pcyouzer
2011-05-05, 03:23
(This is a little long)
I had this problem before but I forgot how I got rid of it. I didn't reformat my hard drive. The problem is in Internet Explorer too, not just Firefox.
I ran MBAM and TDSSKiller about 10 times, CCleaner, and just ran ComboFix. I saw this YouTube video http://www.youtube.com/watch?v=TLVifFbLIso and did everything it said. I tried doing a Google search on another drive but there are so many methods.
First, I had a few bugs long before this. I think it started with WinRAR. I tried googling a free original version of WinRAR (not the demo) and I downloaded what I thought to be a real WinRAR, but it was a demo. Then a day later (or something, I dunno) I got some pop-up windows every time I booted my computer. One window was a WinRAR installation window, another was a Windows Explorer error. The last was a Firefox error; it would randomly be the same 1-4 windows, the one where it says "send error report". I was too lazy to deal with it then so I just ignored it and closed the windows when they came up. But finally yesterday my computer got too messed up to use. I googled a sports streaming site for something I wanted to watch; my other streams were too laggy or had other problems. I forgot the site, but within 30 minutes my screen went blue, and had a
Yesterday I got the Google redirect virus, not sure how. I was on a sports streaming website, this one I googled for what I wanted to watch because my other streams were too slow or had problems. Then maybe 20 minutes later a virus got on my system tray and turned the screen blue. I can't remember what it was; I've dealt with things like that and all I had to do was run MBAM to get rid of it. It was probably "Windows Virus Removal" or something like that. So after I ran MBAM it was gone and it got rid of the pop-up windows that show up when the computer starts up. So the computer's back to normal. But then when I use Google I see the redirect virus is back.
Also, every time I close all of the Firefox browsers I have running, it changes my "connection settings" to "manual proxy configuration" with proxy 127.0.0.1. I have to change it back to "no proxy" to use Firefox.
Other web search sites work; I tried Yahoo and it was fine. I can still use the internet at normal speed. I just can't do anything through Google. I have to type in or copy-paste the URL address if it's not in my bookmarks. When I use Google search it takes a while.
Here's the ComboFix log. I didn't really read it, I'm not that good with computers. Hoping someone here can help me get rid of this piece of ****. :)
ComboFix 11-05-04.02 - Sandesh 05/04/2011 14:13:34.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1510 [GMT -7:00]
Running from: c:\documents and settings\Sandesh\My Documents\Downloads\ComboFix.exe
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614
c:\documents and settings\All Users\Application Data\bC28614ClCpD28614\bC28614ClCpD28614.exe
c:\documents and settings\Sandesh\Application Data\chrtmp
c:\documents and settings\Sandesh\Application Data\SQLite3.dll
C:\Microsoft
c:\windows\system32\install
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-04 17:57 . 2011-05-04 17:57 -------- d-----w- c:\program files\CCleaner
2011-05-04 17:12 . 2011-05-04 17:12 -------- d-----w- c:\documents and settings\Sandesh\Local Settings\Application Data\Threat Expert
2011-05-04 01:06 . 2011-01-07 21:54 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-05-04 01:06 . 2011-01-07 21:54 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-05-04 01:06 . 2011-01-07 21:54 2000848 ----a-w- c:\windows\PCTBDCore.dll
2011-05-04 01:06 . 2011-01-07 21:54 767952 ----a-w- c:\windows\BDTSupport.dll
2011-05-04 01:05 . 2010-07-16 21:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-05-04 01:05 . 2010-07-16 21:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-05-04 01:05 . 2011-01-17 16:10 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-05-04 01:04 . 2010-12-10 23:57 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-05-04 01:04 . 2010-12-10 20:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-05-04 01:04 . 2010-12-16 15:46 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-05-04 01:04 . 2011-05-04 01:33 -------- d-----w- c:\program files\PC Tools Security
2011-05-04 01:04 . 2011-05-04 01:06 -------- d-----w- c:\program files\Common Files\PC Tools
2011-05-04 01:04 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\Sandesh\Application Data\PC Tools
2011-05-04 01:04 . 2011-05-04 21:00 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-05-04 01:03 . 2011-05-04 01:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-05-03 19:14 . 2011-05-03 19:14 55552 ---ha-w- c:\windows\system32\netding6.tmp
2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\Sandesh\Application Data\Malwarebytes
2011-05-03 02:54 . 2011-05-03 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-03 02:54 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-03 02:53 . 2011-05-03 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-03 02:53 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-03 01:34 . 2011-05-03 01:34 0 ---ha-w- c:\documents and settings\Sandesh\Local Settings\Application Data\BIT3.tmp
2011-04-30 22:49 . 2011-04-30 22:49 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 22:49 . 2011-04-30 22:49 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 22:49 . 2011-04-30 22:49 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 22:49 . 2011-04-30 22:49 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 22:49 . 2011-04-30 22:49 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 22:49 . 2011-04-30 22:49 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-30 22:49 . 2011-04-30 22:49 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-19 04:22 . 2010-05-25 03:33 108032 ----a-w- c:\windows\system32\ff_vfw.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-30 22:49 . 2011-04-30 22:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2006-02-28 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2010-09-18 06:53 974848 --sh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sh--w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sh--w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-16 2577632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-08 13880424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Sandesh^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Sandesh\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 07:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2011-01-05 17:11 4321112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CXMon]
2001-08-10 01:06 45056 ----a-w- c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_monitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 08:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-08-04 02:24 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon03]
2001-08-04 02:24 311296 ----a-w- c:\windows\system32\hphmon03.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X Configure]
2006-06-02 08:45 385024 ------r- c:\windows\system32\JMRaidTool.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
2009-07-29 22:28 252424 ----a-w- c:\windows\system32\MAFWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-01-08 03:56 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2010-11-04 16:51 1753192 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 10:07 843776 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateUSB]
2006-06-23 06:48 32768 ----a-r- c:\windows\inf\UpdateUSB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"wscsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/3/2011 6:04 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [5/3/2011 6:05 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [5/3/2011 6:05 PM 656320]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [5/3/2011 6:06 PM 247760]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [1/28/2011 3:18 PM 34944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/3/2001 7:24 PM 18864]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2011 5:43 PM 136176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [5/3/2011 6:04 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
.
2011-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-29 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyServer = http=127.0.0.1:55333
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Sandesh\Application Data\Mozilla\Firefox\Profiles\l53s6wij.default\
FF - prefs.js: keyword.URL - hxxp://www.zumix2.com/s/?engine=web&src=IE-Address&site=Bing&cfg=2-471-0&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55333
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HKCU - c:\windows\system32\install\server.exe
MSConfigStartUp-HKLM - c:\windows\system32\install\server.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 14:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(756)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2011-05-04 14:17:55
ComboFix-quarantined-files.txt 2011-05-04 21:17
.
Pre-Run: 2,076,930,048 bytes free
Post-Run: 2,117,832,704 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1F70F3331E618A1AB3645C051DED0152