garyoak99
2009-12-27, 23:11
Hello,
I believe I have the Windows Protection Suite Trojan. I removed it using MalwareBytes' Anti-Malware but the redirection links in Google still remain! I've already tried running Spybot S&D but it wasn't able to change any of the affected files in the Host directory.
I've already backed up today's registry using ERUNT as suggested in one of the sticky topics.
Here is the HijackThis log as requested:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:42 PM, on 27/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\ico.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Windows\System32\Pelmiced.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
--
End of file - 11384 bytes
IndiGenus
2009-12-28, 18:05
Hi garyoak99 and welcome to the forums here at Spybot S&D.
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
~~~~~~~~~~~~~~~~~
Download This file (http://www.gmer.net/download.php). Note its name and save it to your root folder, such as C:\.
Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "Yes" to begin the scan.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.
IndiGenus
2009-12-29, 01:22
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
IndiGenus
2009-12-29, 02:06
HijackThis reported a problem editing/accessing the \hosts directory just like last time though
That's normal for Vista. I should have asked you to run DDS again. Can you do that and post the log. No need to post the attach log, just the main one.
Also, how's it running?
IndiGenus
2009-12-29, 02:33
It does appear the HOSTS file is still corrupted.
Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).
Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.3 - Hosts File Manager
Run HostsXpert 4.3 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
~~~~~~~~~~~~~~
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
garyoak99
2009-12-29, 02:58
I received 2 warnings from HostsXpert 4.3:
Your HOSTS file is marked as a "hidden file" and can NOT be manipulated. Press OK to remove the hidden file attribute, CANCEL to quit.
***HostsXpert will NOT reset these attributes.***
I pressed OK but it gave me the same warning.
Then it gave me an error:
ERROR: Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts
and then it closed itself.
The requested file is attached to this message.
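The two posts above describe a HOSTS file that still carries hijack entries after cleaning, and a hidden attribute that stops a tool from rewriting it. The script below, added here as an example and not a tool from the thread or from HostsXpert, parses hosts-file content, flags entries for domains a hijack commonly targets, and decodes the hidden and read-only attribute bits. The HOSTS_SAMPLE text, the WATCHED_DOMAINS list and the 203.0.113.10 address (a documentation range) are constructed for the example.

```python
"""Audit a Windows HOSTS file for hijack entries and report the hidden /
read-only attribute bits. Added example; not a tool from the thread.
HOSTS_SAMPLE is constructed, and 203.0.113.0/24 is a documentation range."""
import ipaddress
import os
import sys

# Win32 file attribute bits (documented constants).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2

# Domains a hosts-file hijack typically targets (search engines, AV vendors).
# This list is an assumption for the example, not from the thread.
WATCHED_DOMAINS = ("google.com", "malwarebytes.org", "safer-networking.org",
                   "spybot.info", "symantec.com", "microsoft.com")

REDIRECT = "watched domain redirected off-host"
BLACKHOLE = "watched domain pointed at loopback"
BAD_ADDRESS = "unparseable address"

# Constructed sample: the two stock localhost lines plus hijack entries.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # constructed hijack entries
127.0.0.1       www.malwarebytes.org
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank lines and inline '#' are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hijacks(entries, watched=WATCHED_DOMAINS):
    """Flag watched domains mapped anywhere at all: a stock hosts file never
    lists them, so a loopback entry (blocking) is as suspicious as a redirect."""
    findings = []
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, BAD_ADDRESS))
            continue
        if is_watched(name, watched):
            findings.append((ip, name, BLACKHOLE if addr.is_loopback else REDIRECT))
    return findings


def describe_attributes(attrs):
    """Decode the attribute bits that matter here: the hidden bit is what made
    HostsXpert refuse the edit, and read-only is what the fix sets afterwards."""
    return {
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "read_only": bool(attrs & FILE_ATTRIBUTE_READONLY),
    }


def audit_hosts_file(path):
    """Read a real hosts file and combine both checks. On Windows, os.stat exposes
    the attribute bits as st_file_attributes; elsewhere they are reported as 0."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = find_hijacks(parse_hosts(fh.read()))
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return {"findings": findings, "attributes": describe_attributes(attrs)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_hosts_file(sys.argv[1])  # e.g. C:\Windows\System32\drivers\etc\hosts
    else:
        report = {"findings": find_hijacks(parse_hosts(HOSTS_SAMPLE)),
                  "attributes": describe_attributes(FILE_ATTRIBUTE_HIDDEN)}
    for ip, name, reason in report["findings"]:
        print(f"{reason}: {name} -> {ip}")
    print("attributes:", report["attributes"])
```

Run without arguments to audit the constructed sample, or pass the path of a real hosts file. Entries that send a search engine or security-vendor domain to a non-loopback address match the redirection symptom from the first post; entries that pin such a domain to 127.0.0.1 are the other common form (blocking vendor sites), and both are reported.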
IndiGenus
2009-12-29, 03:47
Okay, I think I've got it.
No need to attach the logs from here. You should be able to (hopefully) copy and paste them into the comment window.
1. Open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\FW.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\std.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\delfile.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\sld.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
Folder::
c:\programdata\PCPXTRLG
c:\programdata\2fb3af8
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt and a new DDS log.
Let me know how it's running also.
garyoak99
2009-12-29, 05:04
Here is the ComboFix log:
ComboFix 09-12-26.05 - Owner 28/12/2009 18:50:31.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2046.1298 [GMT -8:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
SP: Norton AntiVirus *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\delfile.exe"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\eb.drv"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\energy.dll"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\FW.exe"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\pal.dll"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\PE.sys"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\sld.dll"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\std.exe"
"c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\2fb3af8
c:\programdata\2fb3af8\58.mof
c:\programdata\2fb3af8\BackUp\Logitech SetPoint.lnk
c:\programdata\2fb3af8\BackUp\MagicDisc.lnk
c:\programdata\2fb3af8\PC2fb3.exe
c:\programdata\2fb3af8\PCLG.ico
c:\programdata\2fb3af8\PCLGSys\vd952342.bd
c:\programdata\PCPXTRLG
c:\programdata\PCPXTRLG\PCKHJCLG.cfg
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\delfile.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\FW.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\sld.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\std.exe
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.
2009-12-29 02:56 . 2009-12-29 02:56 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-12-29 02:56 . 2009-12-29 02:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-29 02:56 . 2009-12-29 02:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-29 00:54 . 2009-12-14 16:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\NAVENG.SYS
2009-12-29 00:54 . 2009-12-14 16:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\EECTRL.SYS
2009-12-29 00:54 . 2009-12-14 16:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\CCERASER.DLL
2009-12-29 00:54 . 2009-12-14 16:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\ECMSVR32.DLL
2009-12-29 00:54 . 2009-12-14 16:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\NAVENG32.DLL
2009-12-29 00:54 . 2009-12-14 16:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\NAVEX32A.DLL
2009-12-29 00:54 . 2009-12-14 16:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\NAVEX15.SYS
2009-12-29 00:54 . 2009-12-14 16:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.025\ERASER.SYS
2009-12-29 00:40 . 2009-12-29 00:59 -------- d-----w- C:\HostsXpert
2009-12-28 21:43 . 2009-12-28 21:43 293376 ----a-w- C:\ccnywecq.exe
2009-12-28 15:43 . 2009-12-14 16:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\NAVENG.SYS
2009-12-28 15:43 . 2009-12-14 16:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\EECTRL.SYS
2009-12-28 15:43 . 2009-12-14 16:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\CCERASER.DLL
2009-12-28 15:43 . 2009-12-14 16:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\ECMSVR32.DLL
2009-12-28 15:43 . 2009-12-14 16:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\NAVENG32.DLL
2009-12-28 15:43 . 2009-12-14 16:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\NAVEX32A.DLL
2009-12-28 15:43 . 2009-12-14 16:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\NAVEX15.SYS
2009-12-28 15:43 . 2009-12-14 16:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\20091228.004\ERASER.SYS
2009-12-27 20:57 . 2009-12-27 20:57 -------- d-----w- c:\program files\ERUNT
2009-12-27 20:37 . 2009-12-27 20:37 -------- d-----w- c:\program files\Trend Micro
2009-12-26 18:51 . 2009-12-27 18:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-26 18:51 . 2009-12-26 19:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-26 16:48 . 2009-12-26 16:48 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-12-26 16:48 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 16:48 . 2009-12-26 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 16:48 . 2009-12-26 16:48 -------- d-----w- c:\programdata\Malwarebytes
2009-12-26 16:48 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 04:11 . 2009-12-28 23:36 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps
2009-12-26 04:08 . 2009-12-26 04:08 -------- d-----w- c:\programdata\Electronic Arts
2009-12-24 03:24 . 2009-12-25 16:20 -------- d-----w- C:\CPKDATA
2009-12-24 03:24 . 2009-12-24 03:25 -------- d-----w- C:\CPKHOME
2009-12-24 02:01 . 2009-12-24 02:01 138240 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-12-24 02:01 . 2009-12-24 02:01 138240 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-12-24 02:01 . 2009-12-24 02:01 138240 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-12-24 02:01 . 2009-12-24 02:01 138240 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-12-18 23:24 . 2009-11-21 06:12 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\Scxpx86.dll
2009-12-18 23:24 . 2009-11-21 06:12 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\IDSxpx86.dll
2009-12-18 23:24 . 2009-11-21 06:12 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\IDSviA64.sys
2009-12-18 23:24 . 2009-11-21 06:12 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\IDSvix86.sys
2009-12-18 23:24 . 2009-11-21 06:12 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\SymIDSCo.sys
2009-12-18 23:24 . 2009-11-21 06:12 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\SymIDSI.dll
2009-12-18 23:24 . 2009-11-21 06:12 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091217.001\IDS9xx86.dll
2009-12-17 23:26 . 2009-11-21 06:12 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\Scxpx86.dll
2009-12-17 23:26 . 2009-11-21 06:12 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\IDSxpx86.dll
2009-12-17 23:26 . 2009-11-21 06:12 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\IDSviA64.sys
2009-12-17 23:26 . 2009-11-21 06:12 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\IDSvix86.sys
2009-12-17 23:26 . 2009-11-21 06:12 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\SymIDSCo.sys
2009-12-17 23:26 . 2009-11-21 06:12 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\SymIDSI.dll
2009-12-17 23:26 . 2009-11-21 06:12 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\20091216.001\IDS9xx86.dll
2009-12-16 15:07 . 2009-11-21 06:12 732536 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\scxpx86.dll
2009-12-16 15:07 . 2009-11-21 06:12 685432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\idsxpx86.dll
2009-12-16 15:07 . 2009-11-21 06:12 396336 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvia64.sys
2009-12-16 15:07 . 2009-11-21 06:12 286768 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\IDSvix86.sys
2009-12-16 15:07 . 2009-11-21 06:12 268664 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\symidsco.sys
2009-12-16 15:07 . 2009-11-21 06:12 173432 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\SymIDSI.dll
2009-12-16 15:07 . 2009-11-21 06:12 157120 ----a-w- c:\programdata\Symantec\Definitions\SymcData\ipsdefs\BinHub\ids9xx86.dll
2009-12-16 15:03 . 2009-12-16 15:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-12-16 15:02 . 2009-12-16 15:16 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-16 15:02 . 2009-12-16 15:16 -------- d-----w- c:\program files\Symantec
2009-12-16 15:02 . 2009-12-14 16:59 84912 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng.sys
2009-12-16 15:02 . 2009-12-14 16:59 371248 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\eeCtrl.sys
2009-12-16 15:02 . 2009-12-14 16:59 2747440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\cceraser.dll
2009-12-16 15:02 . 2009-12-14 16:59 259440 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ecmsvr32.dll
2009-12-16 15:02 . 2009-12-14 16:59 177520 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\naveng32.dll
2009-12-16 15:02 . 2009-12-14 16:59 1647984 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex32a.dll
2009-12-16 15:02 . 2009-12-14 16:59 1323568 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\navex15.sys
2009-12-16 15:02 . 2009-12-14 16:59 102448 ----a-w- c:\programdata\Symantec\Definitions\VirusDefs\BinHub\ERASER.sys
2009-12-16 14:15 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-16 06:03 . 2009-12-16 06:03 -------- d-----w- c:\programdata\PCSettings
2009-12-16 02:44 . 2009-12-11 04:29 1782128 ----a-w- c:\programdata\Norton\NUA.exe
2009-12-16 02:44 . 2009-12-16 15:16 -------- d-----w- c:\programdata\Norton
2009-12-09 15:08 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 15:08 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 15:08 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 14:22 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 14:13 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 02:15 . 2008-07-18 23:23 696320 ----a-w- c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ca2gbdoj.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
2009-12-07 03:59 . 2009-12-07 03:59 167948 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-06 15:06 . 2009-12-21 23:07 439816 ----a-w- c:\users\Owner\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-01 02:02 . 2009-12-01 02:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 02:02 . 2009-12-01 02:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 02:40 . 2007-11-28 19:23 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 1
2009-12-29 01:35 . 2008-02-04 18:58 -------- d-----w- c:\users\Owner\AppData\Roaming\uTorrent
2009-12-29 00:41 . 2009-01-01 02:45 -------- d-----w- c:\users\Owner\AppData\Roaming\TeraCopy
2009-12-28 16:30 . 2008-08-28 02:29 -------- d-----w- c:\program files\Cheat Engine
2009-12-26 16:21 . 2006-11-02 12:37 -------- d-----w- c:\program files\Microsoft Games
2009-12-26 04:14 . 2009-02-05 04:22 -------- d-----w- c:\program files\Common Files\BioWare
2009-12-26 04:14 . 2007-11-10 03:59 -------- d-----w- c:\programdata\Media Center Programs
2009-12-24 03:24 . 2007-07-03 20:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-24 02:01 . 2007-12-08 23:08 -------- d-----w- c:\program files\SystemRequirementsLab
2009-12-24 02:01 . 2009-02-07 14:51 -------- d-----w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab
2009-12-24 01:54 . 2009-03-27 02:57 -------- d-----w- c:\users\Owner\AppData\Roaming\Microsoft Game Studios
2009-12-24 01:54 . 2009-03-27 02:57 -------- d-----w- c:\programdata\Microsoft Games
2009-12-20 00:52 . 2008-11-12 13:42 -------- d-----w- c:\programdata\Symantec
2009-12-16 23:08 . 2007-11-05 18:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-16 15:16 . 2009-12-16 15:02 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-16 15:16 . 2009-12-16 15:02 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-16 06:03 . 2009-11-07 01:17 80528056 ----a-w- c:\programdata\Norton\{NAV_Production_94_17.1.0.19_NUC}\NAV10UPEN.exe
2009-12-09 15:14 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 15:13 . 2007-11-15 08:50 -------- d-----w- c:\programdata\Microsoft Help
2009-12-07 04:14 . 2008-02-10 14:37 -------- d-----w- c:\users\Owner\AppData\Roaming\mIRC
2009-12-07 04:12 . 2008-02-10 14:37 -------- d-----w- c:\program files\mIRC
2009-11-29 20:22 . 2009-07-25 21:49 -------- d-----w- c:\users\Owner\AppData\Roaming\vlc
2009-11-21 06:40 . 2009-12-09 14:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 14:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 14:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 14:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:37 . 2009-11-17 00:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 00:37 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 00:36 . 2009-11-17 00:36 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-13 06:16 . 2009-11-13 06:16 -------- d-----w- c:\program files\CCleaner
2009-11-09 14:05 . 2007-11-04 23:21 -------- d-----w- c:\program files\Java
2009-11-06 18:59 . 2009-11-06 18:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 18:59 . 2009-11-06 18:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-01 20:34 . 2008-03-25 05:22 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-31 05:07 . 2009-10-31 05:06 -------- d-----w- c:\program files\iTunes
2009-10-31 05:07 . 2009-10-31 05:07 -------- d-----w- c:\program files\iPod
2009-10-31 05:06 . 2009-09-12 04:50 -------- d-----w- c:\program files\Common Files\Apple
2009-10-31 05:06 . 2009-09-12 04:50 -------- d-----w- c:\programdata\Apple Computer
2009-10-31 04:54 . 2009-10-31 04:54 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 14:19 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 12:17 . 2008-12-11 02:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08 . 2009-11-17 00:33 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-17 00:33 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-17 00:33 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02 . 2009-11-17 00:34 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-17 00:34 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 00:34 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-17 00:34 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-17 00:34 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 00:34 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-17 00:34 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-17 00:34 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-17 00:34 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-17 00:34 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-17 00:34 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-17 00:34 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-09-30 22:58 . 2008-01-26 01:47 9576 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL
2008-04-24 03:04 . 2007-11-22 17:24 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-04-24 03:04 . 2007-11-22 17:24 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-04-24 03:04 . 2007-11-22 17:24 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-04-24 03:04 . 2007-11-22 17:24 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-04-24 03:04 . 2007-11-22 17:24 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-06-17 03:30 . 2008-06-17 03:26 24 --sha-w- c:\windows\SBAB25611.tmp
2006-05-03 09:06 . 2008-12-08 15:14 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-02-21 10:47 . 2008-12-08 15:14 31232 --sh--r- c:\windows\System32\msfDX.dll
2008-03-16 12:30 . 2008-12-08 15:14 216064 --sh--r- c:\windows\System32\nbDX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-28_23.49.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-12-28 23:38 . 2009-12-28 23:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-29 02:45 . 2009-12-29 02:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-28 23:38 . 2009-12-28 23:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-29 02:45 . 2009-12-29 02:45 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-28 14:26 . 2009-12-29 00:35 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-01-28 14:26 . 2009-12-28 23:18 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-07 4608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Mouse Suite 98 Daemon"="ICO.EXE" [2006-10-23 56128]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-11-18 827904]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-10-03 6335008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-24 185872]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-18 68592]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-8-7 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk
backup=c:\windows\pss\GamersFirst LIVE!.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 03:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f6,5e,7b,9c,6a,3d,ca,01
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20091217.001\IDSvix86.sys [18/12/2009 3:24 PM 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 5:47 PM 149352]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [26/12/2009 10:51 AM 1153368]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\System32\drivers\l160x86.sys [27/04/2009 12:55 AM 47104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [16/12/2009 7:17 AM 102448]
R3 NmPar;MosChip PCI Parallel Port;c:\windows\System32\drivers\NmPar.sys [28/11/2007 5:02 PM 81408]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [05/02/2008 11:34 AM 41008]
R3 UsbFltr;WayTech USB Filter Driver1;c:\windows\System32\drivers\UsbFltr.sys [09/04/2007 9:50 AM 9600]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [06/02/2009 6:35 PM 716272]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [12/01/2008 6:32 PM 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [04/06/2008 8:26 AM 21504]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\progra~1\PLE200\PLCNDIS5.SYS [05/07/2008 11:27 AM 17280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ca2gbdoj.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 1\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 1\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ca2gbdoj.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 18:56
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2675066249-46245194-1688890379-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:14,5b,b5,f0,a4,01,bb,b5,fc,a2,b8,76,18,21,a3,2f,26,1a,e9,19,42,d2,d2,
ea,cb,39,73,23,ab,11,80,09,1d,59,f9,1c,0f,8e,e6,b0,92,9d,cf,b4,cc,f0,14,6f,\
"??"=hex:00,57,a3,77,bf,cd,64,0f,ab,2a,26,76,ad,c4,be,c1
[HKEY_USERS\S-1-5-21-2675066249-46245194-1688890379-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:3d,89,2e,de,6d,54,31,6d,cd,c0,37,f7,c1,a8,86,66,5f,2c,9e,65,e4,
0c,f9,44,ec,01,6e,8d,ba,c1,7b,6d,b8,71,97,3e,97,ab,8a,37,70,75,1e,04,45,a6,\
"rkeysecu"=hex:d0,54,60,20,22,85,94,72,a5,d1,6e,e5,87,be,30,47
.
Completion time: 2009-12-28 18:59:14
ComboFix-quarantined-files.txt 2009-12-29 02:59
ComboFix2.txt 2009-12-28 23:51
Pre-Run: 149,994,385,408 bytes free
Post-Run: 149,941,858,304 bytes free
- - End Of File - - C0DF9FCF2BB3E7BAAF7A2A86B5A3EF59
and the DDS .txt file:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 19:02:07.74 on 28/12/2009
Internet Explorer: 8.0.6001.18865 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2046.1047 [GMT -8:00]
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton AntiVirus *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
================= FIREFOX ===================
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ca2gbdoj.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox 3 beta 1\plugins\NPTURNMED.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ca2gbdoj.default\extensions\flashplugin@idm\platform\winnt\plugins\npidmdcp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3 beta 1\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3 beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20091217.001\IDSvix86.sys [2009-12-18 286768]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-26 1153368]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2009-4-27 47104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-16 102448]
R3 NmPar;MosChip PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2007-11-28 81408]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-2-5 41008]
R3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\drivers\UsbFltr.sys [2007-4-9 9600]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-4 21504]
S3 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\progra~1\ple200\PLCNDIS5.SYS [2008-7-5 17280]
S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2009-12-16 1245064]
=============== Created Last 30 ================
2009-12-29 02:59:18 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-29 02:43:51 0 d-----w- C:\ComboFix
2009-12-29 00:40:53 0 d-----w- C:\HostsXpert
2009-12-28 23:38:58 98816 ----a-w- c:\windows\sed.exe
2009-12-28 23:38:58 77312 ----a-w- c:\windows\MBR.exe
2009-12-28 23:38:58 261632 ----a-w- c:\windows\PEV.exe
2009-12-28 23:38:58 161792 ----a-w- c:\windows\SWREG.exe
2009-12-28 21:43:43 293376 ----a-w- C:\ccnywecq.exe
2009-12-27 20:37:52 0 d-----w- c:\program files\Trend Micro
2009-12-26 18:51:09 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-26 18:51:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-26 16:48:53 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2009-12-26 16:48:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-26 16:48:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-26 16:48:48 0 d-----w- c:\programdata\Malwarebytes
2009-12-26 16:48:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 04:08:07 0 d-----w- c:\programdata\Electronic Arts
2009-12-24 03:24:40 0 d-----w- C:\CPKHOME
2009-12-24 03:24:40 0 d-----w- C:\CPKDATA
2009-12-16 15:03:26 0 d-----w- c:\program files\Norton AntiVirus
2009-12-16 15:02:51 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-16 15:02:51 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-16 15:02:51 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-16 15:02:44 0 d-----w- c:\program files\Symantec
2009-12-16 14:15:21 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-16 06:03:59 0 d-----w- c:\programdata\PCSettings
2009-12-16 02:44:03 0 d-----w- c:\programdata\Norton
2009-12-09 15:08:45 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 15:08:44 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 15:08:44 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 14:22:18 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 14:13:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-07 03:59:38 167948 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-01 02:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-01 02:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
==================== Find3M ====================
2009-12-16 15:03:56 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-16 15:03:56 143360 ----a-w- c:\windows\inf\infstor.dat
2009-12-16 15:03:55 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:37:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 00:36:39 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-06 18:59:54 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 18:59:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2008-06-04 17:13:15 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
============= FINISH: 19:02:30.80 ===============
I still see a Google redirection among the search results though everything else seems fine.
IndiGenus
2009-12-29, 06:33
Let's see if you can clear this up manually.
We need to make sure all hidden files are showing so please:
1. Close all programs so that you are at your desktop.
2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
3. Click on the Control Panel menu option.
4. When the control panel opens you can either be in Classic View or Control Panel Home view:
If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.
Go to step 5.
If you are in the Control Panel Home view do the following:
Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Go to step 5.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now Windows Vista is configured to show all hidden files.
Reboot your computer in Safe Mode by restarting your computer and tap the F8 key just before Windows starts to load. This will bring up the Advanced Options Menu.
Select option to run Windows in Safe Mode, then press Enter.
Select the Operating System that you would like to start and press Enter (note: if there is only one simply press Enter).
Open Windows explorer to the folder: C:\Windows\System32\Drivers\etc
Right click on HOSTS (it should have no file extension) and select Properties
Security tab
Make sure you as a user, and/or "Administrator", have full permissions on the file. If not, change the permissions to Full.
Using Notepad open C:\windows\system32\drivers\ETC\hosts
Delete all entries in that file except for:
127.0.0.1 localhost
Save the file and close it, then reboot to normal mode and let me know how you made out.
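The manual steps above amount to one check: every line in HOSTS other than the loopback "localhost" mapping is a candidate redirector entry. The script below is an added example (not code from the thread or from any of the tools mentioned in it) that performs that check as a parser, so the offending lines can be listed before anything is deleted, and that produces the cleaned contents the instructions call for. It also reports the read-only attribute, which is what blocked the save in the user's case. The hosts file contents embedded in it are constructed for illustration; the hostnames and the 203.0.113.5 address are documentation placeholders, not values from the thread. One assumption beyond the post: the IPv6 line "::1 localhost", which a clean Vista hosts file normally also carries, is treated as benign.

```python
"""Audit a Windows HOSTS file for entries other than the loopback defaults.

Added example, not from the forum thread. A hosts-file redirector works by
mapping a legitimate name (a search engine, an AV vendor) to an address the
attacker controls, or to loopback so the site becomes unreachable; the audit
flags both patterns and the cleaner keeps only the loopback localhost lines.
"""
import os
import stat
import sys

# Loopback mappings a clean Windows hosts file may legitimately contain.
# (Assumption: Vista's default file has both the IPv4 and the IPv6 line.)
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost"}

# Constructed sample: two legitimate lines followed by two of the kind a
# redirector leaves behind. Addresses/names are placeholders, not real IoCs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# Sample HOSTS file, constructed for this example.
127.0.0.1       localhost
::1             localhost
# --- constructed entries of the kind a redirector leaves behind ---
203.0.113.5     www.google.com  google.com
127.0.0.1       www.example-av-vendor.invalid
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active mapping line.

    '#' starts a comment to end of line; blank lines are skipped; fields are
    whitespace-separated, which is how the Windows resolver reads the file.
    """
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname maps nothing
        yield n, fields[0], fields[1:]


def audit_hosts(text):
    """Return (ok_lines, suspicious_lines) as lists of (line_no, addr, names).

    A line is suspicious when it maps any hostname to a non-loopback address
    (redirection) or maps a name other than localhost to loopback (blocking).
    """
    ok, suspicious = [], []
    for entry in parse_hosts(text):
        _, addr, names = entry
        if addr in LOOPBACK_ADDRS and all(h.lower() in LOOPBACK_NAMES for h in names):
            ok.append(entry)
        else:
            suspicious.append(entry)
    return ok, suspicious


def clean_hosts(text):
    """Return the file contents with only comments, blank lines and the
    loopback localhost mappings kept: the end state the manual steps produce."""
    keep = {n for n, _, _ in audit_hosts(text)[0]}
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body or n in keep:
            out.append(raw)
    return "\n".join(out) + "\n"


def is_read_only(path):
    """True if the file carries the Windows read-only attribute (the thing
    that blocked the save in the thread). Always False on non-Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]; with no path, the sample is audited.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
        print("read-only attribute set:", is_read_only(path))
    else:
        text = SAMPLE_HOSTS
    ok, bad = audit_hosts(text)
    print(f"{len(ok)} loopback line(s), {len(bad)} suspicious line(s)")
    for n, addr, names in bad:
        print(f"  line {n}: {addr} -> {' '.join(names)}")
```

The script only reads the file; replacing HOSTS with `clean_hosts()` output still requires the permission and read-only changes described above, and on Vista an elevated process, which is why the thread does it from Safe Mode by hand.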
garyoak99
2009-12-29, 07:55
I did as instructed but then it told me that it was a read-only file. So, then I went back to the properties tab, unchecked the read-only box and then successfully saved it.
It looks like that did it! Thank you! :D:
IndiGenus
2009-12-29, 15:58
I did as instructed but then it told me that it was a read-only file. So, then I went back to the properties tab, unchecked the read-only box and then successfully saved it.
It looks like that did it! Thank you! :D:
Great! Nice job. :rockon:
I would suggest you update and run MalwareBytes again if you haven't already done so. Post the log if anything is found.
~~~~~~~~~~~~~~~
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New DDS log taken after the above scan has run