Regedit virus
Demetrius
2010-03-16, 17:30
My computer is infected with a regedit virus. I had to uninstall Spybot because it no longer opened, despite clicking on its icon. I repeatedly tried to uninstall Amazon Unbox (in case you wanted me to), but it will not go away from the programs list.
Erunt registry backup done.
Here is my uninstall list:
AbiWord 2.6.8
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere 6.0
Adobe Reader 9.1
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Amazon Unbox Video
Apple Application Support
Apple Software Update
Aspell 0.6 Dictionary (Language: en)
Aspell Data
BitZipper 2009
BitZipperSearch Toolbar
Browser Highlighter - Firefox
Canon MX850 series
CD-LabelPrint
Cleaner 5 EZ
Compatibility Pack for the 2007 Office system
Corel WinDVD 9
Dasher
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Dragon NaturallySpeaking 9
DVD Decrypter (Remove Only)
ERUNT 1.1j
FileZilla Client 3.3.0.1
Final Draft 7
GIMP 2.6.6
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Impression DVD SE
Java(TM) 6 Update 13
Junk Mail filter update
LeechFTP
LyX 1.6.2-1
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Small Business
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
MiKTeX 2.7
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Driver
OpenOffice.org 3.1
PestPatrol Upgrade
Picture Resize Genius 2.9.5
QuickTime
Rainlendar2 (remove only)
RealOne Player
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype™ 4.1
SpywareBlaster 4.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC 9.0 Runtime
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6e
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.1
ZoneAlarm Security Suite
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:51 PM, on 3/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\tbh\base\bin\tbhSystray.exe
C:\WINDOWS\system32\C10E1A\A9DA21.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\tbh\base\bin\tbhDaemon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\J\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: BitZipperSearch Toolbar - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - C:\Program Files\BitZipperSearch\tbBit1.dll
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BitZipperSearch Toolbar - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - C:\Program Files\BitZipperSearch\tbBit1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitZipperSearch Toolbar - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - C:\Program Files\BitZipperSearch\tbBit1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LaunchList] C:\Program Files\Pinnacle\DV500\LaunchList.exe
O4 - HKLM\..\Run: [tbhSystray] C:\Program Files\tbh\base\bin\tbhSystray.exe
O4 - HKLM\..\Run: [A9DA21] C:\WINDOWS\system32\C10E1A\A9DA21.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: A9DA21.lnk = C:\WINDOWS\system32\C10E1A\A9DA21.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Documents and Settings\J\Desktop\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Amazon Unbox.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: The Browser Highlighter Monitor (tbhMonitor.exe) - Unknown owner - C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 10181 bytes
P.S. I also have the "Task manager disabled by the administrator" virus, and some programs no longer open, saying "Error while unpacking program, code LP5. Please report to author"
Your help would be greatly appreciated -- thanks! :-)
-------------------------
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
Download GMER (http://www.gmer.net) by clicking the Download EXE button and saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the Show All box while the scan is in progress!
When the scan is finished, click Copy. This copies the log to the clipboard.
Post the log in your reply (if the log is long, archive it into a zip file and attach it instead of posting).
Demetrius
2010-03-20, 15:39
Many thanks for helping me! Find the 3 logs below.
--------------------------------
DDS log:
DDS (Ver_10-03-17.01) - NTFSx86
Run by J at 17:13:06.78 on Fri 03/19/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.421 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\tbh\base\bin\tbhDaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\tbh\base\bin\tbhSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\C10E1A\A9DA21.EXE
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\J\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [PPMemCheck] c:\progra~1\pestpa~1\PPMemCheck.exe
mRun: [CookiePatrol] c:\progra~1\pestpa~1\CookiePatrol.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LaunchList] c:\program files\pinnacle\dv500\LaunchList.exe
mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
mRun: [A9DA21] c:\windows\system32\c10e1a\A9DA21.EXE
mRun: [CheckPoint Cleanup] c:\docume~1\j\locals~1\temp\cpes_clean_launcher.exe c:\docume~1\j\locals~1\temp\cpes_clean.exe -final -s -noreboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\j\startm~1\programs\startup\a9da21.lnk - c:\windows\system32\c10e1a\A9DA21.EXE
StartupFolder: c:\docume~1\j\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\j\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking9\program\natspeak.exe
StartupFolder: c:\docume~1\j\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\j\desktop\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\j\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\j\application data\mozilla\firefox\profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\j\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\j\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ohgmkq.sys --> c:\windows\system32\drivers\ohgmkq.sys [?]
=============== Created Last 30 ================
2010-03-20 00:09:32 0 d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2010-03-18 05:29:08 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-03-17 05:23:40 0 d-----w- C:\Amazon Unbox
2010-03-16 07:28:53 4439 ----a-w- c:\documents and settings\j\.recently-used.xbel
2010-03-16 00:39:10 0 d-----w- c:\program files\common files\Macromedia Shared
2010-03-13 03:04:01 1551 ----a-w- c:\windows\UnSetupPestPatrolBeta.mif
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\4190E2
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\272113
==================== Find3M ====================
2010-03-18 07:08:47 2034 ----a-w- c:\docume~1\j\applic~1\SAS7_000.DAT
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-05-01 05:47:02 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10:31 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-06 21:26:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
============= FINISH: 17:13:44.60 ===============
DDS "attach" log:
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/23/2009 12:16:04 AM
System Uptime: 3/19/2010 5:10:56 PM (0 hours ago)
Motherboard: Intel Corporation | | D845EPT2
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | X1 | 1993/100mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 12.572 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 73 GiB total, 52.931 GiB free.
G: is FIXED (NTFS) - 112 GiB total, 93.99 GiB free.
I: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7146&SUBSYS_000F11BD&REV_01\5&BD31167&0&2060F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7146&SUBSYS_000F11BD&REV_01\5&BD31167&0&2060F0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_123F&DEV_8120&SUBSYS_000F11BD&REV_B1\5&BD31167&0&4060F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_123F&DEV_8120&SUBSYS_000F11BD&REV_B1\5&BD31167&0&4060F0
Service:
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX850 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX850 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
==== System Restore Points ===================
RP149: 3/12/2010 7:04:00 PM - Uninstall PestPatrol Upgrade
RP150: 3/16/2010 4:27:46 AM - System Checkpoint
RP151: 3/15/2010 5:37:43 PM - Installed Dreamweaver MX 2004
RP152: 3/15/2010 5:39:03 PM - Installed Extension Manager
RP153: 3/16/2010 1:58:51 PM - Configured Amazon Unbox Video
RP154: 3/16/2010 2:05:02 PM - Configured Amazon Unbox Video
RP155: 3/17/2010 5:22:02 PM - System Checkpoint
==== Installed Programs ======================
AAC Decoder
AbiWord 2.6.8
Acrobat.com
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere 6.0
Adobe Reader 9.1
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Amazon Unbox Video
Apple Application Support
Apple Software Update
Aspell 0.6 Dictionary (Language: en)
Aspell Data
AutoUpdate
BitZipper 2009
BitZipperSearch Toolbar
Browser Highlighter - Firefox
Canon MX850 series
CD-LabelPrint
Cleaner 5 EZ
Compatibility Pack for the 2007 Office system
Corel WinDVD 9
Dasher
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dragon NaturallySpeaking 9
DVD Decrypter (Remove Only)
ERUNT 1.1j
FileZilla Client 3.3.0.1
Final Draft 7
GIMP 2.6.6
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Impression DVD SE
Java(TM) 6 Update 13
Junk Mail filter update
LeechFTP
LyX 1.6.2-1
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Small Business
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MiKTeX 2.7
MKV Splitter
Move Media Player
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Driver
OpenOffice.org 3.1
PestPatrol Upgrade
Picture Resize Genius 2.9.5
QuickTime
Rainlendar2 (remove only)
RealOne Player
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype™ 4.1
SpywareBlaster 4.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6e
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.1
ZoneAlarm Security Suite
==== Event Viewer Messages From Past Week ========
3/12/2010 12:46:26 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
3/12/2010 11:41:00 PM, error: Service Control Manager [7034] - The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).
3/12/2010 11:40:52 PM, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for DeleteFlag with the following error: Access is denied.
==== End Of File ===========================
GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 21:25:40
Windows 5.1.2600 Service Pack 3
Running: tombjh9j.exe; Driver: C:\DOCUME~1\J\LOCALS~1\Temp\kwrdapow.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF68D9340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]
? C:\WINDOWS\system32\drivers\ohgmkq.sys The system cannot find the file specified. !
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 003AB390
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 003AB1A3
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 003A6BCE
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 003A77A7
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 003A9551
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 003A7F73
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 003A798C
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 003A8DCC
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 003AAA37
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 003AAA67
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 003AB5AA
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 003AA791
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 003A94E1
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 003A8633
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 003A7D87
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 003A82CF
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 003AB8D6
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 003A8FCB
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 003A93DD
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 003A9B20
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 003A9810
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 003A9ACE
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 003AA10D
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 003A9C18
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 003A7B9B
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 003A8588
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 003AAB12
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 003A98D2
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 003A9494
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 003A9208
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 003A95E1
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 003AB5B6
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 003A97A7
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 003AB73B
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 003AB709
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 003AB85E
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 003AB8BA
IAT C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe[2180] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 003AB7A7
---- EOF - GMER 1.0.15 ----
Hi,
Thanks for the logs.
Please visit this webpage for download links, and instructions for running ComboFix tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
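Editor's note, added to this thread and not part of any poster's reply: the checks a helper applies by eye to the DDS and GMER logs above (a driver service whose image file is missing, hidden directories under system32 with six-character hex names) and to the ComboFix log further down (an autorun pointing into one of those directories, the DisableTaskMgr/DisableRegistryTools policy values behind the "regedit" symptom, the Security Center overrides and the disabled firewall profile) can be scripted. The Python below runs those checks over lines copied from the logs in this thread plus one constructed benign service line. The finding categories, the hex-name heuristic and the `triage()` function are this example's own choices, not output or features of DDS, GMER or ComboFix.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Sample log fragments. The DDS/GMER lines are copied from the logs posted
# above in this thread and the registry lines from the ComboFix log posted
# later; the "regi" service line is constructed as a benign negative case.
SAMPLE_LOG = r"""
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ohgmkq.sys --> c:\windows\system32\drivers\ohgmkq.sys [?]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
2010-03-18 05:29:08 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\4190E2
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\272113
2009-05-06 21:26:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
? C:\WINDOWS\system32\drivers\ohgmkq.sys The system cannot find the file specified. !
"A9DA21"="c:\windows\system32\C10E1A\A9DA21.EXE" [2010-03-11 1505299]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

# DDS "Created Last 30"/"Find3M" file line: date time size attrs path
DDS_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([a-z-]{8})\s+(.+)$")
# DDS service line: R3 name;display;image [--> resolved] [stamp]; "[?]" means DDS could not read the image
DDS_SVC_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*?)(?: --> (\S+))? \[([^\]]*)\]$")
# GMER kernel-section line for a driver whose file is absent on disk
GMER_MISSING_RE = re.compile(r"^\? (\S+) The system cannot find the file specified\. !$")
# ComboFix Run-key entry: "value"="path" [date size]
AUTORUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[')
# Heuristic (this example's own): a directory directly under system32 named by six hex digits
HEX_DIR_RE = re.compile(r"\\windows\\system32\\[0-9a-f]{6}(?:\\|$)", re.I)
LOCKDOWN_RE = re.compile(r'^"(DisableTaskMgr|DisableRegistryTools)"\s*=\s*1\b')
SECCENTER_RE = re.compile(
    r'^"((?:AntiVirus|Firewall|Updates)(?:Override|DisableNotify))"=dword:00000001$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def norm(path):
    """Lower-case a path and drop the NT \\??\\ prefix so DDS and GMER spellings compare equal."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def triage(log_text):
    """Return a list of Finding(kind, detail) for the suspicious lines in a pasted log."""
    findings, missing, services = [], set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GMER_MISSING_RE.match(line)
        if m:
            missing.add(norm(m.group(1)))
            continue
        m = DDS_SVC_RE.match(line)
        if m:
            # Prefer the resolved path after "-->" when DDS printed one.
            services.append((m.group(1), norm(m.group(3) or m.group(2)), m.group(4)))
            continue
        m = DDS_FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # attrs[0] == "d" marks a directory; an "h" anywhere in the flags marks hidden.
            if attrs[0] == "d" and "h" in attrs and HEX_DIR_RE.search(path):
                findings.append(Finding("hidden-hex-dir", path))
            continue
        m = AUTORUN_RE.match(line)
        if m and HEX_DIR_RE.search(m.group(2)):
            findings.append(Finding("autorun-in-hex-dir", f"{m.group(1)} = {m.group(2)}"))
            continue
        m = LOCKDOWN_RE.match(line)
        if m:
            findings.append(Finding("lockdown-policy", m.group(1)))
            continue
        m = SECCENTER_RE.match(line)
        if m:
            findings.append(Finding("security-center-override", m.group(1)))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", "EnableFirewall=0"))
    # A service is suspect when DDS could not stat its image or GMER reported the file missing.
    for name, image, stamp in services:
        if stamp == "?" or image in missing:
            findings.append(Finding("service-missing-image", f"{name} -> {image}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Run against the sample, the script flags the four hidden hex-named directories, the A9DA21 autorun inside one of them, both lockdown policies, the two Security Center overrides, the disabled firewall profile and the abp470n5 service whose image is missing, while the ScanSoft directory, the index.dat file and the constructed regi service are left alone. Paste a whole DDS plus GMER plus ComboFix log in place of SAMPLE_LOG to triage a real case the same way; the hex-name heuristic is deliberately narrow, so treat its silence as no evidence either way.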
Demetrius
2010-03-24, 19:56
Many thanks! The Combofix and DDS logs are below.
ComboFix 10-03-23.03 - J 03/24/2010 13:05:21.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.375 [GMT -7:00]
Running from: c:\documents and settings\J\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\j\LOCALS~1\Temp\E_N4
c:\docume~1\j\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\j\LOCALS~1\Temp\E_N4\RegEx.fnr
c:\docume~1\j\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\j\LOCALS~1\Temp\E_N4\spec.fne
c:\documents and settings\j\Application Data\EurekaLog
C:\Thumbs.db
c:\windows\run.log
c:\windows\system32\272113
c:\windows\system32\272113\cnvpe.fne
c:\windows\system32\272113\dp1.fne
c:\windows\system32\272113\eAPI.fne
c:\windows\system32\272113\HtmlView.fne
c:\windows\system32\272113\internet.fne
c:\windows\system32\272113\krnln.fnr
c:\windows\system32\272113\RegEx.fnr
c:\windows\system32\272113\shell.fne
c:\windows\system32\272113\spec.fne
c:\windows\system32\Thumbs.db
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Legacy_ovfsthsdrxdoredwmnmmcxxsiabakawstdlgpa
-------\Service_abp470n5
-------\Service_ovfsthsdrxdoredwmnmmcxxsiabakawstdlgpa
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.
2010-03-24 20:13 . 2010-03-24 20:14 -------- d--h--w- c:\windows\system32\272113
2010-03-20 00:09 . 2010-03-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-17 05:23 . 2010-03-17 05:23 -------- d-----w- C:\Amazon Unbox
2010-03-16 00:40 . 2003-09-06 01:16 815104 ----a-w- c:\documents and settings\j\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2010-03-16 00:40 . 2003-09-06 01:16 757760 ----a-w- c:\documents and settings\j\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2010-03-16 00:39 . 2010-03-16 00:39 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2010-03-11 07:58 . 2010-03-11 08:13 -------- d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58 . 2010-03-11 07:58 -------- d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58 . 2010-03-11 07:58 -------- d--h--w- c:\windows\system32\4190E2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 06:36 . 2009-04-05 05:31 -------- d-----w- c:\documents and settings\j\Application Data\dvdcss
2010-03-24 06:13 . 2010-01-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-23 07:57 . 2009-03-28 06:22 2034 ----a-w- c:\documents and settings\j\Application Data\SAS7_000.DAT
2010-03-20 00:03 . 2009-05-01 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 21:02 . 2009-03-23 11:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:01 . 2009-03-23 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 07:28 . 2009-05-21 00:35 -------- d-----w- c:\documents and settings\j\Application Data\gtk-2.0
2010-03-16 00:39 . 2009-03-25 03:29 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-16 00:39 . 2009-03-25 03:26 -------- d-----w- c:\program files\Macromedia
2010-03-16 00:37 . 2009-03-24 00:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 03:18 . 2009-04-20 06:16 -------- d-----w- c:\program files\PestPatrol
2010-02-03 18:20 . 2009-05-11 00:17 -------- d-----w- c:\documents and settings\j\Application Data\Skype
2010-02-03 16:09 . 2009-05-11 00:18 -------- d-----w- c:\documents and settings\j\Application Data\skypePM
2010-02-02 22:21 . 2009-12-02 00:54 -------- d-----w- c:\program files\Cleaner 5 EZ
2010-01-30 12:53 . 2009-12-30 05:40 -------- d-----w- c:\documents and settings\j\Application Data\FileZilla
2010-01-30 04:32 . 2010-01-30 04:32 -------- d-----w- c:\program files\tbh
2010-01-30 04:31 . 2010-01-30 04:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-30 04:31 . 2009-05-11 00:16 -------- d-----r- c:\program files\Skype
2010-01-30 04:30 . 2010-01-30 04:30 -------- d-----w- c:\program files\Common Files\Skype
2010-01-30 04:30 . 2009-05-11 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-18 22:59 . 2009-11-10 23:53 79488 ----a-w- c:\documents and settings\j\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 12:26 . 2010-01-04 10:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 00:07 . 2009-05-06 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-05-06 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2009-11-21 02:01 2166296 ----a-w- c:\program files\BitZipperSearch\tbBit1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4411392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3953488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 811008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 220160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 113520]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 284200]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 151552]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 337448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 222616]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 491520]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-03-24 1049896]
"A9DA21"="c:\windows\system32\C10E1A\A9DA21.EXE" [2010-03-11 1505299]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 508824]
c:\documents and settings\j\Start Menu\Programs\Startup\
A9DA21.lnk - c:\windows\system32\C10E1A\A9DA21.EXE [2010-3-11 1505299]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2516584]
ERUNT AutoBackup.lnk - c:\documents and settings\j\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 465920]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2009-9-3 179304]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 152992]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 603464]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\PROGRA~1\\Nuance\\NATURA~1\\Program\\natspeak.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\WINDOWS\\system32\\C10E1A\\A9DA21.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\rndal.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\j\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\j\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\j\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\j\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-PPMemCheck - c:\progra~1\PESTPA~1\PPMemCheck.exe
HKLM-Run-CookiePatrol - c:\progra~1\PESTPA~1\CookiePatrol.exe
HKLM-Run-LaunchList - c:\program files\Pinnacle\DV500\LaunchList.exe
AddRemove-PestPatrol Upgrade - c:\progra~1\PESTPA~1\Logs\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 13:13
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\devldr32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2010-03-24 13:19:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-24 20:19
Pre-Run: 15,175,012,352 bytes free
Post-Run: 15,015,677,952 bytes free
- - End Of File - - DB591A0A1EE2DD4409C0003E326C2988
DDS (Ver_10-03-17.01) - NTFSx86
Run by J at 15:42:16.39 on Wed 03/24/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.456 [GMT -7:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\tbh\base\bin\tbhDaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\tbh\base\bin\tbhSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\C10E1A\A9DA21.EXE
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\j\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
mRun: [A9DA21] c:\windows\system32\c10e1a\A9DA21.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\j\startm~1\programs\startup\a9da21.lnk - c:\windows\system32\c10e1a\A9DA21.EXE
StartupFolder: c:\docume~1\j\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\j\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking9\program\natspeak.exe
StartupFolder: c:\docume~1\j\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\j\desktop\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\j\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\j\applic~1\mozilla\firefox\profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\j\application data\mozilla\firefox\profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\j\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\j\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
R3 abp470n5;abp470n5;c:\windows\system32\drivers\ohgmkq.sys [2010-3-24 5669]
=============== Created Last 30 ================
2010-03-24 22:38:44 5669 ----a-w- c:\windows\system32\drivers\ohgmkq.sys
2010-03-24 20:13:37 0 d--h--w- c:\windows\system32\272113
2010-03-24 20:04:32 98816 ----a-w- c:\windows\sed.exe
2010-03-24 20:04:32 77312 ----a-w- c:\windows\MBR.exe
2010-03-24 20:04:32 261632 ----a-w- c:\windows\PEV.exe
2010-03-24 20:04:32 161792 ----a-w- c:\windows\SWREG.exe
2010-03-24 08:00:30 4432 ----a-w- c:\documents and settings\j\.recently-used.xbel
2010-03-20 21:59:41 0 ----a-w- C:\123a0
2010-03-20 00:09:32 0 d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2010-03-18 05:29:08 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-03-17 05:23:40 0 d-----w- C:\Amazon Unbox
2010-03-16 00:39:10 0 d-----w- c:\program files\common files\Macromedia Shared
2010-03-13 03:04:01 1551 ----a-w- c:\windows\UnSetupPestPatrolBeta.mif
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\4190E2
==================== Find3M ====================
2010-03-23 07:57:44 2034 ----a-w- c:\docume~1\j\applic~1\SAS7_000.DAT
2009-05-01 05:47:02 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10:31 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-06 21:26:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
============= FINISH: 15:42:48.70 ===============
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
http://forums.spybot.info/showthread.php?p=365031#post365031
Collect::[76]
c:\windows\system32\drivers\ohgmkq.sys
File::
C:\123a0
Folder::
c:\windows\system32\272113
c:\windows\system32\C10E1A
c:\windows\system32\E777AA
c:\windows\system32\4190E2
DDS::
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A9DA21"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"UacDisableNotify"=dword:00000000
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows, disable protection software and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 18 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the Platform combobox and check the box that says: Accept License Agreement. Click Continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
Demetrius
2010-03-27, 23:09
I am posting new logs because my computer has acquired an additional virus and I thought I should post new logs before implementing the Combofix procedure you prescribed.
The additional symptoms are as follows:
- When I insert my USB drive into the computer, new folders keep getting created with names that are relevant to my own files. The trouble started when I clicked on a folder that I thought was mine but was actually a virus (the name tricked me very well).
- Malwarebytes now crashes after scanning approx. 3900 objects. I downloaded a fresh copy and installed it, but the scan cannot proceed beyond the first 4000 objects.
- I tried installing a fresh copy of Kaspersky antivirus. I installed it but it is not allowed to run. I click on the icon and nothing happens.
- ComboFix is not allowed to run. I downloaded a fresh copy and put it on the desktop, but it still will not run.
- The computer keeps trying to engage the floppy disk drive, which makes noises. I keep getting a persistent message that says "Windows -- no disk". The message is impossible to close.
I am attaching fresh DDS logs.
Thanks for your patience!
===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
==== Disk Partitions =========================
==== Disabled Device Manager Items =============
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
AAC Decoder
AbiWord 2.6.8
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere 6.0
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Amazon Unbox Video
Apple Application Support
Apple Software Update
Aspell 0.6 Dictionary (Language: en)
Aspell Data
AutoUpdate
BitZipper 2009
BitZipperSearch Toolbar
Browser Highlighter - Firefox
Canon MX850 series
CD-LabelPrint
Cleaner 5 EZ
Compatibility Pack for the 2007 Office system
Corel WinDVD 9
Dasher
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dragon NaturallySpeaking 9
DVD Decrypter (Remove Only)
ERUNT 1.1j
FileZilla Client 3.3.0.1
Final Draft 7
GIMP 2.6.6
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Impression DVD SE
Junk Mail filter update
Kaspersky Anti-Virus 2010
LeechFTP
LyX 1.6.2-1
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Small Business
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MiKTeX 2.7
MKV Splitter
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Driver
OpenOffice.org 3.1
Picture Resize Genius 2.9.5
QuickTime
Rainlendar2 (remove only)
RealOne Player
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype™ 4.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6e
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.1
==== End Of File ===========================
DDS (Ver_10-03-17.01) - NTFSx86
Run by Guest at 17:29:56.48 on Sat 03/27/2010
Internet Explorer: 6.0.2900.5512
============== Running Processes ===============
============== Pseudo HJT Report ===============
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
mStart Page = hxxp://www.yahoo.com
mWinlogon: Shell=explorer.exe, "c:\documents and settings\j\templates\85068\13485068.exe"
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [17154100] c:\windows\system32\340510867285l.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
mRun: [A9DA21] c:\windows\system32\c10e1a\A9DA21.EXE
mRun: [0068405] c:\windows\l077410.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\guest\startm~1\programs\startup\a9da21.lnk - c:\windows\system32\c10e1a\A9DA21.EXE
StartupFolder: c:\documents and settings\guest\start menu\programs\startup\adodb.cmd
StartupFolder: c:\windows\system32\73556a\c3405100.cmd
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2010-03-28 00:19:08 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17:21 0 d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-28 00:14:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-27 07:15:37 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2010-03-27 07:15:37 125952 --sha-w- c:\windows\system32\moonlight.scr
2010-03-27 07:15:37 125952 --sh--w- c:\windows\system32\340510867285l.exe
2010-03-27 07:15:37 125952 --sh--w- c:\windows\lsass.exe
2010-03-27 07:15:37 125952 --sh--w- c:\windows\l077410.exe
2010-03-27 07:15:37 125952 --sh--w- c:\windows\038672855.exe
2010-03-27 07:15:37 120 ----a-w- c:\windows\system32\crtsys.dll
2010-03-27 07:15:37 0 d-sh--r- c:\windows\57151
2010-03-27 07:15:37 0 d--h--w- c:\windows\system32\73556a
2010-03-24 20:13:37 0 d--h--w- c:\windows\system32\272113
2010-03-24 20:04:32 98816 ----a-w- c:\windows\sed.exe
2010-03-24 20:04:32 77312 ----a-w- c:\windows\MBR.exe
2010-03-24 20:04:32 261632 ----a-w- c:\windows\PEV.exe
2010-03-24 20:04:32 161792 ----a-w- c:\windows\SWREG.exe
2010-03-20 21:59:41 0 ----a-w- C:\123a0
2010-03-20 00:09:32 0 d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2010-03-18 05:29:08 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-03-17 05:23:40 0 d-----w- C:\Amazon Unbox
2010-03-16 00:39:10 0 d-----w- c:\program files\common files\Macromedia Shared
2010-03-13 03:04:01 1551 ----a-w- c:\windows\UnSetupPestPatrolBeta.mif
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58:32 0 d--h--w- c:\windows\system32\4190E2
==================== Find3M ====================
2009-05-01 05:47:02 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10:31 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\038672855.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\l077410.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\lsass.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\57151\bb178143l.com
2006-09-06 14:12:24 125952 --sha-w- c:\windows\57151\smss.exe
2006-09-06 14:12:24 125952 --sha-w- c:\windows\57151\system.exe
2008-04-14 13:42:02 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12:24 125952 --sh--w- c:\windows\system32\340510867285l.exe
2006-09-06 14:12:24 125952 --sha-w- c:\windows\system32\moonlight.scr
2008-04-14 13:42:02 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2006-09-06 14:12:24 125952 --sha-w- c:\windows\system32\73556a\c3405100.cmd
============= FINISH: 17:30:43.92 ===============
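The DDS listing above is easier to triage mechanically than by eye. What follows is an added example, not part of the original post and not code from the DDS tool: a Python script that parses lines in the shape DDS prints (date, time, size, attribute flags, path), using a sample constructed from lines like the ones above, and applies three defender heuristics: hidden or system executables under the Windows directory; well-known core binary names sitting outside the directory where Windows XP keeps the genuine copy (that table of expected locations is the script's own assumption); and groups of hidden executables sharing one size, which is what a dropper copying a single body under many names looks like in a listing.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the DDS "Created Last 30" listing:
# "date time size attribute-flags path". Attribute letters as DDS prints
# them: d=directory, s=system, h=hidden, a=archive, r=read-only, w=writable.
SAMPLE_DDS_LINES = [
    r"2010-03-28 00:19:08 95259 ----a-w- c:\windows\system32\drivers\klick.dat",
    r"2010-03-27 07:15:37 1384479 --sha-r- c:\windows\system\msvbvm60.dll",
    r"2010-03-27 07:15:37 125952 --sha-w- c:\windows\system32\moonlight.scr",
    r"2010-03-27 07:15:37 125952 --sh--w- c:\windows\system32\340510867285l.exe",
    r"2010-03-27 07:15:37 125952 --sh--w- c:\windows\lsass.exe",
    r"2010-03-27 07:15:37 125952 --sh--w- c:\windows\l077410.exe",
    r"2010-03-27 07:15:37 120 ----a-w- c:\windows\system32\crtsys.dll",
    r"2010-03-27 07:15:37 0 d-sh--r- c:\windows\57151",
    r"2010-03-27 07:15:37 0 d--h--w- c:\windows\system32\73556a",
    r"2010-03-24 20:04:32 98816 ----a-w- c:\windows\sed.exe",
    r"2010-03-16 00:39:10 0 d-----w- c:\program files\common files\Macromedia Shared",
]

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([d-][-a-z]{7})\s+(.+)$"
)

# Assumed table: directory that holds the genuine copy of each core binary on
# Windows XP; a file with one of these names anywhere else is a masquerade candidate.
CORE_BINARY_HOME = {
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
EXEC_EXT = (".exe", ".scr", ".com", ".cmd", ".bat", ".pif", ".dll")
GENERATED_NAME = re.compile(r"[0-9a-f]+")   # heuristic: names like 57151, 73556a


def parse_dds_line(line):
    """Split one DDS file line into its fields; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp, size, attrs, path = m.groups()
    return {
        "stamp": stamp,
        "size": int(size),
        "is_dir": attrs[0] == "d",
        "system": "s" in attrs,
        "hidden": "h" in attrs,
        "path": path.lower(),
    }


def triage(lines):
    """Return {'findings': [(path, reason), ...], 'clone_families': {size: [paths]}}."""
    findings = []
    by_size = defaultdict(list)
    for entry in filter(None, map(parse_dds_line, lines)):
        folder, _, name = entry["path"].rpartition("\\")
        stealthy = entry["hidden"] or entry["system"]
        if entry["is_dir"]:
            # Hidden or system directory with a generated-looking name under %windir%.
            if stealthy and folder.startswith(r"c:\windows") and GENERATED_NAME.fullmatch(name):
                findings.append((entry["path"], "hidden directory with generated name"))
            continue
        if stealthy and name.endswith(EXEC_EXT):
            # Legitimate installers rarely drop hidden+system executables.
            findings.append((entry["path"], "hidden/system executable"))
            by_size[entry["size"]].append(entry["path"])
        home = CORE_BINARY_HOME.get(name)
        if home and folder != home:
            findings.append((entry["path"], "core binary name outside " + home))
    # Several hidden executables of identical size written in the same run point
    # to a dropper copying one body under many names (the 125952-byte set here).
    clone_families = {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= 3}
    return {"findings": findings, "clone_families": clone_families}


if __name__ == "__main__":
    result = triage(SAMPLE_DDS_LINES)
    for path, reason in result["findings"]:
        print("%-45s %s" % (reason, path))
    for size, paths in result["clone_families"].items():
        print("%d-byte clone family: %d files" % (size, len(paths)))
```

On the sample the script flags the two hidden numbered directories, the five hidden executables, the `lsass.exe` copy that lives in `c:\windows` rather than `system32`, and one clone family of four 125952-byte files; the Kaspersky data files and the legitimate `sed.exe` are left alone. The heuristics are deliberately coarse: they rank what to look at first, they do not decide what is malicious.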
Hi,
It sounds like you have a flash infection on that external drive. Don't plug it into other systems, to make sure those don't get infected too.
Combofix is not allowed to run. I downloaded a fresh copy and put it in the desktop, but it still will not run.
What does it do when you try to run it?
Demetrius
2010-03-29, 16:56
When I try to run Combofix a message pops up saying "Combofix has encountered a problem and needs to close. We are sorry about the inconvenience."
What should I do?
Thanks!
Hi,
Let's try a different way.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Download Combofix from any of the links below. You must rename it (use Demetrius.exe as the name) before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------
Double click on Demetrius.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt.
Note:
Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Demetrius
2010-03-30, 15:50
The trick worked -- thanks!
Here is the Combofix log. The EXE files called "porn", "foto" and "data" are the ones that appeared from nowhere.
Thanks again!
ComboFix 10-03-28.03 - Ed 03/29/2010 22:45:07.7.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.318 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\Demetrius.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Ed\LOCALS~1\Temp\E_N4
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\RegEx.fnr
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\spec.fne
c:\windows\038672855.exe
c:\windows\lsass.exe
c:\windows\MooNlight.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\272113
c:\windows\system32\272113\cnvpe.fne
c:\windows\system32\272113\dp1.fne
c:\windows\system32\272113\eAPI.fne
c:\windows\system32\272113\HtmlView.fne
c:\windows\system32\272113\internet.fne
c:\windows\system32\272113\krnln.fnr
c:\windows\system32\272113\RegEx.fnr
c:\windows\system32\272113\shell.fne
c:\windows\system32\272113\spec.fne
c:\windows\system32\crtsys.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.
2010-03-30 05:53 . 2010-03-30 05:54 -------- d--h--w- c:\windows\system32\272113
2010-03-30 05:53 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\016276534852l.exe
2010-03-30 05:53 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l644166.exe
2010-03-30 05:53 . 2006-09-06 14:12 125952 --sh--w- c:\windows\035348525.exe
2010-03-30 05:53 . 2010-03-30 05:53 -------- d-sh--r- c:\windows\24627
2010-03-30 05:53 . 2010-03-30 05:53 -------- d--h--w- c:\windows\system32\40223a
2010-03-30 05:53 . 2008-04-14 13:42 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2010-03-28 00:29 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\New Folder(2).exe
2010-03-28 00:29 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Guest Porn.exe
2010-03-28 00:19 . 2010-03-28 00:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19 . 2010-03-28 00:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-28 00:14 . 2010-03-28 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-20 00:09 . 2010-03-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-18 05:29 . 2010-03-29 18:12 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-17 05:23 . 2010-03-17 05:23 -------- d-----w- C:\Amazon Unbox
2010-03-16 00:40 . 2003-09-06 01:16 815104 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2010-03-16 00:40 . 2003-09-06 01:16 757760 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2010-03-16 00:39 . 2010-03-30 05:40 -------- d-----w- c:\program files\Common Files\Macromedia Shared
2010-03-11 07:58 . 2010-03-11 08:13 -------- d--h--w- c:\windows\system32\C10E1A
2010-03-11 07:58 . 2010-03-11 07:58 -------- d--h--w- c:\windows\system32\E777AA
2010-03-11 07:58 . 2010-03-11 07:58 -------- d--h--w- c:\windows\system32\4190E2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 05:40 . 2009-03-23 21:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 00:47 . 2009-04-07 08:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-30 00:47 . 2009-04-04 01:30 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-03-29 18:08 . 2010-01-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-29 08:40 . 2009-03-28 06:22 1914 ----a-w- c:\documents and settings\Ed\Application Data\SAS7_000.DAT
2010-03-28 00:22 . 2009-05-06 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 07:32 . 2009-03-25 08:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-26 06:30 . 2009-04-05 05:31 -------- d-----w- c:\documents and settings\Ed\Application Data\dvdcss
2010-03-20 00:03 . 2009-05-01 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 21:02 . 2009-03-23 11:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:01 . 2009-03-23 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 07:28 . 2009-05-21 00:35 -------- d-----w- c:\documents and settings\Ed\Application Data\gtk-2.0
2010-03-16 00:39 . 2009-03-25 03:29 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-16 00:39 . 2009-03-25 03:26 -------- d-----w- c:\program files\Macromedia
2010-03-16 00:37 . 2009-03-24 00:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 03:18 . 2009-04-20 06:16 -------- d-----w- c:\program files\PestPatrol
2010-02-03 18:20 . 2009-05-11 00:17 -------- d-----w- c:\documents and settings\Ed\Application Data\Skype
2010-02-03 16:09 . 2009-05-11 00:18 -------- d-----w- c:\documents and settings\Ed\Application Data\skypePM
2010-02-02 22:21 . 2009-12-02 00:54 -------- d-----w- c:\program files\Cleaner 5 EZ
2010-01-30 12:53 . 2009-12-30 05:40 -------- d-----w- c:\documents and settings\Ed\Application Data\FileZilla
2010-01-30 04:32 . 2010-01-30 04:32 -------- d-----w- c:\program files\tbh
2010-01-30 04:31 . 2010-01-30 04:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-30 04:31 . 2009-05-11 00:16 -------- d-----r- c:\program files\Skype
2010-01-30 04:30 . 2010-01-30 04:30 -------- d-----w- c:\program files\Common Files\Skype
2010-01-30 04:30 . 2009-05-11 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-18 22:59 . 2009-11-10 23:53 79488 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 12:26 . 2010-01-04 10:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 23:07 . 2009-05-06 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-05-06 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-06 14:12 . 2010-03-30 05:53 125952 --sh--w- c:\windows\035348525.exe
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sh--w- c:\windows\l077410.exe
2006-09-06 14:12 . 2010-03-30 05:53 125952 --sh--w- c:\windows\l644166.exe
2006-09-06 14:12 . 2010-03-30 05:53 125952 --sh--w- c:\windows\24627\bb745710l.com
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sh--w- c:\windows\57151\bb178143l.com
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\57151\smss.exe
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\57151\system.exe
2008-04-14 13:42 . 2010-03-30 05:53 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12 . 2010-03-30 05:53 125952 --sh--w- c:\windows\system32\016276534852l.exe
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sh--w- c:\windows\system32\340510867285l.exe
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\system32\moonlight.scr
2008-04-14 13:42 . 2001-08-18 12:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\system32\73556a\c3405100.cmd
.
((((((((((((((((((((((((((((( SnapShot@2010-03-24_20.13.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-30 05:45 . 2010-03-30 05:45 16384 c:\windows\temp\Perflib_Perfdata_d0c.dat
+ 2010-03-30 05:53 . 2010-03-30 05:53 16384 c:\windows\temp\Perflib_Perfdata_970.dat
+ 2001-08-18 12:00 . 2010-03-30 05:42 67516 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-03-24 19:55 67516 c:\windows\system32\perfc009.dat
+ 2009-09-10 01:01 . 2009-09-10 01:01 27675 c:\windows\system32\drivers\klopp.dat
+ 2009-10-03 01:39 . 2009-10-03 01:39 19472 c:\windows\system32\drivers\klmouflt.sys
+ 2009-09-14 20:42 . 2009-09-14 20:42 32272 c:\windows\system32\drivers\klim5.sys
+ 2009-10-15 03:18 . 2009-10-15 03:18 36880 c:\windows\system32\drivers\klbg.sys
+ 2010-03-27 07:15 . 2006-09-06 14:12 56320 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\Foto Ed.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 56320 c:\windows\ime\shared\New Folder.scr
+ 2010-03-27 07:15 . 2006-09-06 14:12 56320 c:\windows\Downloaded Installations\Ed Porn.exe
- 2001-08-18 12:00 . 2010-03-24 19:55 432686 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2010-03-30 05:42 432686 c:\windows\system32\perfh009.dat
+ 2009-10-21 02:34 . 2009-10-21 02:34 219664 c:\windows\system32\klogon.dll
+ 2010-03-28 00:16 . 2009-11-11 23:35 315408 c:\windows\system32\drivers\klif.sys
+ 2009-09-01 21:29 . 2009-09-01 21:29 128016 c:\windows\system32\drivers\kl1.sys
+ 2010-03-30 05:53 . 2006-09-06 14:12 125952 c:\windows\system32\40223a\c0162760.cmd
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\New Folder.scr
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\New Folder(2).exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\Data Ed.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\New Folder.scr
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Foto Ed.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Ed Porn.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Config\Config.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Binaries\Binaries.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\res\res.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\New Folder(2).exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\Ed Porn.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\Data Ed.exe
+ 2010-03-29 18:10 . 2010-03-29 18:10 233472 c:\windows\ERDNT\AutoBackup\3-29-2010\Users\00000002\UsrClass.dat
+ 2010-03-29 18:10 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-29-2010\ERDNT.EXE
+ 2010-03-29 06:07 . 2010-03-29 06:07 233472 c:\windows\ERDNT\AutoBackup\3-28-2010\Users\00000002\UsrClass.dat
+ 2010-03-29 06:07 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-28-2010\ERDNT.EXE
+ 2010-03-27 07:17 . 2010-03-27 07:17 233472 c:\windows\ERDNT\AutoBackup\3-27-2010\Users\00000002\UsrClass.dat
+ 2010-03-27 07:17 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-27-2010\ERDNT.EXE
+ 2010-03-26 23:26 . 2010-03-26 23:26 233472 c:\windows\ERDNT\AutoBackup\3-26-2010\Users\00000002\UsrClass.dat
+ 2010-03-26 23:26 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-26-2010\ERDNT.EXE
+ 2010-03-25 07:00 . 2010-03-25 07:00 233472 c:\windows\ERDNT\AutoBackup\3-25-2010\Users\00000002\UsrClass.dat
+ 2010-03-25 07:00 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-25-2010\ERDNT.EXE
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\New Folder(2).exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Ed Porn.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Data Ed.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1.exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\New Folder.scr
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\New Folder(2).exe
+ 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}.exe
+ 2010-03-30 05:53 . 2006-09-06 14:12 125952 c:\windows\24627\system.exe
+ 2010-03-30 05:53 . 2006-09-06 14:12 125952 c:\windows\24627\smss.exe
+ 2010-03-29 07:39 . 2010-03-29 07:39 3407360 c:\windows\Installer\1df885.msi
+ 2010-03-29 18:10 . 2010-03-29 18:10 8843264 c:\windows\ERDNT\AutoBackup\3-29-2010\Users\00000001\NTUSER.DAT
+ 2010-03-29 06:07 . 2010-03-29 06:07 8843264 c:\windows\ERDNT\AutoBackup\3-28-2010\Users\00000001\NTUSER.DAT
+ 2010-03-27 07:17 . 2010-03-27 07:17 8843264 c:\windows\ERDNT\AutoBackup\3-27-2010\Users\00000001\NTUSER.DAT
+ 2010-03-26 23:26 . 2010-03-26 23:26 8843264 c:\windows\ERDNT\AutoBackup\3-26-2010\Users\00000001\NTUSER.DAT
+ 2010-03-25 07:00 . 2010-03-25 07:00 8843264 c:\windows\ERDNT\AutoBackup\3-25-2010\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2009-11-21 02:01 2166296 ----a-w- c:\program files\BitZipperSearch\tbBit1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4411392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 4055888]
"14621660"="c:\windows\system32\016276534852l.exe" [2006-09-06 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 811008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 220160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-06 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 151552]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 337448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 491520]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-03-30 1127720]
"A9DA21"="c:\windows\system32\C10E1A\A9DA21.EXE" [2010-03-11 1505299]
"0525162"="c:\windows\l644166.exe" [2006-09-06 125952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 508824]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
A9DA21.lnk - c:\windows\system32\C10E1A\A9DA21.EXE [2010-3-11 1505299]
adodb.cmd [2006-9-6 125952]
c:\documents and settings\Ed\Start Menu\Programs\Startup\
A9DA21.lnk - c:\windows\system32\C10E1A\A9DA21.EXE [2010-3-11 1505299]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
adodb.cmd [2006-9-6 125952]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2618984]
ERUNT AutoBackup.lnk - c:\documents and settings\Ed\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 465920]
c:\windows\system32\73556a\
c3405100.cmd [2006-9-6 125952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, \"c:\documents and settings\Ed\Templates\52525\13452525.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\PROGRA~1\\Nuance\\NATURA~1\\Program\\natspeak.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\WINDOWS\\system32\\C10E1A\\A9DA21.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\rndal.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"=
"c:\\WINDOWS\\system32\\devldr32.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\85068\\13485068.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhSystray.exe"=
"c:\\WINDOWS\\57151\\system.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\85068\\service.exe"=
"c:\\WINDOWS\\57151\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\85068\\winlogon.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/6/2009 4:20 PM 38224]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 22:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\documents and settings\Ed\Templates\52525\service.exe
c:\windows\24627\smss.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\system32\devldr32.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\documents and settings\Ed\Templates\52525\winlogon.exe
.
**************************************************************************
.
Completion time: 2010-03-29 22:59:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-30 05:59
ComboFix2.txt 2010-03-24 20:19
Pre-Run: 15,885,864,960 bytes free
Post-Run: 15,848,079,360 bytes free
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 847406F600D41B7AD8F3BB29E8D069F0
Hi again,
Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\016276534852l.exe
c:\windows\l644166.exe
c:\windows\035348525.exe
c:\windows\l077410.exe
c:\windows\system32\340510867285l.exe
c:\windows\system32\moonlight.scr
c:\documents and settings\Guest\Start Menu\Programs\Startup\A9DA21.lnk
c:\documents and settings\Ed\Start Menu\Programs\Startup\A9DA21.lnk
Folder::
c:\windows\system32\272113
c:\windows\24627
c:\windows\system32\40223a
c:\windows\system32\C10E1A
c:\windows\system32\E777AA
c:\windows\system32\4190E2
c:\windows\57151
c:\windows\system32\73556a
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"14621660"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A9DA21"=-
"0525162"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"FirewallOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"UacDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\C10E1A\\A9DA21.EXE"=-
"c:\\Documents and Settings\\Ed\\Templates\\85068\\13485068.exe"=-
"c:\\WINDOWS\\57151\\system.exe"=-
"c:\\Documents and Settings\\Ed\\Templates\\85068\\service.exe"=-
"c:\\WINDOWS\\57151\\smss.exe"=-
"c:\\Documents and Settings\\Ed\\Templates\\85068\\winlogon.exe"=-
Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows, disable protection software and, referring to the picture above, drag CFScript into Demetrius.exe.
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6 Update 18 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
Demetrius
2010-03-30, 22:59
I performed the combofix operation with the code you gave me. Combofix ran as normal, but the symptoms have not gone away. Additionally, when it was producing the log file, the screen went black. I rebooted the machine and performed another combofix scan -- the log is below.
I also did a DDS scan and the 2 logs are below.
I am temporarily without an Internet connection so I cannot run Kaspersky online. I tried installing Kaspersky but it makes the screen go black. (When the screen goes black, the computer works again after a hard reboot.)
I considered running your lines of code again, but thought it might be unwise and will wait for you to tell me what to do instead. Many thanks!
ComboFix 10-03-28.03 - Ed 03/30/2010 19:38:46.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.446 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFixRenamed2.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\031804175.exe
c:\windows\lsass.exe
c:\windows\MooNlight.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\05778a
c:\windows\system32\05778a\c5627320.cmd
c:\windows\system32\crtsys.dll
.
---- Previous Run -------
.
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\RegEx.fnr
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\Ed\LOCALS~1\Temp\E_N4\spec.fne
c:\documents and settings\Ed\Start Menu\Programs\Startup\A9DA21.lnk
c:\documents and settings\Guest\Start Menu\Programs\Startup\A9DA21.lnk
c:\windows\035348525.exe
c:\windows\038783065.exe
c:\windows\038851185.exe
c:\windows\24627\bb745710l.com
c:\windows\24627\smss.exe
c:\windows\24627\system.exe
c:\windows\57151\bb178143l.com
c:\windows\57151\smss.exe
c:\windows\57151\system.exe
c:\windows\l077410.exe
c:\windows\l644166.exe
c:\windows\lsass.exe
c:\windows\MooNlight.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\016276534852l.exe
c:\windows\system32\06060a\c8466740.cmd
c:\windows\system32\272113\cnvpe.fne
c:\windows\system32\272113\dp1.fne
c:\windows\system32\272113\eAPI.fne
c:\windows\system32\272113\HtmlView.fne
c:\windows\system32\272113\internet.fne
c:\windows\system32\272113\krnln.fnr
c:\windows\system32\272113\RegEx.fnr
c:\windows\system32\272113\shell.fne
c:\windows\system32\272113\spec.fne
c:\windows\system32\340510867285l.exe
c:\windows\system32\40223a\c0162760.cmd
c:\windows\system32\84667a\c4516210.cmd
c:\windows\system32\C10E1A\A9DA21.EXE
c:\windows\system32\crtsys.dll
c:\windows\system32\moonlight.scr
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
.
2010-03-31 02:46 . 2010-03-31 02:46 -------- d--h--w- c:\windows\system32\40223a
2010-03-31 02:46 . 2008-04-14 13:42 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2010-03-31 02:46 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\016276534852l.exe
2010-03-31 02:46 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l744176.exe
2010-03-31 02:46 . 2006-09-06 14:12 125952 --sh--w- c:\windows\035348525.exe
2010-03-31 02:46 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\New Folder(2).exe
2010-03-31 02:46 . 2010-03-31 02:46 -------- d-sh--r- c:\windows\13516
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\846674885118l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\451621878306l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l516211.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l188511.exe
2010-03-31 02:08 . 2010-03-31 02:08 -------- d-sh--r- c:\windows\70373
2010-03-30 05:44 . 2010-03-30 05:59 -------- d-----w- C:\Demetrius
2010-03-28 00:29 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Guest Porn.exe
2010-03-28 00:19 . 2010-03-28 00:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19 . 2010-03-28 00:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-28 00:14 . 2010-03-28 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-20 00:09 . 2010-03-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-18 05:29 . 2010-03-29 18:12 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-17 05:23 . 2010-03-17 05:23 -------- d-----w- C:\Amazon Unbox
2010-03-16 00:40 . 2003-09-06 01:16 815104 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2010-03-16 00:40 . 2003-09-06 01:16 757760 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2010-03-16 00:39 . 2010-03-30 05:40 -------- d-----w- c:\program files\Common Files\Macromedia Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 02:07 . 2010-01-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-30 05:40 . 2009-03-23 21:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 00:47 . 2009-04-07 08:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-30 00:47 . 2009-04-04 01:30 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-03-29 08:40 . 2009-03-28 06:22 1914 ----a-w- c:\documents and settings\Ed\Application Data\SAS7_000.DAT
2010-03-28 00:22 . 2009-05-06 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 07:32 . 2009-03-25 08:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-26 06:30 . 2009-04-05 05:31 -------- d-----w- c:\documents and settings\Ed\Application Data\dvdcss
2010-03-20 00:03 . 2009-05-01 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 21:02 . 2009-03-23 11:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:01 . 2009-03-23 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 07:28 . 2009-05-21 00:35 -------- d-----w- c:\documents and settings\Ed\Application Data\gtk-2.0
2010-03-16 00:39 . 2009-03-25 03:29 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-16 00:39 . 2009-03-25 03:26 -------- d-----w- c:\program files\Macromedia
2010-03-16 00:37 . 2009-03-24 00:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 03:18 . 2009-04-20 06:16 -------- d-----w- c:\program files\PestPatrol
2010-02-03 18:20 . 2009-05-11 00:17 -------- d-----w- c:\documents and settings\Ed\Application Data\Skype
2010-02-03 16:09 . 2009-05-11 00:18 -------- d-----w- c:\documents and settings\Ed\Application Data\skypePM
2010-02-02 22:21 . 2009-12-02 00:54 -------- d-----w- c:\program files\Cleaner 5 EZ
2010-01-30 12:53 . 2009-12-30 05:40 -------- d-----w- c:\documents and settings\Ed\Application Data\FileZilla
2010-01-30 04:32 . 2010-01-30 04:32 -------- d-----w- c:\program files\tbh
2010-01-30 04:31 . 2010-01-30 04:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-30 04:31 . 2009-05-11 00:16 -------- d-----r- c:\program files\Skype
2010-01-30 04:30 . 2010-01-30 04:30 -------- d-----w- c:\program files\Common Files\Skype
2010-01-30 04:30 . 2009-05-11 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-18 22:59 . 2009-11-10 23:53 79488 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 12:26 . 2010-01-04 10:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 23:07 . 2009-05-06 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-05-06 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\035348525.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l188511.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\l200622.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l516211.exe
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\l744176.exe
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\13516\bb745710l.com
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\25727\bb301365l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb280254l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb783062l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\smss.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\system.exe
2008-04-14 13:42 . 2010-03-31 02:46 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\system32\016276534852l.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\451621878306l.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\system32\562732180417l.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\846674885118l.exe
2008-04-14 13:42 . 2001-08-18 12:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\system32\73556a\c3405100.cmd
.
((((((((((((((((((((((((((((( SnapShot_2010-03-30_05.53.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-31 02:36 . 2010-03-31 02:36 16384 c:\windows\temp\Perflib_Perfdata_fd8.dat
+ 2010-03-31 02:47 . 2010-03-31 02:47 16384 c:\windows\temp\Perflib_Perfdata_9d8.dat
+ 2001-08-18 12:00 . 2010-03-31 02:35 67516 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-03-30 05:42 67516 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-03-31 02:35 432686 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2010-03-30 05:42 432686 c:\windows\system32\perfh009.dat
+ 2010-03-31 02:08 . 2010-03-31 02:08 233472 c:\windows\ERDNT\AutoBackup\3-30-2010\Users\00000002\UsrClass.dat
+ 2010-03-31 02:08 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-30-2010\ERDNT.EXE
+ 2010-03-31 02:22 . 2006-09-06 14:12 125952 c:\windows\25727\system.exe
+ 2010-03-31 02:22 . 2006-09-06 14:12 125952 c:\windows\25727\smss.exe
+ 2010-03-31 02:46 . 2006-09-06 14:12 125952 c:\windows\13516\system.exe
+ 2010-03-31 02:46 . 2006-09-06 14:12 125952 c:\windows\13516\smss.exe
+ 2010-03-31 02:29 . 2010-03-31 02:29 3407360 c:\windows\Installer\3c677.msi
+ 2010-03-31 02:08 . 2010-03-31 02:08 8843264 c:\windows\ERDNT\AutoBackup\3-30-2010\Users\00000001\NTUSER.DAT
+ 2009-11-14 13:06 . 2009-11-14 13:06 71946752 c:\windows\Installer\3c66e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2009-11-21 02:01 2166296 ----a-w- c:\program files\BitZipperSearch\tbBit1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4411392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 4055888]
"13511760"="c:\windows\system32\016276534852l.exe" [2006-09-06 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 811008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 220160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-06 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 151552]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 337448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 491520]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-03-31 1127720]
"0635162"="c:\windows\l744176.exe" [2006-09-06 125952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 508824]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
adodb.cmd [2006-9-6 125952]
c:\documents and settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
adodb.cmd [2006-9-6 125952]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2618984]
ERUNT AutoBackup.lnk - c:\documents and settings\Ed\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 465920]
c:\windows\system32\73556a\
c3405100.cmd [2006-9-6 125952]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableTaskMgr"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, \"c:\documents and settings\Ed\Templates\52635\13452635.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\PROGRA~1\\Nuance\\NATURA~1\\Program\\natspeak.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\rndal.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"=
"c:\\WINDOWS\\system32\\devldr32.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhSystray.exe"=
"c:\\WINDOWS\\system32\\016276534852l.exe"=
"c:\\WINDOWS\\70373\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\68162\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\63636\\13463636.exe"=
"c:\\WINDOWS\\25727\\smss.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/6/2009 4:20 PM 38224]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 19:47
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\documents and settings\Ed\Templates\52635\service.exe
c:\windows\13516\smss.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\lsass.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2010-03-30 19:52:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-31 02:52
ComboFix2.txt 2010-03-30 05:59
ComboFix3.txt 2010-03-24 20:19
Pre-Run: 15,438,909,440 bytes free
Post-Run: 15,430,979,584 bytes free
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 754480F2093FAAFE750D8E350252CEB2
DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 19:36:26.50 on Tue 03/30/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.454 [GMT -7:00]
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\tbh\monitor\bin\tbhMonitor.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\Program Files\tbh\base\bin\tbhDaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\tbh\base\bin\tbhSystray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Ed\Templates\63636\service.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\25727\system.exe
C:\WINDOWS\system32\WINMINE.EXE
C:\PROGRA~1\Nuance\NATURA~1\Program\natspeak.exe
C:\Documents and Settings\Ed\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
uURLSearchHooks: H - No File
mWinlogon: Shell=explorer.exe, "c:\documents and settings\ed\templates\63636\13463636.exe"
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: BitZipperSearch Toolbar: {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - c:\program files\bitzippersearch\tbBit1.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [15726220] c:\windows\system32\562732180417l.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] c:\program files\common files\real\update_ob\evntsvc.exe -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [tbhSystray] c:\program files\tbh\base\bin\tbhSystray.exe
mRun: [0636627] c:\windows\l200622.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\ed\start menu\programs\startup\adodb.cmd
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking9\program\natspeak.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\ed\desktop\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\windows\system32\05778a\c5627320.cmd
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237794374732
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - c:\windows\system32\klogon.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-9-1 128016]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [2009-10-22 70952]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\ohgmkq.sys --> c:\windows\system32\drivers\ohgmkq.sys [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-6 38224]
=============== Created Last 30 ================
2010-03-31 02:24:21 125952 --sh--w- c:\windows\lsass.exe
2010-03-31 02:22:11 125952 --sh--w- c:\windows\system32\562732180417l.exe
2010-03-31 02:22:11 125952 ----a-w- c:\windows\system32\moonlight.scr
2010-03-31 02:22:10 125952 --sh--w- c:\windows\l200622.exe
2010-03-31 02:22:10 125952 --sh--w- c:\windows\031804175.exe
2010-03-31 02:22:07 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2010-03-31 02:22:07 0 d--h--w- c:\windows\system32\05778a
2010-03-31 02:22:06 120 ----a-w- c:\windows\system32\crtsys.dll
2010-03-31 02:22:06 0 d-sh--r- c:\windows\25727
2010-03-31 02:12:02 0 d-----w- C:\xxxxxxxx
2010-03-31 02:08:04 125952 --sh--w- c:\windows\system32\846674885118l.exe
2010-03-31 02:08:04 125952 --sh--w- c:\windows\system32\451621878306l.exe
2010-03-31 02:08:03 125952 --sh--w- c:\windows\l516211.exe
2010-03-31 02:08:03 125952 --sh--w- c:\windows\l188511.exe
2010-03-31 02:08:02 0 d-sh--r- c:\windows\70373
2010-03-30 05:44:12 0 d-----w- C:\Demetrius
2010-03-28 00:19:08 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19:08 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17:21 0 d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2010-03-28 00:14:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-03-27 07:15:37 0 d--h--w- c:\windows\system32\73556a
2010-03-24 20:04:32 98816 ----a-w- c:\windows\sed.exe
2010-03-24 20:04:32 77312 ----a-w- c:\windows\MBR.exe
2010-03-24 20:04:32 261632 ----a-w- c:\windows\PEV.exe
2010-03-24 20:04:32 161792 ----a-w- c:\windows\SWREG.exe
2010-03-24 08:00:30 4432 ----a-w- c:\documents and settings\ed\.recently-used.xbel
2010-03-20 21:59:41 0 ----a-w- C:\123a0
2010-03-20 00:09:32 0 d-----w- c:\docume~1\alluse~1\applic~1\ZA_PreservedFiles
2010-03-18 05:29:08 0 d-----w- c:\program files\common files\ScanSoft Shared
2010-03-17 05:23:40 0 d-----w- C:\Amazon Unbox
2010-03-16 00:39:10 0 d-----w- c:\program files\common files\Macromedia Shared
2010-03-13 03:04:01 1551 ----a-w- c:\windows\UnSetupPestPatrolBeta.mif
==================== Find3M ====================
2010-03-29 08:40:42 1914 ----a-w- c:\docume~1\ed\applic~1\SAS7_000.DAT
2009-05-01 05:47:02 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10:31 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\031804175.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\l188511.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\l200622.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\l516211.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\lsass.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\25727\bb301365l.com
2006-09-06 14:12:24 125952 --sh--w- c:\windows\70373\bb280254l.com
2006-09-06 14:12:24 125952 --sh--w- c:\windows\70373\bb783062l.com
2006-09-06 14:12:24 125952 --sha-w- c:\windows\70373\smss.exe
2006-09-06 14:12:24 125952 --sha-w- c:\windows\70373\system.exe
2008-04-14 13:42:02 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12:24 125952 --sh--w- c:\windows\system32\451621878306l.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\system32\562732180417l.exe
2006-09-06 14:12:24 125952 --sh--w- c:\windows\system32\846674885118l.exe
2008-04-14 13:42:02 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2006-09-06 14:12:24 125952 --sha-w- c:\windows\system32\73556a\c3405100.cmd
2009-05-06 21:26:47 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
============= FINISH: 19:36:57.85 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/23/2009 12:16:04 AM
System Uptime: 3/30/2010 7:30:48 PM (0 hours ago)
Motherboard: Intel Corporation | | D845EPT2
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | X1 | 1993/100mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 14.375 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 73 GiB total, 55.333 GiB free.
G: is FIXED (NTFS) - 112 GiB total, 92.546 GiB free.
I: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7146&SUBSYS_000F11BD&REV_01\5&BD31167&0&2060F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7146&SUBSYS_000F11BD&REV_01\5&BD31167&0&2060F0
Service:
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_123F&DEV_8120&SUBSYS_000F11BD&REV_B1\5&BD31167&0&4060F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_123F&DEV_8120&SUBSYS_000F11BD&REV_B1\5&BD31167&0&4060F0
Service:
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Canon MX850 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX850 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
==== System Restore Points ===================
RP164: 3/29/2010 12:48:15 AM - Installed Kaspersky Anti-Virus 2010.
==== Installed Programs ======================
AAC Decoder
AbiWord 2.6.8
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Premiere 6.0
Adobe Stock Photos 1.0
Advanced RealMedia Export Plug-in for Premiere 6.0
Amazon Unbox Video
Apple Application Support
Apple Software Update
Aspell 0.6 Dictionary (Language: en)
Aspell Data
AutoUpdate
BitZipper 2009
BitZipperSearch Toolbar
Browser Highlighter - Firefox
Canon MX850 series
CD-LabelPrint
Cleaner 5 EZ
Compatibility Pack for the 2007 Office system
Corel WinDVD 9
Dasher
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dragon NaturallySpeaking 9
DVD Decrypter (Remove Only)
ERUNT 1.1j
FileZilla Client 3.3.0.1
Final Draft 7
GIMP 2.6.6
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
ImgBurn
Impression DVD SE
Junk Mail filter update
Kaspersky Anti-Virus 2010
LeechFTP
LyX 1.6.2-1
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Small Business
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MiKTeX 2.7
MKV Splitter
Move Media Player
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Driver
OpenOffice.org 3.1
Picture Resize Genius 2.9.5
QuickTime
Rainlendar2 (remove only)
RealOne Player
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Segoe UI
Skype web features
Skype™ 4.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.4053
VideoLAN VLC media player 0.8.6e
Visual C++ 8.0 CRT (x86) WinSXS MSM
Visual C++ 8.0 CRT.Policy (x86) WinSXS MSM
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.1
==== Event Viewer Messages From Past Week ========
3/30/2010 7:31:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: KLIF
3/29/2010 12:48:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000011E' while processing the file 'Track08.lnk' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/27/2010 2:49:32 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000011E' while processing the file 'Recordare.lnk' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/27/2010 12:31:47 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/25/2010 11:02:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000011E' while processing the file 'Track02.lnk' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/25/2010 1:25:35 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000011E' while processing the file 'Track 30.lnk' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/24/2010 1:11:43 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ABP470N5\0000 disappeared from the system without first being prepared for removal.
==== End Of File ===========================
Hi,
Please run ComboFix with the script as instructed (in safe mode if needed).
Demetrius
2010-04-01, 23:41
Done - here is the log, thank you!
ComboFix 10-03-28.03 - Ed 04/01/2010 18:36:45.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.465 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\Demetrius4.exe
Command switches used :: c:\documents and settings\Ed\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FILE ::
"c:\documents and settings\Ed\Start Menu\Programs\Startup\A9DA21.lnk"
"c:\documents and settings\Guest\Start Menu\Programs\Startup\A9DA21.lnk"
"c:\windows\035348525.exe"
"c:\windows\l077410.exe"
"c:\windows\l644166.exe"
"c:\windows\system32\016276534852l.exe"
"c:\windows\system32\340510867285l.exe"
"c:\windows\system32\moonlight.scr"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\033226405.exe
c:\windows\035348525.exe
c:\windows\lsass.exe
c:\windows\MooNlight.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\016276534852l.exe
c:\windows\system32\37012a
c:\windows\system32\37012a\c8841540.cmd
c:\windows\system32\40223a
c:\windows\system32\40223a\c0162760.cmd
c:\windows\system32\crtsys.dll
c:\windows\system32\moonlight.scr
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
.
2010-03-31 06:05 . 2010-03-31 06:05 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 02:46 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l744176.exe
2010-03-31 02:46 . 2010-03-31 02:46 -------- d-sh--r- c:\windows\13516
2010-03-31 02:37 . 2010-03-31 02:52 -------- d-----w- C:\ComboFixRenamed2
2010-03-31 02:22 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\562732180417l.exe
2010-03-31 02:22 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l200622.exe
2010-03-31 02:22 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\New Folder.scr
2010-03-31 02:22 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Data Ed.exe
2010-03-31 02:22 . 2010-03-31 02:22 -------- d-sh--r- c:\windows\25727
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\846674885118l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\451621878306l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l516211.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l188511.exe
2010-03-31 02:08 . 2010-03-31 02:08 -------- d-sh--r- c:\windows\70373
2010-03-30 05:44 . 2010-03-30 05:59 -------- d-----w- C:\Demetrius
2010-03-28 00:29 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Guest Porn.exe
2010-03-28 00:19 . 2010-03-28 00:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19 . 2010-03-28 00:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-28 00:14 . 2010-03-28 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-27 07:15 . 2010-03-27 07:15 -------- d--h--w- c:\windows\system32\73556a
2010-03-27 07:15 . 2006-09-06 14:12 134144 ----a-w- c:\documents and settings\Ed\Application Data\Azureus\shares\Foto Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slidesharecdn.com\New Folder(2).exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slidesharecdn.com\Ed Porn.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slideshare.net\Data Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\E5N28QX9\static.slidesharecdn.com\Foto Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\New Folder.scr
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\New Folder(2).exe
2010-03-20 00:09 . 2010-03-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-18 05:29 . 2010-03-31 06:02 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-17 05:23 . 2010-03-17 05:23 -------- d-----w- C:\Amazon Unbox
2010-03-16 00:40 . 2003-09-06 01:16 815104 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2010-03-16 00:40 . 2003-09-06 01:16 757760 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2010-03-16 00:39 . 2010-03-31 06:02 -------- d-----w- c:\program files\Common Files\Macromedia Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-01 08:39 . 2009-04-05 05:31 -------- d-----w- c:\documents and settings\Ed\Application Data\dvdcss
2010-04-01 06:14 . 2010-01-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 23:38 . 2009-03-28 06:22 1914 ----a-w- c:\documents and settings\Ed\Application Data\SAS7_000.DAT
2010-03-31 06:04 . 2009-06-03 04:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 05:40 . 2009-03-23 21:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 00:47 . 2009-04-07 08:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-30 00:47 . 2009-04-04 01:30 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-03-28 00:22 . 2009-05-06 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 07:32 . 2009-03-25 08:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-20 00:03 . 2009-05-01 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 21:02 . 2009-03-23 11:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:01 . 2009-03-23 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 07:28 . 2009-05-21 00:35 -------- d-----w- c:\documents and settings\Ed\Application Data\gtk-2.0
2010-03-16 00:39 . 2009-03-25 03:29 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-16 00:39 . 2009-03-25 03:26 -------- d-----w- c:\program files\Macromedia
2010-03-16 00:37 . 2009-03-24 00:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 07:38 . 2010-04-02 01:24 144312 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
2010-03-13 03:18 . 2009-04-20 06:16 -------- d-----w- c:\program files\PestPatrol
2010-02-03 18:20 . 2009-05-11 00:17 -------- d-----w- c:\documents and settings\Ed\Application Data\Skype
2010-02-03 16:09 . 2009-05-11 00:18 -------- d-----w- c:\documents and settings\Ed\Application Data\skypePM
2010-02-02 22:21 . 2009-12-02 00:54 -------- d-----w- c:\program files\Cleaner 5 EZ
2010-01-30 04:31 . 2010-01-30 04:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-18 22:59 . 2009-11-10 23:53 79488 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 12:26 . 2010-01-04 10:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 23:07 . 2009-05-06 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2009-05-06 23:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\033126305.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l188511.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\l200622.exe
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\l422844.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l516211.exe
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\l532055.exe
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\l744176.exe
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\02405\bb523587l.com
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\13506\bb634507l.com
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\13516\bb745710l.com
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\25727\bb301365l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb280254l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb783062l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\smss.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\system.exe
2008-04-14 13:42 . 2010-04-02 01:45 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\451621878306l.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\system32\562732180417l.exe
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\system32\784054312630l.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\846674885118l.exe
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\system32\884154322640l.exe
2008-04-14 13:42 . 2001-08-18 12:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2006-09-06 14:12 . 2010-03-27 07:15 125952 --sha-w- c:\windows\system32\73556a\c3405100.cmd
.
((((((((((((((((((((((((((((( SnapShot_2010-03-30_05.53.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-02 01:45 . 2010-04-02 01:45 16384 c:\windows\temp\Perflib_Perfdata_b4.dat
+ 2010-04-02 01:45 . 2010-04-02 01:45 16384 c:\windows\temp\Perflib_Perfdata_654.dat
- 2001-08-18 12:00 . 2010-03-30 05:42 67516 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-04-02 01:37 67516 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-03-30 05:42 432686 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2010-04-02 01:37 432686 c:\windows\system32\perfh009.dat
+ 2010-03-31 06:05 . 2010-03-31 06:04 153376 c:\windows\system32\javaws.exe
+ 2010-03-31 06:05 . 2010-03-31 06:04 145184 c:\windows\system32\javaw.exe
+ 2010-03-31 06:05 . 2010-03-31 06:04 145184 c:\windows\system32\java.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\system32\27001a\c7840540.cmd
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\Foto Ed.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\cda90f10771552805738884d22496388\cda90f10771552805738884d22496388.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\72eb6a06ed5f96cfe5470fb5a9801995\72eb6a06ed5f96cfe5470fb5a9801995.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\update\update.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\SP3QFE\SP3QFE.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\SP3GDR\SP3GDR.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\127e503e3f80c0d9923e937ca2857f6b.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\Foto Ed.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\New Folder(2).exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Config\Config.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Config\Config.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Binaries\Binaries.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Binaries\Binaries.exe
+ 2010-03-31 06:05 . 2010-03-31 06:05 180224 c:\windows\Installer\56a25.msi
+ 2010-03-31 06:04 . 2010-03-31 06:04 577536 c:\windows\Installer\56a1e.msi
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\res\res.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\ime\shared\res\res.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\ime\shared\New Folder(2).exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\ime\shared\New Folder(2).exe
+ 2010-04-02 01:16 . 2010-04-02 01:16 241664 c:\windows\ERDNT\AutoBackup\4-1-2010\Users\00000002\UsrClass.dat
+ 2010-04-02 01:16 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-1-2010\ERDNT.EXE
+ 2010-03-31 23:03 . 2010-03-31 23:03 241664 c:\windows\ERDNT\AutoBackup\3-31-2010\Users\00000002\UsrClass.dat
+ 2010-03-31 23:03 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-31-2010\ERDNT.EXE
+ 2010-03-31 02:08 . 2010-03-31 02:08 233472 c:\windows\ERDNT\AutoBackup\3-30-2010\Users\00000002\UsrClass.dat
+ 2010-03-31 02:08 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\3-30-2010\ERDNT.EXE
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Ed Porn.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Ed Porn.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\Data Ed.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}.exe
+ 2010-03-31 02:22 . 2006-09-06 14:12 125952 c:\windows\25727\system.exe
+ 2010-03-31 02:22 . 2006-09-06 14:12 125952 c:\windows\25727\smss.exe
+ 2010-03-31 02:46 . 2006-09-06 14:12 125952 c:\windows\13516\system.exe
+ 2010-03-31 02:46 . 2006-09-06 14:12 125952 c:\windows\13516\smss.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\13506\system.exe
+ 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\13506\smss.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\02405\system.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\02405\smss.exe
+ 2010-03-31 02:29 . 2010-03-31 02:29 3407360 c:\windows\Installer\3c677.msi
+ 2010-04-02 01:16 . 2010-04-02 01:16 8843264 c:\windows\ERDNT\AutoBackup\4-1-2010\Users\00000001\NTUSER.DAT
+ 2010-03-31 23:03 . 2010-03-31 23:03 8843264 c:\windows\ERDNT\AutoBackup\3-31-2010\Users\00000001\NTUSER.DAT
+ 2010-03-31 02:08 . 2010-03-31 02:08 8843264 c:\windows\ERDNT\AutoBackup\3-30-2010\Users\00000001\NTUSER.DAT
+ 2009-11-14 13:06 . 2009-11-14 13:06 71946752 c:\windows\Installer\3c66e.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2009-11-21 02:01 2166296 ----a-w- c:\program files\BitZipperSearch\tbBit1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4411392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 4055888]
"12408440"="c:\windows\system32\784054312630l.exe" [2006-09-06 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 811008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 220160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-06 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 151552]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 337448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 491520]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-04-02 1197352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 325864]
"0303840"="c:\windows\l422844.exe" [2006-09-06 125952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 508824]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
adodb.cmd [2006-9-6 125952]
c:\documents and settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
adodb.cmd [2006-9-6 125952]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2618984]
ERUNT AutoBackup.lnk - c:\documents and settings\Ed\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 465920]
c:\windows\system32\73556a\
c3405100.cmd [2006-9-6 125952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, \"c:\documents and settings\Ed\Templates\30303\13430303.exe\""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\PROGRA~1\\Nuance\\NATURA~1\\Program\\natspeak.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\rndal.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"=
"c:\\WINDOWS\\system32\\devldr32.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhSystray.exe"=
"c:\\WINDOWS\\70373\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\68162\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\63636\\13463636.exe"=
"c:\\WINDOWS\\25727\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\52635\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\52635\\13452635.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\31414\\13431414.exe"=
"c:\\WINDOWS\\13506\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\31414\\service.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/6/2009 4:20 PM 38224]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
**************************************************************************
Ok.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 18:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\02405
c:\windows\033126305.exe 125952 bytes executable
c:\windows\l422844.exe 125952 bytes executable
c:\windows\MoonLight.txt 177 bytes
c:\windows\system32\784054312630l.exe 125952 bytes executable
scan completed successfully
hidden files: 5
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\devldr32.exe
c:\program files\WinZip\WZQKPICK.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\documents and settings\Ed\Templates\30303\service.exe
c:\windows\02405\smss.exe
c:\windows\02405\system.exe
c:\documents and settings\Ed\Templates\30303\winlogon.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\lsass.exe
.
**************************************************************************
.
Completion time: 2010-04-01 18:52:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-02 01:52
ComboFix2.txt 2010-03-31 02:52
ComboFix3.txt 2010-03-30 05:59
ComboFix4.txt 2010-03-24 20:19
Pre-Run: 14,982,520,832 bytes free
Post-Run: 14,634,377,216 bytes free
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - 65F759F8F594DA4095ECF8CF5280DC31
Hi,
Try to keep the system offline as much as possible.
If you have used external drives while being infected, have such drives plugged in so we can get those cleaned. Run ComboFix again and let it update itself.
Then run Malwarebytes' Anti-Malware, update it via update tab and run a quick scan letting it delete all found items. Post back logs of both runs.
Demetrius
2010-04-03, 22:26
The situation is as follows:
- I ran the CFScript file through ComboFix again -- the log of this is in my last post.
- I then ran a ComboFix scan again -- the log for this is below.
- The symptoms are still present
- I downloaded and installed a fresh copy of Malwarebytes -- it invariably crashes after 4 seconds and 0 objects scanned. Repeatedly reinstalling it does not correct the issue.
- The computer is not directly connected to the Internet -- this is how I became infected in the first place (I relied on a USB drive to ferry information back and forth).
Running CFScript has not removed the symptoms. Task manager is still disabled and the folders created by the virus are still present. Kaspersky and Malwarebytes are not allowed to run: Malwarebytes crashes after 4 seconds and Kaspersky does not load at all, despite repeated attempts to download and re-install it.
I hope this helps – thank you so much for your patience!
ComboFix 10-04-01.02 - Ed 04/03/2010 0:21.11.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.425 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\Demetrius5.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\032015285.exe
c:\windows\033126305.exe
c:\windows\AppPatch\AcAdProc.dll
c:\windows\lsass.exe
c:\windows\MooNlight.txt
c:\windows\system\msvbvm60.dll
c:\windows\system32\27001a
c:\windows\system32\27001a\c7840540.cmd
c:\windows\system32\73556a
c:\windows\system32\73556a\c3405100.cmd
c:\windows\system32\crtsys.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.
2010-04-03 07:29 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\773043212530l.exe
2010-04-03 07:29 . 2006-09-06 14:12 125952 --sh--w- c:\windows\032125305.exe
2010-04-03 07:29 . 2010-04-03 07:29 -------- d--h--w- c:\windows\system32\27001a
2010-04-03 07:29 . 2008-04-14 13:42 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2010-04-02 01:45 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\784054312630l.exe
2010-04-02 01:35 . 2010-04-02 01:52 -------- d-----w- C:\Demetrius4
2010-03-31 06:05 . 2010-03-31 06:05 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 05:59 . 2010-03-31 05:59 -------- d-sh--r- c:\windows\13506
2010-03-31 05:59 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\884154322640l.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l532055.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slideshare.net\Foto Ed.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\Foto Ed.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\Ed Porn.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\E5N28QX9\www.monkeysee.com\play\KPShare.swf\New Folder.scr
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\E5N28QX9\static.slidesharecdn.com\New Folder(2).exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\E5N28QX9\static.slideshare.net\Foto Ed.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Azureus\shares\New Folder(2).exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\Ed Porn.exe
2010-03-31 05:59 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\New Folder.scr
2010-03-31 02:46 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l744176.exe
2010-03-31 02:46 . 2010-03-31 02:46 -------- d-sh--r- c:\windows\13516
2010-03-31 02:37 . 2010-03-31 02:52 -------- d-----w- C:\ComboFixRenamed2
2010-03-31 02:22 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\562732180417l.exe
2010-03-31 02:22 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l200622.exe
2010-03-31 02:22 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\New Folder.scr
2010-03-31 02:22 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Data Ed.exe
2010-03-31 02:22 . 2010-03-31 02:22 -------- d-sh--r- c:\windows\25727
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\846674885118l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\system32\451621878306l.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l516211.exe
2010-03-31 02:08 . 2006-09-06 14:12 125952 --sh--w- c:\windows\l188511.exe
2010-03-31 02:08 . 2010-03-31 02:08 -------- d-sh--r- c:\windows\70373
2010-03-30 05:44 . 2010-03-30 05:59 -------- d-----w- C:\Demetrius
2010-03-28 00:29 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Amazon\Amazon Digital Video\Data\downloads\Guest Porn.exe
2010-03-28 00:19 . 2010-03-28 00:19 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-03-28 00:19 . 2010-03-28 00:19 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\program files\Kaspersky Lab
2010-03-28 00:17 . 2010-03-28 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-03-28 00:14 . 2010-03-28 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-03-27 07:15 . 2006-09-06 14:12 134144 ----a-w- c:\documents and settings\Ed\Application Data\Azureus\shares\Foto Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slidesharecdn.com\New Folder(2).exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slidesharecdn.com\Ed Porn.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.slideshare.net\Data Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\#SharedObjects\E5N28QX9\static.slidesharecdn.com\Foto Ed.exe
2010-03-27 07:15 . 2006-09-06 14:12 125952 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\New Folder(2).exe
2010-03-20 00:09 . 2010-03-20 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ZA_PreservedFiles
2010-03-18 05:29 . 2010-03-18 05:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-03-18 05:29 . 2010-03-31 06:02 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-03-17 05:23 . 2010-03-17 05:23 -------- d-----w- C:\Amazon Unbox
2010-03-16 00:40 . 2003-09-06 01:16 815104 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\FlashPlayerW.dll
2010-03-16 00:40 . 2003-09-06 01:16 757760 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Dreamweaver MX 2004\Configuration\Flash Player\NPSWF32.dll
2010-03-16 00:39 . 2010-04-02 01:49 -------- d-----w- c:\program files\Common Files\Macromedia Shared
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 05:47 . 2009-05-06 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-03 03:10 . 2009-03-28 06:22 1914 ----a-w- c:\documents and settings\Ed\Application Data\SAS7_000.DAT
2010-04-02 01:49 . 2009-04-04 01:30 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-04-01 08:39 . 2009-04-05 05:31 -------- d-----w- c:\documents and settings\Ed\Application Data\dvdcss
2010-04-01 06:14 . 2010-01-16 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-31 06:04 . 2009-06-03 04:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-30 05:40 . 2009-03-23 21:57 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-30 00:47 . 2009-04-07 08:32 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-29 22:24 . 2009-05-06 23:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:24 . 2009-05-06 23:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 07:32 . 2009-03-25 08:58 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-20 00:03 . 2009-05-01 23:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-16 21:02 . 2009-03-23 11:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-16 21:01 . 2009-03-23 11:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-16 07:28 . 2009-05-21 00:35 -------- d-----w- c:\documents and settings\Ed\Application Data\gtk-2.0
2010-03-16 00:39 . 2009-03-25 03:29 -------- d-----w- c:\program files\Common Files\Macromedia
2010-03-16 00:39 . 2009-03-25 03:26 -------- d-----w- c:\program files\Macromedia
2010-03-16 00:37 . 2009-03-24 00:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 07:38 . 2010-04-02 01:24 144312 ----a-w- c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
2010-03-13 03:18 . 2009-04-20 06:16 -------- d-----w- c:\program files\PestPatrol
2010-02-03 18:20 . 2009-05-11 00:17 -------- d-----w- c:\documents and settings\Ed\Application Data\Skype
2010-02-03 16:09 . 2009-05-11 00:18 -------- d-----w- c:\documents and settings\Ed\Application Data\skypePM
2010-02-02 22:21 . 2009-12-02 00:54 -------- d-----w- c:\program files\Cleaner 5 EZ
2010-01-30 04:31 . 2010-01-30 04:31 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-18 22:59 . 2009-11-10 23:53 79488 ----a-w- c:\documents and settings\Ed\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-08 12:26 . 2010-01-04 10:21 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-01 05:47 . 2009-05-01 05:47 33174920 ----a-w- c:\program files\zapSetup_80_298_000_en.exe
2009-05-01 05:10 . 2009-05-01 05:10 37014408 ----a-w- c:\program files\zaAvSetup_80_298_035_en.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-09-06 14:12 . 2010-04-03 07:29 125952 --sh--w- c:\windows\032125305.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l188511.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\l200622.exe
2006-09-06 14:12 . 2010-04-03 03:04 125952 --sh--w- c:\windows\l311733.exe
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\l422844.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\l516211.exe
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\l532055.exe
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\l744176.exe
2006-09-06 14:12 . 2010-04-03 07:29 125952 --sh--w- c:\windows\02405\bb523586l.com
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\02405\bb523587l.com
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\13506\bb634507l.com
2006-09-06 14:12 . 2010-03-31 02:46 125952 --sh--w- c:\windows\13516\bb745710l.com
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\25727\bb301365l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb280254l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\70373\bb783062l.com
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\smss.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sha-w- c:\windows\70373\system.exe
2006-09-06 14:12 . 2010-04-03 03:04 125952 --sh--w- c:\windows\81384\bb412476l.com
2008-04-14 13:42 . 2010-04-03 07:29 1384479 --sha-r- c:\windows\system\msvbvm60.dll
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\451621878306l.exe
2006-09-06 14:12 . 2010-03-31 02:22 125952 --sh--w- c:\windows\system32\562732180417l.exe
2006-09-06 14:12 . 2010-04-03 03:04 125952 --sh--w- c:\windows\system32\673843201528l.exe
2006-09-06 14:12 . 2010-04-03 07:29 125952 --sh--w- c:\windows\system32\773043212530l.exe
2006-09-06 14:12 . 2010-04-02 01:45 125952 --sh--w- c:\windows\system32\784054312630l.exe
2006-09-06 14:12 . 2010-03-31 02:08 125952 --sh--w- c:\windows\system32\846674885118l.exe
2006-09-06 14:12 . 2010-03-31 05:59 125952 --sh--w- c:\windows\system32\884154322640l.exe
2008-04-14 13:42 . 2001-08-18 12:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-04-02_01.45.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-03 07:29 . 2010-04-03 07:29 16384 c:\windows\temp\Perflib_Perfdata_8a4.dat
+ 2010-04-03 07:29 . 2010-04-03 07:29 16384 c:\windows\temp\Perflib_Perfdata_658.dat
- 2001-08-18 12:00 . 2010-04-02 01:37 67516 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2010-04-03 05:51 67516 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2010-04-02 01:37 432686 c:\windows\system32\perfh009.dat
+ 2001-08-18 12:00 . 2010-04-03 05:51 432686 c:\windows\system32\perfh009.dat
+ 2010-04-03 03:04 . 2006-09-06 14:12 125952 c:\windows\system32\moonlight.scr
+ 2010-04-03 07:29 . 2006-09-06 14:12 125952 c:\windows\system32\27001a\c7730430.cmd
+ 2010-04-03 03:04 . 2006-09-06 14:12 125952 c:\windows\system32\16880a\c6738430.cmd
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\cda90f10771552805738884d22496388\cda90f10771552805738884d22496388.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\72eb6a06ed5f96cfe5470fb5a9801995\72eb6a06ed5f96cfe5470fb5a9801995.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\update\update.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\SP3QFE\SP3QFE.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\SP3GDR\SP3GDR.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\Download\127e503e3f80c0d9923e937ca2857f6b\127e503e3f80c0d9923e937ca2857f6b.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\New Folder(2).exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\SoftwareDistribution\AuthCabs\Downloaded\New Folder(2).exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Data Ed.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Config\Config.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Config\Config.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Binaries\Binaries.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\PCHEALTH\UploadLB\Binaries\Binaries.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\ime\shared\res\res.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\ime\shared\res\res.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\ime\shared\New Folder(2).exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\ime\shared\New Folder(2).exe
+ 2010-04-03 07:29 . 2010-04-03 07:29 241664 c:\windows\ERDNT\AutoBackup\4-3-2010\Users\00000002\UsrClass.dat
+ 2010-04-03 07:29 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-3-2010\ERDNT.EXE
+ 2010-04-03 03:05 . 2010-04-03 03:05 241664 c:\windows\ERDNT\AutoBackup\4-2-2010\Users\00000002\UsrClass.dat
+ 2010-04-03 03:05 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\4-2-2010\ERDNT.EXE
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Ed Porn.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\Ed Porn.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.3\CONFLICT.3.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1.exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1.exe
- 2010-03-27 07:15 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\New Folder(2).exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\New Folder(2).exe
+ 2010-04-02 01:45 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}.exe
- 2010-03-31 05:59 . 2006-09-06 14:12 125952 c:\windows\Downloaded Installations\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}\{DB72AF8D-6D9B-4291-AA09-89320AA6BEA4}.exe
+ 2010-04-03 03:04 . 2006-09-06 14:12 125952 c:\windows\81384\system.exe
+ 2010-04-03 03:04 . 2006-09-06 14:12 125952 c:\windows\81384\smss.exe
+ 2010-04-03 06:01 . 2010-04-03 06:01 3407360 c:\windows\Installer\c2d95.msi
+ 2010-04-03 07:29 . 2010-04-03 07:29 8843264 c:\windows\ERDNT\AutoBackup\4-3-2010\Users\00000001\NTUSER.DAT
+ 2010-04-03 03:05 . 2010-04-03 03:05 8843264 c:\windows\ERDNT\AutoBackup\4-2-2010\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
2009-11-21 02:01 2166296 ----a-w- c:\program files\BitZipperSearch\tbBit1.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{97bceb59-cfcd-4b16-a863-b3f72cf9f196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{97BCEB59-CFCD-4B16-A863-B3F72CF9F196}"= "c:\program files\BitZipperSearch\tbBit1.dll" [2009-11-21 2166296]
[HKEY_CLASSES_ROOT\clsid\{97bceb59-cfcd-4b16-a863-b3f72cf9f196}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-02-21 4411392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 4055888]
"12408440"="c:\windows\system32\773043212530l.exe" [2006-09-06 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 811008]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\evntsvc.exe" [2009-03-23 220160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-06 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 294912]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 151552]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2006-11-27 337448]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 491520]
"tbhSystray"="c:\program files\tbh\base\bin\tbhSystray.exe" [2010-04-03 1348904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 325864]
"0303730"="c:\windows\l422844.exe" [2006-09-06 125952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 508824]
c:\documents and settings\Guest\Start Menu\Programs\Startup\
adodb.cmd [2006-9-6 125952]
c:\documents and settings\Ed\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
adodb.cmd [2006-9-6 125952]
Dragon NaturallySpeaking.lnk - c:\program files\Nuance\NaturallySpeaking9\Program\natspeak.exe [2007-2-12 2618984]
ERUNT AutoBackup.lnk - c:\documents and settings\Ed\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 465920]
c:\windows\system32\16880a\
c6738430.cmd [2006-9-6 125952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe, \"c:\documents and settings\Ed\Templates\30303\13430303.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhDaemon.exe"=
"c:\\Program Files\\tbh\\monitor\\bin\\tbhMonitor.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.exe"=
"c:\\PROGRA~1\\Nuance\\NATURA~1\\Program\\natspeak.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\WinZip\\WZQKPICK.EXE"=
"c:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\rndal.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\Rainlendar2\\Rainlendar2.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\Program Files\\OpenOffice.org 3\\program\\quickstart.exe"=
"c:\\WINDOWS\\system32\\devldr32.exe"=
"c:\\Program Files\\tbh\\base\\bin\\tbhSystray.exe"=
"c:\\WINDOWS\\70373\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\68162\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\63636\\13463636.exe"=
"c:\\WINDOWS\\25727\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\52635\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\52635\\13452635.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\31414\\13431414.exe"=
"c:\\WINDOWS\\13506\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\31414\\service.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\30303\\13430303.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\81384\\smss.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\28282\\13428282.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Documents and Settings\\Ed\\Templates\\28282\\winlogon.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 8:18 PM 36880]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 tbhMonitor.exe;The Browser Highlighter Monitor;c:\program files\tbh\monitor\bin\tbhMonitor.exe [10/22/2009 2:57 PM 70952]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 1:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 6:39 PM 19472]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/6/2009 4:20 PM 38224]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2009-12-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\x0jjor2d.default\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Ed\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 00:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
c:\program files\tbh\base\bin\tbhDaemon.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\WinZip\WZQKPICK.EXE
c:\windows\system32\devldr32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\documents and settings\Ed\Templates\30303\service.exe
c:\windows\02405\smss.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\lsass.exe
.
**************************************************************************
.
Completion time: 2010-04-03 00:36:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-03 07:36
ComboFix2.txt 2010-04-02 01:52
ComboFix3.txt 2010-03-31 02:52
ComboFix4.txt 2010-03-30 05:59
ComboFix5.txt 2010-04-03 07:20
Pre-Run: 13,592,391,680 bytes free
Post-Run: 13,491,879,936 bytes free
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,4,5,6
- - End Of File - - A955577CF538D11BE3307002E4A25355
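A small triage script for the policy and Winlogon entries in the log above, added here as an example (it is not part of the thread, the helper's tooling or ComboFix): it flags each setting that switches off Task Manager, Registry Editor, UAC, the Security Center alerts or the firewall, and a Winlogon Shell value that launches anything besides explorer.exe. The sample lines are copied from this log and embedded so it runs offline.

```python
import re

# Constructed excerpt: registry lines copied from the ComboFix log above, embedded so this runs offline.
SAMPLE_LOG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"EnableLUA"= 0 (0x0)',
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]",
    r'"DisableTaskMgr"= 1 (0x1)',
    r'"DisableRegistryTools"= 1 (0x1)',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]",
    r'"Shell"="explorer.exe, \"c:\documents and settings\Ed\Templates\30303\13430303.exe\""',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    r'"AntiVirusOverride"=dword:00000001',
    r'"FirewallOverride"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
])

# Value names from the log and the setting that switches a defence off.
BAD_SETTINGS = {
    "DisableTaskMgr": 1, "DisableRegistryTools": 1, "EnableLUA": 0,
    "AntiVirusOverride": 1, "FirewallOverride": 1, "EnableFirewall": 0,
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')

def as_int(raw):
    # ComboFix prints "1 (0x1)" or "dword:00000001"; both become the integer 1.
    raw = raw.strip()
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else int(raw.split()[0])

def triage(log_text):
    # Return (key, name, value) for every defence switched off and for a Winlogon
    # Shell value that launches anything besides explorer.exe.
    findings, key = [], ""
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group("name"), m.group("val")
        if name in BAD_SETTINGS and as_int(raw) == BAD_SETTINGS[name]:
            findings.append((key, name, as_int(raw)))
        elif name == "Shell" and raw.strip('" ').lower() != "explorer.exe":
            findings.append((key, name, raw))
    return findings
```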
Hi,
You have a Sality file infector infection there. That means there is no other solution than to back up non-infected important files and reformat.
1. Download Flash_Disinfector (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your Desktop of your clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begins scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.
After that run Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248) on a clean machine to check your USB drive.
If Kaspersky doesn't find anything bad on the USB drive then you can use it to back up stuff from the infected system, keeping in mind that these filetypes are not allowed:
- .exe
- .scr
- all web page files (.htm, .html, .asp, .aspx etc.)
- archive files (.zip & .rar) containing any of the above mentioned file types
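The filetype restrictions above, turned into a backup filter as an added example (not the helper's tool or anything posted in the thread): it walks a folder, skips the listed types, and refuses a .zip that carries any of them or cannot be read. It assumes only .zip archives are inspected (.rar needs a third-party library) and builds a constructed sample tree in a temporary directory.

```python
import os
import tempfile
import zipfile

# File types the helper says must not leave the infected machine.
BLOCKED_EXT = {".exe", ".scr", ".htm", ".html", ".asp", ".aspx"}
ARCHIVE_EXT = {".zip"}  # assumption: only .zip is inspected; .rar needs a third-party library

def classify(path):
    # 'copy' or 'skip' for one file, following the filetype rules in the post above.
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXT:
        return "skip"
    if ext in ARCHIVE_EXT:
        # Refuse an archive that carries a blocked type, or one that cannot be read.
        try:
            with zipfile.ZipFile(path) as zf:
                if any(os.path.splitext(m)[1].lower() in BLOCKED_EXT for m in zf.namelist()):
                    return "skip"
        except zipfile.BadZipFile:
            return "skip"
    return "copy"

def plan_backup(root):
    # Walk root; return sorted (to_copy, skipped) relative paths with '/' separators.
    to_copy, skipped = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            (to_copy if classify(full) == "copy" else skipped).append(rel)
    return sorted(to_copy), sorted(skipped)

def build_sample_tree(root):
    # Constructed sample data: Word files, a web page, executables and two archives.
    docs = os.path.join(root, "Docs")
    os.makedirs(docs)
    for name in ("letter.doc", "notes.docx", "index.html", "setup.exe", "saver.scr"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"sample")
    with zipfile.ZipFile(os.path.join(docs, "clean.zip"), "w") as zf:
        zf.writestr("report.doc", "sample")
    with zipfile.ZipFile(os.path.join(docs, "mixed.zip"), "w") as zf:
        zf.writestr("report.doc", "sample")
        zf.writestr("tool.exe", "sample")  # an archive carrying an .exe is refused

def demo():
    with tempfile.TemporaryDirectory() as root:  # build the sample and plan its backup
        build_sample_tree(root)
        return plan_backup(root)
```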
Demetrius
2010-04-06, 14:30
The computer does not allow Flash Disinfector to proceed.
I have a question: if I connect a portable hard disk to the computer and transfer Word files on it, will it become infected?
I want to get some Word files out of the computer and then just reformat the whole thing -- it's the only way to be sure.
Thanks again!
Hi,
The computer does not allow Flash Disinfector to proceed.
It's possible that your antivirus protection is detecting Flash Disinfector as harmful and prevents it from running. Disable protection first and then run the program.
I have a question: if I connect a portable hard disk to the computer and transfer Word files on it, will it become infected?
The drive will become infected if it isn't properly treated with Flash_Disinfector first. When the drive is disinfected as instructed then you may transfer files, keeping in mind those filetype limitations listed in the previous post.
Demetrius
2010-04-08, 22:15
I ran Flash Disinfector, the screen went blank as predicted, then after some time I got the following message:
"Registry editing has been disabled by the administrator."
That message must be clicked on THREE times, then it says "Done!"
Does it sound as if Flash Disinfector was able to perform its task? I have never used it before so cannot make a comparison.
Thanks!
Hi,
Did an autorun.inf folder get generated on your external drive after the Flash Disinfector run?
Demetrius
2010-04-09, 16:17
There is no autorun.inf folder on the USB drive.
Bad sign?
Hi,
Do you have hidden files visible (instructions below)? If it still doesn't appear then I recommend running Flash Disinfector on another system (first the internal hard drive and then disinfect the external one).
Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Due to inactivity, this thread will now be closed.
Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.