Solved

Browser Search Hijacked

Posted on 2009-07-15
Last Modified: 2013-12-06
I have a desktop machine that apparently has some browser-hijacking software installed that I cannot track down to remove for the life of me. I have run SpyBot, AdAware, Malwarebytes Anti-Malware, and AVG on the machine both in regular bootup and Safe Mode. Even after doing all that, I can run a web search on Google or any other search engine and, when I click on one of the results in the search list, it takes me to some bogus websites. I will post my HijackThis log below for anyone who might notice something that I am missing. Does anyone have any suggestions on how to fix this issue?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:33 PM, on 7/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Comcast Install 1.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Media Center PC 2.8; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; OfficeLiveConnector.1.3; OfficeLivePatch.0.0)" -"http://www.miniclip.com/games/basketball-slam/en/"
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://67.20.2.66/CACHE/stc/1/binaries/vpnweb.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227971596500
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenDNS Updater (OpenDNS Updater.exe) - OpenDNS - C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 12123 bytes
Question by:gvector1
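
A triage pass over the log above, as an added example that is not part of the original post and not HijackThis code. It parses the R1/O2/O4/O23 line shapes and applies three checks: a ProxyServer value pointing at loopback (the `R1 - HKCU\...\Internet Settings,ProxyServer = http=127.0.0.1:6711` line is exactly that; a proxy on 127.0.0.1 that no listed program explains is where search-click redirection is usually implemented, so the process listening on that port is the first thing to identify), Run entries whose binary is given without a path and is therefore found through the PATH search order, and services whose recorded image does not resolve. The sample lines are copied from the posted log; the severity labels and the `sc qc` follow-up are this script's own suggestions.

```python
"""Triage a HijackThis 2.x log for the entries most often behind
search-result redirection.  Added example: not part of the thread and
not HijackThis code.  Sample lines below are copied from the posted log;
the severity labels are this script's own judgement."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]   # (severity, HJT section, detail)

# Constructed sample: lines taken verbatim from the log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
"""

# Line shapes for the HijackThis sections this script understands.
RE_R = re.compile(r"^(R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...')
    into (scheme, host, port) tuples; scheme is '*' when none is given."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        out.append((scheme or "*", host.strip("[]"), int(port) if port.isdigit() else 0))
    return out


def is_loopback(host: str) -> bool:
    return host.lower() == "localhost" or host == "::1" or host.startswith("127.")


def command_image(cmd: str) -> str:
    """Return the executable part of a Run-key command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_qualified(image: str) -> bool:
    """A bare 'foo.exe' is located through the PATH search order; a drive or backslash means it is not."""
    return "\\" in image or ":" in image


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_R.match(line)
        if m:
            if m.group("name").strip() == "ProxyServer":
                for scheme, host, port in parse_proxy_server(m.group("value")):
                    if is_loopback(host):
                        findings.append(("HIGH", m.group(1),
                            f"{m.group('key')} sends {scheme} traffic through a loopback proxy "
                            f"{host}:{port}; identify the process listening on that port first"))
            continue
        m = RE_O4.match(line)
        if m:
            image = command_image(m.group("cmd"))
            if not is_qualified(image):
                findings.append(("LOW", "O4",
                    f"[{m.group('name')}] starts '{image}' without a full path; "
                    "confirm which file on PATH actually runs"))
            continue
        m = RE_O23.match(line)
        if m and "(file missing)" in m.group("path"):
            detail = f"service '{m.group('name')}' records image '{m.group('path')}'"
            if re.fullmatch(r"[A-Za-z]:\\Program\.exe \(file missing\)", m.group("path")):
                detail += ("; HijackThis reports this shape when it cannot resolve a service path "
                           "containing spaces (typically an unquoted ImagePath); check it with 'sc qc'")
            findings.append(("MEDIUM", "O23", detail))
            continue
        m = RE_O2.match(line)
        if m and m.group("name").strip() == "(no name)":
            findings.append(("LOW", "O2",
                f"BHO {{{m.group('clsid')}}} has no display name; verify {m.group('path')} is signed and expected"))
    return findings


if __name__ == "__main__":
    for sev, sec, detail in triage(SAMPLE_LOG):
        print(f"{sev:<6} {sec:<4} {detail}")
```

On the machine itself the HIGH finding is followed up with `netstat -ano | findstr :6711` to get the owning PID (XP's netstat supports `-o`), and the LOW findings by locating the bare executables along the PATH; a scanner that cannot see the proxy setting will keep reporting the box clean.
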
8 Comments

Expert Comment

by:selvol
ID: 24864771

Accepted Solution

by: greyknight17 (earned 500 total points)
ID: 24864943
Let's see what ComboFix can find for us:

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Expert Comment

by:Istvan Kalmar
ID: 24865963
Hi,

If you use Spybot, you are able to protect your lmhosts file!
If you want a site to be blocked, please write 127.0.0.1 as the address:

192.168.0.11 fake.org

The Lmhosts file is a local text file that maps Internet Protocol (IP) addresses to NetBIOS names of remote servers with which you want to communicate over the TCP/IP protocol.

The Lmhosts file is located in the %SystemRoot%\System32\Drivers\Etc folder on a Windows computer. The file is named LMHOSTS.SAM and must be renamed to LMHOSTS before it can be used. Since an LMHOSTS file contains a static computer-name-to-IP-address mapping, it may cause conflicts if you are also using DHCP to dynamically assign IP addresses or if the computer's IP changed.

If you experience name resolution issues on your TCP/IP network, especially in a small business with a WINS server, you may want to use Lmhosts files to resolve NetBIOS names.

Sample Lmhosts File
192.168.0.11 Bob #PRE
192.168.0.25 ms-mvps #PRE


Sample lmhosts file for pointing to a domain

10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME

10.0.0.1 "DOMAIN-NAME \0x1b" #PRE

Or

10.0.0.1  MS-MVP  #PRE  #DOM:CHICAGOTECH

10.0.0.1  "CHICAGOTECH  \0x1b"  #PRE
Note: The domain name in this entry is case sensitive. Make sure that you use uppercase characters for the domain name. If you use lowercase characters for the domain name, NetBT does not recognize the name.

To reload the NBT remote cache name table, use this command: nbtstat -R. To display the NBT remote cache name table, use nbtstat -C.

If you want to stop something from autorunning, please run msconfig and, from the running programs, uncheck the unnecessary programs!

http://netsquirrel.com/msconfig/

Best Regards,
Istvan



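The LMHOSTS syntax described in the comment above, parsed by an added example (not part of the thread, not Microsoft's code) that shows what NetBT would actually register for each line: the effect of #PRE and #DOM:, why the quoted domain entry must be padded to exactly 15 characters before \0x1b, and why its case matters. One caveat a reader of that comment needs: LMHOSTS feeds NetBIOS name resolution only, while a browser resolves web-site names through DNS, so a 127.0.0.1 entry meant to block a site belongs in the hosts file in the same Drivers\Etc folder. The sample file is constructed from the comment's own entries; treating a short quoted name as space-padded to 16 bytes is this script's assumption about NetBT's literal handling of quoted names.

```python
"""Parse LMHOSTS lines of the kind shown above into the 16-byte names NetBT
registers, so the effect of #PRE, #DOM:, the quoted \\0xnn form and letter
case can be checked before 'nbtstat -R' is run.  Added example, not part of
the thread; the sample file is constructed from the comment's own entries."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LMHOSTS = r"""
# constructed sample; keywords after a name are the only '#' tokens that matter
192.168.0.11 Bob #PRE
192.168.0.25 ms-mvps #PRE
10.0.0.1 PDCNAME #PRE #DOM:DOMAIN-NAME
10.0.0.1 "DOMAIN-NAME \0x1b" #PRE
10.0.0.1 "chicagotech    \0x1b" #PRE
"""

_HEX_ESC = re.compile(r"\\0x([0-9A-Fa-f]{2})")
_LINE = re.compile(r'^(\S+)\s+(?:"([^"]*)"|(\S+))(.*)$')


@dataclass(frozen=True)
class NbtEntry:
    ip: str
    name: bytes        # 16-byte NetBIOS name: 15 name bytes + 1 suffix byte
    preload: bool
    domain: str = ""   # set when the line carried #DOM:

    @property
    def suffix(self) -> int:
        return self.name[15]


def netbios_bytes(raw: str, quoted: bool) -> bytes:
    """Unquoted names are upper-cased, space-padded to 15 and given suffix 0x20
    (the server-service suffix, used here as the representative one).  Quoted
    names are taken literally: case kept, \\0xnn expanded, then space-padded or
    cut to 16 bytes, so a short quoted name ends with 0x20 where the intended
    suffix should have been (assumption: this models NetBT's literal handling)."""
    if quoted:
        text = _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), raw)
        return text.encode("latin-1")[:16].ljust(16, b" ")
    return raw.upper().encode("latin-1")[:15].ljust(15, b" ") + b"\x20"


def parse_lmhosts(text: str) -> List[NbtEntry]:
    entries: List[NbtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # comment; #INCLUDE/#BEGIN_ALTERNATE blocks are not modelled
        m = _LINE.match(line)
        if not m:
            continue
        ip, quoted_name, bare_name, rest = m.groups()
        preload = "#PRE" in rest.upper()
        dom = re.search(r"#DOM:(\S+)", rest, re.I)
        domain = dom.group(1) if dom else ""
        if quoted_name is not None:
            entries.append(NbtEntry(ip, netbios_bytes(quoted_name, True), preload, domain))
        else:
            entries.append(NbtEntry(ip, netbios_bytes(bare_name, False), preload, domain))
        if domain:
            # #DOM: also lists the host under the domain's <1C> group name
            group = domain.upper().encode("latin-1")[:15].ljust(15, b" ") + b"\x1c"
            entries.append(NbtEntry(ip, group, preload, domain))
    return entries


def domain_master_entry(ip: str, domain: str) -> str:
    """Emit a correctly padded <1B> line: exactly 15 characters inside the quotes
    before \\0x1b, so the escape lands in the 16th byte."""
    domain = domain.upper()
    if len(domain) > 15:
        raise ValueError("NetBIOS domain names are at most 15 characters")
    return f'{ip} "{domain:<15}\\0x1b" #PRE'


def describe(e: NbtEntry) -> str:
    return f"{e.ip:<15} {e.name[:15].decode('latin-1')!r}<{e.suffix:02X}>{' #PRE' if e.preload else ''}"


if __name__ == "__main__":
    for entry in parse_lmhosts(SAMPLE_LMHOSTS):
        print(describe(entry))
    print(domain_master_entry("10.0.0.1", "DOMAIN-NAME"))
```

Running it shows that `"DOMAIN-NAME \0x1b"` as written in the comment lands the 0x1b byte in position 13 and leaves a space as the suffix, so it never matches the <1B> name; `domain_master_entry` writes the padded form that does, and the lowercase `chicagotech` entry stays lowercase, which is the case-sensitivity the comment warns about.
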
Author Comment

by:gvector1
ID: 24873680
Okay, I ran Combofix, and here is the log:

ComboFix 09-07-14.08 - Kendal 07/15/2009 21:23.1.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1534.972 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\96329996.ini
c:\recycler\S-1-5-21-1454471165-492894223-839522115-500
c:\windows\Installer\11344009.msp
c:\windows\Installer\11e5554.msp
c:\windows\Installer\141d557.msp
c:\windows\Installer\141d55b.msp
c:\windows\Installer\1569bc3.msp
c:\windows\Installer\165aab5b.msp
c:\windows\Installer\1b81017f.msp
c:\windows\Installer\1c121e7.msp
c:\windows\Installer\20a737f6.msp
c:\windows\Installer\25cd7ef7.msp
c:\windows\Installer\2be8798.msp
c:\windows\Installer\2be879c.msp
c:\windows\Installer\2cecf03.msp
c:\windows\Installer\323ae3f.msp
c:\windows\Installer\4a22d.msp
c:\windows\Installer\4a231.msp
c:\windows\Installer\4a235.msp
c:\windows\Installer\4a239.msp
c:\windows\Installer\4ffe64.msp
c:\windows\Installer\4ffe68.msp
c:\windows\Installer\51f53e3.msp
c:\windows\Installer\56e51.msp
c:\windows\Installer\56e55.msp
c:\windows\Installer\5948645.msp
c:\windows\Installer\5948649.msp
c:\windows\Installer\5f63624.msp
c:\windows\Installer\667e635.msp
c:\windows\Installer\6e77656.msp
c:\windows\Installer\7f52bce.msp
c:\windows\Installer\84a33a1.msp
c:\windows\Installer\84a33a5.msp
c:\windows\Installer\b1ce4a9.msp
c:\windows\Installer\ba4f55d.msp
c:\windows\Installer\ba4f561.msp
c:\windows\Installer\c0de3da.msp
c:\windows\kb913800.exe
c:\windows\system32\drivers\hjgruiamsenapp.sys
c:\windows\system32\hjgruijtovlruc.dat
c:\windows\system32\hjgruimrtlqmsm.dat
c:\windows\system32\hjgruiogkvdlyp.dll
c:\windows\system32\hjgruithpxudoy.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiftoygflk


(((((((((((((((((((((((((   Files Created from 2009-06-16 to 2009-07-16  )))))))))))))))))))))))))))))))
.

2009-07-16 00:28 . 2009-07-15 22:23      3137363      ----a-r-      C:\ComboFix.exe
2009-07-15 03:26 . 2009-07-15 03:27      --------      dc-h--w-      c:\windows\ie8
2009-07-13 04:39 . 2009-07-13 04:39      --------      d-sh--w-      c:\documents and settings\NetworkService\IETldCache
2009-07-07 05:58 . 2009-07-07 05:59      --------      d-----w-      c:\program files\Spybot - Search & Destroy
2009-07-07 05:58 . 2009-07-07 05:59      --------      d-----w-      c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-07 00:39 . 2009-07-07 06:04      --------      d---a-w-      c:\documents and settings\All Users\Application Data\TEMP
2009-07-06 07:24 . 2009-07-06 07:24      2167576      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-06 07:24 . 2009-07-06 07:24      2054424      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 07:24 . 2009-06-27 06:37      327688      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-06 07:24 . 2009-06-27 06:37      3402008      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-06 07:24 . 2009-06-27 06:37      1204504      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-06 07:24 . 2009-06-27 06:37      337176      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-06 07:24 . 2009-06-27 06:37      829208      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-06 07:24 . 2009-06-27 06:37      3298072      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-06 07:24 . 2009-06-27 06:36      1454360      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-06 07:24 . 2009-06-27 06:36      1085208      ----a-w-      c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-06 04:51 . 2009-07-06 04:39      15688      ----a-w-      c:\windows\system32\lsdelete.exe
2009-07-06 04:39 . 2009-07-06 04:38      64160      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2009-07-06 04:39 . 2009-07-13 04:45      25440      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-06 04:39 . 2009-07-06 04:39      314712      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-06 04:39 . 2009-07-06 04:39      348496      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-06 04:39 . 2009-07-06 04:39      169312      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-06 04:39 . 2009-07-06 04:39      15688      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-07-06 04:39 . 2009-07-06 04:39      298336      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-07-06 04:39 . 2009-07-06 04:39      84832      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-07-06 04:39 . 2009-07-13 04:45      1630560      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-07-06 04:39 . 2009-07-06 04:39      40288      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-07-06 04:39 . 2009-07-06 04:39      246128      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-07-06 04:38 . 2009-07-06 04:38      85352      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe
2009-07-06 04:38 . 2009-07-06 04:38      664424      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-07-06 04:38 . 2009-07-06 04:38      64160      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-07-06 04:38 . 2009-07-06 04:38      563064      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-07-06 04:38 . 2009-07-06 04:38      566632      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-07-06 04:38 . 2009-07-13 04:45      2353480      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-07-06 04:38 . 2009-07-06 04:38      629072      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-07-06 04:38 . 2009-07-06 04:38      520024      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-07-06 04:38 . 2009-07-06 04:38      1029456      ----a-w-      c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-07-06 04:36 . 2009-07-06 04:36      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-06 04:36 . 2009-03-12 08:17      2902048      -c--a-w-      c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-06 04:36 . 2009-07-06 04:36      --------      d-----w-      c:\program files\Lavasoft
2009-07-06 04:36 . 2009-07-06 04:39      --------      d-----w-      c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-06 04:28 . 2009-07-06 04:28      --------      d-----w-      c:\program files\Trend Micro
2009-07-04 01:32 . 2009-07-04 01:32      --------      d-----w-      c:\documents and settings\Dylan\Application Data\Red Kawa
2009-07-03 23:01 . 2009-07-03 23:01      --------      d-----w-      c:\program files\Regensoft
2009-07-03 23:01 . 2009-07-12 05:10      --------      d-----w-      c:\program files\AviSynth 2.5
2009-07-03 23:01 . 2009-07-03 23:01      --------      d-----w-      c:\program files\Red Kawa
2009-07-03 22:33 . 2008-12-04 06:25      120832      ----a-w-      c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-06-28 04:34 . 2009-06-28 04:34      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
2009-06-25 04:55 . 2009-06-25 04:55      --------      d-sh--w-      c:\documents and settings\Dylan\IECompatCache
2009-06-19 02:41 . 2009-06-19 02:41      --------      d-sh--w-      c:\documents and settings\Kendal\IECompatCache

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 05:12 . 2008-03-16 20:40      --------      d-----w-      c:\program files\LogMeIn
2009-07-10 03:15 . 2009-05-29 00:23      --------      d-----w-      c:\program files\3DVHAS
2009-07-06 07:24 . 2009-05-09 05:55      335752      ----a-w-      c:\windows\system32\drivers\avgldx86.sys
2009-07-03 22:36 . 2009-02-27 02:52      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2009-07-03 22:36 . 2009-05-09 05:48      3561743      ----a-w-      c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-27 06:37 . 2009-05-09 05:55      11952      ----a-w-      c:\windows\system32\avgrsstx.dll
2009-06-27 06:37 . 2009-05-09 05:55      27784      ----a-w-      c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 17:16 . 2008-03-24 01:43      57      ----a-w-      c:\windows\popcinfo.dat
2009-06-18 00:55 . 2009-06-06 00:33      --------      d-----w-      c:\documents and settings\Kendal\Application Data\MySQL
2009-06-17 16:27 . 2009-02-27 02:52      38160      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-02-27 02:52      19096      ----a-w-      c:\windows\system32\drivers\mbam.sys
2009-06-15 21:24 . 2009-06-15 21:24      --------      d-----w-      c:\documents and settings\Dylan\Application Data\Notepad++
2009-06-12 04:38 . 2009-06-06 00:18      --------      d-----w-      c:\documents and settings\Kendal\Application Data\SQLyog
2009-06-11 04:41 . 2008-11-29 14:54      --------      d-----w-      c:\program files\Microsoft SQL Server
2009-06-11 04:35 . 2008-03-09 21:43      --------      d-----w-      c:\program files\Java
2009-06-11 04:30 . 2009-06-11 04:30      152576      ----a-w-      c:\documents and settings\Kendal\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-09 23:17 . 2008-02-22 14:48      126040      ----a-w-      c:\documents and settings\Kendal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 03:09 . 2009-06-07 00:53      --------      d-----w-      c:\documents and settings\Dylan\Application Data\SQLyog
2009-06-07 00:55 . 2009-06-07 00:54      --------      d-----w-      c:\documents and settings\Dylan\Application Data\MySQL
2009-06-06 21:50 . 2008-02-22 23:46      126040      ----a-w-      c:\documents and settings\Dylan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 00:17 . 2008-11-30 20:48      --------      d-----w-      c:\program files\MySQL
2009-06-06 00:17 . 2009-06-06 00:17      --------      d-----w-      c:\program files\SQLyog Community
2009-06-04 23:40 . 2009-06-04 23:39      --------      d-----w-      c:\documents and settings\Kendal\Application Data\Notepad++
2009-06-04 23:39 . 2009-06-04 23:39      --------      d-----w-      c:\program files\Notepad++
2009-06-04 23:05 . 2009-06-04 23:05      --------      d-----w-      c:\program files\EDIdEv
2009-06-04 23:05 . 2009-06-04 23:05      --------      d-----w-      c:\documents and settings\All Users\Application Data\EDIdEv
2009-06-04 23:05 . 2009-06-04 23:05      1060864      ----a-w-      c:\windows\system32\MFC71.DLL
2009-06-04 23:03 . 2009-05-17 04:45      1721248      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-06-04 23:02 . 2009-06-04 23:02      --------      d-----w-      c:\program files\AnkhSVN 2
2009-05-30 21:42 . 2009-05-27 02:07      --------      d-----w-      c:\program files\Crawler
2009-05-27 01:44 . 2009-05-27 01:44      --------      d-----w-      c:\program files\OceanDive
2009-05-25 01:34 . 2009-05-25 01:33      --------      d-----w-      c:\program files\Euro Truck Simulator
2009-05-25 00:58 . 2009-05-25 00:58      --------      d-----w-      c:\program files\John Deere Drive Green
2009-05-25 00:58 . 2008-02-18 18:59      --------      d--h--w-      c:\program files\InstallShield Installation Information
2009-05-21 16:33 . 2008-12-02 01:12      410984      ----a-w-      c:\windows\system32\deploytk.dll
2009-05-17 23:25 . 2009-05-17 23:25      --------      d-----w-      c:\program files\Information Packaging
2009-05-17 22:39 . 2009-05-17 20:42      --------      d-----w-      c:\program files\nLite
2009-05-17 21:01 . 2009-05-17 20:40      --------      d-----w-      c:\program files\WinUpdatesList
2009-05-17 20:40 . 2009-05-17 20:40      39424      ----a-w-      c:\windows\zipinst.exe
2009-05-17 18:02 . 2009-05-17 17:57      --------      d-----w-      c:\program files\Microsoft
2009-05-17 18:02 . 2009-05-17 18:02      --------      d-----w-      c:\program files\Microsoft Office Outlook Connector
2009-05-17 18:01 . 2008-05-03 18:05      --------      d-----w-      c:\program files\Windows Live
2009-05-17 18:00 . 2009-05-17 04:49      --------      d-----w-      c:\program files\Microsoft SQL Server Compact Edition
2009-05-17 17:57 . 2009-05-17 17:57      --------      d-----w-      c:\program files\Windows Live SkyDrive
2009-05-17 16:48 . 2009-05-17 16:48      --------      d-----w-      c:\program files\Common Files\Windows Live
2009-05-17 16:38 . 2008-11-29 14:54      --------      d-----w-      c:\program files\Microsoft Silverlight
2009-05-17 16:17 . 2008-11-29 01:46      --------      d-----w-      c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-17 13:46 . 2009-05-17 04:46      18368      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-05-17 13:36 . 2009-05-17 04:13      --------      d-----w-      c:\program files\Common Files\Merge Modules
2009-05-17 13:24 . 2008-11-29 14:50      --------      d-----w-      c:\program files\Microsoft Visual Studio 9.0
2009-05-17 05:56 . 2009-05-17 05:56      --------      d-----w-      c:\program files\MSDN
2009-05-17 04:56 . 2009-05-17 04:56      --------      d-----w-      c:\program files\Business Objects
2009-05-17 04:54 . 2009-05-17 04:54      --------      d-----w-      c:\program files\Microsoft Device Emulator
2009-05-17 04:53 . 2009-05-17 04:52      --------      d-----w-      c:\program files\Windows Mobile 5.0 SDK R2
2009-05-17 04:49 . 2009-05-17 04:49      --------      d-----w-      c:\program files\Microsoft Synchronization Services
2009-05-17 04:47 . 2008-03-19 00:28      --------      d-----w-      c:\program files\Microsoft.NET
2009-05-17 04:39 . 2009-05-17 04:39      --------      d-----w-      c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-05-17 04:32 . 2009-05-17 04:13      --------      d-----w-      c:\program files\HTML Help Workshop
2009-05-17 04:31 . 2008-11-29 14:48      --------      d-----w-      c:\program files\MSBuild
2009-05-17 04:13 . 2009-05-17 04:13      --------      d-----w-      c:\program files\Microsoft SDKs
2009-05-17 04:13 . 2009-05-17 04:13      --------      d-----w-      c:\program files\CE Remote Tools
2009-05-17 04:11 . 2009-05-17 04:11      --------      d-----w-      c:\program files\Microsoft Web Designer Tools
2009-05-15 14:03 . 2009-05-15 14:03      9232      ----a-w-      c:\documents and settings\Kendal\mqdmmdfl.sys
2009-05-15 14:03 . 2009-05-15 14:03      92064      ----a-w-      c:\documents and settings\Kendal\mqdmmdm.sys
2009-05-15 14:03 . 2009-05-15 14:03      79328      ----a-w-      c:\documents and settings\Kendal\mqdmserd.sys
2009-05-15 14:03 . 2009-05-15 14:03      66656      ----a-w-      c:\documents and settings\Kendal\mqdmbus.sys
2009-05-15 14:03 . 2009-05-15 14:03      6208      ----a-w-      c:\documents and settings\Kendal\mqdmcmnt.sys
2009-05-15 14:03 . 2009-05-15 14:03      5936      ----a-w-      c:\documents and settings\Kendal\mqdmwhnt.sys
2009-05-15 14:03 . 2009-05-15 14:03      4048      ----a-w-      c:\documents and settings\Kendal\mqdmcr.sys
2009-05-15 14:03 . 2009-05-15 14:03      25600      ----a-w-      c:\documents and settings\Kendal\usbsermptxp.sys
2009-05-15 14:03 . 2009-05-15 14:03      22768      ----a-w-      c:\documents and settings\Kendal\usbsermpt.sys
2009-05-13 05:15 . 2006-03-04 03:33      915456      ----a-w-      c:\windows\system32\wininet.dll
2009-05-09 06:01 . 2008-11-29 14:53      416      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-05-09 05:55 . 2009-05-09 05:55      108552      ----a-w-      c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-10 11:00      345600      ----a-w-      c:\windows\system32\localspl.dll
2009-05-07 04:23 . 2009-05-07 04:23      152576      ----a-w-      c:\documents and settings\Kendal\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-23 00:13 . 2009-05-08 00:48      98304      ----a-w-      c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
2009-04-23 00:13 . 2009-05-08 00:48      77824      ----a-w-      c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
2009-04-18 05:20 . 2009-04-18 05:20      129      ----a-w-      c:\documents and settings\Kendal\Local Settings\Application Data\fusioncache.dat
2009-04-17 12:26 . 2004-08-10 11:00      1847168      ----a-w-      c:\windows\system32\win32k.sys
2009-06-25 20:13 . 2008-06-21 16:54      134648      ----a-w-      c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-08-09 19:10 . 2008-02-25 19:55      245408      ----a-w-      c:\program files\mozilla firefox\plugins\unicows.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-11-02 14:26      80384      ----a-w-      c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-27 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-06 520024]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

c:\documents and settings\Kendal\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-27 06:37      11952      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 14:16      87352      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3306:TCP"= 3306:TCP:MySQL Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/5/2009 11:39 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/9/2009 12:55 AM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/9/2009 12:55 AM 108552]
R1 ISODisk;ISODisk;c:\windows\system32\drivers\ISODisk.sys [11/28/2008 8:48 PM 9600]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/9/2009 12:54 AM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [3/16/2008 3:40 PM 47640]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run --> c:\program files\OpenDNS Updater\OpenDNS Updater.exe --run [?]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [8/20/2008 8:42 PM 370872]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\Dylan\LOCALS~1\Temp\{1735A~1\atiicdxx.sys --> c:\docume~1\Dylan\LOCALS~1\Temp\{1735A~1\atiicdxx.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [5/15/2009 5:50 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [5/15/2009 5:50 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [5/15/2009 10:47 AM 23680]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;c:\windows\system32\drivers\vpnva.sys [8/20/2008 7:57 PM 20152]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 6:28 PM 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 3:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 6:28 PM 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:38]

2008-06-19 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2100 series5E771253C1676EBED677BF361FDFC537825E15B8205890654.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Comcast Install 1.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; Media Center PC 2.8; .NET CLR 3.0.4506.2152; .NET
HKLM-Run-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://67.20.2.66/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{22119944-ED35-4ab1-910B-E619EA06A115}\components\rfproxy_27.dll
FF - component: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayAccessService.dll
FF - component: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\EbayFormSubmitObserver.dll
FF - component: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - plugin: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Kendal\Application Data\Mozilla\Firefox\Profiles\urgjq2lr.default\extensions\TechnicianConsole@logmeinrescue.com\platform\WINNT\plugins\npRescue.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(1404)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\ehome\ehrec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\OpenDNS Updater\OpenDNS Updater.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\ehome\ehmsas.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-07-16 21:53 - machine was rebooted
ComboFix-quarantined-files.txt  2009-07-16 02:53

Pre-Run: 70,475,010,048 bytes free
Post-Run: 70,901,440,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

405      --- E O F ---      2009-06-11 01:01


Does anything stand out in this log file?

Thanks,
Kendal
0
 
LVL 17

Expert Comment

by:selvol
ID: 24874060
My suggestion is one I use myself.... Dump all that non-needed stuff.
Dump all the virus, adware, popup blocker, toolbars, etc.
And see how much better your computer runs.  I put my name on it.  Your computer will run much better. And you will be able to freely use a computer not taken over by gimmicks.
Every one of the types of programs I mentioned above is robbing you of the freedom to use your computer at the speed and with the resources available that it is capable of.
I could not get a virus by surfing the Internet, as I have been for 15 years, unless I was a visitor of "cracks and keygens and warez sites."  Even then I'd need to install a program I downloaded without checking it first with this online virus scanner:
http://www.virustotal.com/
 
Bottom line: those programs I mention are most likely the cause.
Each one wants to RULE your computer.. I have had 3 viruses in 15 years.
And I deserved them.
I do not use a locally installed virus scanner.  And NEVER will.

Rename this "QuickTime Task"="c:\program files\QuickTime\qttask.exe" to zqttask.exe
as it is eating up resources and is not needed.
Selvol
0
 
LVL 25

Expert Comment

by:Tony Giangreco
ID: 24889585
1.      ComboFix
a.      Read the directions located at the URL from John at Bleepingcomputer.com
b.      Rename ComboFix PRIOR to downloading it to your PC.

Restart into safe mode and run the following series.

2.      You may also want to check the hosts file. It may have been altered.
a.      Script to reinstall Winsock, TCP/IP stack, and HOSTS file:
http://downloads.subratam.org/WinsockFix.zip
3.      Malwarebytes www.malwarebytes.com
4.      SuperAntiSpyware www.superantispyware.com
5.      Spybot www.spybot.com
6.      Symantec Endpoint  http://www.symantec.com/business/products/trialware.jsp?pcid=pcat_security&pvid=prot_suite_sbe_1
7.      If the situation continues, go to www.TrendMicro.com and run the HouseCall online scan.
0
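Step 2 in the list above, checking the hosts file, is the one part of that procedure that can be turned into a repeatable check. The script below is an added illustration written for this page (my own code, not from the thread or from any of the tools it names): it parses a Windows HOSTS file and flags any override of search-engine or security-vendor names, distinguishing a name sent to an outside address (the search-result redirection the poster describes) from a name sunk to the local host (the cleanup site made unreachable). The sample file content, the watched-domain list and the function names are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows HOSTS file, not taken from the thread. The three
# entries marked "constructed" are the kind a search hijacker adds; the rest are normal.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.local      # legitimate LAN entry
203.0.113.45    www.google.com        # constructed: sends Google lookups to an outside host
203.0.113.45    search.yahoo.com      # constructed: same for Yahoo
127.0.0.1       www.malwarebytes.com  # constructed: blocks the cleanup tool's site
0.0.0.0         ad.doubleclick.net    # ad-blocking style entry, harmless
"""

# Names worth watching: search engines (what the poster saw hijacked) and the sites of
# the cleanup tools recommended in this thread. An assumption for the example; extend it.
WATCHED_DOMAINS = {
    "google.com", "www.google.com", "search.yahoo.com", "www.bing.com",
    "www.malwarebytes.com", "www.superantispyware.com", "www.bleepingcomputer.com",
}

# Addresses that mean "resolve locally / go nowhere". Ad blockers use these legitimately,
# but a watched domain pointed here has been cut off rather than redirected.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in HOSTS-file text, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so this is not a mapping
        for name in names:
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip, kind)] for watched names that the file overrides.

    kind is "redirected" when the name points at a real address (traffic goes to that
    host) and "blocked" when it points at a local sink (the site becomes unreachable).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            kind = "blocked" if ip in LOCAL_SINKS else "redirected"
            findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    import sys
    # With no argument, run over the constructed sample; otherwise read the given file,
    # e.g. C:\Windows\System32\drivers\etc\hosts on the affected machine.
    if len(sys.argv) < 2:
        text = SAMPLE_HOSTS
    else:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for name, ip, kind in find_hijacks(text):
        print(f"{kind:10} {name:28} -> {ip}")
```

Run it against the machine's own file with the path as the only argument. Two caveats a practitioner should keep in mind: a hosts file that reads clean does not rule out redirection done elsewhere (DNS server settings, a browser extension such as the unfamiliar `rfproxy_27.dll` component in the log above, or a layered service provider), and Windows reads the hosts file from the directory named by the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, so confirm that value still points at `%SystemRoot%\System32\drivers\etc` before trusting the file you inspected.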
 

Author Closing Comment

by:gvector1
ID: 31604022
It seems that combofix has fixed the problem.  Since I have run combofix, I have not had any hijacker issues.  Let's hope it stays that way.  

Thanks to all for suggestions.
Kendal
0
 
LVL 15

Expert Comment

by:greyknight17
ID: 24996537
Go to Start->Run, copy/paste in combofix /u and hit OK to remove it.

Good job. It looks clean now. Follow the below links for ways to help prevent these infections:

1. TonyKlein's article So how did I get infected in the first place?
http://www.spywareinfoforum.com/index.php?showtopic=60955

2. Simple and easy ways to keep your computer safe and secure on the Internet
http://www.bleepingcomputer.com/tutorials/tutorial82.html

3. miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
0
