
[Resolved] 9 trojans, a worm, and corrupt antivirus! Help!


This topic is locked
89 replies to this topic

#16 StormyHaze (Authentic Member, 50 posts)

Posted 05 November 2009 - 11:08 AM

Okay, I went ahead and started in safe mode. I found the ComboFix.txt file but all it said was the headers. No log in it. :-) This is so frustrating. I can tell I'm gonna be a real pain in your butt. lol



#17 chamber (G2G Staff, Authentic Member, 140 posts)

Posted 05 November 2009 - 04:21 PM

Ok,

Let's try something else.


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.


watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

#18 StormyHaze (Authentic Member, 50 posts)

Posted 05 November 2009 - 04:58 PM

Okay, I did what you said and it ran for about 10 minutes then an error message popped up that says "Out of memory." I may put a hammer through this computer before we're done lol. Should I click okay? I'm not doing anything until you tell me to.

#19 chamber (G2G Staff, Authentic Member, 140 posts)

Posted 05 November 2009 - 05:00 PM

Post a fresh DDS log.


#20 StormyHaze (Authentic Member, 50 posts)

Posted 05 November 2009 - 05:11 PM

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by Wenninger at 18:07:29.20 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.195 [GMT -5:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Wenninger\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: FCToolbarURLSearchHook Class: {19a0f032-27d7-4227-bbb5-51aa9e5904f5} -
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: This BHO has been enabled by BHODemon. - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [rundll32.exe]
uRun: [WAB] c:\documents and settings\wenninger\application data\macromedia\common\ec0fe01c19.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [<NO NAME>] "c:\program files\internet explorer\iexplore.exe" http://www.symantec....000028.000000D8
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; IEMB3; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; NET_mmhpset)" -"http://www.cartoonne...ase/index.html"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\2.bin\M3PLUGIN.DLL,UPF
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1157574114\ee\AOLSoftware.exe
mRun: [DwlClient] "c:\program files\common files\dell\eusw\Support.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WildTangent CDA] RUNDLL32.exe "c:\program files\wildtangent\apps\cda\cdaEngine0400.dll",cdaEngineMain
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LimeShop] wjview /cp:p "c:\program files\limeshop\system\code" main lp: "c:\program files\LimeShop"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Detect Kbd Daemon] SK2000DM.EXE
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: <NO NAME> =
IE:
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104984549012
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157565582500
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} - hxxp://www.kiddonet.com/kiddonet/GtekPrt.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

S2 McShield;McAfee Real-time Scanner; [x]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2009-1-3 68954]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\drivers\skusbkbf.sys [2001-7-27 14048]
S4 McSysmon;McAfee SystemGuards; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-19 24652]

=============== Created Last 30 ================

2009-11-04 23:50 <DIR> --d----- c:\program files\ESET
2009-11-04 23:23 <DIR> --ds---- C:\ComboFix
2009-11-04 22:32 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-11-04 22:29 <DIR> --d----- c:\program files\Microsoft Security Essentials
2009-11-04 16:16 50,176 a------- c:\windows\system32\proquota.exe
2009-11-04 14:14 <DIR> a-d--r-- C:\cmdcons
2009-11-04 13:49 267,264 a------- c:\windows\PEV.exe
2009-11-04 13:49 161,792 a------- c:\windows\SWREG.exe
2009-11-04 13:49 98,816 a------- c:\windows\sed.exe
2009-11-04 13:49 77,312 a------- c:\windows\MBR.exe
2009-11-04 13:48 <DIR> --d----- C:\Combo-Fix
2009-11-04 12:50 <DIR> --d----- C:\32788R22FWJFW.1.tmp
2009-11-03 22:57 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 22:57 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-03 22:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-03 01:23 <DIR> --d----- c:\docume~1\wennin~1\applic~1\AVG8
2009-11-02 14:32 <DIR> --d----- c:\program files\Panda Security
2009-11-02 05:07 18,525 a------- c:\windows\system32\wifigewor.db
2009-11-02 05:07 17,974 a------- c:\windows\system32\ubohinake.lib
2009-11-02 05:07 16,269 a------- c:\windows\system32\imukyboq.db
2009-11-02 05:07 11,462 a------- c:\windows\bevepotah.dat
2009-11-02 05:07 13,387 a------- c:\windows\linusimypo.dat
2009-11-02 02:16 <DIR> --d----- c:\docume~1\wennin~1\applic~1\Malwarebytes
2009-11-01 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-01 02:40 552 a------- c:\windows\system32\d3d8caps.dat
2009-10-31 22:56 12,211 a------- c:\windows\abipy.lib
2009-10-31 22:56 19,953 a------- c:\windows\system32\wifaru.db

==================== Find3M ====================

2009-10-31 22:56 13,578 a------- c:\program files\common files\abawogyrob.lib
2008-12-16 16:22 139,112 ac------ c:\docume~1\wennin~1\applic~1\GDIPFONTCACHEV1.DAT
2004-12-25 19:47 35,121,138 a------- c:\program files\NIS_Retail.EXE
2008-10-17 01:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat

============= FINISH: 18:09:03.56 ===============

#21 StormyHaze (Authentic Member, 50 posts)

Posted 05 November 2009 - 09:51 PM

Can anyone help me??

#22 chamber (G2G Staff, Authentic Member, 140 posts)

Posted 06 November 2009 - 01:58 AM

Can anyone help me??


Sorry, I took some time out to sleep.

Let's see if we can get ComboFix to run in a slightly different way.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\RkPavproc1.sys
c:\program files\common files\abawogyrob.lib
c:\windows\system32\wifigewor.db
c:\windows\system32\ubohinake.lib
c:\windows\system32\imukyboq.db
c:\windows\bevepotah.dat
c:\windows\linusimypo.dat

Folder::

Registry::

Driver::
RkPavproc1

DDS::
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: This BHO has been enabled by BHODemon. - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

KILLALL::


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

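As an added illustration of how a helper gets from the DDS log posted in #20 to the File::, Driver:: and DDS:: sections of the CFScript above (example code written for this page, not a tool from DDS, ComboFix or either poster), the script below reads a trimmed copy of that log and flags the same kinds of entries: registrations with no file behind them, the user-level proxy pointing at localhost, a service whose image path cannot be verified, and freshly created files with random-looking names under c:\windows. The line layout, the random-name heuristic and the localhost-proxy criterion are assumptions; the output is a draft for a human to review, nothing is deleted.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the DDS log posted earlier in this thread,
# keeping only the sections read below.  Line layout assumed from that log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide

============= SERVICES / DRIVERS ===============

S2 McShield;McAfee Real-time Scanner; [x]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\drivers\skusbkbf.sys [2001-7-27 14048]

=============== Created Last 30 ================

2009-11-04 23:50 <DIR> --d----- c:\program files\ESET
2009-11-04 22:32 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-11-04 16:16 50,176 a------- c:\windows\system32\proquota.exe
2009-11-02 05:07 18,525 a------- c:\windows\system32\wifigewor.db
2009-11-02 05:07 17,974 a------- c:\windows\system32\ubohinake.lib
2009-11-02 05:07 11,462 a------- c:\windows\bevepotah.dat
2009-11-03 22:57 19,160 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 18:09:03.56 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
PROXY_RE = re.compile(r"^[umd]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$", re.I)
DATA_EXTS = {"db", "lib", "dat", "dll"}  # extensions of the dropped files in this thread

def split_sections(text):
    """Map each '=== name ===' header of a DDS log to its non-blank lines."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line:
            sections[current].append(line)
    return sections

def looks_random(stem):
    """Heuristic for generated names like wifigewor or bevepotah: all lowercase
    letters, 5+ long, 30-70% vowels.  It has false positives (proquota passes),
    so triage() only trusts it together with a location/extension condition."""
    if len(stem) < 5 or not stem.isalpha() or not stem.islower():
        return False
    return 0.3 <= sum(c in "aeiou" for c in stem) / len(stem) <= 0.7

def triage(text):
    """Return the entries a helper looks at first, grouped by kind."""
    s = split_sections(text)
    found = {"proxy": [], "orphans": [], "services": [], "files": []}
    for line in s.get("Pseudo HJT Report", []):
        m = PROXY_RE.match(line)
        if m and re.search(r"localhost|127\.0\.0\.1", m.group("value")):
            found["proxy"].append(line)  # browser traffic routed through a local proxy
        elif line.endswith("- No File") or line.endswith(" -"):
            found["orphans"].append(line)  # registration with no file behind it
    for line in s.get("SERVICES / DRIVERS", []):
        parts = line.split(" ", 1)
        name = parts[1].split(";", 1)[0] if len(parts) == 2 else line
        if line.endswith("[x]"):
            found["services"].append((name, "image file missing"))
        elif line.endswith("[?]") or "\\??\\" in line:
            found["services"].append((name, "unverifiable image path"))
    for line in s.get("Created Last 30", []) + s.get("Find3M", []):
        m = FILE_RE.match(line)
        if not m:
            continue  # <DIR> entries carry no size and are skipped
        path = m.group("path")
        folder, _, fname = path.rpartition("\\")
        stem, _, ext = fname.rpartition(".")
        folder = folder.lower()
        in_windows = folder == "c:\\windows" or folder.startswith("c:\\windows\\")
        if in_windows and looks_random(stem) and (ext.lower() in DATA_EXTS or folder == "c:\\windows"):
            found["files"].append(path)
    return found

def draft_cfscript(found):
    """File::/Driver::/DDS:: sections in the CFScript syntax used above, for human review only."""
    drivers = [n for n, why in found["services"] if why == "unverifiable image path"]
    return "\n".join(["File::", *found["files"], "", "Driver::", *drivers, "", "DDS::", *found["orphans"], ""])

if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    print(result["proxy"], result["services"], sep="\n")
    print(draft_cfscript(result))
```

The McShield entry is reported as a missing image file but left out of the Driver:: draft, as in the thread's own script; a leftover service and a rootkit driver are different findings.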

#23 StormyHaze (Authentic Member, 50 posts)

Posted 06 November 2009 - 10:23 AM

Oh I figured. I know you have a life besides this lol. I just didn't know if anyone else is allowed to help. I really appreciate you helping. :-) I'll try this out and let you know how it goes.

#24 StormyHaze (Authentic Member, 50 posts)

Posted 06 November 2009 - 10:48 AM

ummmmmm a window popped up that says there is a newer version of ComboFix available. Would I like to update ComboFix? Yes or No. This didn't happen before. What should I do?

#25 StormyHaze (Authentic Member, 50 posts)

Posted 06 November 2009 - 11:20 AM

I did some research, couldn't find ANYTHING about needing to update ComboFix so I clicked No. It says it is preparing to run now.



#26 StormyHaze (Authentic Member, 50 posts)

Posted 06 November 2009 - 12:32 PM

Okay, it finished and rebooted the computer. It did not go back into safe mode, which is where I was at first. It says "Preparing Log Report. Do not run any programs until ComboFix has finished". Since it didn't log on to safe mode I got a bunch of errors and AOL trying to install software and my printer trying to install. I don't know if all these programs running on start up will hurt it. I'll give it a while to finish and post back here in about 30 minutes if it is still stuck on this screen.

#27 StormyHaze (Authentic Member, 50 posts)

Posted 06 November 2009 - 03:53 PM

I think it worked!!! I left and went to the store, when I got home the comp had been restarted and I was able to find the log! Here it is:


ComboFix 09-11-04.02 - Wenninger 11/06/2009 12:25.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.225 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\program files\common files\abawogyrob.lib"
"c:\windows\bevepotah.dat"
"c:\windows\linusimypo.dat"
"c:\windows\system32\drivers\RkPavproc1.sys"
"c:\windows\system32\imukyboq.db"
"c:\windows\system32\ubohinake.lib"
"c:\windows\system32\wifigewor.db"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\common files\abawogyrob.lib
c:\windows\bevepotah.dat
c:\windows\linusimypo.dat
c:\windows\system32\imukyboq.db
c:\windows\system32\ubohinake.lib
c:\windows\system32\wifigewor.db
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\xobexoq.scr
c:\documents and settings\All Users\Application Data\ytajavojap._sy
c:\documents and settings\All Users\Documents\aryly.bat
c:\documents and settings\All Users\Documents\leza._dl
c:\documents and settings\All Users\Documents\ocydeselig.bin
c:\documents and settings\All Users\Documents\uboco.bin
c:\documents and settings\All Users\Documents\wotereq.ban
c:\documents and settings\HelpAssistant\Application Data\emosican.com
c:\documents and settings\HelpAssistant\Application Data\iniasd.txt
c:\documents and settings\HelpAssistant\Application Data\johoduzus.ban
c:\documents and settings\HelpAssistant\Application Data\ociqovax._dl
c:\documents and settings\HelpAssistant\Application Data\otudig._dl
c:\documents and settings\HelpAssistant\Application Data\usewygi.dll
c:\documents and settings\Wenninger\Application Data\emosican.com
c:\documents and settings\Wenninger\Application Data\iniasd.txt
c:\documents and settings\Wenninger\Application Data\johoduzus.ban
c:\documents and settings\Wenninger\Application Data\ociqovax._dl
c:\documents and settings\Wenninger\Application Data\otudig._dl
c:\documents and settings\Wenninger\Application Data\usewygi.dll
c:\documents and settings\Wenninger\Cookies\yvyjimuval.bat
c:\documents and settings\Wenninger\Local Settings\Application Data\perob.bin
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\jupa._dl
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\mumyrupad._sy
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\opyz.bat
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\qaraneja.inf
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\xogixosen.ban
c:\program files\Common Files\emytecos.bin
c:\program files\Common Files\ijeq.dl
c:\program files\Common Files\itawiqimy._sy
c:\program files\Common Files\jewicelimu.scr
c:\program files\INSTALL.LOG
c:\windows\a3kebook.ini
c:\windows\ajogiz.vbs
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\ezihojekiv.exe
c:\windows\ipuba.ban
c:\windows\ixozak.ban
c:\windows\izotepoz.reg
c:\windows\Palace.reg
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_003900_.tmp.dll
c:\windows\system32\_003901_.tmp.dll
c:\windows\system32\_003902_.tmp.dll
c:\windows\system32\_003903_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003911_.tmp.dll
c:\windows\system32\_003912_.tmp.dll
c:\windows\system32\_003913_.tmp.dll
c:\windows\system32\_003914_.tmp.dll
c:\windows\system32\_003915_.tmp.dll
c:\windows\system32\_003916_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003918_.tmp.dll
c:\windows\system32\_003919_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003921_.tmp.dll
c:\windows\system32\_003922_.tmp.dll
c:\windows\system32\_003923_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003925_.tmp.dll
c:\windows\system32\_003926_.tmp.dll
c:\windows\system32\_003927_.tmp.dll
c:\windows\system32\_003928_.tmp.dll
c:\windows\system32\_003929_.tmp.dll
c:\windows\system32\_003930_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003933_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003935_.tmp.dll
c:\windows\system32\_003936_.tmp.dll
c:\windows\system32\_003937_.tmp.dll
c:\windows\system32\_003938_.tmp.dll
c:\windows\system32\_003939_.tmp.dll
c:\windows\system32\_003940_.tmp.dll
c:\windows\system32\_003941_.tmp.dll
c:\windows\system32\_003942_.tmp.dll
c:\windows\system32\_003943_.tmp.dll
c:\windows\system32\_003944_.tmp.dll
c:\windows\system32\_003945_.tmp.dll
c:\windows\system32\_003946_.tmp.dll
c:\windows\system32\_003947_.tmp.dll
c:\windows\system32\_003948_.tmp.dll
c:\windows\system32\_003949_.tmp.dll
c:\windows\system32\_003950_.tmp.dll
c:\windows\system32\_003951_.tmp.dll
c:\windows\system32\_003952_.tmp.dll
c:\windows\system32\_003953_.tmp.dll
c:\windows\system32\_003954_.tmp.dll
c:\windows\system32\_003955_.tmp.dll
c:\windows\system32\_003956_.tmp.dll
c:\windows\system32\_003957_.tmp.dll
c:\windows\system32\_003958_.tmp.dll
c:\windows\system32\_003959_.tmp.dll
c:\windows\system32\_003961_.tmp.dll
c:\windows\system32\_003962_.tmp.dll
c:\windows\system32\_003963_.tmp.dll
c:\windows\system32\_003964_.tmp.dll
c:\windows\system32\_003965_.tmp.dll
c:\windows\system32\_003966_.tmp.dll
c:\windows\system32\_003967_.tmp.dll
c:\windows\system32\_003968_.tmp.dll
c:\windows\system32\_003969_.tmp.dll
c:\windows\system32\_003970_.tmp.dll
c:\windows\system32\_003971_.tmp.dll
c:\windows\system32\_003973_.tmp.dll
c:\windows\system32\_003974_.tmp.dll
c:\windows\system32\_003975_.tmp.dll
c:\windows\system32\_003976_.tmp.dll
c:\windows\system32\_003977_.tmp.dll
c:\windows\system32\_003979_.tmp.dll
c:\windows\system32\_003981_.tmp.dll
c:\windows\system32\_003982_.tmp.dll
c:\windows\system32\_003983_.tmp.dll
c:\windows\system32\_003984_.tmp.dll
c:\windows\system32\_003985_.tmp.dll
c:\windows\system32\_003986_.tmp.dll
c:\windows\system32\_003987_.tmp.dll
c:\windows\system32\_003988_.tmp.dll
c:\windows\system32\_003989_.tmp.dll
c:\windows\system32\_003990_.tmp.dll
c:\windows\system32\_003991_.tmp.dll
c:\windows\system32\_003993_.tmp.dll
c:\windows\system32\_003994_.tmp.dll
c:\windows\system32\_003995_.tmp.dll
c:\windows\system32\_003996_.tmp.dll
c:\windows\system32\_003998_.tmp.dll
c:\windows\system32\_003999_.tmp.dll
c:\windows\system32\_004000_.tmp.dll
c:\windows\system32\_004001_.tmp.dll
c:\windows\system32\_004002_.tmp.dll
c:\windows\system32\_004003_.tmp.dll
c:\windows\system32\_004004_.tmp.dll
c:\windows\system32\_004005_.tmp.dll
c:\windows\system32\_004006_.tmp.dll
c:\windows\system32\_004008_.tmp.dll
c:\windows\system32\_004009_.tmp.dll
c:\windows\system32\_004010_.tmp.dll
c:\windows\system32\_004011_.tmp.dll
c:\windows\system32\_004012_.tmp.dll
c:\windows\system32\_004014_.tmp.dll
c:\windows\system32\_004016_.tmp.dll
c:\windows\system32\_004017_.tmp.dll
c:\windows\system32\_004018_.tmp.dll
c:\windows\system32\_004019_.tmp.dll
c:\windows\system32\_004020_.tmp.dll
c:\windows\system32\_004021_.tmp.dll
c:\windows\system32\_004022_.tmp.dll
c:\windows\system32\_004023_.tmp.dll
c:\windows\system32\_004024_.tmp.dll
c:\windows\system32\_004025_.tmp.dll
c:\windows\system32\_004026_.tmp.dll
c:\windows\system32\_004028_.tmp.dll
c:\windows\system32\_004029_.tmp.dll
c:\windows\system32\_004030_.tmp.dll
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004033_.tmp.dll
c:\windows\system32\_004034_.tmp.dll
c:\windows\system32\_004035_.tmp.dll
c:\windows\system32\_004036_.tmp.dll
c:\windows\system32\_004038_.tmp.dll
c:\windows\system32\_004039_.tmp.dll
c:\windows\system32\_004043_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004046_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004054_.tmp.dll
c:\windows\system32\_004057_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004059_.tmp.dll
c:\windows\system32\_004060_.tmp.dll
c:\windows\system32\_004061_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004069_.tmp.dll
c:\windows\system32\_006235_.tmp.dll
c:\windows\system32\_006236_.tmp.dll
c:\windows\system32\_006237_.tmp.dll
c:\windows\system32\_006238_.tmp.dll
c:\windows\system32\_006245_.tmp.dll
c:\windows\system32\_006246_.tmp.dll
c:\windows\system32\_006247_.tmp.dll
c:\windows\system32\_006248_.tmp.dll
c:\windows\system32\_006250_.tmp.dll
c:\windows\system32\_006251_.tmp.dll
c:\windows\system32\_006254_.tmp.dll
c:\windows\system32\_006255_.tmp.dll
c:\windows\system32\_006257_.tmp.dll
c:\windows\system32\_006258_.tmp.dll
c:\windows\system32\_006259_.tmp.dll
c:\windows\system32\_006261_.tmp.dll
c:\windows\system32\_006263_.tmp.dll
c:\windows\system32\_006264_.tmp.dll
c:\windows\system32\_006265_.tmp.dll
c:\windows\system32\_006269_.tmp.dll
c:\windows\system32\_006270_.tmp.dll
c:\windows\system32\_006272_.tmp.dll
c:\windows\system32\_006275_.tmp.dll
c:\windows\system32\_006277_.tmp.dll
c:\windows\system32\_006278_.tmp.dll
c:\windows\system32\_006279_.tmp.dll
c:\windows\system32\_006280_.tmp.dll
c:\windows\system32\_006281_.tmp.dll
c:\windows\system32\_006284_.tmp.dll
c:\windows\system32\_006285_.tmp.dll
c:\windows\system32\_006286_.tmp.dll
c:\windows\system32\_006287_.tmp.dll
c:\windows\system32\_006288_.tmp.dll
c:\windows\system32\_006293_.tmp.dll
c:\windows\system32\_006295_.tmp.dll
c:\windows\system32\_006296_.tmp.dll
c:\windows\system32\logs\Events.dat
c:\windows\system32\Ultra.dll
c:\windows\tepavil.pif
c:\windows\ycizuxyk._sy

-- Previous Run --

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_RKPAVPROC1
-------\Service_RkPavproc1


((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-06 18:18 . 2009-11-06 18:18 -------- d-----w- c:\windows\LastGood
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 17:50 . 2009-11-04 17:56 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 03:57 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 03:57 . 2009-11-04 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 03:57 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 16:35 . 2009-11-03 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AVG8
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 04:27 . 2009-11-06 18:31 16384 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-03 04:27 . 2009-11-03 03:14 101888 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-03 03:14 . 2009-11-06 18:48 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-03 03:14 . 2009-11-03 03:14 101888 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:27 . 2009-11-02 07:27 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-11-02 07:16 . 2009-11-04 03:58 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-04 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\System
2009-10-11 05:44 . 2009-11-02 07:29 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-10-08 23:41 . 2009-10-08 23:41 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-10-08 23:41 . 2009-10-08 23:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\SmartDraw
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Shareaza
2009-10-08 23:08 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\SecondLife
2009-10-08 23:08 . 2009-10-08 23:08 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Roxio
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\PokerCreations
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\PlayFirst
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\NLOP
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Netscape
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\NCH Swift Sound
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\MSN6
2009-10-08 23:04 . 2008-10-18 04:40 34063 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-10-08 23:04 . 2008-09-17 16:03 975736 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll
2009-10-08 23:04 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-10-08 23:04 . 2008-09-17 16:03 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 23:04 . 2008-03-19 22:03 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}\ARPPRODUCTICON.exe
2009-10-08 23:04 . 2007-06-24 15:51 19360 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2009-10-08 23:03 . 2009-10-08 23:03 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Microgaming
2009-10-08 22:47 . 2009-10-08 23:01 -------- d-----w- c:\documents and settings\HelpAssistant\.jpi_cache
2009-10-08 22:47 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.javaws
2009-10-08 22:47 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.java
2009-10-08 22:46 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-10-08 22:43 . 2009-11-06 18:13 -------- d-----w- c:\documents and settings\HelpAssistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Zero Knowledge
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\You've Got Pictures Screensaver
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Yahoo! Messenger
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Yahoo!
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\WeatherBug
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Viewpoint
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Uniblue
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Ulead Systems
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\U3
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\test
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\teamspeak2
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\System Tweaker
2009-09-11 14:18 . 2009-09-11 14:18 136192 ------w- c:\windows\system32\SET22.tmp
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:51 . 2003-06-13 01:33 139112 -c--a-w- c:\documents and settings\Wenninger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-06 16384]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LimeShop"="wjview" [X]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 59392]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HostManager"="c:\program files\Common Files\AOL\1157574114\ee\AOLSoftware.exe" [2008-06-24 41824]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]
"Detect Kbd Daemon"="SK2000DM.EXE" - c:\windows\SYSTEM32\SK2000DM.EXE [2001-04-28 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"wave2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus Pro 2010
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasinoDownloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saap
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TBPSSvc"=2 (0x2)
"WinToolsSvc"=2 (0x2)
"MyWebSearchService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

R3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\DRIVERS\SKUSBKBF.sys [2001-07-27 14048]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder

2009-11-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-06 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{19A0F032-27D7-4227-BBB5-51AA9E5904F5} - (no file)
HKCU-Run-rundll32.exe - (no file)
HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
AddRemove-VivoActivePlayer20DeinstKey - c:\program files\NETSCAPE\NETSCAPE\Plugins\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 13:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\_000012_.tmp.dll 729088 bytes executable
c:\windows\system32\SETF.tmp 56832 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82A1BE40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82a1be40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01 !
PE file found in sector at 0x06FBFF17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Sktempdm.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-11-06 15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 20:41

Pre-Run: 14,749,184,000 bytes free
Post-Run: 13,790,769,152 bytes free

#28 StormyHaze

Posted 06 November 2009 - 11:23 PM

So is that it?? Am I done or what do I do now??

#29 chamber

Posted 07 November 2009 - 04:14 AM

Hi,

1) CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LimeShop"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus Pro 2010]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]

Driver::
WinToolsSvc
MyWebSearchService

MBR::

KILLALL::


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2) Malwarebytes

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3) OTL


  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

In your reply I would like to see copied and pasted,

1) ComboFix log
2) Malwarebytes log
3) OTL logs


watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.
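To show what a helper is actually reading for in the "Reg Loading Points" section of a ComboFix log like the one posted above (a Run entry launched from a user profile, drivers32 aliases redirected to a non-system DLL, Security Center monitoring and the firewall switched off, a localhost proxy), here is an added Python triage script; it is not part of this thread or of ComboFix, the sample lines are constructed to match the log's format, and the flagging rules are this example's own heuristics.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example: the rules below are heuristics written for this example, not
ComboFix's own logic. SAMPLE_LOG is a constructed excerpt shaped like the log
in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's log (same line formats).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-06 16384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LimeShop"="wjview" [X]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyServer = http=localhost:7171
"""

KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')     # "name"=value
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")

# Autorun targets living under a user profile are unusual for legitimate software.
USER_PROFILE_MARKERS = ("documents and settings\\", "docume~1\\", "\\users\\")
# drivers32 aliases (wave1, midi1, ...) normally resolve to system DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
LOOPBACK = ("localhost", "127.0.0.1")


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: str
    reason: str


def _strip_value(raw: str) -> str:
    """Drop ComboFix's trailing ' [date size]' / ' [X]' note and any quotes."""
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw.strip())
    return raw.strip().strip('"')


def _dword(value: str) -> int | None:
    """Parse a REGEDIT4 'dword:XXXXXXXX' value; None if not a dword."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else None


def triage(log_text: str) -> list[Finding]:
    """Walk the section line by line and return the entries worth a second look."""
    findings: list[Finding] = []
    key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # new registry key header
            key = m.group(2)
            continue
        m = PROXY_RE.match(line)
        if m:                       # IE proxy lines have no key header
            proxy = m.group(1).strip()
            if any(h in proxy.lower() for h in LOOPBACK):
                findings.append(Finding("Internet Settings", "ProxyServer", proxy,
                                        "browser traffic routed through a local proxy"))
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, raw = m.group(1), m.group(2)
        k, value = key.lower(), _strip_value(raw)
        if k.endswith("\\drivers32"):
            if not value.lower().startswith(SYSTEM_DIRS):
                findings.append(Finding(key, name, value,
                                        "multimedia driver alias points outside the system directory"))
        elif "\\currentversion\\run" in k:          # Run and RunOnce
            if raw.rstrip().endswith("[X]"):
                findings.append(Finding(key, name, value, "autorun target file not found"))
            elif any(mk in value.lower() for mk in USER_PROFILE_MARKERS):
                findings.append(Finding(key, name, value,
                                        "autorun executes from a user profile directory"))
        elif "security center\\monitoring" in k:
            if name.lower() == "disablemonitoring" and _dword(value) == 1:
                findings.append(Finding(key, name, value, "Security Center monitoring disabled"))
        elif "firewallpolicy" in k and name.lower() == "enablefirewall":
            if value.split()[0] == "0":
                findings.append(Finding(key, name, value, "Windows Firewall disabled"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: [{f.key}] {f.name} = {f.value}")
```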

#30 StormyHaze

Posted 07 November 2009 - 09:32 AM

I got as far as creating the CFScript.txt file and trying to drag it to ComboFix and I got the Blue Screen of Death. I have restarted it in safe mode and will try to run it from there. *Edited to correct spelling *blush*

Edited by StormyHaze, 07 November 2009 - 09:33 AM.
