Welcome to Geeks to Go - Register now for FREE
Firefox & IE Redirects


#1
Hock44

Hi, Forum experts!

I searched for and found an adult video I wanted online. Afterwards, both FF and IE had a redirect problem. After a Google Search when I click on a search results link I get redirected to ad websites.

I ran a full scan with MS Security Essentials. I stopped it, unfinished, after 6 hours. It found three problems:
1. SettingsModifier:Win32/PossibleHostsFileHijack, which it disinfected.
2. Rogue:Win32/FakeRean, which it deleted.
3. TrojanDownloader:Java/Exdoer, which it deleted.

I started to try HijackThis but learned about OTL and this forum. I ran OTL and got a log, but then I decided to try the following:
I tried OTM and GooredFix without success. I then scanned & cleaned tracking cookies with HitmanPro 5. I still have the same problem.
So I reran OTL, hence the Run 2 in the log file.

Since this type of problem seems to be unique to each user, I am sending this to you. Thanks in advance for any help you can give me.

Here is my log:

OTL logfile created on: 5/6/2011 10:45:53 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Owner\Desktop\Malware programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,016.00 Mb Total Physical Memory | 516.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): C:\pagefile.sys 948 1896 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.49 Gb Total Space | 3.52 Gb Free Space | 6.84% Space Free | Partition Type: NTFS
Drive D: | 4.43 Gb Total Space | 0.67 Gb Free Space | 15.11% Space Free | Partition Type: FAT32

Computer Name: HP1 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/06 09:26:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Malware programs\OTL.exe
PRC - [2010/11/11 13:26:42 | 000,226,984 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
PRC - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/06/09 07:16:26 | 000,116,104 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2010/06/09 07:16:02 | 000,378,248 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardian.exe
PRC - [2010/05/18 07:57:06 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2010/02/10 20:12:14 | 000,160,592 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2009/02/17 16:28:30 | 001,365,304 | ---- | M] (U3 LLC) -- C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
PRC - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/06 09:26:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\Malware programs\OTL.exe
MOD - [2011/05/05 16:21:00 | 000,053,248 | -HS- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Application Data\cleanhlc.dll
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (LinksysUpdater)
SRV - File not found [Auto | Stopped] -- -- (LexBceS)
SRV - File not found [Auto | Stopped] -- -- (ewido anti-malware 4.0 guard)
SRV - File not found [Auto | Stopped] -- -- (btwdins)
SRV - [2010/11/11 13:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/06/09 07:16:26 | 000,116,104 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2010/05/18 07:57:06 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/05/06 02:29:12 | 000,293,456 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/09/24 13:36:08 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2008/12/12 18:06:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/08/11 13:41:00 | 000,063,040 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)


========== Driver Services (SafeList) ==========

DRV - [2011/05/06 09:59:03 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EBBF30E9-73C1-4C48-B1AA-3B92581980BD}\MpKsl2ec19dad.sys -- (MpKsl2ec19dad)
DRV - [2011/05/06 01:08:36 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EBBF30E9-73C1-4C48-B1AA-3B92581980BD}\MpKsl8628f8e0.sys -- (MpKsl8628f8e0)
DRV - [2010/06/09 07:16:05 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2010/03/18 02:02:08 | 000,037,328 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2010/03/18 02:01:52 | 000,038,864 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2010/03/18 02:01:12 | 000,010,448 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2009/09/16 17:55:00 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009/08/26 13:45:10 | 000,013,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\epmntdrv.sys -- (epmntdrv)
DRV - [2008/12/12 18:05:20 | 000,025,264 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\purendis.sys -- (purendis)
DRV - [2008/12/12 18:05:18 | 000,023,984 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\pnarp.sys -- (pnarp)
DRV - [2008/08/11 13:41:00 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 13:41:00 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2008/05/06 17:06:00 | 000,011,520 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdcsam.sys -- (WDC_SAM)
DRV - [2008/02/27 14:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/08/22 13:51:38 | 000,097,152 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2007/07/23 15:05:20 | 000,009,104 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLADResM.SYS -- (DLADResM)
DRV - [2007/07/23 15:04:58 | 000,037,360 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2007/07/23 15:04:56 | 000,098,448 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2007/07/23 15:04:56 | 000,093,552 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2007/07/23 15:04:54 | 000,027,216 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2007/07/23 15:04:52 | 000,032,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2007/07/23 15:04:52 | 000,016,304 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2007/07/23 15:04:50 | 000,108,752 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2007/07/23 14:49:44 | 000,030,064 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/07/23 14:49:44 | 000,014,576 | ---- | M] (Roxio) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/07/04 01:30:34 | 000,026,624 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 11:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2004/08/03 23:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2004/08/03 23:29:52 | 000,166,912 | ---- | M] (S3 Graphics, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3gnbm.sys -- (S3Psddr)
DRV - [2004/06/09 09:29:56 | 000,006,977 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DDMI2.sys -- (SDDMI2)
DRV - [2004/03/08 12:55:50 | 000,013,567 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv)
DRV - [2003/12/12 20:03:10 | 000,652,689 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/09/19 16:14:42 | 000,022,183 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btserial.sys -- (BTSERIAL)
DRV - [2003/09/19 16:14:14 | 000,222,876 | ---- | M] (WIDCOMM, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\btslbcsp.sys -- (BTSLBCSP)
DRV - [2003/09/19 16:11:16 | 001,257,418 | ---- | M] (WIDCOMM, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2003/02/26 19:19:50 | 000,260,736 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2003/02/22 19:55:26 | 000,141,824 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys -- (fasttx2k)
DRV - [2002/12/24 22:09:48 | 000,030,848 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (SISAGP)
DRV - [2002/09/06 18:24:00 | 000,013,568 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2002/04/15 15:31:50 | 000,107,776 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97ich4.sys -- (ac97intc) Intel® 82801DB/DBM Audio Driver Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsof...arch/search.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;localhost

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.98
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.608
FF - prefs.js..extensions.enabledItems: {66E978CD-981F-47DF-AC42-E3CF417C1467}:0.4.3
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1,localhost"


FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2008/06/14 11:56:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.16\extensions\\Components: H:\System\Apps\3C9F7B3F-D55C-42cd-8537-B878518B73AF\Exec\firefox\components
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.16\extensions\\Plugins: H:\System\Apps\3C9F7B3F-D55C-42cd-8537-B878518B73AF\Exec\firefox\plugins
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/06/21 06:41:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/30 18:55:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

[2008/07/28 22:24:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2011/05/06 10:38:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\extensions
[2010/07/10 20:14:34 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/03/06 08:24:17 | 000,000,000 | ---D | M] (New Tab Homepage) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
[2010/06/07 17:50:44 | 000,000,000 | ---D | M] (LogMeIn, Inc. Remote Access Plugin) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\extensions\[email protected]
[2011/05/05 09:55:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/14 11:56:29 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2009/08/30 18:21:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2009/09/12 18:02:13 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2009/09/12 18:02:13 | 000,185,232 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2009/09/12 18:02:42 | 000,099,216 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2009/09/12 18:02:11 | 000,061,840 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll

O1 HOSTS File: ([2011/05/06 09:46:23 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahooo Search Protection) - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk = C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe ()
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: TaskBar - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html ()
O9 - Extra 'Tools' menuitem : RoboForm TaskBar Icon - {320AF880-6646-11D3-ABEE-C5DBF3571F51} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComTaskBarIcon.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (Yahoo! Inc.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.micr...D0C/wmv9dmo.cab (Reg Error: Value error.)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/10 15:08:22 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 04:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{5b66b690-0d20-11e0-9b14-000c6e5f5cc1}\Shell - "" = AutoRun
O33 - MountPoints2\{5b66b690-0d20-11e0-9b14-000c6e5f5cc1}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5b66b690-0d20-11e0-9b14-000c6e5f5cc1}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/06 10:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Malware programs
[2011/05/06 09:46:18 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/05/06 09:42:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/06 09:40:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT Registry Backup Tool
[2011/05/06 09:40:52 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/05/02 11:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Time Management
[2011/04/30 19:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2011/04/30 19:30:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2011/04/30 18:55:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PrintMe Internet Printing
[2011/04/30 18:54:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Adobe PDF 6.0
[2011/04/30 18:54:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/04/30 18:53:41 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/04/30 13:36:13 | 000,000,000 | ---D | C] -- C:\Program Files\Viewpoint
[2011/04/30 13:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/04/29 15:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads
[2011/04/29 15:12:49 | 000,000,000 | ---D | C] -- C:\ProgramData
[2011/04/29 14:51:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Effexis Software
[2011/04/29 14:51:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Effexis Software
[2011/04/29 14:49:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Effexis Achieve Planner 2
[2011/04/29 14:49:23 | 000,000,000 | ---D | C] -- C:\Program Files\Effexis Software
[2011/04/29 14:47:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Downloaded Installations
[2011/04/29 09:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Above & Beyond
[2011/04/29 09:26:16 | 000,000,000 | ---D | C] -- C:\Program Files\Above & Beyond

========== Files - Modified Within 30 Days ==========

[2011/05/06 10:46:21 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3FC117BE-8BDD-4D86-B2EE-6D28C09B4A67}.job
[2011/05/06 10:23:54 | 000,002,281 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003.lnk
[2011/05/06 10:04:37 | 000,000,247 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2011/05/06 10:04:04 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/05/06 09:57:51 | 000,001,180 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/06 09:57:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/06 09:46:23 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/05/06 09:41:31 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/05 22:17:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2011/05/05 17:04:45 | 000,054,476 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Car Loan Calculator ~ Auto ...pdf
[2011/05/05 16:20:46 | 000,000,860 | RH-- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20110506-072706.backup
[2011/05/04 09:41:20 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
[2011/05/03 15:38:09 | 000,012,828 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar wolf head shot_505.jpg
[2011/05/03 15:35:37 | 000,022,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar_kitty lion in mirror_7120.gif
[2011/05/03 15:33:15 | 000,008,572 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar_sexy blonde BMW tshirt14129.jpg
[2011/05/03 15:24:26 | 000,049,542 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar_flipping 100's_11916.gif
[2011/05/03 15:22:40 | 000,015,057 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar_driving beagle_9373.gif
[2011/05/03 15:14:18 | 000,014,862 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\avatar_flipping money_11916.gif
[2011/05/03 13:58:29 | 000,002,269 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2003.lnk
[2011/05/03 11:49:07 | 000,168,408 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CVS Caremark Mail Order Form.pdf
[2011/05/03 11:32:47 | 001,245,088 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CVS Caremark Getting Started Guide.pdf
[2011/05/02 22:48:25 | 000,083,119 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Adult DVD Marketplace receipt 5-2-11.pdf
[2011/05/02 17:44:47 | 000,098,668 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\CCB Introduction.pdf
[2011/05/02 10:37:50 | 000,336,118 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Amazon Porsche calendar order 5-2-11.pdf
[2011/04/30 20:06:26 | 000,011,430 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Solution 12.pdf
[2011/04/30 19:38:47 | 000,339,440 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/30 13:36:16 | 000,037,027 | ---- | M] () -- C:\WINDOWS\atmoUn.exe
[2011/04/30 09:48:31 | 000,000,803 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/30 09:48:23 | 000,382,560 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/30 09:48:23 | 000,062,178 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/29 15:25:30 | 000,012,856 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\LittleGuy camp trailer to carry up to 1000# motorcycles.jpeg
[2011/04/29 15:19:48 | 000,066,149 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\LittleGuy camp trailer for motorcycles.jpeg
[2011/04/29 15:09:07 | 000,001,825 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Achieve Planner 2.lnk
[2011/04/29 09:33:10 | 000,000,716 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Above & Beyond.lnk
[2011/04/29 09:26:37 | 000,002,334 | ---- | M] () -- C:\WINDOWS\status.MIF
[2011/04/26 22:00:00 | 000,000,384 | ---- | M] () -- C:\WINDOWS\tasks\SmartDefrag.job
[2011/04/25 12:56:16 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

========== Files Created - No Company Name ==========

[2011/05/06 09:41:31 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2011/05/05 17:04:42 | 000,054,476 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Car Loan Calculator ~ Auto ...pdf
[2011/05/03 15:38:08 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar wolf head shot_505.jpg
[2011/05/03 15:35:36 | 000,022,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar_kitty lion in mirror_7120.gif
[2011/05/03 15:33:13 | 000,008,572 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar_sexy blonde BMW tshirt14129.jpg
[2011/05/03 15:24:25 | 000,049,542 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar_flipping 100's_11916.gif
[2011/05/03 15:22:39 | 000,015,057 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar_driving beagle_9373.gif
[2011/05/03 15:14:16 | 000,014,862 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\avatar_flipping money_11916.gif
[2011/05/03 11:49:07 | 000,168,408 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CVS Caremark Mail Order Form.pdf
[2011/05/03 11:32:47 | 001,245,088 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CVS Caremark Getting Started Guide.pdf
[2011/05/02 22:48:24 | 000,083,119 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Adult DVD Marketplace receipt 5-2-11.pdf
[2011/05/02 17:44:47 | 000,098,668 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\CCB Introduction.pdf
[2011/05/02 10:37:46 | 000,336,118 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Amazon Porsche calendar order 5-2-11.pdf
[2011/04/30 20:06:23 | 000,011,430 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Solution 12.pdf
[2011/04/30 18:55:16 | 000,002,431 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat 6.0 Standard.lnk
[2011/04/30 18:55:16 | 000,002,389 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Acrobat Distiller 6.0.lnk
[2011/04/30 18:44:50 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/30 13:36:16 | 000,037,027 | ---- | C] () -- C:\WINDOWS\atmoUn.exe
[2011/04/29 15:25:28 | 000,012,856 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\LittleGuy camp trailer to carry up to 1000# motorcycles.jpeg
[2011/04/29 15:19:33 | 000,066,149 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\LittleGuy camp trailer for motorcycles.jpeg
[2011/04/29 15:09:07 | 000,001,825 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Achieve Planner 2.lnk
[2011/04/29 09:33:10 | 000,000,716 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Above & Beyond.lnk
[2011/01/16 13:24:48 | 000,200,536 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/17 21:57:03 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2010/03/24 06:42:48 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2010/02/11 23:12:43 | 000,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2010/02/10 08:21:11 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\Native.exe
[2010/02/10 07:51:50 | 000,000,266 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2009/12/18 15:35:37 | 001,673,216 | ---- | C] () -- C:\WINDOWS\System32\BootMan.exe
[2009/12/18 15:35:37 | 000,086,408 | ---- | C] () -- C:\WINDOWS\System32\setupempdrv03.exe
[2009/12/18 15:35:37 | 000,014,848 | ---- | C] () -- C:\WINDOWS\System32\EuEpmGdi.dll
[2009/12/18 15:35:36 | 000,013,192 | ---- | C] () -- C:\WINDOWS\System32\epmntdrv.sys
[2009/12/18 15:35:36 | 000,008,456 | ---- | C] () -- C:\WINDOWS\System32\EuGdiDrv.sys
[2009/12/14 07:35:08 | 001,380,403 | ---- | C] () -- C:\WINDOWS\System32\avgsdk.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/06 19:03:41 | 000,000,244 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2009/07/06 19:03:41 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2009/07/06 19:03:12 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/07/06 19:03:12 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2009/07/06 19:02:06 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf08a.dat
[2009/07/06 19:01:56 | 000,000,086 | ---- | C] () -- C:\WINDOWS\Brfaxrx.ini
[2009/07/06 19:01:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
[2009/07/06 19:01:55 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/07/06 18:57:49 | 000,031,567 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/11/23 11:00:41 | 000,038,460 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (DOS).ADR
[2008/11/21 14:47:52 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/14 13:31:32 | 000,000,222 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/11/14 13:30:22 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\LXBKLCNP.DLL
[2008/11/14 13:30:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbkvs.dll
[2008/11/14 13:30:21 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\LXBKIH.EXE
[2008/11/14 13:30:20 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\INSTMON.EXE
[2008/11/14 13:29:37 | 000,000,266 | ---- | C] () -- C:\WINDOWS\System32\lxbkcoin.ini
[2008/02/13 22:16:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/01/01 14:34:34 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\Inetwh16.dll
[2008/01/01 14:34:34 | 000,004,528 | ---- | C] () -- C:\WINDOWS\System32\Setbrows.exe
[2007/12/29 08:33:44 | 000,011,382 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft Excel.TSK
[2007/12/22 14:22:04 | 000,000,303 | ---- | C] () -- C:\WINDOWS\MIREPAIR.INI
[2007/12/22 14:22:04 | 000,000,058 | ---- | C] () -- C:\WINDOWS\MITCHELL.INI
[2007/12/22 14:21:56 | 000,001,980 | ---- | C] () -- C:\WINDOWS\ODWIN.INI
[2007/12/22 14:21:56 | 000,000,754 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2007/11/01 22:16:21 | 000,000,279 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/10/13 17:41:56 | 000,001,284 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/08/06 12:07:30 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/02/20 22:09:03 | 000,139,344 | ---- | C] () -- C:\WINDOWS\System32\DNLEng.dll
[2007/02/20 22:09:02 | 000,837,352 | ---- | C] () -- C:\WINDOWS\dbplugin.exe
[2007/02/20 22:09:01 | 002,025,208 | ---- | C] () -- C:\WINDOWS\npdbplug.dll
[2006/09/18 14:37:50 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx12_ic.ini
[2006/09/18 14:37:48 | 000,667,280 | ---- | C] () -- C:\WINDOWS\System32\tx12.dll
[2006/08/10 07:12:46 | 000,014,637 | ---- | C] () -- C:\Program Files\Quicken.QIF
[2006/02/09 22:10:37 | 000,038,444 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Comma Separated Values (Windows).ADR
[2006/02/04 19:43:47 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIDIB4.dll
[2006/02/01 13:52:52 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIDBD32.dll
[2006/02/01 13:45:59 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2006/02/01 13:37:22 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2006/02/01 13:37:22 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2006/02/01 13:37:22 | 000,001,024 | ---- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2006/01/27 07:43:52 | 000,096,256 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/01/26 16:14:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/26 15:22:33 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2006/01/26 13:19:15 | 000,000,030 | ---- | C] () -- C:\WINDOWS\INTURS.DAT
[2006/01/26 13:09:13 | 000,000,239 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2006/01/26 13:04:09 | 000,000,022 | ---- | C] () -- C:\WINDOWS\INTUSB.DAT
[2006/01/26 13:04:09 | 000,000,022 | ---- | C] () -- C:\WINDOWS\INTUPREM.DAT
[2006/01/26 07:36:14 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2006/01/24 23:37:30 | 000,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/09/19 16:35:38 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\btsendto_ie.dll
[2003/09/19 16:34:40 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\btsendto_wab.dll
[2003/09/19 16:27:38 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2003/09/19 16:14:42 | 000,022,183 | ---- | C] () -- C:\WINDOWS\System32\drivers\btserial.sys
[2003/04/10 04:35:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/04/10 04:21:36 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/04/10 01:51:07 | 000,000,438 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2003/04/10 01:51:07 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2003/04/10 00:06:10 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/04/10 00:04:00 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66.exe
[2003/04/10 00:03:38 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/04/10 00:03:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/04/09 23:57:04 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/04/09 23:16:44 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/04/09 23:06:59 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis740.bin
[2003/04/09 23:06:59 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis650.bin
[2003/04/09 22:55:02 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/04/09 22:44:58 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/04/09 22:44:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/04/09 22:44:29 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/04/09 22:23:21 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/04/09 22:21:27 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/04/09 22:16:07 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/04/09 22:05:45 | 000,000,573 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/04/09 22:05:26 | 000,382,560 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/04/09 22:05:26 | 000,062,178 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/04/09 15:10:31 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/04/09 15:09:25 | 000,339,440 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/12/12 07:14:32 | 001,962,496 | ---- | C] () -- C:\WINDOWS\System32\quartz(2).dll
[2002/12/12 07:14:32 | 000,132,096 | ---- | C] () -- C:\WINDOWS\System32\devenum(2).dll
[2002/12/12 07:14:32 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\msdmo(2).dll
[2002/11/14 08:09:12 | 000,036,864 | ---- | C] () -- C:\WINDOWS\hpfsched.exe
[2002/11/14 08:08:26 | 000,004,760 | ---- | C] () -- C:\WINDOWS\hphmdl11.dat
[2002/03/14 13:00:26 | 000,038,567 | ---- | C] () -- C:\WINDOWS\System32\pcpbios.exe
[2001/12/26 17:12:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[2001/09/04 00:46:38 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/08/23 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 05:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/07/30 17:33:56 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 23:04:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2001/01/03 06:11:14 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[1998/08/16 06:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== LOP Check ==========

[2010/06/17 21:56:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/04/29 14:51:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Effexis Software
[2007/12/28 18:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/04/12 18:39:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GoodSync
[2010/07/24 21:03:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
[2009/06/27 23:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Linksys
[2009/12/11 09:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010/06/17 21:59:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2008/06/14 11:56:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2011/04/30 18:30:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
[2009/07/07 08:14:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/08/06 20:12:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2010/06/17 22:19:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2010/05/24 18:14:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/27 14:47:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2011/04/30 13:36:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/10/23 23:40:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2010/06/10 19:17:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Amazon
[2008/12/11 18:38:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Auslogics
[2011/04/29 14:51:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Effexis Software
[2010/02/23 05:47:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GoodSync
[2006/01/24 19:37:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\interMute
[2006/01/28 06:53:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterVideo
[2009/11/15 10:44:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\IObit
[2007/02/18 20:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Leadertech
[2007/10/27 15:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OLYMPUS
[2009/07/13 09:29:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/07/06 19:20:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ScanSoft
[2008/12/05 08:35:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SpamBayes
[2006/04/12 06:15:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Windows Live Safety Center
[2006/05/12 17:01:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\XnView
[2011/05/05 22:17:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2011/05/06 10:04:04 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2011/04/26 22:00:00 | 000,000,384 | ---- | M] () -- C:\WINDOWS\Tasks\SmartDefrag.job
[2011/05/06 10:46:21 | 000,000,392 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{3FC117BE-8BDD-4D86-B2EE-6D28C09B4A67}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\WINDOWS:AEA9E19E16322FFB
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34

< End of report >

#2
RKinner

    Malware Expert

  • Expert
  • 23,148 posts
  • MVP
ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.


Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan (note whether the Fix button is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.

* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Ron

#3
Hock44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, Ron,

Thanks for the help. I ran combofix and got its log and then ran aswMBR. AswMBR DID have the FixMBR button enabled but not the Fix button.

Here is the combofix log.

ComboFix 11-05-09.03 - Owner 05/10/2011 13:57:51.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1016.326 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\George.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\LogMeInRemoteUser.HP1\WINDOWS
c:\documents and settings\LogMeInRemoteUser\WINDOWS
c:\documents and settings\Owner\Application Data\cleanhlc.exe
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\QBDataServiceUser\WINDOWS
c:\windows\system\oeminfo.ini
c:\windows\system32\config\systemprofile\WINDOWS
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 20:25 . 2011-05-10 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B90D3340-C9ED-4EF1-AA76-DE8C1AF5D846}\MpKslc5f51aab.sys
2011-05-10 19:59 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B90D3340-C9ED-4EF1-AA76-DE8C1AF5D846}\mpengine.dll
2011-05-07 08:04 . 2011-05-07 08:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\windows\system32\drivers\NST
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\program files\Norton Safe Web Lite
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\program files\NortonInstaller
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\QFX Software
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\QFX Software
2011-05-06 19:25 . 2011-04-24 22:14 225856 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2011-05-06 19:25 . 2011-05-06 19:25 -------- d-----w- c:\program files\KeyScrambler
2011-05-06 18:25 . 2011-05-10 20:26 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-06 18:25 . 2011-05-06 18:25 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-06 18:23 . 2011-05-06 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-06 16:46 . 2011-05-06 16:46 -------- d-----w- C:\_OTM
2011-05-06 16:40 . 2011-05-06 16:41 -------- d-----w- c:\program files\ERUNT
2011-05-05 23:59 . 2011-05-05 23:59 101888 ----a-w- c:\program files\Mozilla Firefox\null0.5240364877852767.exe
2011-05-01 02:30 . 2011-05-06 00:05 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2011-05-01 01:54 . 2011-05-01 02:33 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-30 20:36 . 2011-04-30 20:36 37027 ----a-w- c:\windows\atmoUn.exe
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\program files\Viewpoint
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2011-04-29 22:12 . 2011-04-29 22:12 -------- d-----w- C:\ProgramData
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Effexis Software
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Effexis Software
2011-04-29 21:49 . 2011-04-29 21:49 -------- d-----w- c:\program files\Effexis Software
2011-04-29 21:47 . 2011-04-29 21:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-04-29 16:26 . 2011-04-30 15:03 -------- d-----w- c:\program files\Above & Beyond
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-11-19 23:33 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2006-01-25 14:51 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2010-06-05 00:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2001-08-23 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2001-08-23 12:00 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 16:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2006-01-25 04:32 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2006-01-25 14:49 229888 ------w- c:\windows\system32\fxscover.exe
2009-09-13 01:02 . 2009-09-13 01:02 28488 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-13 01:02 . 2009-09-13 01:02 185232 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-13 01:02 . 2009-09-13 01:02 99216 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-11 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-05-06 6470464]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-7-20 22486]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 14:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled
backup=c:\windows\pss\Acrobat Assistant.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
backup=c:\windows\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk.disabled]
backup=c:\windows\pss\Quicken Startup.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk.disabled]
backup=c:\windows\pss\Updates from HP.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk.disabled
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R1 MpKslc5f51aab;MpKslc5f51aab;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B90D3340-C9ED-4EF1-AA76-DE8C1AF5D846}\MpKslc5f51aab.sys [5/10/2011 1:25 PM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/11/2010 2:48 PM 10448]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [5/6/2011 12:48 PM 130000]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [5/6/2011 12:25 PM 225856]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ewido anti-malware 4.0 driver;ewido anti-malware 4.0 driver;\??\c:\program files\ewido anti-malware 4.0\guard.sys --> c:\program files\ewido anti-malware 4.0\guard.sys [?]
S1 MpKsl11fb492c;MpKsl11fb492c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC10515B-A42A-48AF-827E-DB3E1B39096F}\MpKsl11fb492c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC10515B-A42A-48AF-827E-DB3E1B39096F}\MpKsl11fb492c.sys [?]
S1 MpKsl840a4dbe;MpKsl840a4dbe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC10515B-A42A-48AF-827E-DB3E1B39096F}\MpKsl840a4dbe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BC10515B-A42A-48AF-827E-DB3E1B39096F}\MpKsl840a4dbe.sys [?]
S1 MpKsldcce1b8a;MpKsldcce1b8a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E206A7FD-C67F-4050-884D-8A61803DE12E}\MpKsldcce1b8a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E206A7FD-C67F-4050-884D-8A61803DE12E}\MpKsldcce1b8a.sys [?]
S1 MpKslf354b738;MpKslf354b738;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F509D0B4-8D7F-463D-9DD2-725B187501F5}\MpKslf354b738.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F509D0B4-8D7F-463D-9DD2-725B187501F5}\MpKslf354b738.sys [?]
S1 MpKslfe62cf16;MpKslfe62cf16;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{087DD258-086D-49D6-9C20-BF7FC1C3D522}\MpKslfe62cf16.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{087DD258-086D-49D6-9C20-BF7FC1C3D522}\MpKslfe62cf16.sys [?]
S2 ewido anti-malware 4.0 guard;ewido anti-malware 4.0 guard;c:\program files\ewido anti-malware 4.0\guard.exe --> c:\program files\ewido anti-malware 4.0\guard.exe [?]
S2 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]
S3 cpuz128;cpuz128;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/18/2009 3:35 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/18/2009 3:35 PM 8456]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC5F51AAB
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2011-05-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
2011-04-27 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-05-25 23:48]
.
2011-05-10 c:\windows\Tasks\User_Feed_Synchronization-{3FC117BE-8BDD-4D86-B2EE-6D28C09B4A67}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
TCP: {5A878DF4-2C10-4F1F-9E88-69E7CCEEFC6D} = 64.13.68.5,64.13.115.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: KeyScrambler: [email protected] - %profile%\extensions\[email protected]
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Norton Safe Web Lite Toolbar: {203FB6B2-2E1E-4474-863B-4C483ECCE78E} - c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-cleanhlc - c:\documents and settings\Owner\Application Data\cleanhlc.exe
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-TopmostClock - c:\program files\Topmost Clock\TopMostClock.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 14:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2011-05-10 14:31:50
ComboFix-quarantined-files.txt 2011-05-10 21:31
.
Pre-Run: 3,241,439,232 bytes free
Post-Run: 3,338,481,664 bytes free
.
- - End Of File - - 52F9908E87BD26C8A7A584238D5B8801

Here is the aswMBR log.

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-10 14:36:22
-----------------------------
14:36:22.140 OS Version: Windows 5.1.2600 Service Pack 3
14:36:22.140 Number of processors: 1 586 0x207
14:36:22.140 ComputerName: HP1 UserName:
14:36:24.234 Initialize success
14:36:28.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:36:28.437 Disk 0 Vendor: SAMSUNG_SV0602H RH100-11 Size: 57277MB BusType: 3
14:36:30.468 Disk 0 MBR read successfully
14:36:30.468 Disk 0 MBR scan
14:36:30.468 Disk 0 unknown MBR code
14:36:32.468 Disk 0 scanning sectors +117285840
14:36:32.500 Disk 0 scanning C:\WINDOWS\system32\drivers
14:36:47.265 Service scanning
14:36:48.921 Disk 0 trace - called modules:
14:36:48.937 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:36:48.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86a26ab8]
14:36:48.937 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\0000006f[0x86a2a1b0]
14:36:48.937 5 ACPI.sys[f743e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x869f2940]
14:36:48.953 Scan finished successfully
14:37:03.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Malware programs\MBR.dat"
14:37:03.109 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\Malware programs\aswMBR.txt"


I am avoiding using any search engines in my browser (currently Firefox, sometimes IE).

Thanks again for your help.

Tom

Edited by Hock44, 10 May 2011 - 03:49 PM.


#4 RKinner (Malware Expert, MVP)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\program files\Mozilla Firefox\null0.5240364877852767.exe

Firefox::
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Norton Safe Web Lite Toolbar: {203FB6B2-2E1E-4474-863B-4C483ECCE78E} - c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST

Driver::
NSL
Lbd
ewido anti-malware 4.0 driver
MpKsl11fb492c
MpKsl840a4dbe
MpKsldcce1b8a
MpKslf354b738
MpKslfe62cf16
ewido anti-malware 4.0 guard
LinksysUpdater
cpuz128

Folder::
c:\program files\Norton Safe Web Lite


******************************************

Now open Notepad (Start, Run, notepad, OK) and press Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, Save As (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to George and let it start as before.

Post the new log.


Let's also run Microsoft's new Safety Scanner:

http://www.microsoft...us/default.aspx

Let me know if it finds something.

Ron
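The Driver:: list in the script above is built from the service lines of the ComboFix log: it names every entry ComboFix printed as "path --> path [?]" (its marker for a service whose image file it could not find) plus NSL, whose program folder is being removed in the same Folder:: pass. As an added example that is not part of the original thread, the following Python parses those lines, flags the orphaned entries and the one driver that loads from a Temp directory, and renders the matching Driver:: block. The sample is a constructed subset of the log in this thread, and the Temp-directory heuristic is this example's own, not something ComboFix reports.

```python
import re

# Constructed sample: a subset of the R?/S? service lines from the ComboFix log in
# this thread. ComboFix prints one line per service/driver as
#   <R|S><start> name;display name;image path [date size]
# where R/S means running/stopped, the digit is the Start value (0 boot,
# 1 system, 2 automatic, 3 manual), and an entry whose image file it could not
# find is printed as "command line --> resolved image path [?]".
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [5/6/2011 12:48 PM 130000]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 ewido anti-malware 4.0 driver;ewido anti-malware 4.0 driver;\??\c:\program files\ewido anti-malware 4.0\guard.sys --> c:\program files\ewido anti-malware 4.0\guard.sys [?]
S2 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]
S3 cpuz128;cpuz128;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "automatic", "3": "manual", "4": "disabled"}


def parse_service_line(line):
    """Parse one ComboFix service/driver line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = rest.endswith("[?]")
    if missing:
        # "<command line> --> <resolved image> [?]": keep the resolved image path.
        image = rest[:-3].rsplit(" --> ", 1)[-1].strip()
    else:
        # "<image path> [<date> <size>]": drop the trailing date/size stamp.
        image = re.sub(r"\s*\[[^\]]*\]$", "", rest).strip()
    return {
        "name": m.group("name"),
        "display": m.group("display"),
        "running": m.group("state") == "R",
        "start": START_TYPES.get(m.group("start"), m.group("start")),
        "image": image,
        "missing": missing,
    }


def triage(log_text):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("image file not found")
        # Heuristic of this example, not ComboFix's: a driver whose image sits in a
        # Temp directory was loaded from a user-writable location and deserves a
        # look even when the file still exists.
        if re.search(r"\\temp\\", entry["image"], re.IGNORECASE):
            reasons.append("image loads from a Temp directory")
        if reasons:
            entry["reasons"] = reasons
            hits.append(entry)
    return hits


def driver_section(entries):
    """Render a CFScript Driver:: block naming the entries whose image is missing."""
    names = [e["name"] for e in entries if e["missing"]]
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['name']:<32} start={e['start']:<10} {'; '.join(e['reasons'])}")
    print()
    print(driver_section(flagged))
```

Run against the sample it flags Lbd, the two ewido entries' driver, LinksysUpdater and cpuz128, which is exactly the orphan part of Ron's Driver:: list; NSL is absent because its image still exists, and the expert added it by hand because the Norton folder was going too. A Driver:: entry deletes the service outright, so the generated block is a starting point to review, not something to feed to ComboFix unread.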

#5 Hock44 (Topic Starter)
Hi, Ron,

I created the CFScript.txt file as directed. I then dropped it on combofix.exe ("george.exe") and it ran. The log is posted below.

I also ran MSERT.exe from Microsoft, "quick" scan, and nothing was found.

ComboFix 11-05-10.02 - Owner 05/11/2011 10:13:56.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1016.485 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\George.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Malware programs\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
FILE ::
"c:\program files\Mozilla Firefox\null0.5240364877852767.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Norton Safe Web Lite
c:\program files\Norton Safe Web Lite\Branding\1.2.0.6\07\01\isbrand.loc
c:\program files\Norton Safe Web Lite\Branding\1.2.0.6\07\01\readme.htm
c:\program files\Norton Safe Web Lite\Branding\1.2.0.6\09\01\isBrand.loc
c:\program files\Norton Safe Web Lite\Branding\1.2.0.6\09\01\Readme.htm
c:\program files\Norton Safe Web Lite\Branding\fallback.dat
c:\program files\Norton Safe Web Lite\Branding\langver.map
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\{2A85E335-7417-424d-AD89-31DED1689794}.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\{71B3DD3A-BC1F-40cc-A74F-C0C30DFCE7D5}.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\{F8D07955-00ED-4093-88AA-0A0F69AFD83C}.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccErrDsp.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccGEvt.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccGLog.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccGLog\ccGLog.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccIPC.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccJobMgr.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccL100U.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSet.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvc.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccVrTrst.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coFFNST.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coInst.exe
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coParse.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coSvcNST.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coUINST.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\coWPPSB.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diArkive.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diLueCbk.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diStRptr.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\IMAGES\misc\NortonSafeSearch.ico
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\Jobs\ccJobSch.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\Lue.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\Microsoft.VC90.CRT.manifest
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\msvcm90.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\msvcp90.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\msvcr90.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\NCOVER.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\service.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\stdres.dat
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\SymHTML.dll
c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\xpath.js
c:\program files\Norton Safe Web Lite\isolate.ini
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\07\01\couictlr.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\07\01\cssbase.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\07\01\isres.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\07\01\numgui.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\07\01\uialert.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\09\01\coUICtlr.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\09\01\CSSBase.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\09\01\isRes.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\09\01\NumGui.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\09\01\uiAlert.loc
c:\program files\Norton Safe Web Lite\MUI\1.2.0.6\IMAGES\CSSBase.dll
c:\program files\Norton Safe Web Lite\MUI\fallback.dat
c:\program files\Norton Safe Web Lite\MUI\langver.map
c:\program files\Norton Safe Web Lite\MUI\maplngid.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_CPUZ128
-------\Legacy_EWIDO_ANTI-MALWARE_4.0_DRIVER
-------\Legacy_EWIDO_ANTI-MALWARE_4.0_GUARD
-------\Legacy_LBD
-------\Legacy_LINKSYSUPDATER
-------\Legacy_MPKSL840A4DBE
-------\Legacy_MPKSLDCCE1B8A
-------\Legacy_MPKSLF354B738
-------\Legacy_MPKSLFE62CF16
-------\Legacy_NSL
-------\Service_cpuz128
-------\Service_ewido anti-malware 4.0 driver
-------\Service_ewido anti-malware 4.0 guard
-------\Service_Lbd
-------\Service_LinksysUpdater
-------\Service_MpKsl11fb492c
-------\Service_MpKsl840a4dbe
-------\Service_MpKsldcce1b8a
-------\Service_MpKslf354b738
-------\Service_MpKslfe62cf16
-------\Service_NSL
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-10 21:37 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49FEE13C-CEA3-44C1-8B3E-908B1F3F037F}\mpengine.dll
2011-05-10 20:52 . 2011-05-10 21:31 -------- d-----w- C:\George
2011-05-07 08:04 . 2011-05-07 08:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\windows\system32\drivers\NST
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\program files\NortonInstaller
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\QFX Software
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\QFX Software
2011-05-06 19:25 . 2011-04-24 22:14 225856 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2011-05-06 19:25 . 2011-05-06 19:25 -------- d-----w- c:\program files\KeyScrambler
2011-05-06 18:25 . 2011-05-11 01:26 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-06 18:25 . 2011-05-06 18:25 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-06 18:23 . 2011-05-06 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-06 16:46 . 2011-05-06 16:46 -------- d-----w- C:\_OTM
2011-05-06 16:40 . 2011-05-06 16:41 -------- d-----w- c:\program files\ERUNT
2011-05-05 23:59 . 2011-05-05 23:59 101888 ----a-w- c:\program files\Mozilla Firefox\null0.5240364877852767.exe
2011-05-01 02:30 . 2011-05-10 23:32 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2011-05-01 01:54 . 2011-05-01 02:33 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-30 20:36 . 2011-04-30 20:36 37027 ----a-w- c:\windows\atmoUn.exe
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\program files\Viewpoint
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2011-04-29 22:12 . 2011-04-29 22:12 -------- d-----w- C:\ProgramData
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Effexis Software
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Effexis Software
2011-04-29 21:49 . 2011-04-29 21:49 -------- d-----w- c:\program files\Effexis Software
2011-04-29 21:47 . 2011-04-29 21:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-04-29 16:26 . 2011-04-30 15:03 -------- d-----w- c:\program files\Above & Beyond
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-11-19 23:33 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2006-01-25 14:51 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2010-06-05 00:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2001-08-23 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2001-08-23 12:00 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 16:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2006-01-25 04:32 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2006-01-25 14:49 229888 ------w- c:\windows\system32\fxscover.exe
2009-09-13 01:02 . 2009-09-13 01:02 28488 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-13 01:02 . 2009-09-13 01:02 185232 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-13 01:02 . 2009-09-13 01:02 99216 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of %user%\library ----
.
.
---- Directory of c:\program files\Common ----
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-11 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2011-05-06 6470464]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-7-20 22486]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 14:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled
backup=c:\windows\pss\Acrobat Assistant.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
backup=c:\windows\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk.disabled]
backup=c:\windows\pss\Quicken Startup.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk.disabled]
backup=c:\windows\pss\Updates from HP.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk.disabled
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/11/2010 2:48 PM 10448]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [5/6/2011 12:25 PM 225856]
S1 MpKsl5b7e7568;MpKsl5b7e7568;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49FEE13C-CEA3-44C1-8B3E-908B1F3F037F}\MpKsl5b7e7568.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49FEE13C-CEA3-44C1-8B3E-908B1F3F037F}\MpKsl5b7e7568.sys [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/18/2009 3:35 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/18/2009 3:35 PM 8456]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2011-05-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
2011-05-11 c:\windows\Tasks\User_Feed_Synchronization-{3FC117BE-8BDD-4D86-B2EE-6D28C09B4A67}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
TCP: {5A878DF4-2C10-4F1F-9E88-69E7CCEEFC6D} = 64.13.68.5,64.13.115.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: KeyScrambler: [email protected] - %profile%\extensions\[email protected]
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: Norton Safe Web Lite Toolbar: {203FB6B2-2E1E-4474-863B-4C483ECCE78E} - c:\documents and settings\All Users\Application Data\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-11 10:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(2224)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Siber Systems\AI RoboForm\roboform.dll
c:\program files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\SureThing Shared\stllssvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
.
**************************************************************************
.
Completion time: 2011-05-11 10:59:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 17:59
.
Pre-Run: 3,334,324,224 bytes free
Post-Run: 3,103,703,040 bytes free
.
- - End Of File - - 2AA0A304D3E7441ED3D718A55733F492
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,148 posts
  • MVP
Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml


Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.


Ron
  • 0

#7
Hock44

Hock44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, Ron,

I cleared the Java cache and then ran malwarebytes. Here is the log, which looks clean to me.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6558

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/11/2011 10:35:55 PM
mbam-log-2011-05-11 (22-35-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 423343
Time elapsed: 5 hour(s), 33 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,148 posts
  • MVP
I don't like the looks of this:

2011-05-05 23:59 . 2011-05-05 23:59 101888 ----a-w- c:\program files\Mozilla Firefox\null0.5240364877852767.exe

but I tried removing it and it came back.

Submit the file to http://virustotal.com and let's see what they say about it. Copy and paste the report if it says anything other than 0/42 or so.

I assume you are still getting redirected?

Ron
  • 0

#9
Hock44

Hock44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, Ron,

I just tested Firefox & IE7 and there is no longer a problem. I am going to submit that file anyway. I will post the results and we can probably close this thread when I do that.

Thank you again for all your help!

Tom
  • 0

#10
Hock44

Hock44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi, Ron,

I could not find the file c:\program files\Mozilla Firefox\null0.5240364877852767.exe. I searched all of C: drive, hidden files and system files included. So I reran combofix and searched the log. No evidence of it in the log, either. Just for safety's sake, I will post the log below. I think we are good to go and you can close this thread.

Again, thanks!

Tom

ComboFix 11-05-11.04 - Owner 05/12/2011 8:15.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1016.429 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Malware programs\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-11 23:50 . 2011-05-11 23:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-05-11 23:50 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-11 23:50 . 2011-05-11 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-11 23:49 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 23:49 . 2011-05-11 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-11 18:59 . 2011-05-11 18:59 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{505D3833-09FB-42A6-8C05-E4469DA34239}\MpKslc8b1b706.sys
2011-05-11 18:58 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{505D3833-09FB-42A6-8C05-E4469DA34239}\mpengine.dll
2011-05-11 18:39 . 2011-05-11 20:05 -------- d-----w- c:\program files\HooTech Net Meter
2011-05-10 20:52 . 2011-05-10 21:31 -------- d-----w- C:\George
2011-05-07 08:04 . 2011-05-07 08:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-05-07 08:01 . 2011-05-07 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\windows\system32\drivers\NST
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-05-06 19:48 . 2011-05-06 19:48 -------- d-----w- c:\program files\NortonInstaller
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\Owner\Application Data\QFX Software
2011-05-06 19:47 . 2011-05-06 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\QFX Software
2011-05-06 19:25 . 2011-04-24 22:14 225856 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2011-05-06 19:25 . 2011-05-06 19:25 -------- d-----w- c:\program files\KeyScrambler
2011-05-06 18:25 . 2011-05-11 01:26 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-05-06 18:25 . 2011-05-06 18:25 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-05-06 18:23 . 2011-05-06 18:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-06 16:46 . 2011-05-06 16:46 -------- d-----w- C:\_OTM
2011-05-06 16:40 . 2011-05-06 16:41 -------- d-----w- c:\program files\ERUNT
2011-05-01 02:30 . 2011-05-11 19:23 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2011-05-01 01:54 . 2011-05-01 02:33 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-30 20:36 . 2011-04-30 20:36 37027 ----a-w- c:\windows\atmoUn.exe
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\program files\Viewpoint
2011-04-30 20:36 . 2011-04-30 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2011-04-29 22:12 . 2011-04-29 22:12 -------- d-----w- C:\ProgramData
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Effexis Software
2011-04-29 21:51 . 2011-04-29 21:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Effexis Software
2011-04-29 21:49 . 2011-04-29 21:49 -------- d-----w- c:\program files\Effexis Software
2011-04-29 21:47 . 2011-04-29 21:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2011-04-29 16:26 . 2011-04-30 15:03 -------- d-----w- c:\program files\Above & Beyond
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2010-11-19 23:33 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-07 05:33 . 2006-01-25 14:51 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 19:00 . 2001-08-23 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 19:00 . 2010-06-05 00:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 19:00 . 2001-08-23 12:00 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-17 19:00 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2011-02-17 13:18 . 2001-08-23 12:00 455936 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2001-08-23 12:00 357888 ------w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 16:36 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-17 11:44 . 2006-01-25 04:32 389120 ----a-w- c:\windows\system32\html.iec
2011-02-15 12:56 . 2001-08-23 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2009-09-13 01:02 . 2009-09-13 01:02 28488 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-09-13 01:02 . 2009-09-13 01:02 185232 -c--a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-09-13 01:02 . 2009-09-13 01:02 99216 -c--a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
((((((((((((((((((((((((((((( [email protected]_21.21.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-11 17:42 . 2011-05-11 17:42 274432 c:\windows\ERDNT\AutoBackup\5-11-2011\Users\00000002\UsrClass.dat
+ 2011-05-11 17:42 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-11-2011\ERDNT.EXE
+ 2011-05-01 02:15 . 2011-05-11 19:34 3777536 c:\windows\Installer\dcbdf.msi
- 2011-05-01 02:15 . 2011-05-06 21:52 3777536 c:\windows\Installer\dcbdf.msi
+ 2011-05-11 17:42 . 2011-05-11 17:42 11423744 c:\windows\ERDNT\AutoBackup\5-11-2011\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-02-11 160592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-02-19 1089536]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-7-20 22486]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 14:16 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk.disabled
backup=c:\windows\pss\Acrobat Assistant.lnk.disabledCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk.disabled]
backup=c:\windows\pss\Quicken Scheduled Updates.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk.disabled]
backup=c:\windows\pss\Quicken Startup.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk.disabled
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk.disabled]
backup=c:\windows\pss\Updates from HP.lnk.disabledCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk.disabled
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Brother\\Brmfl08g\\FAXRX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
.
R1 MpKslc8b1b706;MpKslc8b1b706;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{505D3833-09FB-42A6-8C05-E4469DA34239}\MpKslc8b1b706.sys [5/11/2011 11:59 AM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/11/2010 2:48 PM 10448]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 1:41 PM 12856]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [5/6/2011 12:25 PM 225856]
S1 MpKsl5b7e7568;MpKsl5b7e7568;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49FEE13C-CEA3-44C1-8B3E-908B1F3F037F}\MpKsl5b7e7568.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49FEE13C-CEA3-44C1-8B3E-908B1F3F037F}\MpKsl5b7e7568.sys [?]
S2 NetMeterService;Net Meter Service;c:\program files\HooTech Net Meter\NetMeterService.exe [5/11/2011 11:39 AM 192512]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [12/18/2009 3:35 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [12/18/2009 3:35 PM 8456]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 5:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC8B1B706
*NewlyCreated* - NETMETERSERVICE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2010-12-07 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2011-05-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 20:26]
.
2011-05-12 c:\windows\Tasks\User_Feed_Synchronization-{3FC117BE-8BDD-4D86-B2EE-6D28C09B4A67}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 22:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
TCP: {5A878DF4-2C10-4F1F-9E88-69E7CCEEFC6D} = 64.13.68.5,64.13.115.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\wkl5s4ab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: New Tab Homepage: {66E978CD-981F-47DF-AC42-E3CF417C1467} - %profile%\extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: KeyScrambler: [email protected] - %profile%\extensions\[email protected]
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-12 08:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2011-05-12 08:48:45
ComboFix-quarantined-files.txt 2011-05-12 15:48
ComboFix2.txt 2011-05-11 17:59
.
Pre-Run: 2,954,846,208 bytes free
Post-Run: 2,933,968,896 bytes free
.
- - End Of File - - 1D094CC962A8E294B0C68B921805B894
  • 0
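The entry Ron pointed out in post #8 was found by reading the "Files Created" section of the ComboFix log by eye. As an added example (not part of the thread and not ComboFix's own code), the Python below parses that section and flags executables that deserve a closer look; the sample lines are constructed in the same format, three copied from the logs above and the `c:\windows\helper.exe` line made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the ComboFix "Files Created" layout used in this thread's logs.
# Three entries are copied from those logs (the null0... line is the one flagged in
# post #8); c:\windows\helper.exe is a made-up entry added only for this example.
SAMPLE_LOG = """\
ComboFix 11-05-11.04 - Owner 05/12/2011 8:15.4.1 - x86
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
2011-05-11 23:50 . 2010-12-21 01:09 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-05-11 23:49 . 2011-05-11 23:50 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2011-05-05 23:59 . 2011-05-05 23:59 101888 ----a-w- c:\\program files\\Mozilla Firefox\\null0.5240364877852767.exe
2011-05-01 10:00 . 2011-05-01 10:00 45056 ----a-w- c:\\windows\\helper.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-04 06:45 . 2001-08-23 12:00 434176 ----a-w- c:\\windows\\system32\\vbscript.dll
"""

# One log entry: "<created> . <modified> <size or dashes> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}
WINDOWS_ROOT = PureWindowsPath("c:/windows")


def parse_files_created(log_text):
    """Return the 'Files Created' entries as dicts; parsing stops at the next section header."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):
            break  # next ComboFix section (e.g. Find3M Report)
        m = ENTRY_RE.match(line.strip())
        if in_section and m:
            entries.append({
                "created": m["created"],
                "modified": m["modified"],
                "size": int(m["size"]) if m["size"].isdigit() else None,
                "is_dir": m["attrs"].startswith("d"),
                "path": m["path"],
            })
    return entries


def digit_ratio(stem):
    """Share of digits in a file name stem; auto-generated names tend to be digit-heavy."""
    return sum(ch.isdigit() for ch in stem) / max(len(stem), 1)


def triage(entries, digit_threshold=0.4):
    """Flag executables worth a second look. A hit means 'review it', not 'malicious'."""
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        p = PureWindowsPath(e["path"])
        if p.suffix.lower() not in EXEC_EXT:
            continue
        reasons = []
        if digit_ratio(p.stem) >= digit_threshold:
            reasons.append("random-looking name")
        if p.parent == WINDOWS_ROOT:  # PureWindowsPath compares case-insensitively
            reasons.append("executable directly in the Windows directory")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(parse_files_created(SAMPLE_LOG)):
        print(f"{path}: {', '.join(reasons)}")
```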

#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,148 posts
  • MVP
I think I would uninstall MSSE and reinstall it. It does not do well if you install it on top of an infected system.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java (Java™ 6 Update 25). Get the latest at:

http://javadl.sun.co...?BundleId=41723

Save it to your PC then close all browsers and install it.

Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)

Java does not remove the old consoles from Firefox so go into Firefox, Add-Ons and find any old Java Consoles and Disable or Uninstall them.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Quicktime also needs to be up to date if you have it.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK, then close the program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support, especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0
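The MVPS hosts file and Spybot's Immunize both work the same way: they fill the hosts file with unwanted names pointed at a sinkhole address, so the browser never reaches them. The same file is what gets altered when a machine starts redirecting, so it is worth being able to tell the two kinds of entry apart. As an added example (not from the thread, MVPS or Spybot), the Python below parses a hosts file and separates sinkhole entries from names sent to some other address, grouped by target; the sample file is constructed and uses documentation addresses.

```python
import ipaddress

# Addresses that block a name rather than redirect it.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample hosts file laid out like the MVPS file (names sent to 0.0.0.0).
# The 192.0.2.10 lines are made up for the example (192.0.2.0/24 is a documentation
# range) and show what a redirecting entry looks like; no real site is implied.
SAMPLE_HOSTS = """\
# constructed sample header
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org # [constructed comment]
0.0.0.0 banner.example.test pixel.example.test
192.0.2.10 www.example.com  # constructed: a normal-looking name sent elsewhere
192.0.2.10 update.example.net
not-a-hosts-line
"""


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and non-entries are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a hosts entry
        for name in fields[1:]:  # one address may carry several names
            pairs.append((str(addr), name.lower()))
    return pairs


def classify(pairs, local_names=("localhost",)):
    """Split entries into sinkholed names and redirects, the latter grouped by target address.

    Many unrelated names all sent to one non-sinkhole address is the pattern to look at
    first when a machine is being redirected; a short list of blocked names is expected.
    """
    result = {"sinkholed": [], "redirects": {}}
    for addr, name in pairs:
        if addr in SINKHOLES:
            if name not in local_names:
                result["sinkholed"].append(name)
        else:
            result["redirects"].setdefault(addr, []).append(name)
    return result


if __name__ == "__main__":
    summary = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(summary['sinkholed'])} names sinkholed")
    for addr, names in summary["redirects"].items():
        print(f"{addr} <- {', '.join(names)}")
```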

#12
Hock44

Hock44

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay, thanks! I did all the things you recommended.

I did not like Autorun Eater. It just kept my USB drive from even being recognized.

I use Spybot Search & Destroy weekly so I am just going to keep using their immunize for my hosts file.


Thank you for your help. Please feel free to close this thread.
  • 0
