My files are missing!!!



speedinc
2011-07-03, 09:50
OH My!!! Music, Pictures, Documents, all gone!
First, let me say that I think it started when my desktop profile got corrupted and I deleted it and created another one. When I did that, some of my browser add-ons would not work (not compatible), including my anti-virus program (Free AVG). I uninstalled it, thinking I could reinstall. It would get to a point and I would get this pop-up that said something like "Windows could not complete the install because of unauthorized or unrecognized hardware installation." I did it several times, never getting past that point. I tried to get another program, but the same message kept me from installing an anti-virus program. I continued using the box without any protection (only for one day!), then I got this message that my hard drive had crashed and that I need to download this program to fix it. That's when I noticed all my programs were gone and my documents too. I did a system restore and the programs came back, but not my documents! Oh man! My wife is gonna KILL me if I don't get her files back!!! Please, can you help me?
DDS is posted, ATTACHED is attached. Running Spybot now. Will post if there is an infection that cannot be removed.

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Dad at 2:02:43 on 2011-07-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.293 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: MasterCook Bar: {c92041c1-6d22-4069-ba0e-66246aa752b0} - c:\windows\system32\shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
Trusted Zone: trymedia.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
.
=============== Created Last 30 ================
.
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-16 01:01:22 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-11 22:12:10 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\local settings\application data\Apple
2011-06-11 22:09:25 -------- d-----w- c:\program files\Amazon
2011-06-06 21:51:31 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\FrostWire
2011-06-06 21:49:51 -------- d-----w- c:\program files\FrostWire
2011-06-06 17:55:30 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-06 17:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-06-04 00:35:03 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\.ehdc
.
==================== Find3M ====================
.
2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 2:03:45.67 ===============

Blade81
2011-07-14, 23:25
Hi,

If help is still needed, post fresh DDS logs, please.

speedinc
2011-07-14, 23:48
Found the files. They were hidden. Had to change the properties to see them all again. But I still cannot download an anti-virus program. Here's the DDS log:

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Dad at 16:36:53 on 2011-07-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.197 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} -
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
EB: MasterCook Bar: {C92041C1-6D22-4069-BA0E-66246AA752B0} - c:\windows\system32\shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: trymedia.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ipp - <Clsid value has no data>
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: msdaipp - <Clsid value has no data>
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
.
=============== Created Last 30 ================
.
2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-16 01:01:22 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 16:38:00.29 ===============
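
A small triage helper for the "Pseudo HJT Report" section of the two DDS logs posted in this thread, added here as an example and not part of the thread or of the DDS tool itself: it parses the BHO/TB/Handler/Run lines, flags registrations that no longer resolve to a file (the leftover FrostWire/Ask toolbar and AVG Safe Search entries above show up this way after a failed uninstall), and lists start/search page overrides. The sample lines are copied from the log above; the "dangling" heuristic and every function name are my own assumptions.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread; not code from the forum posts or from DDS.
Line formats are those seen in the logs above; the dangling heuristic is mine.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = """\
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} -
BHO: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\\program files\\yahoo!\\companion\\installs\\cpn\\yt.dll
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
TB: FrostWire Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} -
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\\program files\\spybot - search & destroy\\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: ipp - <Clsid value has no data>
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\\program files\\ask.com\\updater\\Updater.exe"
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Ways DDS marks a registration whose CLSID or file no longer exists.
DANGLING_MARKERS = ("no file", "<orphaned>", "<clsid value has no data>")
RUN_KINDS = ("uRun", "mRun", "dRun")
# Start/search page keys; the u/m/d prefix is DDS's user/machine/default scope.
OVERRIDE_RE = re.compile(
    r"^([umd])(Start Page|Search Page|Search Bar|Default_Page_URL|Default_Search_URL)\s*=\s*(\S+)$"
)


@dataclass(frozen=True)
class Entry:
    kind: str              # BHO, TB, Handler, mRun, ...
    name: str              # display name as DDS prints it ("" if none)
    clsid: Optional[str]   # {GUID}, upper-cased, or None
    path: str              # resolved file/command, or the DDS marker text
    dangling: bool         # registration points at no file


def _strip_tail(tail: str) -> str:
    """Drop ' - ' separators and any extra CLSID (IE: button lines carry two)."""
    tail = tail.strip()
    while True:
        m = CLSID_RE.match(tail)
        if tail.startswith("-"):
            tail = tail[1:].strip()
        elif m:
            tail = tail[m.end():].strip()
        else:
            return tail


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Pseudo-HJT line; None for lines that are not registrations."""
    m = re.match(r"^([A-Za-z]+):\s*(.*)$", line.rstrip())
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    if kind in RUN_KINDS:                          # mRun: [Name] "command" args
        rm = re.match(r"^\[(.*?)\]\s*(.*)$", rest)
        if not rm:
            return None
        cmd = rm.group(2).strip()
        return Entry(kind, rm.group(1), None, cmd, dangling=(cmd == ""))
    cm = CLSID_RE.search(rest)
    if cm:
        name = rest[:cm.start()].strip().rstrip("-:").strip()
        path, clsid = _strip_tail(rest[cm.end():]), cm.group(0).upper()
    else:                                          # Handler: ipp - <Clsid value has no data>
        name, _, path = rest.partition(" - ")
        path, clsid = path.strip(), None
        if path.lower() not in DANGLING_MARKERS:
            return None
    return Entry(kind, name, clsid, path, path == "" or path.lower() in DANGLING_MARKERS)


def dangling_entries(log_text: str) -> List[Entry]:
    """Unique registrations in the log that resolve to no file, in log order."""
    seen, out = set(), []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.dangling and e not in seen:
            seen.add(e)
            out.append(e)
    return out


def browser_overrides(log_text: str) -> List[Tuple[str, str, str]]:
    """(scope, key, url) for start/search settings; DDS writes hxxp:// to defang URLs."""
    hits = []
    for line in log_text.splitlines():
        m = OVERRIDE_RE.match(line.strip())
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for e in dangling_entries(SAMPLE_LOG):
        print(f"{e.kind:16} {e.name or '(no name)':24} {e.clsid or '-':40} -> {e.path or '<empty path>'}")
    for scope, key, url in browser_overrides(SAMPLE_LOG):
        print(f"{scope}{key} = {url}")
```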

Blade81
2011-07-15, 10:22
Hi,

First, run this (http://download.bleepingcomputer.com/grinler/unhide.exe) tool to make sure all files are properly visible now.

Please visit this webpage for download links, and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

speedinc
2011-07-16, 23:47
ComboFix says that I'm still running AVG Free, but I cannot find it to disable it. I ran the scan anyway. Here are the results:

ComboFix 11-07-15.03 - Dad 07/16/2011 16:13:11.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.342 [GMT -5:00]
Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511
c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511
c:\documents and settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511.exe
c:\documents and settings\Compaq_Administrator\Application Data\alot
c:\documents and settings\Compaq_Administrator\WINDOWS
c:\documents and settings\Dad.YOUR-4DACD0EA75\WINDOWS
c:\documents and settings\DAD\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\lexie\Application Data\alot
c:\documents and settings\lexie\WINDOWS
c:\documents and settings\MOM\Application Data\alot
c:\documents and settings\MOM\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\MOM\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\MOM\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\MOM\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\MOM\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\MOM\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\MOM\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\MOM\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\MOM\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\MOM\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\MOM\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\MOM\Application Data\alot\Button_9\Button_9.xml
c:\documents and settings\MOM\Application Data\alot\Button_9\Button_9.xml.backup
c:\documents and settings\MOM\Application Data\alot\configurator\configurator.xml
c:\documents and settings\MOM\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\MOM\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\MOM\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\MOM\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\MOM\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\MOM\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\MOM\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\MOM\Application Data\alot\products\products.xml
c:\documents and settings\MOM\Application Data\alot\products\products.xml.backup
c:\documents and settings\MOM\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\MOM\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\MOM\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_image_search.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_image_search.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_news_search.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_news_search.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_shop_search.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_shop_search.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_videos_search.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_videos_search.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_web_search.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_1\images\alot_web_search.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_2\images\alot_configure.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_2\images\alot_configure.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_3\images\default_1462_www.bhg.com_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_4\images\2989_icon.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_4\images\2989_icon.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_5\images\default_1923_default_1910_default_1510_www.bhg.com_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_5\images\default_1923_default_1910_default_1510_www.bhg.com_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_6\images\default_2113_default_1682_www.bhg.com_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_6\images\default_2113_default_1682_www.bhg.com_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_7\images\default_1105_alot_recipe_videos.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_7\images\default_1105_alot_recipe_videos.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_8\images\2065_icon.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Button_8\images\2065_icon.png
c:\documents and settings\MOM\Application Data\alot\Resources\Button_9\images\2827_icon.png
c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\intro_popup.png
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\MOM\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\MOM\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\MOM\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\MOM\Application Data\alot\toolbar.xml
c:\documents and settings\MOM\Application Data\alot\toolbar.xml.backup
c:\documents and settings\MOM\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\MOM\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\MOM\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\MOM\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
c:\documents and settings\MOM\Application Data\alot\Updater\Updater.xml
c:\documents and settings\MOM\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\MOM\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\config\systemprofile\WINDOWS
E:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
2011-07-02 20:51 . 2011-07-03 06:32 -------- d-----w- c:\windows\system32\drivers\Avg
2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33 . 2011-07-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10(2)
2011-07-01 03:59 . 2011-07-01 16:29 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38 . 2011-07-16 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
c:\documents and settings\lexie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
c:\documents and settings\DAD\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
backup=c:\windows\pss\Pandora.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
backup=c:\windows\pss\PinMcLnk.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-07-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
.
2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
.
2011-07-16 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKLM-Run-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
Notify-avgrsstarter - avgrsstx.dll
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-CleverKeys - c:\program files\Dictionary.com\CleverKeys\CK.exe
MSConfigStartUp-Google Update - c:\documents and settings\DADs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
AddRemove-AVG9Uninstall - c:\program files\AVG\AVG9\setup.exe
AddRemove-SoftwareUpdUtility - c:\program files\Common Files\Software Update Utility\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 16:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Avaya\Avaya one-X Communicator\QosServM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\System32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-16 16:38:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-16 21:38
.
Pre-Run: 111,137,021,952 bytes free
Post-Run: 111,935,500,288 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - E9F88083414F87609BA94A83301BFC01

DDS Log:

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Dad at 16:42:09 on 2011-07-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.260 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: trymedia.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ipp - <Clsid value has no data>
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: msdaipp - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys --> c:\windows\system32\drivers\avgldx86.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys --> c:\windows\system32\drivers\avgmfx86.sys [?]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\avg\avg9\avgwdsvc.exe" --> c:\program files\avg\avg9\avgwdsvc.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
.
=============== Created Last 30 ================
.
2011-07-16 21:04:21 -------- d-sha-r- C:\cmdcons
2011-07-16 21:00:51 98816 ----a-w- c:\windows\sed.exe
2011-07-16 21:00:51 256000 ----a-w- c:\windows\PEV.exe
2011-07-16 21:00:51 208896 ----a-w- c:\windows\MBR.exe
2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
2011-07-02 20:51:54 -------- d-----w- c:\windows\system32\drivers\Avg
2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 16:42:22.15 ===============

Blade81
2011-07-17, 09:57
Hi,

Try to uninstall the AVG remnants with the removal tool (http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe) for it.


Open Notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\Program Files\FrostWire
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 26 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows in the Platform combobox and check the box that says:
Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u26-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
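An added check, not from this thread nor part of DDS or ComboFix, that pulls every Java version a DDS log reveals (the BrowserJavaVersion line and the DPF plug-in entries) and lists the ones older than the 6u26 Blade81 asks for, so old plug-in registrations left behind after the Add/Remove Programs cleanup stand out in the fresh dds.txt. The sample lines are constructed from the ones posted above; the CLSID decoding follows the {CAFEEFAC-0016-0000-0021-...} = 1.6.0_21 pattern visible in those entries.

```python
import re

# Constructed sample DDS lines modelled on the ones posted in this thread
# (a pre-update BrowserJavaVersion line plus DPF entries for 6u21 and 6u26).
SAMPLE_DDS = """\
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
"""

# The release the helper asks for in this thread: JRE 6 Update 26.
LATEST = (1, 6, 0, 26)

BROWSER_JAVA_RE = re.compile(r"BrowserJavaVersion:\s*(\d+)\.(\d+)\.(\d+)_(\d+)")
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-windows", re.I)
# Java Plug-in DPF CLSIDs carry the JRE version in their middle fields,
# e.g. {CAFEEFAC-0016-0000-0021-...} is 1.6.0_21; the all-FFFF form is the
# version-independent "family" CLSID and names no particular release.
CLSID_RE = re.compile(
    r"\{CAFEEFAC-(\d{4}|FFFF)-(\d{4}|FFFF)-(\d{4}|FFFF)-ABCDEFFEDCBA\}", re.I)


def decode_plugin_clsid(text):
    """Map a Java Plug-in CLSID to (major, minor, micro, update); None for the family CLSID."""
    m = CLSID_RE.search(text)
    if not m or "FFFF" in (g.upper() for g in m.groups()):
        return None
    mm, micro, update = (int(g) for g in m.groups())  # "0016" -> 16 -> 1.6
    return (mm // 10, mm % 10, micro, update)


def parse_java_versions(log_text):
    """Return [(source, version_tuple)] for every Java version a DDS log reveals."""
    found = []
    for line in log_text.splitlines():
        m = BROWSER_JAVA_RE.search(line)
        if m:
            found.append(("BrowserJavaVersion", tuple(int(g) for g in m.groups())))
            continue
        ver = decode_plugin_clsid(line)  # the registration itself, when version-specific
        if ver:
            found.append(("DPF plug-in CLSID", ver))
            continue
        m = JINSTALL_RE.search(line)     # otherwise fall back to the installer cab name
        if m:
            found.append(("DPF jinstall URL", tuple(int(g) for g in m.groups())))
    return found


def find_outdated(log_text, latest=LATEST):
    """Entries older than `latest`: leftovers here mean old plug-in
    registrations survived the Add/Remove Programs cleanup."""
    return [(src, ver) for src, ver in parse_java_versions(log_text) if ver < latest]


if __name__ == "__main__":
    for src, ver in find_outdated(SAMPLE_DDS):
        print(f"outdated Java {'.'.join(map(str, ver[:3]))}_{ver[3]:02d} via {src}")
```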

speedinc
2011-07-18, 20:13
Sorry about the delay. I ran the AVG removal tool several times, but Combo says it's still active. I ran the fix with the CFScript, but I didn't save the report. The box rebooted and I lost it! Ran it again and did the ESET scan. Here are the reports:

ComboFix 11-07-17.03 - Dad 07/18/2011 1:04.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.372 [GMT -5:00]
Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-18 05:48 . 2011-07-18 05:48 -------- d-----w- c:\program files\ESET
2011-07-18 05:44 . 2011-07-18 05:44 -------- d-----w- c:\program files\Common Files\Java
2011-07-18 05:44 . 2011-07-18 05:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-18 03:53 . 2011-07-18 03:53 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
2011-07-18 03:53 . 2011-07-18 03:54 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33 . 2011-07-02 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10(2)
2011-07-01 03:59 . 2011-07-01 16:29 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38 . 2011-07-16 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 05:43 . 2010-05-05 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-16_21.33.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-18 05:30 . 2011-07-18 05:30 87951 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2011-06-10 14:01 . 2011-06-10 14:01 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2011-03-24 10:34 . 2011-03-24 10:34 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-06-10 13:47 . 2011-06-10 13:47 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-06-10 13:47 . 2011-06-10 13:47 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
- 2011-03-24 10:34 . 2011-03-24 10:34 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 12288 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2011-07-18 05:30 . 2011-07-18 05:30 10134 c:\windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2011-07-18 05:44 . 2011-07-18 05:43 157472 c:\windows\system32\javaws.exe
+ 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\javaw.exe
- 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\javaw.exe
+ 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\java.exe
- 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\java.exe
+ 2011-06-10 13:47 . 2011-06-10 13:47 279992 c:\windows\system32\Adobe\Shockwave 11\SymCCIS.dll
+ 2011-06-10 14:01 . 2011-06-10 14:01 113664 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2011-06-13 08:49 . 2011-06-13 08:49 545208 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1160626.exe
+ 2011-06-10 14:03 . 2011-06-10 14:03 433664 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 364544 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2011-06-10 13:51 . 2011-06-10 13:51 989184 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2011-06-10 14:03 . 2011-06-10 14:03 892416 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2011-06-10 14:01 . 2011-06-10 14:01 541696 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2011-06-13 08:50 . 2011-06-13 08:50 112568 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2011-06-13 08:50 . 2011-06-13 08:50 279480 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 145920 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2011-07-18 05:30 . 2011-07-18 05:30 430592 c:\windows\Installer\d8070.msi
+ 2011-07-18 05:44 . 2011-07-18 05:44 203776 c:\windows\Installer\262d1.msi
+ 2011-07-18 05:43 . 2011-07-18 05:43 675840 c:\windows\Installer\262cb.msi
- 2011-03-24 10:34 . 2011-03-24 10:34 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2011-06-10 13:47 . 2011-06-10 13:47 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2011-06-10 13:53 . 2011-06-10 13:53 1732608 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\lexie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
c:\documents and settings\DAD\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
backup=c:\windows\pss\Pandora.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
backup=c:\windows\pss\PinMcLnk.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-07-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-12 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
.
2011-07-18 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 01:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-18 01:20:29
ComboFix-quarantined-files.txt 2011-07-18 06:20
ComboFix2.txt 2011-07-18 05:22
ComboFix3.txt 2011-07-16 21:38
.
Pre-Run: 111,722,295,296 bytes free
Post-Run: 111,719,706,624 bytes free
.
- - End Of File - - 48F548E327F3994E60C6AE860475EFF6

ESET log:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\oJ06511LbGgJ06511\oJ06511LbGgJ06511.exe.vir a variant of Win32/Kryptik.OIE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Dad.YOUR-4DACD0EA75\Application Data\Sayp\imob.exe.vir a variant of Win32/Kryptik.PCQ trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP447\A0039571.exe a variant of Win32/Kryptik.PVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP447\A0039574.exe a variant of Win32/Kryptik.PVI trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP471\A0041762.exe a variant of Win32/Kryptik.OIE trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP472\A0042292.exe a variant of Win32/Kryptik.PCQ trojan
E:\I386\APPS\APP17286\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
E:\I386\APPS\APP17286\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

DDS Log:
DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Dad at 13:01:46 on 2011-07-18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.190 [GMT -5:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: hpWebHelper Class: {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E6EF5071-7647-4E85-9785-87B6CF5CB561} - {C92041C1-6D22-4069-BA0E-66246AA752B0}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: trymedia.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{83D4BF65-7B5A-4107-A3C8-C8D22413698C} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ipp - <Clsid value has no data>
Handler: msdaipp - <Clsid value has no data>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad.your-4dacd0ea75\application data\mozilla\firefox\profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2a\RpcAgentSrv.exe [2008-4-12 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2008-3-28 370360]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\drivers\ubveo532.sys --> c:\windows\system32\drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-6 135664]
.
=============== Created Last 30 ================
.
2011-07-18 05:48:04 -------- d-----w- c:\program files\ESET
2011-07-18 05:44:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-18 03:53:55 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\local settings\application data\Identities
2011-07-18 03:53:51 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Ijewmu
2011-07-16 21:04:21 -------- d-sha-r- C:\cmdcons
2011-07-16 21:00:51 98816 ----a-w- c:\windows\sed.exe
2011-07-16 21:00:51 256000 ----a-w- c:\windows\PEV.exe
2011-07-16 21:00:51 208896 ----a-w- c:\windows\MBR.exe
2011-07-10 03:10:50 -------- d-----w- c:\program files\iPod
2011-07-10 03:10:32 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05:21 -------- d-----w- c:\program files\Bonjour
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-07-03 06:34:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03:40 -------- d-----w- c:\documents and settings\dad.your-4dacd0ea75\application data\Malwarebytes
2011-07-02 20:50:25 -------- d-----w- c:\program files\Lavasoft
2011-07-01 04:33:24 -------- d-----w- c:\documents and settings\all users\application data\AVG10(2)
2011-07-01 03:59:47 -------- d-----w- c:\windows\system32\drivers\AVG(2)
2011-07-01 03:38:31 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-06-22 21:20:06 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-22 21:20:06 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-07-18 05:43:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-16 14:37:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19:43 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ------w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 13:02:44.93 ===============

Blade81
2011-07-18, 22:28
Hi,

Since Norton doesn't seem to be installed anymore either, it's recommended to remove its remnants with the removal tool (http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN).


Open notepad and copy/paste the text in the quotebox below into it:

SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
DirLook::
c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
Folder::
c:\documents and settings\all users\application data\AVG10(2)
c:\windows\system32\drivers\AVG(2)
c:\documents and settings\all users\application data\MFAData
DDS::
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log. How's the system running now?
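
An added example, not from this thread and not DDS or ComboFix code: a small Python parser that pulls the Security Center GUID and the orphaned BHO lines out of a DDS log and renders them in the CFScript layout used in the reply above. It assumes the line shapes seen in this log (`AV: <product> *<state>* {GUID}` and `BHO: [<name>: ]{CLSID} - <target>`); which Security Center record is stale stays an analyst decision and is passed in explicitly.

```python
"""Pull Security Center (WSC) GUIDs and orphaned BHO entries out of a DDS
log and render them as CFScript sections.

Added example, not thread or tool code. Assumptions: DDS line shapes as
seen in this log; CFScript directive names as used in the helper's reply.
Which Security Center record is stale is an analyst decision (AVG's was,
because AVG itself had been uninstalled), so it is passed in explicitly."""
import re

# Constructed sample: six lines copied in shape from the DDS log in this thread.
SAMPLE_DDS = r"""AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - <orphaned>
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# "AV: <product> *<state>* {GUID}"; FW/SP lines share the shape, GUID optional.
WSC_RE = re.compile(
    r"^(?P<kind>AV|FW|SP):\s(?P<name>.+?)\s\*(?P<state>[^*]+)\*"
    r"(?:\s(?P<guid>" + GUID + r"))?\s*$"
)
# "BHO: [<display name>: ]{CLSID} - <dll path or <orphaned>>"
BHO_RE = re.compile(
    r"^BHO:\s(?:(?P<name>.+?):\s)?(?P<clsid>" + GUID + r")\s-\s(?P<target>.+?)\s*$"
)


def parse_dds(text):
    """Return {'wsc': [...], 'bho': [...]} from the DDS lines in *text*.

    A BHO whose target is '<orphaned>' is a CLSID still registered under
    Browser Helper Objects whose DLL no longer exists on disk."""
    wsc, bhos = [], []
    for line in text.splitlines():
        m = WSC_RE.match(line)
        if m:
            wsc.append(m.groupdict())
            continue
        m = BHO_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["orphaned"] = entry["target"] == "<orphaned>"
            bhos.append(entry)
    return {"wsc": wsc, "bho": bhos}


def orphaned_clsids(parsed):
    """CLSIDs of BHO registrations whose DLL is gone, in log order."""
    return [b["clsid"] for b in parsed["bho"] if b["orphaned"]]


def build_cfscript(parsed, stale_products=(), dirlook=(), folder=()):
    """Render CFScript sections in the layout used in the reply above.

    stale_products: product names whose Security Center record should be
    cleared (SecCenter::); dirlook/folder: paths for DirLook:: and Folder::;
    orphaned BHO lines are echoed under DDS:: exactly as DDS printed them."""
    lines = []
    sec = [w["guid"] for w in parsed["wsc"]
           if w["guid"] and w["name"] in stale_products]
    if sec:
        lines.append("SecCenter::")
        lines.extend(sec)
    if dirlook:
        lines.append("DirLook::")
        lines.extend(dirlook)
    if folder:
        lines.append("Folder::")
        lines.extend(folder)
    orphans = orphaned_clsids(parsed)
    if orphans:
        lines.append("DDS::")
        lines.extend(f"BHO: {c} - <orphaned>" for c in orphans)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_DDS)
    print(build_cfscript(parsed, stale_products=("AVG Anti-Virus Free",)))
```

Run against a full DDS log the same way; DirLook:: and Folder:: paths are still chosen by hand, as in the reply above.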

speedinc
2011-07-19, 07:32
I keep getting these "Windows" updates. I know I need them every now and then, however I'm getting them at each shut down. Is that normal?
Here's the Combo Log:

ComboFix 11-07-17.03 - Dad 07/18/2011 23:25:32.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.428 [GMT -5:00]
Running from: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dad.YOUR-4DACD0EA75\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\all users\application data\AVG10(2)
c:\documents and settings\all users\application data\AVG10(2)\Chjw(2)\d60849070848e7d7.dat
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjw.log
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjw.log.lock
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjwsrv.log
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgchjwsrv.log.lock
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgldr.log
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgldr.log.lock
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgrs.log
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgrs.log.lock
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgtdi.log
c:\documents and settings\all users\application data\AVG10(2)\log(2)\avgtdi.log.lock
c:\documents and settings\all users\application data\MFAData
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-033831.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-035540.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-042630.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-044128.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-045354.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110701-161943.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110716-205514.log
c:\documents and settings\all users\application data\MFAData\logs\mfa-20110716-205558.log
c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-033831.log
c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-042630.log
c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-044128.log
c:\documents and settings\all users\application data\MFAData\logs\msi-20110701-161943.log
c:\documents and settings\all users\application data\MFAData\logs\msi-20110716-205558.log
c:\documents and settings\all users\application data\MFAData\mfaurlconf.ini
c:\documents and settings\all users\application data\MFAData\mkt\hi\dm_marketing_message-hi.html
c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\all users\application data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\all users\application data\MFAData\mkt\hi\Toolbar_wotoolbar.html
c:\documents and settings\all users\application data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\all users\application data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\all users\application data\MFAData\mkt\res\OK.png
c:\documents and settings\all users\application data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\all users\application data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\all users\application data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\all users\application data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\all users\application data\MFAData\mkt\res\Toolbar-Selected.jpg
c:\documents and settings\all users\application data\MFAData\mkt\res\Toolbar-Unselected.jpg
c:\documents and settings\all users\application data\MFAData\mkt\res\ToolbarSelected-style.css
c:\documents and settings\all users\application data\MFAData\mkt\res\ToolbarUnselected-style.css
c:\documents and settings\all users\application data\MFAData\mkt\us\dm_marketing_message-en-us.html
c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\all users\application data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\all users\application data\MFAData\mkt\us\Toolbar_wotoolbar.html
c:\documents and settings\all users\application data\MFAData\pack\avg10infoavi.ctf
c:\documents and settings\all users\application data\MFAData\pack\avg10infooi.ctf
c:\documents and settings\all users\application data\MFAData\pack\avg10infowin.ctf
c:\documents and settings\all users\application data\MFAData\pack\Avgx86.msi
c:\documents and settings\all users\application data\MFAData\pack\bins\f10antirkx1388ru.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10antivirx1388zm.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10avgx1388bi.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10avgx1390fi.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10avisx1388jc.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10basex1388zl.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10emailsx1388yq.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10guix1388nk.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10idatx1388hy.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10idpx1388wf.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10lng_usx1388qx.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10onlnscx1388ib.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10resshldx1388lb.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10srchsrfx1388ig.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10sshttpbx1388cu.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10tdidrvx1388nr.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10toolbarx1388ap.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10tuneupx1388nq.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10update2x1388qy.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10updatex1388km.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\f10xplx1388qs.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_mis36je.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10cnet_mps31dn.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_lic8mi.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_mis36lo.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\foi10free_mps31xa.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\poi10ppc2_lic8ql.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\poi10ppc2_mis36or.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10alertmgx1388ru.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10antirkx1388qr.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10antivirx1388hj.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10avgx1388ah.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10basex1388lj.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10corex1516ro.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10emailsx1388sb.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10guix1388zp.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10idatx1388rg.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10idpx1388uh.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10lng_usx1388nr.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10onlnscx1388sb.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10rdstx1388um.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10resshldx1388oy.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10srchsrfx1388ws.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10sshttpbx1388ur.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10tdidrvx1388xw.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10tuneupx1388uy.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10update2x1388qs.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10updatex1388nq.bin
c:\documents and settings\all users\application data\MFAData\pack\bins\w10xplx1388tf.bin
c:\documents and settings\all users\application data\MFAData\pack\cnet_mis.mdf
c:\documents and settings\all users\application data\MFAData\pack\cnet_mps.mdf
c:\documents and settings\all users\application data\MFAData\pack\lic.mdf
c:\documents and settings\all users\application data\MFAData\public_installation_log.xml
c:\documents and settings\all users\application data\MFAData\public_installation_log_resume.xml
c:\documents and settings\all users\application data\MFAData\SelfUpd\avgmfapx.exe
c:\documents and settings\all users\application data\MFAData\SelfUpd\avgmfarx.dll
c:\documents and settings\all users\application data\MFAData\SelfUpd\avgntdumpx.exe
c:\documents and settings\all users\application data\MFAData\SelfUpd\avgrunasx.exe
c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10mfa1390b1388ep.bin
c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10mfa1390mu.bin
c:\documents and settings\all users\application data\MFAData\SelfUpd\bins\f10upd1390b1388gj.bin
c:\documents and settings\all users\application data\MFAData\SelfUpd\compat.ini
c:\documents and settings\all users\application data\MFAData\SelfUpd\htmlayout.dll
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_cz.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_da.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_es.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_fr.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ge.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_hu.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_id.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_in.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_it.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_jp.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ko.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ms.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_nl.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pb.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pl.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_pt.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_ru.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sc.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sk.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_sp.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_tr.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_us.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_zh.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\license_zt.htm
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaconf.txt
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfacz.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfada.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaes.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfafr.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfage.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfahu.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaid.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfain.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfait.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfajp.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfako.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfams.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfanl.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapb.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapl.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfapt.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaru.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfasc.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfask.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfasp.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfatr.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaus.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfavera.txt
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfaverx.txt
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfazh.lns
c:\documents and settings\all users\application data\MFAData\SelfUpd\mfazt.lns
c:\documents and settings\all users\application data\MFAData\state.dat
c:\windows\system32\drivers\AVG(2)
c:\windows\system32\drivers\AVG(2)\iavichjw.avm
c:\windows\system32\drivers\AVG(2)\incavi.avm
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-18 05:48 . 2011-07-18 05:48 -------- d-----w- c:\program files\ESET
2011-07-18 05:44 . 2011-07-18 05:44 -------- d-----w- c:\program files\Common Files\Java
2011-07-18 05:44 . 2011-07-18 05:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-18 03:53 . 2011-07-18 03:53 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities
2011-07-18 03:53 . 2011-07-18 03:54 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu
2011-07-10 03:13 . 2011-07-10 03:13 -------- d-----w- c:\program files\Apple Software Update
2011-07-10 03:10 . 2011-07-10 03:10 -------- d-----w- c:\program files\iPod
2011-07-10 03:10 . 2011-07-10 03:12 -------- d-----w- c:\program files\iTunes
2011-07-10 03:05 . 2011-07-10 03:05 -------- d-----w- c:\program files\Bonjour
2011-07-03 07:01 . 2011-07-03 07:01 -------- d-----w- c:\program files\ERUNT
2011-07-03 06:34 . 2011-07-03 06:34 -------- d-----w- c:\windows\system32\wbem\Repository
2011-07-02 21:03 . 2011-07-02 21:03 -------- d-----w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Malwarebytes
2011-07-02 20:50 . 2011-07-02 20:50 -------- d-----w- c:\program files\Lavasoft
2011-06-22 21:20 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-22 21:20 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-18 05:43 . 2010-05-05 15:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-16 14:37 . 2011-05-18 17:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-10 04:00 692736 ------w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 17:25 . 2004-08-10 04:00 151552 ----a-w- c:\windows\system32\schannel(2)(2).dll
2011-04-29 16:19 . 2004-08-10 04:00 456320 ------w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 04:00 33280 ------w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2004-08-10 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 04:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 04:00 105472 ------w- c:\windows\system32\drivers\mup.sys
2011-06-16 04:17 . 2011-05-07 06:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu ----
.
2011-07-18 03:54 . 2011-07-18 04:34 17442 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu\fimeo.tuh
2010-09-04 09:38 . 2011-07-18 03:53 426 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu\fimeo.tuh.0
.
---- Directory of c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities ----
.
2011-07-18 03:53 . 2011-07-18 03:53 76500 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Sent Items.dbx
2011-07-18 03:53 . 2011-07-18 03:53 9656 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Offline.dbx
2011-07-18 03:53 . 2011-07-18 03:53 75204 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Folders.dbx
2011-07-18 03:53 . 2011-07-18 03:53 142036 ----a-w- c:\documents and settings\Dad.YOUR-4DACD0EA75\Local Settings\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\Microsoft\Outlook Express\Inbox.dbx
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-16_21.33.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-18 05:30 . 2011-07-18 05:30 87951 c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
+ 2011-06-10 14:01 . 2011-06-10 14:01 86016 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2011-03-24 10:34 . 2011-03-24 10:34 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-06-10 13:47 . 2011-06-10 13:47 73408 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2011-06-10 13:47 . 2011-06-10 13:47 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
- 2011-03-24 10:34 . 2011-03-24 10:34 64512 c:\windows\system32\Adobe\Shockwave 11\gcapi_dll.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 12288 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2011-07-18 05:30 . 2011-07-18 05:30 10134 c:\windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2011-07-18 05:44 . 2011-07-18 05:43 157472 c:\windows\system32\javaws.exe
+ 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\javaw.exe
- 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\javaw.exe
+ 2011-07-18 05:44 . 2011-07-18 05:43 145184 c:\windows\system32\java.exe
- 2010-08-01 04:49 . 2010-07-17 10:00 145184 c:\windows\system32\java.exe
+ 2011-06-10 13:47 . 2011-06-10 13:47 279992 c:\windows\system32\Adobe\Shockwave 11\SymCCIS.dll
+ 2011-06-10 14:01 . 2011-06-10 14:01 113664 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2011-06-13 08:49 . 2011-06-13 08:49 545208 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1160626.exe
+ 2011-06-10 14:03 . 2011-06-10 14:03 433664 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 364544 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2011-06-10 13:51 . 2011-06-10 13:51 989184 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2011-06-10 14:03 . 2011-06-10 14:03 892416 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2011-06-10 14:01 . 2011-06-10 14:01 541696 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2011-06-13 08:50 . 2011-06-13 08:50 112568 c:\windows\system32\Adobe\Director\SWDNLD.EXE
+ 2011-06-13 08:50 . 2011-06-13 08:50 279480 c:\windows\system32\Adobe\Director\SwDir.dll
+ 2011-06-10 14:02 . 2011-06-10 14:02 145920 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2011-07-18 05:30 . 2011-07-18 05:30 430592 c:\windows\Installer\d8070.msi
+ 2011-07-18 05:44 . 2011-07-18 05:44 203776 c:\windows\Installer\262d1.msi
+ 2011-07-18 05:43 . 2011-07-18 05:43 675840 c:\windows\Installer\262cb.msi
- 2011-03-24 10:34 . 2011-03-24 10:34 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2011-06-10 13:47 . 2011-06-10 13:47 2314416 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2011-06-10 13:53 . 2011-06-10 13:53 1732608 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-31 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-06-06 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\lexie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
c:\documents and settings\DAD\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-8-1 27136]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ 'autocheck autochk *'
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DADs^Start Menu^Programs^Startup^Pandora.lnk]
path=c:\documents and settings\DADs\Start Menu\Programs\Startup\Pandora.lnk
backup=c:\windows\pss\Pandora.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^MOM^Start Menu^Programs^Startup^PinMcLnk.lnk]
path=c:\documents and settings\MOM\Start Menu\Programs\Startup\PinMcLnk.lnk
backup=c:\windows\pss\PinMcLnk.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 18:08 49208 -c--a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-03-04 15:46 172032 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-05-09 22:50 7311360 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-05-09 22:50 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 -c--a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-05-31 22:37 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\RpcAgentSrv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2a\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2a\RpcAgentSrv.exe [4/12/2008 7:27 PM 98488]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [3/28/2008 5:39 PM 370360]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
S3 DCamUSBVeo532;Veo Web Camera;c:\windows\system32\Drivers\ubVeo532.sys --> c:\windows\system32\Drivers\ubVeo532.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 11:42 AM 135664]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-07-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-19 02:34]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 16:42]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1014.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1015.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-07-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2250449246-3165194149-3948157566-1016.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
2011-05-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-30 16:43]
.
2011-07-19 c:\windows\Tasks\User_Feed_Synchronization-{A5BA4143-133C-40B2-AB6F-015DCEDD0290}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: trymedia.com
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Mozilla\Firefox\Profiles\37fti8ke.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?source=gama&hl=en#t_0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 23:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|ÿÿÿÿ¤•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
.
Completion time: 2011-07-18 23:42:16
ComboFix-quarantined-files.txt 2011-07-19 04:42
ComboFix2.txt 2011-07-18 06:20
ComboFix3.txt 2011-07-18 05:22
ComboFix4.txt 2011-07-16 21:38
.
Pre-Run: 111,723,745,280 bytes free
Post-Run: 111,731,519,488 bytes free
.
- - End Of File - - 6778EEEB377433496ACC24465FDBD4A7
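The log above is what a helper reads by hand. The Python script below is an added example for this thread, not part of ComboFix and not the helper's own method; it applies a few of the checks a reviewer makes on such a log: autostarts that run from a user-profile directory or point at a file that no longer exists, Windows Firewall allow-list entries for binaries under system32, an IE start page outside the expected set, Trusted Zone additions, and Firefox user.js overrides that switch security warnings off (user.js is re-applied on every browser start, which is why adware writes prefs there). The lists of expected hosts and known Windows binaries and the severity ratings are the example's own assumptions, and the sample log is a constructed excerpt in the format of the log above, with one made-up autostart under the Ijewmu folder the helper asks to delete.

```python
"""Triage a ComboFix log excerpt for the loading points and browser settings that
matter after a rogue "your hard drive has crashed" infection.
Added example for this thread; not part of ComboFix and not the helper's own
method. Every list and threshold below is an assumption to be tuned per machine."""
import re
from urllib.parse import urlparse

RUN_KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')
STARTUP_LNK_RE = re.compile(r"^(.+\.lnk) - (.+?) \[([^\]]*)\]$")
FW_ALLOW_RE = re.compile(r'^"(.+)"=$')
FF_USERJS_RE = re.compile(r"^FF - user\.js: (\S+) - (.+)$")

# Assumptions: legitimate autostarts rarely live in user-writable profile/temp paths;
# only these Windows binaries normally need a firewall exception from %windir%;
# and these are the operator's expected home pages (anything else is worth a look).
USER_WRITABLE_RE = re.compile(
    r"\\(documents and settings|application data|local settings\\temp|temp)\\", re.I)
KNOWN_WINDIR_ALLOWED = {"sessmgr.exe", "xpnetdiag.exe", "dpvsetup.exe"}
EXPECTED_HOME_HOSTS = {"www.google.com", "google.com", "www.bing.com", "www.msn.com"}
# user.js is re-applied on every Firefox start, so adware writes weakened prefs there.
WEAK_FF_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_viewing_mixed": "false",
    "network.cookie.cookieBehavior": "0",
}


def triage(log_text):
    """Return (severity, kind, detail) tuples for lines that deserve a second look."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if (m := RUN_KEY_RE.match(line)):
            section = m.group(1).lower()          # a [registry key] header
            continue
        if line.lower().endswith("\\startup\\"):
            section = "startupfolder"             # a Start Menu\Programs\Startup\ header
            continue
        if section.endswith("\\run") and (m := RUN_VALUE_RE.match(line)):
            name, path, meta = m.groups()
            if meta == "N/A":
                findings.append(("low", "autostart-missing-file", f"{name} -> {path}"))
            elif USER_WRITABLE_RE.search(path):
                findings.append(("high", "autostart-in-user-dir", f"{name} -> {path}"))
        elif section == "startupfolder" and (m := STARTUP_LNK_RE.match(line)):
            lnk, path, meta = m.groups()
            if meta == "N/A":
                findings.append(("low", "autostart-missing-file", f"{lnk} -> {path}"))
            elif USER_WRITABLE_RE.search(path):
                findings.append(("high", "autostart-in-user-dir", f"{lnk} -> {path}"))
        elif section.endswith("authorizedapplications\\list") and (m := FW_ALLOW_RE.match(line)):
            path = m.group(1).replace("\\\\", "\\")   # REGEDIT4 doubles backslashes
            exe = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and exe not in KNOWN_WINDIR_ALLOWED:
                findings.append(("medium", "firewall-allow-system32", path))
        elif line.startswith("uStart Page = "):
            url = line.split("= ", 1)[1].replace("hxxp", "http", 1)  # undo log defanging
            if (urlparse(url).hostname or "") not in EXPECTED_HOME_HOSTS:
                findings.append(("medium", "start-page-changed", url))
        elif line.startswith("Trusted Zone: "):
            findings.append(("medium", "ie-trusted-zone", line.split(": ", 1)[1]))
        elif (m := FF_USERJS_RE.match(line)):
            pref, value = m.groups()
            if WEAK_FF_PREFS.get(pref) == value:
                findings.append(("medium", "firefox-userjs-weakened", f"{pref} = {value}"))
    return findings


# Constructed excerpt in the format of the log above (the Ijewmu autostart is made up,
# modelled on the folder the helper asks to delete).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"NvCplDaemon"="c:\\windows\\system32\\NvCpl.dll" [2006-05-09 7311360]
"iTunesHelper"="c:\\program files\\iTunes\\iTunesHelper.exe" [2011-06-07 421160]
"Updater"="c:\\documents and settings\\Dad\\Application Data\\Ijewmu\\updater.exe" [2011-07-01 61440]
.
c:\\documents and settings\\DAD\\Start Menu\\Programs\\Startup\\
Adobe Gamma.lnk - c:\\program files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe [N/A]
PinMcLnk.lnk - c:\\hp\\bin\\cloaker.exe [2006-8-1 27136]
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"c:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe"=
"c:\\\\WINDOWS\\\\system32\\\\javaw.exe"=
.
uStart Page = hxxp://www.ask.com/?l=dis&o=14196
Trusted Zone: trymedia.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

if __name__ == "__main__":
    for severity, kind, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind:26} {detail}")
```

Run it against a saved log with triage(open("ComboFix.txt").read()). Everything it reports is a prompt for a human to look at the entry, not a verdict, and an empty result does not mean the log is clean: the script only knows the handful of patterns listed at the top.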

Blade81
2011-07-20, 09:20
Hi,

Delete c:\documents and settings\Dad.YOUR-4DACD0EA75\Application Data\Ijewmu folder.



I keep getting these 'Windows' updates. I know I need them every now and then; however, I'm getting them at each shutdown. Is that normal?
All important updates offered by Windows Update should be installed asap. Have you installed them? Please install all important updates offered and see if you still get same ones after that.

speedinc
2011-07-20, 16:11
I do install them. But when I log on again, there's another update. How do I see if it's the same one or not?

Blade81
2011-07-21, 10:25
Hi,

1. Double-click Windows Update icon on lower right corner.
2. Note down the update title for the items (KB number especially).
3. Install updates and reboot if necessary.
4. If updates are still offered after the reboot check if those are the same you just installed.

speedinc
2011-07-21, 19:19
It's the same one that I installed
(KB2538242) Security update for MS Visual C++2005 SP 1 Redistributable package. It either will not install or I'm installing the same thing over and over again.

Blade81
2011-07-21, 22:42
Hi,

Please download and install the update manually here (http://www.microsoft.com/download/en/details.aspx?id=26347) (select vcredist_x86.EXE). Let me know how it goes.

speedinc
2011-07-21, 23:55
It wants me to find the folder containing the installation package 'vcredist.msi'

:oops:

Blade81
2011-07-22, 09:25
Hi,

Make sure you have the vcredist_x86.EXE file on your desktop (not in any separate folder there) and then do the following:
Open Notepad and then copy and paste the lines below into it. Go to File > Save As, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
@ECHO OFF
REM Run from the folder that holds vcredist_x86.EXE (the desktop)
C:
CD %USERPROFILE%\Desktop
REM /C = extract only, do not install; /T = target folder for the extracted files
vcredist_x86.EXE /C /T:C:\TempFolder
REM Remove this batch file once it has run
DEL %0

Double-click the fixes.bat file to execute it (when it prompts for acceptance of the license agreement, click the Yes button). If that went well you should have a C:\TempFolder folder with vcredis1.cab and vcredist.msi files in it. If so, run the installer again and when it asks for the vcredist.msi file location, point it to C:\TempFolder.

speedinc
2011-07-22, 23:24
Ok, now I get a message saying: The file 'C:\TempFolder\vcredist.msi' is not a valid installation package for the product Microsoft Visual C++ 2005 Redistributable.

When I open the Temp Folder, I only see one file, the 'vcredist.msi'. No 'vcredist1.CAB'

Now I'm also getting the 'Adobe Reader' updates rather frequently too. Is this because I do not have an anti-virus program installed?

Blade81
2011-07-23, 09:58
Hi,

Try to uninstall the currently installed Microsoft Visual C++ 2005 Redistributable and see what Windows Update offers after that.


Now I'm also getting the 'Adobe Reader' updates rather frequently too. Is this because I do not have an anti-virus program installed?
Adobe Reader's automatic checker may have been disabled earlier. Anyway, you should have an antivirus program installed.

speedinc
2011-07-24, 09:07
Try to uninstall the currently installed Microsoft Visual C++ 2005 Redistributable and see what Windows Update offers after that.

Uninstalled it, went back to install the update, rebooted, and Update gave me two: 2005 and 2008. I installed them, rebooted, and the 2008 installed. The 2005 is still in 'ready to install' mode on my computer. (The update history is saying that it installs each time; however, when I reboot, it's there, like a bad B horror movie :eek:)


Anyway, you should have an antivirus program installed.

This is the reason for the post in the first place. I couldn't reinstall AVG or any other anti-virus program. I kept getting an error message that said something like: 'Windows MSI is not installed.' With the cleanup, however, I have AVG reinstalled.

Blade81
2011-07-24, 09:57
Hi,

Since I don't see anything malware-related remaining, I'll give the final steps to take. After that I recommend asking about the update issue at Microsoft's forum here (http://answers.microsoft.com/en-us/windows/forum/windows_update).


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any program from changing them. This is the only way to clean these files; you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall into the Run box and click OK.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free).


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alerted to vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - it is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
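
The six Custom Level settings in the post above are stored as DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable). The following Python script is an added example, not part of Blade81's post and not a Microsoft tool: it audits a `reg export` of that key against the recommended levels and emits a .reg file that sets only the values that deviate. The value-ID mapping is Microsoft's documented zone layout; the sample export is constructed. It assumes the Security_HKLM_only policy is not set (otherwise the HKLM copy of the key is the one IE reads) and that the caller has already decoded the export file (regedit's version 5.00 exports are UTF-16).

```python
"""Audit Internet Explorer's Internet-zone (zone 3) Custom Level settings from a
`reg export` of the zone key and emit the .reg lines that apply the levels
recommended in the post above. Added example for this thread, not part of the
post or of any Microsoft tool; the sample export below is constructed."""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value ID -> (Custom Level label, recommended level), as listed in the post.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1803": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\d{4})"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(export_text):
    """Return {value_id: int} for the zone-3 key in a REGEDIT-format export."""
    values, in_zone3 = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            in_zone3 = m.group(1).lower() == ZONE3_KEY.lower()
        elif in_zone3 and (m := DWORD_RE.match(line)):
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(export_text):
    """Return {value_id: (label, current, recommended)} for settings that deviate.
    An absent value is reported as None (IE then applies the zone's default)."""
    current = parse_zone_export(export_text)
    return {
        vid: (label, current.get(vid), want)
        for vid, (label, want) in RECOMMENDED.items()
        if current.get(vid) != want
    }


def fix_reg(export_text):
    """Build a .reg file that sets only the deviating values to the recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for vid, (_label, _current, want) in sorted(audit_zone(export_text).items()):
        lines.append(f'"{vid}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export: a zone still at the permissive defaults, with 1607 unset.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000000
"1803"=dword:00000000
"""

if __name__ == "__main__":
    for vid, (label, current, want) in audit_zone(SAMPLE_EXPORT).items():
        print(f"{vid} {label}: {LEVEL_NAME.get(current, 'not set')} -> {LEVEL_NAME[want]}")
    print(fix_reg(SAMPLE_EXPORT))
```

On the machine itself the export comes from reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg, and the generated .reg file is applied by double-clicking it or with reg import; the GUI steps in the post reach the same values, this just makes the result checkable after the fact.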

speedinc
2011-07-24, 23:46
Ok, took care of the final steps. Looks as if she's good to go. I went to the forum about the C++ issue. Looks as if this is an ongoing problem. Lots of people complaining to Microsoft about their slothfulness with the issue. Two options to fix it: either 'Hide' the update, or reinstall the entire machine! :confused: Go figure.
Anyway, thanks for the clean up! Always appreciate your work!

Blade81
2011-07-25, 08:59
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.