.net 1900 * *
svchost.exe 940 UDP Systemax 1595 * *
svchost.exe 940 UDP Systemax ntp * *
svchost.exe 940 UDP systemax.bresnan.net ntp * *
svchost.exe 1068 UDP Systemax 1900 * *
System 4 TCP systemax.bresnan.net netbios-ssn Systemax 0 LISTENING
System 4 TCP Systemax microsoft-ds Systemax 0 LISTENING
System 4 UDP systemax.bresnan.net netbios-ns * * 2 100
System 4 UDP systemax.bresnan.net netbios-dgm * *
System 4 UDP Systemax microsoft-ds * *
wcescomm.exe 3216 TCP Systemax 7438 Systemax 0 LISTENING
wcescomm.exe 3216 TCP Systemax 5679 Systemax 0 LISTENING
  • 0
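Comparing the two tcp.txt captures above by eye is tedious, so here is an added example (not part of the thread or of TCPView itself): a small Python parser for TCPView's saved text format that drops the volatile packet counters, reports which endpoints disappeared or appeared between two captures, and lists each process's ESTABLISHED remote endpoints for review. The embedded snapshots are abbreviated copies of the rows posted above.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Abbreviated copies of the two tcp.txt captures posted above (constructed
# sample input for this example; the real files contain more rows).
SNAPSHOT_1 = """\
alg.exe 2240 TCP Systemax 1026 Systemax 0 LISTENING
iexplore.exe 3484 TCP systemax.bresnan.net 1499 ec2-174-129-39-26.compute-1.amazonaws.com http ESTABLISHED
iexplore.exe 3484 TCP systemax.bresnan.net 1614 www-13-01-ash4.facebook.com http ESTABLISHED
iexplore.exe 3484 UDP Systemax 1235 * * 1 1 1 1
svchost.exe 900 TCP Systemax epmap Systemax 0 LISTENING
System 4 UDP systemax.bresnan.net netbios-ns * * 1 50 1
"""

SNAPSHOT_2 = """\
alg.exe 2240 TCP Systemax 1026 Systemax 0 LISTENING
iexplore.exe 3484 UDP Systemax 1235 * *
svchost.exe 940 TCP systemax.bresnan.net 1634 65.55.200.155 https ESTABLISHED
svchost.exe 900 TCP Systemax epmap Systemax 0 LISTENING
System 4 UDP systemax.bresnan.net netbios-ns * * 2 100
"""


@dataclass(frozen=True)
class Endpoint:
    process: str
    pid: int
    proto: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str  # empty for UDP rows, which carry no state


def parse_tcpview(text: str) -> Set[Endpoint]:
    """Parse TCPView's saved text format.

    Every row starts with seven fixed columns: process, pid, protocol,
    local host, local port, remote host, remote port. TCP rows add a state;
    some rows end in packet counters, which change between captures and are
    deliberately dropped so that two snapshots can be compared as sets.
    """
    rows: Set[Endpoint] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        proc, pid, proto, _lhost, lport, rhost, rport = parts[:7]
        proto = proto.upper()
        state = parts[7] if proto == "TCP" and len(parts) > 7 else ""
        rows.add(Endpoint(proc, int(pid), proto, lport, rhost, rport, state))
    return rows


def outbound(rows: Set[Endpoint]) -> Dict[str, List[str]]:
    """process:pid -> sorted remote endpoints of ESTABLISHED connections,
    the rows to check first against destinations the user recognises."""
    out: Dict[str, Set[str]] = {}
    for r in rows:
        if r.state == "ESTABLISHED":
            key = f"{r.process}:{r.pid}"
            out.setdefault(key, set()).add(f"{r.remote_host}:{r.remote_port}")
    return {k: sorted(v) for k, v in out.items()}


def diff_snapshots(before: str, after: str) -> Tuple[Set[Endpoint], Set[Endpoint]]:
    """Return (gone, new): endpoints seen only in the first capture and
    endpoints seen only in the second."""
    a, b = parse_tcpview(before), parse_tcpview(after)
    return a - b, b - a


if __name__ == "__main__":
    gone, new = diff_snapshots(SNAPSHOT_1, SNAPSHOT_2)
    print("outbound before:", outbound(parse_tcpview(SNAPSHOT_1)))
    print("outbound after: ", outbound(parse_tcpview(SNAPSHOT_2)))
    for e in sorted(gone, key=lambda e: (e.process, e.local_port)):
        print("gone:", e.process, e.pid, e.proto, e.local_port, "->", e.remote_host, e.remote_port)
    for e in sorted(new, key=lambda e: (e.process, e.local_port)):
        print("new: ", e.process, e.pid, e.proto, e.local_port, "->", e.remote_host, e.remote_port)
```

Run against the two full tcp.txt files to see exactly which connections changed between the captures; a browser's connections closing when its page goes idle is expected, while ESTABLISHED rows from processes that have no reason to talk to the internet are what to look at next.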

#111
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
BitDefender found some evidence of a rootkit:

File not found: C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys
--> HKLM\System\ControlSet001\services\PRAGMApcvbyputob\"ImagePath"



The file might be there but hidden. PRAGMAd.sys is a known TDSS driver and rootkit. Download protection_center_exe_fix.reg and save it to your desktop:

http://www.malwarehe...ter_exe_fix.reg

Double click the downloaded “protection_center_exe_fix.reg”. You will see a dialogue box pop-up with a message similar to “Are you sure you want to add the information in trojan_fakerean_exe_fix.reg to the registry”. Click “Yes” to merge the registry data.

Let's see if Avenger will get the driver.

Download The Avenger by Swandog46 from
http://swandog46.gee...r2/download.php
* Unzip/extract it to a folder on your desktop.
* Double click on avenger.exe to run The Avenger.
* Click OK.
* Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
* Copy all of the text between the stars to the clipboard by highlighting it and then pressing Ctrl+C.
*******************************************************

Files to replace with dummy:
C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys

Drivers to delete:
PRAGMAd

******************************************************
* In the avenger window, click the Paste Script from Clipboard icon, Image button.
* :!: Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
* Click the Execute button.
* You will be asked Are you sure you want to execute the current script?.
* Click Yes.
* You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
* Click Yes.
* Your PC will now be rebooted.
* Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
* If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
* After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). I would like to see the log in your next post.

copy the next line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys > \junk.txt

Now open a command window: Start, Run, cmd, OK

Right click and Paste or Edit, Paste then hit Enter.

dir /a /s pragma*.* >> \junk.txt

notepad \junk.txt

Copy and Paste the text from notepad.


Ron
  • 0

#112
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts

The Avira find looks like something in your System Restore archives. Did it give the path to the file?


C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP1360\A0163376.exe
[DETECTION] Is the TR/Agent.15616.B Trojan
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP1360\A0163389.exe
[DETECTION] Is the TR/Gendal.15616.G Trojan
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP1360\A0163394.exe
[DETECTION] Is the TR/Agent.15616.E Trojan
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP1360\A0163397.exe
[DETECTION] Is the TR/Gendal.15616.H Trojan
C:\System Volume Information\_restore{6742B4A6-3600-42DD-A01B-B908D2B25349}\RP1360\A0163499.EXE
[DETECTION] Is the TR/Drop.Agent.qgq.2 Trojan
  • 0

#113
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
*edit (I should have read a little further in the directions to expect the BSOD)

I forced a restart (as expected) and everything booted up fine and I pasted the txt from Avenger below. Online Armor pop up window said it blocked a program with the name

Machnm32.sys

and would like to know whether to trust, delete, or block. I will just leave it up and wait for your suggestion.






Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys"
Replacement with dummy of file "C:\WINDOWS\PRAGMApcvbyputob\PRAGMAd.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\PRAGMAd" not found!
Deletion of driver "PRAGMAd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Edited by Big O, 09 January 2011 - 02:34 PM.

  • 0

#114
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts

copy the next line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys > \junk.txt


system could not find the path specified.

I then cd.. back to c: and tried again with no success; same message.


dir /a /s pragma*.* >> \junk.txt

notepad \junk.txt

Volume in drive C has no label.
Volume Serial Number is 7029-4374
  • 0

#115
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Machnm32.sys is part of Protection Plus:
http://www.softwarek..._windows_xp.htm

Some software you have probably needs it to use the web in order to work.

I left out a bit

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys > \junk.txt

should have been

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys /s > \junk.txt

One sure way to determine if a hidden file or folder exists is to create a folder or file of the same name in the same place. Windows won't allow a file and folder of the same name in the same path.

Open a Command Prompt and type:

notepad
Type in a few words like Dummy File then Save As to C:\Windows with name: "PRAGMApcvbyputob" OK

You must use quotes around the file name or it will add a .txt
Ron
  • 0
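Ron's name-collision check, as an added example that is not part of the thread: a Python probe that tries to claim the name with an exclusive create (the programmatic equivalent of Notepad's Save As) and compares the outcome with what a directory listing shows. The folder name and the scratch directory are constructed for the demo; the code assumes that on Windows a collision with an existing folder may surface as PermissionError rather than FileExistsError, and treats both as "occupied".

```python
import os
import shutil
import tempfile


def probe_name(parent: str, name: str) -> str:
    """Try to create a brand-new file called `name` inside `parent`.

    Returns one of:
      'absent'         - the name was free (the dummy file is removed again),
                         so no file or folder of that name exists there
      'occupied'       - something already owns the name, even if nothing
                         shows it in a listing
      'parent_missing' - the parent directory itself does not exist (the
                         STATUS_OBJECT_PATH_NOT_FOUND case in the Avenger log)
    """
    path = os.path.join(parent, name)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return "occupied"
    except PermissionError:
        # Assumption: on Windows an exclusive create over an existing folder
        # fails with ERROR_ACCESS_DENIED, which Python raises as PermissionError.
        return "occupied"
    except FileNotFoundError:
        return "parent_missing"
    os.close(fd)
    os.remove(path)  # leave no dummy file behind
    return "absent"


def classify(parent: str, name: str) -> str:
    """Combine the probe with a directory listing, the way the thread reasons:
    a name that cannot be claimed but does not appear in the listing is the
    suspicious case; a name that can be claimed means the object is gone."""
    visible = False
    if os.path.isdir(parent):
        # Case-insensitive compare, matching Windows file-name semantics.
        visible = name.lower() in (n.lower() for n in os.listdir(parent))
    result = probe_name(parent, name)
    if result == "occupied":
        return "visible" if visible else "hidden"
    return result  # 'absent' or 'parent_missing'


def demo() -> dict:
    """Self-check in a scratch directory with a real folder named like the
    one the thread hunts for (constructed here, not the infected machine's)."""
    tmp = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(tmp, "PRAGMApcvbyputob"))
        return {
            "folder_present": classify(tmp, "PRAGMApcvbyputob"),
            "name_free": classify(tmp, "PRAGMAd.sys"),
            "parent_missing": classify(os.path.join(tmp, "no_such_dir"), "PRAGMAd.sys"),
            "leftover": os.path.exists(os.path.join(tmp, "PRAGMAd.sys")),
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A result of "hidden" only says that something the listing does not show owns the name; it does not identify what, so it is a reason to continue with an offline scan rather than a verdict on its own.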



#116
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts

reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PRAGMAd.sys /s > \junk.txt


tells me Error: The system was unable to find the specified registry key or value



then Save As to C:\Windows with name: "PRAGMApcvbyputob"

Saved without a warning; I used quotes as instructed. I just opened that location and verified the two spellings were the same; there is now a file in c:\windows with this name and it is not associated with .txt.
  • 0

#117
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Curses. Thought we were onto something there but if you can save a file with the same name as the folder used to have then the folder is definitely not there any more.

I wonder about these detections in System Restore tho. It's as if whatever is hidden in the system can't hide in System Restore. You did clear System Restore back in post #18 didn't you?

Let's try F-Secure's rescue disk.

http://www.f-secure....ools/rescue-cd/

Detailed instructions are in the PDF file but you burn it to a bootable CD or USB drive then boot off it and let it scan your system. This way since windows is not active it is harder for things to hide.

Ron
  • 0

#118
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Yeah, I deleted all restore points a while ago. I will run down and go the F-Secure route.
  • 0

#119
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Well, I downloaded the file from your link. I extracted the .rar to my desktop and transferred it to a CD-R. I then tried to reboot from the CD; nothing started from the CD, it appeared to read the CD then fire up as normal. I rebooted again and went into the BIOS and made sure the CD was the first boot option, and it was. I went back and tried to make the CD autorun but there were no .exe files on the CD. I ensured the CD was 'closed' and tried to boot from it again, nothing. I read the .pdf and received no wisdom on what's going wrong. It shows several files being associated with Outlook, don't know if that is normal or not.
  • 0

#120
Big O

Big O

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 104 posts
Hey, look what I got to run finally


ComboFix 11-01-08.05 - Tim Oakley 01/09/2011 22:07:26.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.582 [GMT -7:00]
Running from: c:\documents and settings\Tim Oakley\Desktop\george.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Online Armor Firewall *Disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tim Oakley\Local Settings\Application Data\{3F174225-6496-4A74-B549-C4358CE3B826}
c:\documents and settings\Tim Oakley\Local Settings\Application Data\{3F174225-6496-4A74-B549-C4358CE3B826}\chrome.manifest
c:\documents and settings\Tim Oakley\Local Settings\Application Data\{3F174225-6496-4A74-B549-C4358CE3B826}\chrome\content\_cfg.js
c:\documents and settings\Tim Oakley\Local Settings\Application Data\{3F174225-6496-4A74-B549-C4358CE3B826}\chrome\content\overlay.xul
c:\documents and settings\Tim Oakley\Local Settings\Application Data\{3F174225-6496-4A74-B549-C4358CE3B826}\install.rdf
c:\windows\2417.EXE
c:\windows\system32\mi2.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PRAGMApcvbyputob
-------\Service_PRAGMApcvbyputob


((((((((((((((((((((((((( Files Created from 2010-12-10 to 2011-01-10 )))))))))))))))))))))))))))))))
.

2011-01-09 16:50 . 2011-01-09 16:50 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\QuickScan
2011-01-08 16:47 . 2011-01-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\OnlineArmor
2011-01-08 16:47 . 2011-01-08 16:47 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\OnlineArmor
2011-01-08 16:47 . 2010-10-27 02:52 38856 ----a-w- c:\windows\system32\drivers\oahlp32.sys
2011-01-08 16:47 . 2010-10-27 02:52 25000 ----a-w- c:\windows\system32\drivers\OAmon.sys
2011-01-08 16:47 . 2010-10-27 02:52 29272 ----a-w- c:\windows\system32\drivers\OAnet.sys
2011-01-08 16:47 . 2010-10-27 02:52 202064 ----a-w- c:\windows\system32\drivers\OADriver.sys
2011-01-08 16:46 . 2011-01-10 05:04 -------- d-----w- c:\program files\Online Armor
2011-01-08 16:33 . 2004-05-12 18:13 40960 ----a-w- c:\windows\system32\exitwx.exe
2011-01-06 05:39 . 2011-01-10 05:04 -------- d-----w- c:\windows\system32\CatRoot2
2011-01-06 05:35 . 2011-01-06 05:35 -------- d-----w- c:\program files\UPHClean
2011-01-06 02:12 . 2008-04-14 01:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-01-06 02:12 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-01-06 02:12 . 2008-04-14 01:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-01-06 02:12 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-01-06 02:12 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-01-06 02:12 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe
2011-01-06 02:12 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-01-06 02:12 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys
2011-01-06 02:12 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys
2011-01-06 02:10 . 2001-08-17 19:13 16925 ----a-w- c:\windows\system32\dllcache\w940nd.sys
2011-01-06 02:09 . 2004-08-04 05:31 32384 ----a-w- c:\windows\system32\dllcache\usb101et.sys
2011-01-06 02:08 . 2001-08-17 19:12 34375 ----a-w- c:\windows\system32\dllcache\tpro4.sys
2011-01-06 02:07 . 2001-08-18 05:36 94293 ----a-w- c:\windows\system32\dllcache\sxports.dll
2011-01-06 02:06 . 2001-08-17 19:51 20752 ----a-w- c:\windows\system32\dllcache\sonync.sys
2011-01-06 02:05 . 2001-08-17 21:56 157696 ----a-w- c:\windows\system32\dllcache\sisv256.dll
2011-01-06 02:04 . 2001-08-17 20:51 16640 ----a-w- c:\windows\system32\dllcache\scmstcs.sys
2011-01-06 02:03 . 2001-08-17 19:19 30720 ----a-w- c:\windows\system32\dllcache\rthwcls.sys
2011-01-06 02:02 . 2001-08-17 20:51 16128 ----a-w- c:\windows\system32\dllcache\pscr.sys
2011-01-06 02:01 . 2001-08-18 05:36 44544 ----a-w- c:\windows\system32\dllcache\ovui2.dll
2011-01-06 01:50 . 2001-08-17 19:20 87040 ----a-w- c:\windows\system32\dllcache\nm6wdm.sys
2011-01-06 01:50 . 2001-08-17 19:20 126080 ----a-w- c:\windows\system32\dllcache\nm5a2wdm.sys
2011-01-06 01:50 . 2001-08-17 19:12 32840 ----a-w- c:\windows\system32\dllcache\ngrpci.sys
2011-01-06 01:50 . 2004-08-04 05:31 132695 ----a-w- c:\windows\system32\dllcache\netwlan5.sys
2011-01-06 01:50 . 2001-08-17 19:11 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-01-06 01:50 . 2001-08-17 19:50 39264 ----a-w- c:\windows\system32\dllcache\neo20xx.sys
2011-01-06 01:50 . 2001-08-18 05:36 60480 ----a-w- c:\windows\system32\dllcache\neo20xx.dll
2011-01-06 01:50 . 2001-08-17 20:49 15872 ----a-w- c:\windows\system32\dllcache\ne2000.sys
2011-01-06 01:50 . 2001-08-17 21:56 91488 ----a-w- c:\windows\system32\dllcache\n9i3disp.dll
2011-01-06 01:50 . 2001-08-17 19:50 27936 ----a-w- c:\windows\system32\dllcache\n9i3d.sys
2011-01-06 01:48 . 2008-04-13 19:46 15232 ----a-w- c:\windows\system32\dllcache\mpe.sys
2011-01-06 01:47 . 2001-08-17 19:12 20573 ----a-w- c:\windows\system32\dllcache\lne100.sys
2011-01-06 01:46 . 2001-08-18 05:36 90200 ----a-w- c:\windows\system32\dllcache\io8ports.dll
2011-01-06 01:45 . 2006-03-15 10:00 10096640 ----a-w- c:\windows\system32\dllcache\hwxcht.dll
2011-01-06 01:44 . 2001-08-18 05:36 83968 ----a-w- c:\windows\system32\dllcache\hpgt21.dll
2011-01-06 01:43 . 2001-08-17 19:12 16074 ----a-w- c:\windows\system32\dllcache\fa312nd5.sys
2011-01-06 01:42 . 2001-08-17 19:11 69194 ----a-w- c:\windows\system32\dllcache\el656cd5.sys
2011-01-06 01:41 . 2001-08-18 05:36 110592 ----a-w- c:\windows\system32\dllcache\dc260usd.dll
2011-01-06 01:40 . 2001-08-18 05:36 32256 ----a-w- c:\windows\system32\dllcache\diapi2NT.dll
2011-01-06 01:39 . 2001-08-17 19:49 17152 ----a-w- c:\windows\system32\dllcache\atitvsnd.sys
2011-01-06 01:37 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-01-04 01:56 . 2011-01-04 01:56 -------- d-----w- c:\documents and settings\Tim Oakley\Application Data\Avira
2011-01-02 21:14 . 2010-12-13 15:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-01-02 21:14 . 2010-12-13 15:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-01-02 21:14 . 2010-06-17 21:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-01-02 21:14 . 2010-06-17 21:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\program files\Avira
2011-01-02 21:14 . 2011-01-02 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-30 03:51 . 2010-12-30 03:51 1409 ----a-w- c:\windows\QTFont.for
2010-12-30 03:51 . 2010-12-30 03:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-12-30 03:46 . 2010-12-31 01:51 -------- d-----w- c:\documents and settings\Tim Oakley\Local Settings\Application Data\Temp
2010-12-30 03:46 . 2010-12-30 03:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-12-30 00:09 . 2010-12-30 00:09 -------- d-----w- c:\program files\ESET
2010-12-29 17:04 . 2010-12-29 17:04 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-30 01:27 . 2001-08-17 18:52 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys
2010-11-18 18:12 . 2006-09-28 13:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-09-28 01:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-09-28 01:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-09-28 01:01 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-09-28 01:01 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-09-28 01:01 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-09-28 01:01 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-09-28 01:01 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-16 454784]
"Power2GoExpress"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-10-27 2345000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-10 984352]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-10-27 353992]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yqeuqldq

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ICQ7.2\\ICQ.exe"=
"c:\\Program Files\\ICQ7.2\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11674:TCP"= 11674:TCP:*:Disabled:BitComet 11674 TCP
"11674:UDP"= 11674:UDP:*:Disabled:BitComet 11674 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [1/29/2007 6:21 AM 42240]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [1/8/2011 9:47 AM 202064]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [1/8/2011 9:47 AM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [1/8/2011 9:47 AM 29272]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/2/2011 2:14 PM 135336]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [1/8/2011 9:46 AM 380784]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/29/2007 6:44 PM 450400]
S1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [1/8/2011 9:47 AM 38856]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [1/8/2011 9:46 AM 3652696]
S3 PhnxVcd;PhnxVcd;c:\windows\system32\drivers\phnxvcd.sys [3/21/2006 12:37 PM 47488]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/29/2010 8:46 PM 136176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2011-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 03:46]

2011-01-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - h:\misc\DivXCodecUninstall.exe
AddRemove-CPQ Color By You - c:\windows\system32\javaws.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2684)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Microsoft ActiveSync\Wcescomm.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-01-09 22:19:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-10 05:19

Pre-Run: 38,988,378,112 bytes free
Post-Run: 38,827,417,600 bytes free

- - End Of File - - D30C3307CA0F3BE287BD634D563B1DF7
  • 0





