[Closed] New IE window opens automatically when opening Firefox


12 replies to this topic

#1 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 27 September 2009 - 09:24 AM

When I open Firefox or IE, a new IE window opens automatically to an anti-spyware site, a mortgage site, a dating site (not sites I've ever visited). I've run Norton and Spybot and they've found nothing. Please help!

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:58 AM, on 9/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\rundll32.exe
C:\Users\Laren\Desktop\HJTInstall.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [Sticky Pad] C:\Program Files\StickyPad\StickyPad.exe
O4 - HKCU\..\Run: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1995541288-3546384092-2540530509-501\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (User 'Guest')
O4 - S-1-5-21-1995541288-3546384092-2540530509-501 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Guest')
O4 - S-1-5-21-1995541288-3546384092-2540530509-501 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Guest')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://weis.coupons....oad/cscmv5X.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.h...osticsVista.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://towson.webex...ng/ieatgpc1.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...691/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\Windows\System32\credssp32.dll
O23 - Service: McAfee Application Installer Cleanup (0275061253149554) (0275061253149554mcinstcleanup) - Unknown owner - C:\Users\Laren\AppData\Local\Temp\027506~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9776 bytes



#2 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 01 October 2009 - 11:42 AM

Hi Laren,

:welcome:

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also please describe how your computer behaves at the moment.
Tomk
------------------------------------------------------------

Topics are closed after 5 days without response

#3 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 01 October 2009 - 04:07 PM

Tomk, So far, I'm not noticing the popups. I've opened IE and Firefox, opened multiple tabs in each, did some random Google searches, clicked on links, visited my regular sites, and I'm not showing signs of problems, yet. Below is the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.41
Database version: 2889
Windows 6.0.6002 Service Pack 2

10/1/2009 5:49:45 PM
mbam-log-2009-10-01 (17-49-45).txt

Scan type: Quick Scan
Objects scanned: 97770
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\credssp32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Users\Laren\AppData\Local\Temp\F68E.tmp (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\credssp32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\credssp32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\credssp32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Users\Laren\AppData\Local\Temp\F68E.tmp (Trojan.Dropper) -> Delete on reboot.

Thank you.
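Added example, not code from the thread or from the HijackThis or Malwarebytes projects: a small Python triage helper that parses the HijackThis log format from post #1 and the Malwarebytes log format from post #3, lists the O20 AppInit_DLLs entries and the O23 services with no publisher or a missing binary, and then checks which of the AppInit DLLs the scanner also flagged. The sample inputs are abbreviated excerpts of the two logs above, marked as constructed; the function names are the example's own.

```python
"""Triage helper for HijackThis and Malwarebytes logs (added example).

Parses the two log formats posted in this thread, pulls out the persistence
entries a reviewer looks at first (AppInit_DLLs, services whose binary is
missing or has no publisher, binaries living in a user's Temp folder) and
checks whether the scanner's detections line up with them. The sample inputs
are abbreviated excerpts of the logs in the thread; helper names are the
example's own.
"""
import re

# Abbreviated excerpt of the HijackThis log from post #1 (constructed sample).
HJT_SAMPLE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\Windows\System32\credssp32.dll
O23 - Service: McAfee Application Installer Cleanup (0275061253149554) (0275061253149554mcinstcleanup) - Unknown owner - C:\Users\Laren\AppData\Local\Temp\027506~1.EXE (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
"""

# Abbreviated excerpt of the Malwarebytes log from post #3 (constructed sample).
MBAM_SAMPLE = r"""
Memory Modules Infected:
C:\Windows\System32\credssp32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Users\Laren\AppData\Local\Temp\F68E.tmp (Trojan.Dropper) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\credssp32.dll -> Quarantined and deleted successfully.
"""

# HJT entry lines start with a section code (R0, R1, F1, N1, O1 ... O24).
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# MBAM detection lines: "<path or key> (<threat>) -> <action>".
MBAM_HIT = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> ")


def parse_hjt(text):
    """Yield (section code, body) for every HijackThis entry line."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def appinit_dlls(text):
    """Return the DLL paths listed in the O20 AppInit_DLLs entry, lower-cased.

    Every DLL named here is loaded into each process that maps user32.dll, so
    each path needs a publisher check; in this thread Tracur sat in that value.
    """
    dlls = []
    for code, body in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            raw = body.split(":", 1)[1]
            dlls += [p.strip().lower() for p in raw.split(",") if p.strip()]
    return dlls


def suspicious_services(text):
    """Return O23 service lines with no known publisher, a missing binary,
    or a binary under a user's Local\\Temp folder."""
    hits = []
    for code, body in parse_hjt(text):
        if code != "O23":
            continue
        low = body.lower()
        if ("unknown owner" in low or "(file missing)" in low
                or "\\appdata\\local\\temp\\" in low):
            hits.append(body)
    return hits


def parse_mbam(text):
    """Return {lower-cased path or key: threat name} for every MBAM detection."""
    found = {}
    for line in text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if m:
            found[m.group("path").lower()] = m.group("threat")
    return found


def corroborated_appinit(hjt_text, mbam_text):
    """AppInit_DLLs entries from the HJT log that the MBAM scan also flagged."""
    detections = parse_mbam(mbam_text)
    return [d for d in appinit_dlls(hjt_text) if d in detections]


if __name__ == "__main__":
    print("AppInit_DLLs:", appinit_dlls(HJT_SAMPLE))
    print("Suspicious services:", suspicious_services(HJT_SAMPLE))
    print("Flagged by MBAM:", corroborated_appinit(HJT_SAMPLE, MBAM_SAMPLE))
```

Run against the two excerpts, the helper reports both AppInit DLLs, the McAfee cleanup service (unknown owner, missing file, Temp path) and confirms that credssp32.dll is the one AppInit entry the scanner detected; the Google DLL in the same value is left for a manual publisher check rather than being called clean.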

#4 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 01 October 2009 - 05:36 PM

Laren,

Let's dig a little deeper.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://forums.whatth...ams_t96260.html

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Tomk

#5 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 01 October 2009 - 06:31 PM

I followed the instructions for the Combofix. I can no longer click on or open anything on my desktop - IE or Firefox icons. I receive an error. Obviously I can't access the internet. I cannot open pictures or documents. Please advise

#6 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 01 October 2009 - 07:03 PM

Laren,

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine,
amount of memory, hard drives installed etc (BOOT SCREEN).
At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Last Known Good Configuration using the arrow keys.
Then press enter on your keyboard.

Then let me know that your computer started back up.
Tomk

#7 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 01 October 2009 - 07:36 PM

I restarted my computer several times. On the third attempt I was prompted with an error saying something that certain programs needed permission to start, I enabled all and finally was able to connect to the internet. Here is the combofix log:

ComboFix 09-10-01.01 - Laren 10/01/2009 20:02.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2036.916 [GMT -4:00]
Running from: c:\users\Laren\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-02 00:07 . 2009-10-02 00:07 -------- d-----w- c:\users\Laren\AppData\Local\temp
2009-10-02 00:07 . 2009-10-02 00:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-02 00:07 . 2009-10-02 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-02 00:07 . 2009-10-02 00:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-10-01 21:42 . 2009-10-01 21:42 -------- d-----w- c:\users\Laren\AppData\Roaming\Malwarebytes
2009-10-01 21:42 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-01 21:42 . 2009-10-01 21:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-01 21:42 . 2009-10-01 21:42 -------- d-----w- c:\programdata\Malwarebytes
2009-10-01 21:42 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-27 14:58 . 2009-09-27 14:58 -------- d-----w- c:\program files\Trend Micro
2009-09-24 04:09 . 2009-09-24 04:09 -------- d-----w- c:\windows\system32\N360_BACKUP
2009-09-19 00:10 . 2009-09-19 00:11 -------- d-----w- c:\windows\system32\ca-ES
2009-09-19 00:10 . 2009-09-19 00:11 -------- d-----w- c:\windows\system32\eu-ES
2009-09-19 00:10 . 2009-09-19 00:11 -------- d-----w- c:\windows\system32\vi-VN
2009-09-18 12:34 . 2009-09-18 12:34 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 21:09 . 2009-09-19 00:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-17 21:09 . 2009-09-17 21:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-17 11:02 . 2009-09-17 11:02 -------- d-----w- c:\users\Laren\AppData\Local\Mozilla
2009-09-17 07:10 . 2009-09-17 07:10 -------- d-----w- c:\programdata\Symantec
2009-09-17 06:28 . 2009-04-11 06:32 1083880 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-09-17 06:27 . 2009-04-11 06:28 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2009-09-17 06:27 . 2009-04-11 06:28 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2009-09-17 06:27 . 2009-04-11 06:28 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2009-09-17 06:27 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2009-09-17 06:27 . 2009-04-11 06:28 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2009-09-17 06:27 . 2009-04-11 06:28 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-09-17 06:27 . 2009-04-11 06:28 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2009-09-17 06:27 . 2009-04-11 06:28 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2009-09-17 06:27 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-09-17 06:27 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-09-17 06:27 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-09-17 01:09 . 2009-09-17 01:09 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-17 01:09 . 2009-09-17 01:08 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-17 01:09 . 2009-09-17 01:08 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-09-17 01:09 . 2009-09-17 01:08 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-09-17 01:09 . 2009-09-17 01:08 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-17 01:08 . 2009-09-17 01:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-17 01:08 . 2009-09-17 01:09 -------- d-----w- c:\program files\Symantec
2009-09-17 01:08 . 2009-09-17 01:08 -------- d-----w- c:\windows\system32\drivers\N360
2009-09-17 01:08 . 2009-09-17 01:08 -------- d-----w- c:\program files\Norton 360
2009-09-17 01:04 . 2009-09-17 01:08 -------- d-----w- c:\programdata\Norton
2009-09-17 01:04 . 2009-09-17 01:04 -------- d-----w- c:\programdata\NortonInstaller
2009-09-17 01:04 . 2009-09-17 01:04 -------- d-----w- c:\program files\NortonInstaller
2009-09-17 01:01 . 2009-09-17 01:01 -------- d-----w- c:\programdata\Symantec Temporary Files
2009-09-14 23:42 . 2009-09-14 23:42 -------- d-----w- c:\users\Laren\AppData\Roaming\Amazon
2009-09-14 23:42 . 2009-09-14 23:42 -------- d-----w- c:\program files\Amazon
2009-09-09 02:21 . 2009-09-09 02:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-08 20:39 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-08 20:39 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-08 20:39 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-08 20:39 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-08 20:39 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-08 20:39 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-08 20:39 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-08 20:39 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-08 20:39 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-08 20:39 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-08 20:39 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-08 20:37 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-08 20:37 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-08 20:37 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-08 20:37 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-08 20:37 . 2009-04-11 06:28 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-08 20:37 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-08 20:37 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-08 20:37 . 2009-04-11 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-08 20:37 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-08 20:37 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-08 20:37 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-02 21:26 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 21:26 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 02:00 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-02 02:00 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-02 02:00 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-09-02 02:00 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-09-02 02:00 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-09-02 02:00 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-09-02 02:00 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-09-02 02:00 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 21:54 . 2008-02-27 00:52 680 ----a-w- c:\users\Laren\AppData\Local\d3d9caps.dat
2009-10-01 21:50 . 2008-01-30 08:33 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-24 22:30 . 2009-03-05 23:27 -------- d-----w- c:\users\Laren\AppData\Roaming\webex
2009-09-19 00:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-09-19 00:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-09-19 00:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-19 00:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-19 00:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-09-19 00:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-09-17 01:32 . 2008-03-08 04:00 -------- d-----w- c:\program files\TechSmith
2009-09-17 01:31 . 2008-04-17 01:25 -------- d-----w- c:\programdata\TechSmith
2009-09-17 01:08 . 2009-09-17 01:09 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-17 01:08 . 2009-09-17 01:09 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-17 00:48 . 2008-01-30 08:37 -------- d-----w- c:\program files\Google
2009-09-17 00:02 . 2009-06-16 03:11 -------- d-----w- c:\program files\Rhapsody
2009-09-16 23:45 . 2008-03-09 05:06 101856 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-15 01:09 . 2008-07-25 23:59 -------- d-----w- c:\program files\FrostWire
2009-09-14 23:34 . 2008-07-25 23:59 -------- d-----w- c:\users\Laren\AppData\Roaming\FrostWire
2009-09-10 07:01 . 2008-02-02 06:16 -------- d-----w- c:\programdata\Microsoft Help
2009-09-09 07:11 . 2009-07-30 23:04 -------- d-----w- c:\program files\McAfee
2009-09-09 07:11 . 2009-06-14 14:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-09 02:23 . 2009-03-05 23:27 -------- d-----w- c:\programdata\WebEx
2009-09-09 02:20 . 2008-01-30 08:34 -------- d-----w- c:\program files\Java
2009-09-07 01:17 . 2008-01-30 08:39 -------- d-----w- c:\programdata\McAfee
2009-07-29 12:43 . 2008-02-02 06:03 101856 ----a-w- c:\users\Laren\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-29 02:57 . 2009-07-29 02:57 93 ----a-w- c:\users\Guest\AppData\Local\fusioncache.dat
2009-07-21 21:52 . 2009-07-29 12:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 12:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 12:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 12:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-14 00:24 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-14 00:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-14 00:24 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-14 00:24 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-14 00:24 7680 ----a-w- c:\windows\system32\spwmp.dll
2008-01-30 16:17 . 2008-01-30 16:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2008-01-19 49664]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-14 4452352]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\users\Laren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2008-1-30 7168]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):bb,26,40,2a,be,38,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D902F709-CBD8-4249-BC32-22A1E9BD9A02}"= UDP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{BFD55663-18DA-44A9-9687-33FE9494F374}"= TCP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{EB637DAA-FDCE-445C-B220-3B1D73CB7D83}"= TCP:10421:SingleClick Discovery Protocol
"{0244C72C-DA57-48DA-BB08-094C9AD854C2}"= UDP:139:NetBIOS File/Printer Sharing
"{248E4CFF-424A-4685-803D-AFBF92AD5561}"= TCP:10426:SingleClick ICC
"{8C52AD8E-C1C6-4539-A9EE-1EF5F2484A2A}"= UDP:445:Microsoft Directory Services
"{ADF6489C-9DBF-46B3-9498-628D84B9048A}"= TCP:138:NetBIOS Datagram Service
"{6400D970-A530-4A88-8C5B-0E4EC6124118}"= TCP:137:NetBIOS Name Service
"{A3D88263-221E-4A54-9F35-3371B898334C}"= UDP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{4F036DE2-DAF0-482E-B691-DE3345179896}"= TCP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{E413D141-52D8-4528-B71D-731229740F94}"= TCP:10421:SingleClick Discovery Protocol
"{AEFA2D6D-5A1D-4333-B00E-C9B48DABEB24}"= UDP:139:NetBIOS File/Printer Sharing
"{DCE3D566-1A76-4F94-AEFB-E9665E0FF675}"= TCP:10426:SingleClick ICC
"{F082E224-37A8-45EC-8257-413A4F1F0730}"= UDP:445:Microsoft Directory Services
"{097D14FA-9C32-4591-8A68-B5B74A81A181}"= TCP:138:NetBIOS Datagram Service
"{9DF459A1-1ED5-4407-A8C9-C4D2FFF5ECDF}"= TCP:137:NetBIOS Name Service
"{CD913CEE-B822-46C5-ADF3-64DBA6A123AD}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B91FAAE6-4953-418F-A5C5-CC3DCC89CF49}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{13958D37-E009-4EB5-AA5A-AAE7249E465C}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{06A67C53-02D3-441F-9311-A6A109597C64}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4DEFFCD1-5627-4430-978E-27CDF30D38AA}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D98D7DA6-A8A0-438B-8EF4-6D47E9F4ED89}"= UDP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{D709B295-DA8E-4213-854C-89D347C1B269}"= TCP:c:\program files\Ruckus Player\Ruckus.exe:Ruckus
"{55ECA0A4-0366-4242-8AEC-1D3AE21B31E1}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{E2057AE3-156D-4135-9637-F75CD2F9002A}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [9/16/2009 9:08 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [9/16/2009 9:08 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [9/16/2009 9:08 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSvix86.sys [9/16/2009 11:14 PM 342576]
R2 datunidr;DellAutomatedPCTuneUp UniDriver;c:\windows\System32\drivers\datunidr.sys [8/23/2007 7:29 PM 5376]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/16/2009 9:08 PM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/17/2009 5:09 PM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/18/2009 1:42 PM 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [9/16/2009 9:08 PM 48688]
S2 0275061253149554mcinstcleanup;McAfee Application Installer Cleanup (0275061253149554);c:\users\Laren\AppData\Local\Temp\027506~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\users\Laren\AppData\Local\Temp\027506~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\User_Feed_Synchronization-{D7C1E928-B8D4-410E-823D-99D9DD2B0BD6}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Laren\AppData\Roaming\Mozilla\Firefox\Profiles\p82wn65r.default\
FF - prefs.js: browser.startup.homepage - hxxp://igoogle.com
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\users\Laren\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 20:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4016)
c:\windows\system32\authui.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-10-02 20:09
ComboFix-quarantined-files.txt 2009-10-02 00:09
ComboFix2.txt 2009-10-01 23:56

Pre-Run: 77,828,841,472 bytes free
Post-Run: 77,784,334,336 bytes free

269 --- E O F --- 2009-09-18 12:53

Thanks! So what's next?
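As an added triage aid (my own example, not part of this thread and not code from ComboFix, HijackThis or any tool mentioned here), the script below parses a constructed, cut-down copy of the ComboFix sections posted above and reports the two things a reviewer would check first in this log: Windows Firewall being disabled on all three profiles, and a service whose image runs from a user's Temp directory. Function names and the sample text are mine; treating ComboFix's trailing "[?]" as "file properties could not be read" is an assumption noted in the code.

```python
"""Triage helper for ComboFix-style log text (added example, not the tool's own code)."""
import re
from typing import Dict, List

# Constructed sample: a cut-down copy of the sections posted in the thread above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [9/16/2009 9:08 PM 117640]
S2 0275061253149554mcinstcleanup;McAfee Application Installer Cleanup (0275061253149554);c:\users\Laren\AppData\Local\Temp\027506~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\users\Laren\AppData\Local\Temp\027506~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
"""

FIREWALL_KEY = re.compile(r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\]$")
ENABLE_FIREWALL = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# ComboFix service/driver lines: "<state> <name>;<display name>;<image path and args> [...]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)


def firewall_profiles(log: str) -> Dict[str, bool]:
    """Map each firewallpolicy profile name to whether EnableFirewall is non-zero."""
    profiles: Dict[str, bool] = {}
    current = None
    for line in log.splitlines():
        s = line.strip()
        m = FIREWALL_KEY.match(s)
        if m:
            current = m.group(1)
            continue
        if s.startswith("["):          # any other key header ends the profile block
            current = None
            continue
        if current:
            e = ENABLE_FIREWALL.match(s)
            if e:
                profiles[current] = e.group(1) != "0"
    return profiles


def service_lines(log: str) -> List[dict]:
    """Parse the R0-R3 / S2 service and driver lines into dicts."""
    out = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        state, name, display, image = m.groups()
        # Assumption: ComboFix appends "[?]" when it could not read the file's
        # properties; treated here as "image not readable on disk".
        out.append({"state": state, "name": name, "display": display,
                    "image": image, "unreadable": image.rstrip().endswith("[?]")})
    return out


def run_entries(log: str) -> Dict[str, str]:
    """Collect value name -> command from every ...\\CurrentVersion\\Run key in the log."""
    entries: Dict[str, str] = {}
    in_run = False
    for line in log.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_run = s.lower().endswith(r"\currentversion\run]")
            continue
        if in_run:
            m = RUN_VALUE.match(s)
            if m:
                entries[m.group(1)] = m.group(2)
    return entries


def triage(log: str) -> List[str]:
    """Return human-readable findings worth a second look (not verdicts)."""
    findings: List[str] = []
    fw = firewall_profiles(log)
    disabled = sorted(p for p, on in fw.items() if not on)
    if fw and len(disabled) == len(fw):
        findings.append("firewall disabled on every profile: " + ", ".join(disabled))
    elif disabled:
        findings.append("firewall disabled on: " + ", ".join(disabled))
    for svc in service_lines(log):
        if TEMP_PATH.search(svc["image"]):
            findings.append(f"service {svc['name']} runs from a Temp directory")
        if svc["unreadable"]:
            findings.append(f"service {svc['name']} image could not be read ([?])")
    for name, path in run_entries(log).items():
        if TEMP_PATH.search(path):
            findings.append(f"Run entry {name} points into a Temp directory")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

A hit from this script is a prompt to verify, not a verdict: the Temp-directory service in this log is an installer clean-up task left behind by an uninstaller, which is common and usually harmless, but a firewall that is off on all three profiles is worth fixing regardless of what the other scans find.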

#8 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 01 October 2009 - 08:45 PM

Laren,

Your symptoms are indicative of an infection that I don't see signs of. Let's run a couple of scans to be sure.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please download the Win32kDiag.exe tool from the following location and save it to your desktop:

http://download.blee.../Win32kDiag.exe

Once downloaded, double-click on the program and let it finish. When it states Finished! Press any key to exit..., you can press any key on your keyboard to close the program. On your desktop should now be a file called Win32kDiag.txt.

Double-click on this file and post the contents as a reply to this topic.
Tomk
------------------------------------------------------------

mvplogo1_zpsea7gtc7e.gif



WTT-Grad1.jpg

Topics are closed after 5 days without response
unite_blue_zpsbfd3cd98.png

#9 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 01 October 2009 - 09:01 PM

I downloaded exeHelper to my desktop and double-clicked on exeHelper.com to run the fix. A black window popped up. It ran until "Checking for bad processes..." then stopped working. I tried several more times and it wouldn't finish. Thanks.

#10 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 01 October 2009 - 10:12 PM

Laren,

Try one more time by right-clicking on it and selecting Run as Administrator...

Then, whether it works or not..

Go ahead and attempt to run Win32kDiag.exe.
Tomk

#11 Laren

Laren

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 02 October 2009 - 05:07 AM

Exehelper does not have the option 'run as administrator'. Win32kdiag does have the option to run as administrator. I tried to run both. Exehelper, without the run as administrator option, stops working after a few seconds. win32diag gets to: Cannot access c:/windows/bthservsdp.dat Thanks.

#12 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 02 October 2009 - 08:28 AM

Laren,

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
    • Here
    • Here
    • or Here
    • Open Posted Image on your desktop.
    • Click the Posted Image tab.
    • Click the Posted Image button.
    • In the Select Scan dialog, check
      Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.

Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.
Tomk

#13 Tomk

Tomk

    Beguilement Monitor

  • Classroom Admin
  • 20,214 posts

Posted 08 October 2009 - 09:44 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.
Tomk
