ziffgone (Canada) asked:

Browser hijacked and possible virus

Hello Experts,

Need some help here. I've tried finding and removing my infections using Spybot S&D, Ad-Aware AE, SUPERAntiSpyware and a removal tool. I thought this was the Virtumonde or Vundo trojan, and both Spybot and SUPERAntiSpyware found variations of the Vundo trojan, but I can't seem to get rid of it.

Here are the symptoms:

When I do a Google search in Firefox and click on one of the results, it goes to the result page but then instantly redirects to some random ads/search page. A simple search on Google for HijackThis, and clicking on the first HijackThis result, which should have gone to "http://majorgeeks.com/download3155.html", instead redirected to "http://www.findstuff.com" with a search result.

My AVG Antivirus can't update, and also crashes occasionally. Firefox crashes quite often, usually after a couple of searches or when switching tabs.

The following is my HijackThis report, I hope someone here can guide me in the right direction.

Regards...
Logfile of HijackThis v1.99.1
Scan saved at 1:25:35 PM, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HijackThis\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.36.252.76:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Turbine Download Manager Tray Icon] "C:\Program Files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll/300
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Nick\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0TR\Swafer.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://webmap.em.gov.bc.ca/mapplace/mgaxctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbxywww - cbxywww.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

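A HijackThis log like the one above is normally read by hand, section by section. The script below is an added example for this thread (it is not part of the original question and not part of HijackThis) that writes the usual manual review points as code: an Internet Settings ProxyServer value pointing at a non-loopback host, Winlogon Notify entries whose DLL is no longer on disk, a populated AppInit_DLLs value, and any non-Microsoft Winsock LSP. The sample input is a subset of R/O lines copied from the posted log; the section codes and severity labels are the script's own convention.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the HijackThis log posted above (a subset of the R/O entries).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.36.252.76:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbxywww - cbxywww.dll (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) followed by " - ".
HJT_LINE = re.compile(r"^([RFNO]\d+) - (.*)$")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high": needs a decision now; "review": verify by hand before removing anything
    reason: str
    line: str


def proxy_hosts(value: str) -> List[str]:
    """Split a ProxyServer value ("host:port" or "http=host:port;https=...") into host names."""
    hosts = []
    for part in value.split(";"):
        part = part.split("=", 1)[-1].strip()
        if part:
            hosts.append(part.rsplit(":", 1)[0] if ":" in part else part)
    return hosts


def is_local_proxy(value: str) -> bool:
    """True when every configured proxy host is loopback (a local filtering proxy, not an external one)."""
    return all(h.startswith("127.") or h == "localhost" for h in proxy_hosts(value))


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list and blanks are not entries
        section, body = m.groups()
        if section == "R1":
            pm = PROXY_RE.search(body)
            if pm:
                value = pm.group(1).strip()
                if value and not is_local_proxy(value):
                    findings.append(Finding(section, "high",
                        f"browser traffic is routed through proxy {value}; confirm this is intended", raw))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            nm = NOTIFY_RE.match(body)
            if nm and "(file missing)" in nm.group(2):
                findings.append(Finding(section, "review",
                    f"Winlogon Notify entry '{nm.group(1)}' points at a DLL that is not on disk", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip().strip(",").strip()
            if value:  # the posted log has only "," here, i.e. nothing configured
                findings.append(Finding(section, "high",
                    f"AppInit_DLLs loads {value} into every process that links user32.dll", raw))
        elif section == "O10":
            findings.append(Finding(section, "review",
                "non-Microsoft Winsock LSP; confirm the vendor before removing "
                "(Apple's Bonjour mdnsnsp.dll is a legitimate LSP)", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

The script deliberately does not delete anything: an orphaned Winlogon Notify key is a leftover to clean up once the owner is identified, a proxy that the user did not configure should be cleared in Internet Options and then the machine watched for it coming back, and HijackThis labels every non-Microsoft LSP as "unknown", so that line needs a vendor check rather than a reflexive fix.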

ziffgone (ASKER):

I should also mention that sometimes, instead of crashing the browser, it simply gives me an error stating the internet connection could not be found, and I can only get the browser to reconnect to the internet by rebooting the computer.

Regards...
ASKER CERTIFIED SOLUTION by Member_2_921743 (United States): text available to members only.

rpggamergirl:
For the Firefox search hijacks it sounds very much like a Goored infection.
GooredFix should take care of it.

Please download GooredFix and save it to your Desktop.
http://www.geekstogo.com/forum/redirect.php?url=http%3A%2F%2Fjpshortstuff.247fixes.com%2FGooredFix.exe

Double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.

A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system.

Please also allow any registry changes that may be prompted by any of your security programs.


It's also a good idea to run ComboFix as already suggested, as there might be other viruses present in the system as well.

(Working on Malwarebytes Anti-Malware and ComboFix now)...

GooredLog.txt:
GooredFix v1.92 by jpshortstuff
Log created at 19:49 on 12/04/2009 running Option #2 (Nick)
Firefox version 3.0.8 (en-US)
 
=====Goored Deletions=====
 
=====Dumping Registry Values=====
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"


At this time I only get a blank page when viewing any page on bleepingcomputer.com. Is there a mirror location I can get ComboFix?
SOLUTION: text available to members only.

Malwarebytes Log file:


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3
 
4/12/2009 9:53:39 PM
mbam-log-2009-04-12 (21-53-39).txt
 
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206643
Time elapsed: 1 hour(s), 36 minute(s), 48 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 65
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
HKEY_CLASSES_ROOT\sai.instantiator (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sai.instantiator.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d85530e8-d39d-49d0-9f36-300d594556d2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4e7bd74f-2b8d-469e-86bd-fd60bb9aae3a} (Adware.OneToolBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\NewCfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
 
Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Local Settings\Temp\7zS1B.tmp\AdwareAlert\SpyCleaner.dll (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\1.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\10.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\20off.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\6.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\7.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\8.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\9.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\action.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\atlantis.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\bfgtoolbarDLL.zip (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\bfgtoolbartb0500.cfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\bfg_greetings.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\card.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\COMBOSEARCH.acs (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\ErrorLog.txt (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\logo.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\mahjong.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\mygames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\mygamestoolbar.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\new.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\newgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\puzzle.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\search.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\thereef.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\topten.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\webgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\bfgtoolbar\word.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\1.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\10.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\2.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\20off.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\3.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\4.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\5.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\6.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\7.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\8.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\9.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\action.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\atlantis.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\bfgtoolbarDLL.zip (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\bfgtoolbartb0500.cfg (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\bfg_greetings.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\card.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\COMBOSEARCH.acs (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\ErrorLog.txt (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\logo.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\mahjong.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\mygames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\mygamestoolbar.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\new.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\newgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\puzzle.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\search.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\thereef.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\topten.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\webgames.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Application Data\bfgtoolbar\word.bmp (Adware.OneToolBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe (Trojan.Agent) -> Quarantined and deleted successfully.


I'm getting a "source file could not be read" error when trying to download ComboFix from the bleepingcomputers.com site. I'll try and find a mirror.
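The Malwarebytes log above is long but regular: every detection is "item (family) -> action". The following added script (not part of the original thread and not Malwarebytes' own code) parses those lines, counts detections per family, and lists the entries marked "Delete on reboot", which remain on the system until the machine is restarted and so should be confirmed gone with a rescan after the reboot. The sample input is a subset of lines copied from the posted log.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample detection lines copied from the Malwarebytes log posted above (a subset).
SAMPLE_MBAM = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\sai.instantiator (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d85530e8-d39d-49d0-9f36-300d594556d2} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Nick\Application Data\bfgtoolbar (Adware.OneToolBar) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# item, then the family in the last parenthesised group, then the action after "->".
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_detections(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (item, family, action) per detection line; headers and
    '(No malicious items detected)' lines do not match and are skipped."""
    detections = []
    for raw in log_text.splitlines():
        m = DETECTION.match(raw.strip())
        if m:
            detections.append(m.groupdict())
    return detections


def summarize(log_text: str) -> Tuple[Counter, List[str]]:
    """Detections per family, plus the items that are only removed at the next reboot."""
    detections = parse_detections(log_text)
    by_family = Counter(d["family"] for d in detections)
    pending = [d["item"] for d in detections
               if d["action"].lower().startswith("delete on reboot")]
    return by_family, pending


def needs_reboot(log_text: str) -> bool:
    """True when at least one item is still scheduled for removal at reboot."""
    return bool(summarize(log_text)[1])


if __name__ == "__main__":
    by_family, pending = summarize(SAMPLE_MBAM)
    for family, count in by_family.most_common():
        print(f"{count:3d}  {family}")
    if pending:
        print("\nStill present until reboot (rescan afterwards):")
        for item in pending:
            print("  " + item)
```

The per-family counts are what tell you which detections are a single bundled toolbar (dozens of files under one family) and which are separate infections; the pending list is the reason a second scan after rebooting belongs in the cleanup sequence before declaring the machine clean.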
You should be able to access the below link. Try the link posted there if no links will work.
https://www.experts-exchange.com/questions/24288356/Load-Tools.html
You can try the following mirror links as well:

Link1
Link2

If you still run into problems getting ComboFix, try to get it from another computer instead and copy it over.
Thanks guys. ComboFix log below:


ComboFix 09-04-13.09 - Nick 2009-04-12 22:28.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1527.895 [GMT -7:00]
Running from: c:\tools-av\16987\16987.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\bcrmqiu.wab
c:\windows\IE4 Error Log.txt
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_FREEZESCREENSAVER
-------\Service_FreezeScreenSaver
 
 
(((((((((((((((((((((((((   Files Created from 2009-03-13 to 2009-04-13  )))))))))))))))))))))))))))))))
.
 
2009-04-13 05:19 . 2009-04-13 05:19	--------	d-----w	C:\Tools-AV
2009-04-13 02:47 . 2009-04-13 02:47	--------	d-----w	c:\documents and settings\Nick\Application Data\Malwarebytes
2009-04-13 02:47 . 2009-04-06 22:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-13 02:47 . 2009-04-06 22:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 02:47 . 2009-04-13 02:47	--------	d-----w	c:\program files\Malwarebytes Anti-Malware
2009-04-13 02:47 . 2009-04-13 02:47	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-12 20:06 . 2009-04-12 20:06	51744	----a-w	c:\documents and settings\Administrator.NIH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 20:05 . 2009-04-12 20:05	--------	d-----w	c:\program files\Process Hacker
2009-04-12 20:05 . 2009-04-12 20:05	--------	d-----w	c:\documents and settings\Administrator.NIH\Local Settings\Application Data\Adobe
2009-04-12 15:36 . 2009-04-12 15:36	--------	d-----w	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-12 15:36 . 2009-04-12 15:36	--------	d-----w	c:\program files\SUPERAntiSpyware
2009-04-12 15:36 . 2009-04-12 15:36	--------	d-----w	c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-04-12 15:35 . 2009-04-12 15:35	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-04-12 06:32 . 2009-03-09 19:06	15688	----a-w	c:\windows\system32\lsdelete.exe
2009-04-11 18:04 . 2009-04-11 18:04	--------	d-----w	c:\documents and settings\Administrator.NIH\Application Data\Ipswitch
2009-04-11 18:03 . 2009-04-11 18:03	--------	d-----w	c:\documents and settings\Administrator.NIH\Local Settings\Application Data\Mozilla
2009-04-11 18:03 . 2009-04-11 18:03	--------	d-----w	c:\documents and settings\Administrator.NIH\Application Data\InterVideo
2009-04-11 17:15 . 2009-04-11 17:15	--------	d-sh--w	c:\documents and settings\Administrator.NIH\IETldCache
2009-04-11 16:55 . 2009-03-09 19:06	64160	----a-w	c:\windows\system32\drivers\Lbd.sys
2009-04-11 16:52 . 2009-04-11 16:52	--------	dc-h--w	c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 03:06 . 2009-04-04 03:33	--------	d-----w	c:\windows\system32\Adobe
2009-04-03 22:28 . 2009-04-03 22:28	--------	d-----w	c:\program files\Microsoft Visual Studio 8
2009-04-03 22:27 . 2009-04-03 22:27	--------	d-----w	c:\program files\Microsoft.NET
2009-04-03 22:25 . 2009-04-03 22:25	--------	d-----w	c:\documents and settings\Nick\Local Settings\Application Data\Microsoft Help
2009-04-03 22:25 . 2009-04-05 14:48	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-03 22:24 . 2009-04-03 22:24	--------	d--h--r	C:\MSOCache
2009-04-03 22:23 . 2009-04-03 22:23	--------	d-----w	c:\program files\Common Files\Nikon
2009-04-03 22:21 . 2009-04-03 22:36	--------	d-----w	c:\program files\Microsoft Expression
2009-04-03 21:40 . 2009-04-04 10:09	2352	----a-w	c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-03 21:40 . 2009-04-03 21:40	--------	d-----w	c:\program files\MSBuild
2009-04-03 21:39 . 2009-04-03 21:39	--------	d-----w	c:\windows\system32\XPSViewer
2009-04-03 21:39 . 2009-04-03 21:39	--------	d-----w	c:\program files\Reference Assemblies
2009-04-03 21:38 . 2006-06-29 20:07	14048	------w	c:\windows\system32\spmsg2.dll
2009-04-03 19:05 . 2009-04-03 19:05	--------	d-----w	c:\program files\Microsoft Silverlight
2009-04-03 18:45 . 2009-03-25 03:27	606293	----a-w	c:\windows\system32\wbocx.ocx
2009-04-03 18:45 . 2009-03-25 03:27	50688	----a-w	c:\windows\system32\wbhelp2.dll
2009-04-03 18:45 . 2009-04-03 18:45	--------	d-----w	c:\documents and settings\All Users\Application Data\Ipswitch
2009-04-03 18:45 . 2009-04-03 18:45	--------	d-----w	c:\documents and settings\Nick\Application Data\InstallShield
2009-04-03 18:32 . 2009-04-03 18:39	1276	----a-w	c:\windows\system32\WS_FTP_Install.BAK
2009-04-03 04:39 . 2009-04-03 18:21	--------	d-----w	c:\documents and settings\Nick\Application Data\BitTorrent
2009-04-03 04:39 . 2009-04-03 04:39	--------	d-----w	c:\documents and settings\Nick\Local Settings\Application Data\DNA
2009-04-03 04:39 . 2009-04-13 14:19	--------	d-----w	c:\program files\DNA
2009-04-03 04:39 . 2009-04-13 14:19	--------	d-----w	c:\documents and settings\Nick\Application Data\DNA
2009-04-03 04:39 . 2009-04-03 04:39	--------	d-----w	c:\program files\BitTorrent
2009-04-03 04:13 . 2009-04-12 21:36	--------	d-----w	c:\documents and settings\Nick\Local Settings\Application Data\True BoxShot
2009-04-03 04:13 . 2009-04-12 20:53	--------	d-----w	c:\program files\True BoxShot
2009-03-23 19:09 . 2009-04-12 01:50	--------	d--h--w	C:\$AVG8.VAULT$
2009-03-23 16:55 . 2009-03-23 16:56	--------	d-----w	c:\program files\bwin
2009-03-22 20:48 . 2009-03-22 20:48	10520	----a-w	c:\windows\system32\avgrsstx.dll
2009-03-22 20:48 . 2009-03-27 15:16	108552	----a-w	c:\windows\system32\drivers\avgtdix.sys
2009-03-22 20:48 . 2009-03-22 20:48	325640	----a-w	c:\windows\system32\drivers\avgldx86.sys
2009-03-22 20:47 . 2009-04-10 01:42	--------	d-----w	c:\windows\system32\drivers\Avg
2009-03-22 20:47 . 2009-03-22 20:47	--------	d-----w	c:\program files\AVG
2009-03-22 20:47 . 2009-03-22 20:47	--------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2009-03-22 01:25 . 2009-03-22 01:25	--------	d-sh--w	c:\documents and settings\Compaq_Owner\PrivacIE
2009-03-22 01:22 . 2009-03-22 01:22	--------	d-sh--w	c:\documents and settings\Compaq_Owner\IETldCache
2009-03-21 22:44 . 2009-03-21 22:44	--------	d-sh--w	c:\documents and settings\Nick\PrivacIE
2009-03-21 22:44 . 2009-03-21 22:44	--------	d-sh--w	c:\documents and settings\Nick\IECompatCache
2009-03-21 22:12 . 2009-03-21 22:12	--------	d-sh--w	c:\documents and settings\NetworkService\IETldCache
2009-03-21 22:12 . 2009-03-21 22:12	--------	d-sh--w	c:\documents and settings\Nick\IETldCache
2009-03-21 21:55 . 2009-03-21 21:55	--------	d-----w	c:\windows\ie8updates
2009-03-21 21:52 . 2009-03-21 21:53	--------	dc-h--w	c:\windows\ie8
2009-03-21 21:49 . 2009-02-28 04:55	105984	-c----w	c:\windows\system32\dllcache\iecompat.dll
2009-03-21 20:39 . 2009-03-21 20:54	--------	d-----w	c:\documents and settings\Nick\Application Data\PE Explorer
2009-03-21 20:39 . 2009-03-21 20:39	--------	d-----w	c:\program files\PE Explorer
2009-03-20 01:31 . 2009-03-20 01:31	--------	d-----w	c:\program files\MozBackup
2009-03-20 01:05 . 2008-04-14 00:12	218624	----a-w	c:\windows\system32\uxtheme.backup
2009-03-18 18:10 . 2009-03-19 05:15	--------	d-----w	c:\program files\World of Warcraft
2009-03-18 18:08 . 2009-03-18 18:08	--------	d-----w	c:\documents and settings\All Users\Application Data\Blizzard
2009-03-18 02:58 . 2009-03-18 02:58	--------	d-----w	c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-18 02:58 . 2009-03-18 02:58	--------	d-----w	c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-18 02:58 . 2009-03-18 02:58	--------	d-----w	c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-18 02:58 . 2009-03-18 02:58	--------	d-----w	c:\program files\File Scanner Library (Spybot - Search & Destroy)
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 14:17 . 2009-04-12 06:37	1719	----a-w	C:\aaw7boot.log
2009-04-13 05:19 . 2009-04-13 05:19	4	----a-w	C:\menu.txt
2009-04-12 20:47 . 2004-08-12 03:28	--------	d--h--w	c:\program files\InstallShield Installation Information
2009-04-12 15:20 . 2005-05-21 01:40	51744	----a-w	c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 00:52 . 2008-02-22 20:02	--------	d-----w	c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-11 16:52 . 2005-09-25 01:53	--------	d-----w	c:\program files\Lavasoft
2009-04-11 14:33 . 2007-03-29 03:53	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-04-11 14:33 . 2007-03-29 03:53	--------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 02:08 . 2005-05-10 17:25	488	----a-w	C:\hpfr5550.xml
2009-04-04 14:15 . 2007-03-31 04:02	51744	----a-w	c:\documents and settings\Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-03 22:41 . 2007-11-18 16:57	--------	d-----w	c:\program files\NoteTab Pro 5
2009-04-03 22:28 . 2004-08-12 03:33	--------	d-----w	c:\program files\Microsoft Works
2009-04-03 21:39 . 2008-05-24 17:08	--------	d-----w	c:\program files\SmartFTP Client
2009-03-26 15:36 . 2008-02-22 20:02	--------	d-----w	c:\program files\Security Task Manager
2009-03-23 15:58 . 2008-05-24 17:07	--------	d-----w	c:\program files\SmartFTP Client 3.0 Setup Files
2009-03-20 01:05 . 2004-08-29 18:24	218624	----a-w	c:\windows\system32\uxtheme.dll
2009-03-20 00:41 . 2008-05-03 15:45	--------	d-----w	c:\program files\Realspace3_at
2009-03-19 19:25 . 2004-08-12 11:57	--------	d-----w	c:\program files\Common Files\Symantec Shared
2009-03-19 03:48 . 2004-08-12 11:57	--------	d-----w	c:\documents and settings\All Users\Application Data\Symantec
2009-03-19 03:39 . 2005-05-10 17:06	--------	d-----w	c:\program files\Yahoo!
2009-03-19 02:42 . 2007-06-11 02:39	--------	d-----w	c:\program files\My Way Games
2009-03-19 02:38 . 2008-02-29 01:18	--------	d-----w	c:\program files\Real Link Finder
2009-03-19 02:38 . 2008-05-02 17:01	--------	d-----w	c:\program files\ProfessorFizzwizzleTrial_at
2009-03-19 02:38 . 2008-10-01 23:52	--------	d-----w	c:\program files\PokerSmoke
2009-03-19 02:37 . 2008-04-08 00:30	--------	d-----w	c:\program files\phantomlinkcloaker
2009-03-19 02:36 . 2008-05-03 03:00	--------	d-----w	c:\program files\DeerDrive_at
2009-03-19 02:35 . 2008-02-20 19:08	--------	d-----w	c:\program files\Cain
2009-03-19 02:35 . 2008-03-22 16:57	--------	d-----w	c:\program files\Autodesk
2009-03-19 02:24 . 2005-05-08 15:13	--------	d-----w	c:\program files\Common Files\Adobe
2009-03-18 22:43 . 2005-05-15 02:04	--------	d-----w	c:\program files\Common Files\Blizzard Entertainment
2009-03-18 17:21 . 2008-05-23 23:30	--------	d-----w	c:\program files\RealArcade
2009-03-18 17:20 . 2009-02-03 02:18	--------	d-----w	c:\documents and settings\All Users\Application Data\Turbine
2009-03-18 17:20 . 2005-05-21 17:35	--------	d-----w	c:\program files\Shockwave.com
2009-03-18 17:19 . 2008-05-02 20:33	--------	d-----w	c:\program files\DevastationZoneTroopers_at
2009-03-18 17:17 . 2009-01-15 15:21	--------	d-----w	c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-18 07:44 . 2009-02-08 01:19	--------	d-----w	c:\documents and settings\Compaq_Owner\Application Data\Shareaza
2009-03-08 11:34 . 2004-08-29 18:24	914944	----a-w	c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-29 18:21	43008	----a-w	c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-29 18:20	18944	----a-w	c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-29 18:24	420352	----a-w	c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-29 19:08	72704	----a-w	c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-29 18:21	71680	----a-w	c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-29 18:21	34816	----a-w	c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-29 18:22	48128	----a-w	c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-29 18:21	45568	----a-w	c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-29 18:22	156160	----a-w	c:\windows\system32\msls31.dll
2009-02-09 11:13 . 2004-08-29 18:24	1846784	----a-w	c:\windows\system32\win32k.sys
2008-12-22 21:07 . 2008-12-22 21:07	319	-c-ha-w	c:\documents and settings\Nick\hpothb07.dat
2008-03-14 19:37 . 2008-03-14 19:37	0	-c--a-w	c:\program files\temp01
2007-08-28 18:08 . 2007-10-27 18:08	32	-c--a-r	c:\documents and settings\All Users\hash.dat
2007-06-22 03:58 . 2005-05-08 18:46	127	----a-w	c:\documents and settings\Nick\Local Settings\Application Data\fusioncache.dat
2005-10-25 21:32 . 2005-10-25 21:32	774144	-c--a-w	c:\program files\RngInterstitial.dll
2004-08-12 03:54 . 2007-09-05 16:58	128	-c--a-w	c:\documents and settings\Administrator.NIH\Local Settings\Application Data\fusioncache.dat
2004-08-12 03:54 . 2005-12-11 02:09	128	-c--a-w	c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2004-08-12 03:54 . 2005-05-08 14:46	128	-c--a-w	c:\documents and settings\Compaq_Owner\Local Settings\Application Data\fusioncache.dat
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-26 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-02 321344]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-22 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoSimpleStartMenu"= 0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-22 13:48 10520 c:\windows\system32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 17:12 15360 c:\windows\system32\ctfmon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a--c--- 2004-08-20 15:51 118784 c:\windows\system32\hkcmd.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a--c--- 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a--c--- 2004-08-20 15:55 155648 c:\windows\system32\igfxtray.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
-----c--- 2007-07-11 11:01 393216 c:\progra~1\TELUSE~1\SMARTB~1\MotiveSB.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 17:12 1695232 c:\program files\Messenger\msmsgs.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 15:50 4620288 c:\windows\system32\nvcpl.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a--c--- 2004-10-29 15:50 86016 c:\windows\system32\nvmctray.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-08-11 19:34 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a--c--- 2005-05-10 12:50 100056 c:\progra~1\SYMNET~1\SNDMon.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TELUS_eCare_Lite_McciTrayApp]
--a--c--- 2007-01-24 14:55 1007720 c:\program files\TELUS_eCare_Lite\eCareTrayApp.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-08-11 20:23 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-03-04 12:01 88209 c:\windows\AGRSMMSG.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2004-07-06 01:05 2550272 c:\windows\ALCWZRD.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 15:50 921600 c:\windows\system32\nwiz.exe
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Shareaza Applications\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
 
R3 PAC7311;VGA SoC PC-Camera;c:\windows\system32\DRIVERS\PA707UCM.SYS [2005-10-18 154752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 Stuffit Archive Name Service;Stuffit Archive Name Service;c:\program files\Smith Micro\StuffIt11\ArcNameService.exe [2007-10-08 157000]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-22 908056]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-22 298264]
R4 LiveTurbineMessageService;Turbine Message Service - Live; [x]
R4 LiveTurbineNetworkService;Turbine Network Service - Live; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-22 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-27 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
 
 
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
 
2009-04-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 12:06]
 
2008-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
 
2008-09-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
 
2005-08-26 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1115579937.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
 
2009-04-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
 
2008-09-09 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -
 
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKLM-Run-Turbine Download Manager Tray Icon - c:\program files\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
MSConfigStartUp-BO1HelperStartUp - c:\progra~1\BUTTER~1\BO1HEL~1.EXE
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-trioService - c:\progra~1\Freeze.com\Halloween\\trioService.exe
MSConfigStartUp-VTTimer - VTTimer.exe
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ca.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://ca.yahoo.com
mStart Page = hxxp://ca.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
uInternet Settings,ProxyServer = 69.36.252.76:8081
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Nick\Start Menu\Programs\IMVU\Run IMVU.lnk
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\ipfc88d9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\ipfc88d9.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
 
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");
.
 
**************************************************************************
 
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 07:20
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
 
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
 
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D85530E8-D39D-49D0-9F36-300D594556D2}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000004
"Count"=dword:00000175
"Time"=hex:d8,07,02,00,04,00,1c,00,0e,00,03,00,2c,00,af,02
"Blocked"=dword:0000014e
 
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}\iexplore]
@DACL=(02 0000)
"Type"=dword:00000003
"Flags"=dword:00000000
"Count"=dword:00000001
"Time"=hex:d8,07,02,00,03,00,14,00,11,00,29,00,0d,00,ee,02
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\SYSTEM32\\RAZADUPE.DLL"
"ThreadingModel"="Both"
 
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\mljgh.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(860)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
 
- - - - - - - > 'explorer.exe'(2140)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\corel\Graphics8\programs\CMFFld80.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\locator.exe
c:\windows\system32\PAStiSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-13  7:26 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-13 14:26
ComboFix2.txt  2008-02-29 16:36
 
Pre-Run: 8,166,928,384 bytes free
Post-Run: 8,678,756,352 bytes free
 
478	--- E O F ---	2009-04-11 22:17


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the bold text below into Notepad:

File::
c:\\WINDOWS\\system32\\mljgh.dll
c:\\WINDOWS\\SYSTEM32\\RAZADUPE.DLL

Reglock::
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D85530E8-D39D-49D0-9F36-300D594556D2}\iexplore]
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}\iexplore]

Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is it running so far?
greyknight17,
Please don't be offended... but I'm just wondering if you did that script in a hurry.
Correct me if I'm wrong;
The key below is a null-embedded key so if we have to take action on that key we should use the RegNull directive not RegLock.

>>>"RegLock::
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\SystemCertificates\AddressBook*] "<<<



Below are not null-embedded keys, so we should use the RegLockDel directive (or alternatively we can use RegLock:: and Registry::)

>>>Regnull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}]<<<



Will combofix take action if the files have doubleslashes?
>>>File::
c:\\WINDOWS\\system32\\mljgh.dll
c:\\WINDOWS\\SYSTEM32\\RAZADUPE.DLL<<<


greyknight and rpggamergirl,

I'll be away from that computer for a few days now, so I won't be able to run this CFScript.txt example until then. What we've done already has made a huge improvement on performance, both in the browser and my ability to update AVG etc. (which was also blocked).

Thanks for your help guys. I'll finish it up when I get back to the problem computer.

Regards...
rpggamergirl, I'm not offended at all. Thanks for catching that. Stupid me...must have been doing something else while typing up the reply. I was actually staring at those double slashes as well and thought I proofread the entire fix before posting.

ziffgone, please ignore my last reply and do the following instead:

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
c:\WINDOWS\system32\mljgh.dll
c:\WINDOWS\SYSTEM32\RAZADUPE.DLL

Regnull::
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\SystemCertificates\AddressBook*]

RegLockDel::
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D85530E8-D39D-49D0-9F36-300D594556D2}]
[HKEY_USERS\S-1-5-21-2740385269-3582360190-2949210702-1010\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F2B18761-A2FB-43F3-A4DE-E112872A42F6}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
Ok, sorry this has taken so long.

Attached is the new "ComboFix.txt" log file after dropping the "CFScript.txt" file (outlined above) into the ComboFix.exe software.


ComboFix.txt
You may delete this file:

c:\program files\temp01

Good job. Your log is clean.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

You may read the below links on how to prevent future infections:

1. TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955

2. "Simple and easy ways to keep your computer safe and secure on the Internet"
http://www.bleepingcomputer.com/tutorials/tutorial82.html

3. miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Thank you guys, you were both a tremendous help. :)
ziffgone,
Glad to know it's now resolved.
Thanks!
 
greyknight17,
No worries... typos/errors, we've all done it :)