savetubevideo redirect



oculentum
2010-10-21, 18:01
Hi, I hope you can help with my laptop problem. It is a Toshiba Equium, Intel Pentium Dual CPU T2370 @ 1.73GHz 1.73GHz, 2.0 GB RAM. I'm running Windows Vista Home Premium with SP2, Internet Explorer 8.0.6001.18975, Mozilla Firefox 3.6.11, Avast! Free Antivirus 5.0.677, Spybot Search & Destroy 1.6.2 and Malwarebytes 1.46.

A short while ago I downloaded and installed "Download Youtube Free" :oops:

Shortly after this I noticed that occasionally, when using the Bing search engine on Firefox, if I click on a website link it will initially load the expected website but almost immediately redirects to a Google search box with "landing.savetubevideo" in the address bar (actually it's a full web address, but I'm reluctant to type it out in full on here). The page flickers constantly as if it is trying to close or to move on elsewhere but can't quite manage it. It seems that IE is not affected (yet).

I have deleted the offending program and have used CCleaner to remove any remaining registry references. (That was before I read the advice on your website). Unfortunately the problem persists. Neither Spybot nor Malwarebytes can find any problem and I don't know what else to try.

Thanks in advance for any help you can give. :heart:


DDS (Ver_10-10-21.01) - NTFSx86
Run by Don at 15:07:59.72 on 21/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1153 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\fsproflt.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10k_ActiveX.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Don\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.85.dll
TB: {4974A391-29D6-4419-A63B-49C1C7142489} - No File
TB: {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\don\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-3-25 43792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 165584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-11-5 25896]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-31 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-13 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-3-25 142648]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-6 1153368]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-26 187904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-26 111616]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-10-15 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-8-26 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-10-6 41984]
S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [2007-3-3 57472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-20 18:55:03 -------- d-----w- c:\users\don\appdata\roaming\Malwarebytes
2010-10-20 18:54:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-20 18:54:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 18:54:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 20:35:13 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{842615c3-7176-461c-a29d-133ae26d34e2}\mpengine.dll
2010-10-18 21:46:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02:58 -------- d-----w- c:\progra~2\STOPzilla!
2010-10-16 16:25:20 -------- d-----w- c:\users\don\appdata\local\Paint.NET
2010-10-15 16:13:26 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13:26 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13:12 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:47:41 -------- d-----w- c:\users\don\Copied Films and Discs
2010-10-14 12:55:59 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 12:55:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55:17 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55:16 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55:16 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55:16 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55:15 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55:05 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55:03 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-14 12:55:03 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55:01 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-13 14:27:54 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-10-08 22:51:35 -------- d-----w- c:\users\don\Fireshot captures
2010-10-08 22:46:44 -------- d-----w- c:\users\don\appdata\roaming\FireShot
2010-10-08 16:51:17 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-08 16:51:17 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-06 21:20:31 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18:20 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49:48 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49:47 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45:37 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45:23 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-21 13:57:57 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15:06 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 15:08:47.80 ===============

Blade81
2010-10-27, 07:18
Hi,

Does this issue happen only with Firefox, or is IE affected too? Please update MBAM, run a full scan with it and delete any items it finds. Post back the report and a fresh DDS log.

oculentum
2010-10-27, 16:40
Hello Blade81, thanks for giving your time to try and help me solve my problem.

The problem seems to affect only Firefox - I have tried to replicate it on IE but so far it seems ok.

Here are the logs you asked for:


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4963

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

27/10/2010 15:07:45
mbam-log-2010-10-27 (15-07-45).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 286167
Time elapsed: 1 hour(s), 26 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




DDS (Ver_10-10-21.01) - NTFSx86
Run by Don at 15:18:35.39 on 27/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1027 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\fsproflt.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Don\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.85.dll
TB: {4974A391-29D6-4419-A63B-49C1C7142489} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Privacy Suite RiskMonitor]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\don\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-3-25 43792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 165584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-11-5 25896]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-31 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-13 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-3-25 142648]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-6 1153368]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-26 187904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-26 111616]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-10-15 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-10-6 41984]
S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [2007-3-3 57472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-26 17:17:25 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 17:17:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 17:17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-23 11:27:16 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-22 05:54:22 -------- d-----w- c:\windows\en
2010-10-22 05:53:56 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 05:50:05 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 05:50:05 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 05:50:05 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-22 05:43:21 469256 ----a-w- c:\program files\common files\windows live\.cache\730d7101cb71ac2c\InstallManager_WLE_WLE.exe
2010-10-22 05:42:54 15712 ----a-w- c:\program files\common files\windows live\.cache\f92d9ef01cb71ab1f\MeshBetaRemover.exe
2010-10-22 05:42:33 94040 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DSETUP.dll
2010-10-22 05:42:33 525656 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DXSETUP.exe
2010-10-22 05:42:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\dsetup32.dll
2010-10-22 05:42:31 94040 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DSETUP.dll
2010-10-22 05:42:31 525656 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DXSETUP.exe
2010-10-22 05:42:31 1691480 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\dsetup32.dll
2010-10-22 05:41:19 -------- d-----w- c:\users\don\appdata\local\Windows Live
2010-10-22 05:40:42 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 21:38:45 -------- d-----w- c:\users\don\appdata\local\Microsoft Corporation
2010-10-21 21:37:19 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-20 18:55:03 -------- d-----w- c:\users\don\appdata\roaming\Malwarebytes
2010-10-20 18:54:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-20 18:54:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 18:54:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 20:35:13 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{842615c3-7176-461c-a29d-133ae26d34e2}\mpengine.dll
2010-10-18 21:46:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02:58 -------- d-----w- c:\progra~2\STOPzilla!
2010-10-16 16:25:20 -------- d-----w- c:\users\don\appdata\local\Paint.NET
2010-10-15 16:13:26 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13:26 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13:12 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:47:41 -------- d-----w- c:\users\don\Copied Films and Discs
2010-10-14 12:55:59 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 12:55:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55:17 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55:16 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55:16 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55:16 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55:15 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55:05 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55:03 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-14 12:55:03 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55:01 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-13 14:27:54 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-10-08 22:51:35 -------- d-----w- c:\users\don\Fireshot captures
2010-10-08 22:46:44 -------- d-----w- c:\users\don\appdata\roaming\FireShot
2010-10-08 16:51:17 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-08 16:51:17 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-06 21:20:31 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18:20 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49:48 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49:47 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45:37 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45:23 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-27 12:25:13 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15:06 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-22 23:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 23:32:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-15 03:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 15:19:32.57 ===============

Blade81
2010-10-27, 18:44
Thanks for the logs. Let's continue.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

oculentum
2010-10-27, 21:01
Thanks for your continued support. Here are the latest log files:


ComboFix 10-10-26.04 - Don 27/10/2010 19:24:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1162 [GMT 1:00]
Running from: c:\users\Don\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Don\AppData\Local\cqqwuag.dat
c:\users\Don\AppData\Local\cqqwuag_nav.dat
c:\users\Don\AppData\Local\cqqwuag_navps.dat
D:\install.exe
D:\resycled

c:\windows\System32\autochk.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 18:44 . 2010-10-27 18:44 -------- d-----w- c:\users\Don\AppData\Local\temp
2010-10-27 18:19 . 2010-10-27 18:19 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-10-27 18:19 . 2010-10-27 18:19 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-10-26 17:17 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 17:17 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 17:17 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-22 05:54 . 2010-10-22 05:54 -------- d-----w- c:\windows\en
2010-10-22 05:53 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 05:50 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 05:50 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 05:50 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-22 05:43 . 2010-10-22 05:43 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\730d7101cb71ac2c\InstallManager_WLE_WLE.exe
2010-10-22 05:42 . 2010-10-22 05:42 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\f92d9ef01cb71ab1f\MeshBetaRemover.exe
2010-10-22 05:42 . 2010-10-22 05:42 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\DSETUP.dll
2010-10-22 05:42 . 2010-10-22 05:42 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\DXSETUP.exe
2010-10-22 05:42 . 2010-10-22 05:42 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\dsetup32.dll
2010-10-22 05:42 . 2010-10-22 05:42 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\DSETUP.dll
2010-10-22 05:42 . 2010-10-22 05:42 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\DXSETUP.exe
2010-10-22 05:42 . 2010-10-22 05:42 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\dsetup32.dll
2010-10-22 05:41 . 2010-10-22 05:41 -------- d-----w- c:\users\Don\AppData\Local\Windows Live
2010-10-22 05:40 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 21:38 . 2010-10-21 21:38 -------- d-----w- c:\users\Don\AppData\Local\Microsoft Corporation
2010-10-21 21:37 . 2010-10-21 21:37 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-21 21:24 . 2010-10-21 21:24 -------- d-----w- c:\programdata\Microsoft Corporation
2010-10-21 14:02 . 2010-10-21 14:02 -------- d-----w- c:\program files\ERUNT
2010-10-20 18:55 . 2010-10-20 18:55 -------- d-----w- c:\users\Don\AppData\Roaming\Malwarebytes
2010-10-20 18:54 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54 . 2010-10-20 18:54 -------- d-----w- c:\programdata\Malwarebytes
2010-10-20 18:54 . 2010-10-20 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 18:54 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 20:35 . 2010-10-18 08:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{842615C3-7176-461C-A29D-133AE26D34E2}\mpengine.dll
2010-10-18 21:46 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02 . 2010-10-17 15:47 -------- d-----w- c:\programdata\STOPzilla!
2010-10-16 16:25 . 2010-10-17 12:52 -------- d-----w- c:\users\Don\AppData\Local\Paint.NET
2010-10-15 16:13 . 2002-07-17 14:23 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13 . 2002-07-17 14:20 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13 . 2010-10-16 09:17 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:48 . 2010-10-15 15:48 -------- d-----w- c:\users\Don\AppData\Roaming\dvdcss
2010-10-15 15:47 . 2010-10-15 15:48 -------- d-----w- c:\users\Don\Copied Films and Discs
2010-10-14 12:55 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-14 12:55 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-14 12:55 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-08 22:51 . 2010-10-08 22:52 -------- d-----w- c:\users\Don\Fireshot captures
2010-10-08 22:46 . 2010-10-08 22:46 -------- d-----w- c:\users\Don\AppData\Roaming\FireShot
2010-10-08 16:51 . 2010-09-30 15:09 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-08 16:51 . 2010-09-30 15:09 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-06 21:20 . 2010-10-06 21:20 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18 . 2010-10-06 21:18 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49 . 2008-05-07 15:03 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49 . 2010-10-06 20:49 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 17:10 . 2008-11-20 18:42 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15 . 2010-06-07 14:26 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-22 23:47 . 2010-09-22 23:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 23:32 . 2010-09-22 23:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-15 03:50 . 2010-04-17 15:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-29 15:18 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-03-13 15:12 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-03-13 15:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-03-13 15:12 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-03-13 15:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-03-13 15:12 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2009-03-13 15:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-26 16:33 . 2010-10-26 17:17 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-26 17:17 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33 . 2010-10-26 17:17 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-26 17:17 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-17 14:11 . 2010-09-15 13:36 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-05 17:10 . 2010-08-05 17:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-20 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]

c:\users\Don\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3255058789-4097180596-3726220330-1000]
"EnableNotificationsRef"=dword:00000002

R0 rpcnetp;rpcnetp; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-05 43792]
S1 aswSP;aswSP; [x]
S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-05-12 1872320]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-01-06 142648]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-01-15 48472]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-06 10:14]

2010-09-11 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-09-11 17:08]

2010-10-27 c:\windows\Tasks\User_Feed_Synchronization-{C3424DA8-C7DF-4615-AD60-46AA957ED8B3}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\Nitro PDF\PDF Download\nitroweb.htm
FF - ProfilePath - c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4974A391-29D6-4419-A63B-49C1C7142489} - (no file)
WebBrowser-{31C7D459-9CC3-44F2-9DCA-FC11795309B4} - (no file)
HKCU-Run-Privacy Suite RiskMonitor - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 19:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\My Lockbox

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,d1,ba,c3,57,b6,70,4a,8b,33,4b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,d1,ba,c3,57,b6,70,4a,8b,33,4b,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-10-27 19:47:29
ComboFix-quarantined-files.txt 2010-10-27 18:47

Pre-Run: 40,349,716,480 bytes free
Post-Run: 40,130,482,176 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - 168D35DA9C57F9F1B94F52837E007E1B
DDS (Ver_10-10-21.01) - NTFSx86
Run by Don at 19:54:13.66 on 27/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.988 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\fsproflt.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Don\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.85.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\don\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-3-25 43792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 165584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-11-5 25896]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-31 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-13 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-3-25 142648]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-6 1153368]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-26 187904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-26 111616]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-10-15 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-10-6 41984]
S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [2007-3-3 57472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
SUnknown rpcnetp;rpcnetp; [x]

=============== Created Last 30 ================

2010-10-27 18:47:37 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-27 18:47:31 -------- d-----w- c:\users\don\appdata\local\temp
2010-10-27 18:21:33 98816 ----a-w- c:\windows\sed.exe
2010-10-27 18:21:33 79872 ----a-w- c:\windows\MBR.exe
2010-10-27 18:21:33 256512 ----a-w- c:\windows\PEV.exe
2010-10-27 18:21:33 161792 ----a-w- c:\windows\SWREG.exe
2010-10-27 18:19:33 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-10-27 18:19:19 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-10-27 18:17:52 -------- d-----w- C:\ComboFix
2010-10-26 17:17:25 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 17:17:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 17:17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-23 11:27:16 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-22 05:54:22 -------- d-----w- c:\windows\en
2010-10-22 05:53:56 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 05:50:05 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 05:50:05 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 05:50:05 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-22 05:43:21 469256 ----a-w- c:\program files\common files\windows live\.cache\730d7101cb71ac2c\InstallManager_WLE_WLE.exe
2010-10-22 05:42:54 15712 ----a-w- c:\program files\common files\windows live\.cache\f92d9ef01cb71ab1f\MeshBetaRemover.exe
2010-10-22 05:42:33 94040 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DSETUP.dll
2010-10-22 05:42:33 525656 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DXSETUP.exe
2010-10-22 05:42:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\dsetup32.dll
2010-10-22 05:42:31 94040 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DSETUP.dll
2010-10-22 05:42:31 525656 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DXSETUP.exe
2010-10-22 05:42:31 1691480 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\dsetup32.dll
2010-10-22 05:41:19 -------- d-----w- c:\users\don\appdata\local\Windows Live
2010-10-22 05:40:42 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 21:38:45 -------- d-----w- c:\users\don\appdata\local\Microsoft Corporation
2010-10-21 21:37:19 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-20 18:55:03 -------- d-----w- c:\users\don\appdata\roaming\Malwarebytes
2010-10-20 18:54:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-20 18:54:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 18:54:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 20:35:13 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{842615c3-7176-461c-a29d-133ae26d34e2}\mpengine.dll
2010-10-18 21:46:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02:58 -------- d-----w- c:\progra~2\STOPzilla!
2010-10-16 16:25:20 -------- d-----w- c:\users\don\appdata\local\Paint.NET
2010-10-15 16:13:26 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13:26 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13:12 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:47:41 -------- d-----w- c:\users\don\Copied Films and Discs
2010-10-14 12:55:59 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 12:55:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55:17 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55:16 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55:16 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55:16 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55:15 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55:05 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55:03 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-14 12:55:03 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55:01 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-13 14:27:54 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-10-08 22:51:35 -------- d-----w- c:\users\don\Fireshot captures
2010-10-08 22:46:44 -------- d-----w- c:\users\don\appdata\roaming\FireShot
2010-10-08 16:51:17 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-08 16:51:17 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-06 21:20:31 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18:20 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49:48 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49:47 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45:37 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45:23 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-27 17:10:23 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15:06 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-22 23:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 23:32:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-15 03:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 19:54:52.03 ===============

Blade81
2010-10-27, 21:28
Hi,

Upload c:\windows\System32\autochk.exe file to http://www.virustotal.com (reanalyze if asked) and post back the results or a link to the results.


Open notepad and copy/paste the text in the quotebox below into it:



Firefox::
FF - ProfilePath - c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\
FF - prefs.js: keyword.URL - hxxp://www.veerboo.com/results.php?q=
DDS::
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Uninstall these old Javas:
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 7


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).

Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

oculentum
2010-10-28, 07:53
Sorry for the delay, the Kaspersky scan took a long time!

The old Javas have been uninstalled.

Reports as follows:


0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: autochk.exe
Submission date: 2010-10-27 19:39:13 (UTC)
Current status: queued (#25) queued (#15) analysing finished


Result: 0/ 40 (0.0%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AntiVir 7.10.13.59 2010.10.27 -
Antiy-AVL 2.0.3.7 2010.10.27 -
Authentium 5.2.0.5 2010.10.27 -
Avast 4.8.1351.0 2010.10.27 -
Avast5 5.0.594.0 2010.10.27 -
BitDefender 7.2 2010.10.27 -
CAT-QuickHeal 11.00 2010.10.26 -
ClamAV 0.96.2.0-git 2010.10.27 -
Comodo 6530 2010.10.27 -
Comodo 6530 2010.10.27 -
Comodo 6530 2010.10.27 -
DrWeb 5.0.2.03300 2010.10.27 -
Emsisoft 5.0.0.50 2010.10.27 -
eTrust-Vet 36.1.7939 2010.10.27 -
F-Prot 4.6.2.117 2010.10.26 -
F-Secure 9.0.16160.0 2010.10.27 -
Fortinet 4.2.249.0 2010.10.27 -
GData 21 2010.10.27 -
Ikarus T3.1.1.90.0 2010.10.27 -
Jiangmin 13.0.900 2010.10.27 -
K7AntiVirus 9.66.2847 2010.10.27 -
Kaspersky 7.0.0.125 2010.10.27 -
McAfee 5.400.0.1158 2010.10.27 -
McAfee-GW-Edition 2010.1C 2010.10.27 -
Microsoft 1.6301 2010.10.27 -
NOD32 5568 2010.10.27 -
nProtect 2010-10-27.01 2010.10.27 -
Panda 10.0.2.7 2010.10.27 -
PCTools 7.0.3.5 2010.10.27 -
Prevx 3.0 2010.10.27 -
Rising 22.71.01.04 2010.10.27 -
Sophos 4.58.0 2010.10.27 -
SUPERAntiSpyware 4.40.0.1006 2010.10.27 -
Symantec 20101.2.0.161 2010.10.27 -
TheHacker 6.7.0.1.069 2010.10.27 -
TrendMicro 9.120.0.1004 2010.10.27 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.27 -
VBA32 3.12.14.1 2010.10.27 -
ViRobot 2010.10.25.4110 2010.10.27 -
VirusBuster 12.70.8.0 2010.10.27 -


Additional information

MD5 : 4268ea2e81a50d929ec17ef7eb92616a
SHA1 : 188bbd66cc7907c5e58296961e602d9bfcc1f3f3
SHA256: ba7ec81d0c0f2e2abdbc60386901ac4b7574ee39345613eebfe3435164009058
ssdeep: 12288:3ASEAtt25iCeWblH8BYP7JcCAUC6B+KYQmvFNo:3A4/u/VbbPdcC/XBbYFv3
File size : 643072 bytes
First seen: 2010-10-27 19:39:13
Last seen : 2010-10-27 19:39:13
TrID:
Unknown!
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


ComboFix 10-10-26.04 - Don 27/10/2010 21:18:03.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1133 [GMT 1:00]
Running from: c:\users\Don\Desktop\ComboFix.exe
Command switches used :: c:\users\Don\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 20:27 . 2010-10-27 20:31 -------- d-----w- c:\users\Don\AppData\Local\temp
2010-10-27 20:27 . 2010-10-27 20:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-27 18:19 . 2010-10-27 20:29 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-10-27 18:19 . 2010-10-27 20:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-10-26 17:17 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 17:17 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 17:17 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-22 05:54 . 2010-10-22 05:54 -------- d-----w- c:\windows\en
2010-10-22 05:53 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 05:50 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 05:50 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 05:50 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-22 05:43 . 2010-10-22 05:43 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\730d7101cb71ac2c\InstallManager_WLE_WLE.exe
2010-10-22 05:42 . 2010-10-22 05:42 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\f92d9ef01cb71ab1f\MeshBetaRemover.exe
2010-10-22 05:42 . 2010-10-22 05:42 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\DSETUP.dll
2010-10-22 05:42 . 2010-10-22 05:42 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\DXSETUP.exe
2010-10-22 05:42 . 2010-10-22 05:42 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\ebda8c901cb71ab18\dsetup32.dll
2010-10-22 05:42 . 2010-10-22 05:42 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\DSETUP.dll
2010-10-22 05:42 . 2010-10-22 05:42 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\DXSETUP.exe
2010-10-22 05:42 . 2010-10-22 05:42 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\ea568c701cb71ab17\dsetup32.dll
2010-10-22 05:41 . 2010-10-22 05:41 -------- d-----w- c:\users\Don\AppData\Local\Windows Live
2010-10-22 05:40 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 21:38 . 2010-10-21 21:38 -------- d-----w- c:\users\Don\AppData\Local\Microsoft Corporation
2010-10-21 21:37 . 2010-10-21 21:37 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-21 21:24 . 2010-10-21 21:24 -------- d-----w- c:\programdata\Microsoft Corporation
2010-10-20 18:55 . 2010-10-20 18:55 -------- d-----w- c:\users\Don\AppData\Roaming\Malwarebytes
2010-10-20 18:54 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54 . 2010-10-20 18:54 -------- d-----w- c:\programdata\Malwarebytes
2010-10-20 18:54 . 2010-10-20 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-20 18:54 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 20:35 . 2010-10-18 08:41 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{842615C3-7176-461C-A29D-133AE26D34E2}\mpengine.dll
2010-10-18 21:46 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02 . 2010-10-17 15:47 -------- d-----w- c:\programdata\STOPzilla!
2010-10-16 16:25 . 2010-10-17 12:52 -------- d-----w- c:\users\Don\AppData\Local\Paint.NET
2010-10-15 16:13 . 2002-07-17 14:23 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13 . 2002-07-17 14:20 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13 . 2010-10-16 09:17 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:48 . 2010-10-15 15:48 -------- d-----w- c:\users\Don\AppData\Roaming\dvdcss
2010-10-15 15:47 . 2010-10-15 15:48 -------- d-----w- c:\users\Don\Copied Films and Discs
2010-10-14 12:55 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2010-10-14 12:55 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55 . 2010-06-28 17:00 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55 . 2010-06-28 14:54 339968 ----a-w- c:\program files\Windows NT\Accessories\wordpad.exe
2010-10-14 12:55 . 2010-08-26 16:37 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-08 22:51 . 2010-10-08 22:52 -------- d-----w- c:\users\Don\Fireshot captures
2010-10-08 22:46 . 2010-10-08 22:46 -------- d-----w- c:\users\Don\AppData\Roaming\FireShot
2010-10-08 16:51 . 2010-09-30 15:09 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-08 16:51 . 2010-09-30 15:09 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-06 21:20 . 2010-10-06 21:20 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18 . 2010-10-06 21:18 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49 . 2008-05-07 15:03 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49 . 2010-10-06 20:49 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45 . 2010-06-22 13:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-27 17:10 . 2008-11-20 18:42 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15 . 2010-06-07 14:26 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-22 23:47 . 2010-09-22 23:47 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 23:32 . 2010-09-22 23:32 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-15 03:50 . 2010-04-17 15:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 10:17 . 2010-09-08 10:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-07 15:12 . 2010-06-29 15:18 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-03-13 15:12 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-03-13 15:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-03-13 15:12 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-03-13 15:12 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-03-13 15:12 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-09-07 14:47 . 2009-03-13 15:12 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-26 16:33 . 2010-10-26 17:17 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-26 17:17 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33 . 2010-10-26 17:17 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-26 17:17 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-17 14:11 . 2010-09-15 13:36 128000 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-05 17:10 . 2010-08-05 17:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-20 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-22 4240760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3255058789-4097180596-3726220330-1000]
"EnableNotificationsRef"=dword:00000002

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S0 FSProFilter;FSPro File Filter;c:\windows\System32\Drivers\FSPFltd.sys [2008-06-05 43792]
S0 rpcnetp;rpcnetp; [x]
S1 aswSP;aswSP; [x]
S2 a2free;a-squared Free Service;c:\program files\a-squared Free\a2service.exe [2010-05-12 1872320]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-09-07 50768]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-01-06 142648]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-02-01 187904]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2007-06-06 111616]
S3 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-01-15 48472]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2007-04-09 8192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-11-06 10:14]

2010-10-27 c:\windows\Tasks\User_Feed_Synchronization-{C3424DA8-C7DF-4615-AD60-46AA957ED8B3}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\Nitro PDF\PDF Download\nitroweb.htm
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,d1,ba,c3,57,b6,70,4a,8b,33,4b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,d1,ba,c3,57,b6,70,4a,8b,33,4b,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\O2Micro Flash Memory Card Driver\o2flash.exe
c:\windows\System32\rpcnetp.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\TalkTalk\bin\sprtsvc.exe
c:\program files\Common Files\Supportsoft\bin\tgsrvc.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\conime.exe
c:\program files\Alwil Software\Avast5\AvastUI.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-10-27 21:35:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-27 20:35
ComboFix2.txt 2010-10-27 18:47

Pre-Run: 40,179,585,024 bytes free
Post-Run: 40,122,572,800 bytes free

- - End Of File - - 75037A6F01940A07EDD3A1F9BA29127D


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 28, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, October 27, 2010 14:50:57
Records in database: 4179029
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 155193
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:19:00

No threats found. Scanned area is clean.

Selected area has been scanned.




DDS (Ver_10-10-21.01) - NTFSx86
Run by Don at 6:41:30.85 on 28/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2038.1237 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\fsproflt.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Don\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Disabled:{5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.85.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.msn.com/?ocid=hmlogout
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\FFExternalAlert.dll
FF - component: c:\users\don\appdata\roaming\mozilla\firefox\profiles\dbhpypvr.default\extensions\{4974a391-29d6-4419-a63b-49c1c7142489}\components\RadioWMPCore.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [2010-3-25 43792]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-3-13 165584]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\drivers\RtlProt.sys [2007-11-5 25896]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-31 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-13 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-3-13 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [2010-3-25 142648]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-11-6 1153368]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-2-26 187904]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-2-26 111616]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-1-15 48472]
R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-4-9 8192]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b90bc6621174;Google Update Service (gupdate1c9b90bc6621174);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-10-15 84832]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-8 40384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-22 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2009-10-6 41984]
S3 WipeFile;WipeFile;c:\windows\system32\drivers\WipeFile.sys [2007-3-3 57472]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-27 20:36:01 -------- d-----w- c:\users\don\appdata\local\temp
2010-10-27 20:30:59 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-27 18:21:33 98816 ----a-w- c:\windows\sed.exe
2010-10-27 18:21:33 79872 ----a-w- c:\windows\MBR.exe
2010-10-27 18:21:33 256512 ----a-w- c:\windows\PEV.exe
2010-10-27 18:21:33 161792 ----a-w- c:\windows\SWREG.exe
2010-10-27 18:19:33 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2010-10-27 18:19:19 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-10-26 17:17:25 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-26 17:17:24 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-26 17:17:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-23 11:27:16 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-22 05:54:22 -------- d-----w- c:\windows\en
2010-10-22 05:53:56 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 05:50:05 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 05:50:05 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 05:50:05 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-22 05:43:21 469256 ----a-w- c:\program files\common files\windows live\.cache\730d7101cb71ac2c\InstallManager_WLE_WLE.exe
2010-10-22 05:42:54 15712 ----a-w- c:\program files\common files\windows live\.cache\f92d9ef01cb71ab1f\MeshBetaRemover.exe
2010-10-22 05:42:33 94040 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DSETUP.dll
2010-10-22 05:42:33 525656 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\DXSETUP.exe
2010-10-22 05:42:33 1691480 ----a-w- c:\program files\common files\windows live\.cache\ebda8c901cb71ab18\dsetup32.dll
2010-10-22 05:42:31 94040 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DSETUP.dll
2010-10-22 05:42:31 525656 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\DXSETUP.exe
2010-10-22 05:42:31 1691480 ----a-w- c:\program files\common files\windows live\.cache\ea568c701cb71ab17\dsetup32.dll
2010-10-22 05:41:19 -------- d-----w- c:\users\don\appdata\local\Windows Live
2010-10-22 05:40:42 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 21:38:45 -------- d-----w- c:\users\don\appdata\local\Microsoft Corporation
2010-10-21 21:37:19 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-10-20 18:55:03 -------- d-----w- c:\users\don\appdata\roaming\Malwarebytes
2010-10-20 18:54:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 18:54:47 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-20 18:54:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-20 18:54:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 20:35:13 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{842615c3-7176-461c-a29d-133ae26d34e2}\mpengine.dll
2010-10-18 21:46:59 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-10-17 12:02:58 -------- d-----w- c:\progra~2\STOPzilla!
2010-10-16 16:25:20 -------- d-----w- c:\users\don\appdata\local\Paint.NET
2010-10-15 16:13:26 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-10-15 16:13:26 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-10-15 16:13:12 -------- d-----w- c:\program files\Free DVD Ripper
2010-10-15 15:47:41 -------- d-----w- c:\users\don\Copied Films and Discs
2010-10-14 12:55:59 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-14 12:55:44 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-14 12:55:17 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-14 12:55:16 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-14 12:55:16 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-14 12:55:16 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-14 12:55:15 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-14 12:55:05 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-14 12:55:03 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-14 12:55:03 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-14 12:55:01 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-10-13 14:27:54 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2010-10-08 22:51:35 -------- d-----w- c:\users\don\Fireshot captures
2010-10-08 22:46:44 -------- d-----w- c:\users\don\appdata\roaming\FireShot
2010-10-08 16:51:17 30016 ----a-w- c:\windows\system32\uxtuneup.dll
2010-10-08 16:51:17 21312 ----a-w- c:\windows\system32\authuitu.dll
2010-10-06 21:20:31 -------- d-----w- c:\program files\Tracker Software
2010-10-06 21:18:20 -------- d-----w- c:\program files\DVDSmith Movie Backup
2010-10-06 20:49:48 290816 ----a-w- c:\windows\system32\cyviewer.ocx
2010-10-06 20:49:47 -------- d-----w- c:\program files\Ashampoo
2010-09-28 18:45:37 2048 ----a-w- c:\windows\system32\tzres.dll
2010-09-28 18:45:23 13312 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-10-27 20:58:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-27 17:10:23 44544 ----a-w- c:\windows\system32\agremove.exe
2010-09-30 15:15:06 30528 ----a-w- c:\windows\system32\TURegOpt.exe
2010-09-22 23:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 23:32:56 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-08 10:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 6:42:22.05 ===============

Blade81
2010-10-28, 09:15
Good. Does redirecting still occur?

oculentum
2010-10-28, 18:53
Yes, redirecting does still occur sporadically.

Blade81
2010-10-28, 19:21
Hi,

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed. To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista). When prompted to run the scan, click Yes. GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

oculentum
2010-10-28, 19:58
GooredFix by jpshortstuff (03.07.10.1)
Log created at 18:55 on 28/10/2010 (Don)
Firefox version 3.6.11 (en-GB)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
updater@foxstart.com [14:27 13/10/2010]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:27 13/10/2010]
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [20:58 27/10/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

Blade81
2010-10-28, 20:43
Hi,


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Copy-paste the following contents into the custom scan area:
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
c:\users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\dbhpypvr.default\extensions\*.* /s
C:\Program Files\Mozilla Firefox\extensions\*.* /s

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Attach OTL.txt to your post.

oculentum
2010-10-28, 21:13
OTL.txt attached

Blade81
2010-10-28, 21:54
Hi,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu and select Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer

Start OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
FF - prefs.js..browser.search.defaultenginename: "www.google-feed.net"
FF - prefs.js..browser.search.order.1: "Web Search"
FF - prefs.js..browser.search.order.2: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..keyword.URL: "http://www.veerboo.com/results.php?q="
:Commands
[emptytemp]


Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
Then post the results and a new OTL log (the latter requires a new run of OTL).
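
As an added example (not part of the thread and not the OTL tool's own code), here is a small Python audit that parses a Firefox prefs.js and flags the same search-hijack entries the fix above removes: keyword.URL pointing at an unknown host, an unknown default engine, and a pinned search order. The allowlists, the sample prefs.js and the function names are assumptions constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple
from urllib.parse import urlsplit

# One prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed allowlists (not from the thread); tune them to the profile's real defaults.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
KNOWN_ENGINE_NAMES = {"Google", "Bing", "Yahoo", "Wikipedia (en)"}

# Constructed sample: the hijacked entries mirror the OTL fix in the post above.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://uk.msn.com/?ocid=hmlogout");
user_pref("browser.search.defaultenginename", "www.google-feed.net");
user_pref("browser.search.order.1", "Web Search");
user_pref("browser.search.order.2", "Google");
user_pref("browser.search.useDBForOrder", true);
user_pref("keyword.URL", "http://www.veerboo.com/results.php?q=");
user_pref("dom.ipc.plugins.enabled", false);
"""


class Finding(NamedTuple):
    pref: str
    value: object
    severity: str  # "high" or "medium"
    reason: str


def _decode(raw: str):
    """Turn the literal on the right of a pref() call into a Python value."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # keep anything unusual as-is so it is still audited


def parse_prefs(text: str) -> Dict[str, object]:
    """Parse prefs.js text into a dict; comment and blank lines are skipped."""
    prefs: Dict[str, object] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _decode(m.group(2))
    return prefs


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def audit_prefs(prefs: Dict[str, object]) -> List[Finding]:
    """Flag search-related prefs that point anywhere other than known providers."""
    findings: List[Finding] = []

    # keyword.URL receives whatever is typed in the address bar that is not a URL.
    kw = prefs.get("keyword.URL")
    if isinstance(kw, str) and kw and host_of(kw) not in KNOWN_SEARCH_HOSTS:
        findings.append(Finding("keyword.URL", kw, "high",
                                "address-bar searches sent to unknown host " + host_of(kw)))

    # The engine the search box uses by default.
    default = prefs.get("browser.search.defaultenginename")
    if isinstance(default, str) and default not in KNOWN_ENGINE_NAMES:
        findings.append(Finding("browser.search.defaultenginename", default, "high",
                                "default search engine is not a known provider"))

    # browser.search.order.N pins the engine list; an unknown name there is suspect.
    for name, value in sorted(prefs.items()):
        if name.startswith("browser.search.order.") and value not in KNOWN_ENGINE_NAMES:
            findings.append(Finding(name, value, "high",
                                    "unknown engine pinned in search order"))

    # useDBForOrder=true accompanied the tampered order in the thread's fix; flag it
    # only when the order itself is tampered, so a clean profile is not noised up.
    tampered_order = any(f.pref.startswith("browser.search.order.") for f in findings)
    if prefs.get("browser.search.useDBForOrder") is True and tampered_order:
        findings.append(Finding("browser.search.useDBForOrder", True, "medium",
                                "search order forced while the order itself is tampered"))
    return findings


def remediate(prefs: Dict[str, object],
              findings: List[Finding]) -> Tuple[Dict[str, object], List[str]]:
    """Drop every flagged pref and report it in the same shape as the OTL log above."""
    cleaned = dict(prefs)
    log: List[str] = []
    for f in findings:
        if f.pref in cleaned:
            shown = f'"{f.value}"' if isinstance(f.value, str) else str(f.value).lower()
            log.append(f"Prefs.js: {shown} removed from {f.pref}")
            del cleaned[f.pref]
    return cleaned, log


if __name__ == "__main__":
    found = audit_prefs(parse_prefs(SAMPLE_PREFS_JS))
    for f in found:
        print(f"[{f.severity}] {f.pref} = {f.value!r}: {f.reason}")
```

On a live profile, point parse_prefs at the prefs.js under the profile directory with Firefox closed, and treat any "high" finding as a reason to reset the search prefs rather than to keep the entries.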

oculentum
2010-10-28, 22:36
I hope I understood your instructions for the new OTL log :confused:


All processes killed
========== OTL ==========
Prefs.js: "www.google-feed.net" removed from browser.search.defaultenginename
Prefs.js: "Web Search" removed from browser.search.order.1
Prefs.js: "Google" removed from browser.search.order.2
Prefs.js: true removed from browser.search.useDBForOrder
Prefs.js: "http://www.veerboo.com/results.php?q=" removed from keyword.URL
========== COMMANDS ==========

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6 bytes
->Flash cache emptied: 2877 bytes

User: Don
->Temp folder emptied: 108865779 bytes
->Temporary Internet Files folder emptied: 53188702 bytes
->Java cache emptied: 35810777 bytes
->FireFox cache emptied: 42567776 bytes
->Flash cache emptied: 23414 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 52610 bytes

Total Files Cleaned = 229.00 mb


OTL by OldTimer - Version 3.2.17.1 log created on 10282010_210705

Files\Folders moved on Reboot...
C:\Users\Don\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\88MGX2YI\showthread[1].htm moved successfully.
C:\Users\Don\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Blade81
2010-10-29, 07:13
Yes, you understood it right :)

Did that help with redirect issue?

oculentum
2010-10-29, 08:10
Hi, thanks for the reassurance!

Has it helped? ... well, not really ... the redirect still happens but it now takes about 5 or 6 seconds before it kicks in, instead of immediately.

Blade81
2010-10-29, 08:36
Hi,

Time to reinstall Firefox I think. You have to do a complete uninstall first. Backup bookmarks (http://support.mozilla.com/en-US/kb/Backing+up+and+restoring+bookmarks) if needed and then follow instructions here (support.mozilla.com/kb/uninstalling+Firefox) (make sure you select Remove my Firefox personal data option while uninstalling).

Reinstall Firefox and see if problem still occurs (post fresh OTL.txt).

oculentum
2010-10-29, 20:48
Hi, old Firefox uninstalled, new installation completed and so far, so good - it hasn't yet redirected. I think maybe you have worked your magic once again! :rockon:

Here's the OTL log, too.

Blade81
2010-10-29, 21:37
Good to hear that had some effect :)

If no other issues, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.


Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK




Double-click OTL.exe.
Click the CleanUp! button.
Select Yes when the Begin cleanup Process? prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the start button (at the lower left hand corner of your screen)
Click run
In the dialog box, type services.msc and hit enter, then locate dns client
Highlight it, then double-click it. On the dropdown box, change the setting from automatic to manual.
Click ok
Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

oculentum
2010-10-30, 00:37
Well, I've worked through all the steps (surprisingly, the internet security settings were already as you suggested they should be) and updated/patched the programs which Secunia PSI found to be wanting. The only program which repeatedly comes up in the scan is ... you guessed it ... Firefox! :rolleyes:

I guess I can live with that, so thanks for all your help over the past few days.

Blade81
2010-10-30, 10:35
You're welcome :)


> The only program which repeatedly comes up in the scan is ... you guessed it ... Firefox! :rolleyes:

What does it say about that?

oculentum
2010-10-30, 13:24
Secunia PSI (in Simple Mode) is reporting that Mozilla Firefox 3.6.x is an Insecure Program (security threat), Category 5.

I have downloaded/applied the suggested Solution twice but the warning remains.

Blade81
2010-10-30, 13:34
Have a try in advanced mode and see if it shows where the bad item is. Seems that someone else has a similar issue (http://secunia.com/community/forum/thread/show/6190/detects_3_6_12_as_3_6_11).

oculentum
2010-10-30, 14:18
In Advanced Mode, on the Insecure tab, PSI gives the installation path as C:\Windows\ERDNT\cache\firefox.exe and detects the version as 3.6.11

When I start Firefox and look at the About Firefox information it shows that I am using version 3.6.12

Blade81
2010-10-30, 14:51
Please delete C:\Windows\ERDNT\cache\firefox.exe file.

oculentum
2010-10-30, 15:39
Success! Firefox is no longer showing as insecure.

However, on the Secure Browsing tab there are two instances of Microsoft Internet Explorer 8.x marked as not secure for browsing with at least 4 critical attack vectors, and one instance of Mozilla Firefox 3.6.x with at least one critical attack vector.

The IE 8.x instances both report the same vulnerabilities:

Adobe Flash Player 10.x
(C:\Windows\System32\Macromed\Flash\Flash10k.ocx)

Microsoft Internet Explorer 8.x
(C:\Program Files\Internet Explorer\iexplore.exe)

Microsoft Internet Explorer 8.x
(C:\Windows\ERDNT\cache\iexplore.exe)

SupportSoft ActiveX Controls 6.x
(C:\Program Files\Common Files\SupportSoft\bin\ssctlsma.dll)


The Mozilla Firefox 3.6.x instance reports the following vulnerability:

Adobe Flash Player 10.x
(C:\Windows\System32\Macromed\Flash\NPSWF32.dll)

Blade81
2010-10-30, 16:24
Hi,

Those remaining ones are likely issues that haven't got a patch available yet. Secunia program shows such things too.

oculentum
2010-10-30, 16:39
In that case, once again please accept my grateful thanks for helping to clear and clean my computer. I'll have no hesitation in using this site again (although I hope I shan't have to!) or in recommending it to anybody else having problems!

I wish you well.

:)

Blade81
2010-10-30, 18:18
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.