Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91803 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Error404.com keeps popping up, underlying problem?


  • This topic is locked This topic is locked
13 replies to this topic

#1 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 12 November 2009 - 11:47 AM

Hi,

A few days a go I went onto a site and it initially prompted me to open Adobe to read a .pdf file, I had no idea what this was for so I chose not to open it. Although that didn't stop a LOT of .exe files and .tmp files from trying to open up on my computer. Naturally I didn't let any of them through that I could avoid. but some managed through and eventually my computer was going crazy. I fixed it in safe mode by removeing the obvious malware that was popping up on my screen that was stopping me from using my user account on Windows Vista.

That was 2 days ago, I've ran CCleaner, Spybot S&D, Ad-Aware and a one year old (hasn't been updated in a year since I have no subscription to it) Norton AV scan, several times.

It picked up a few initially, Spybot being the most helpful in finding them and since then none pick up anything.

But I still get the site

http://error404.com/index.php

popping up every say 10 minutes in a new tab on firefox. This happens only when I have just booted up my computer, only 4-5 times per boot, in a time-frame of about an hour, and then it just lays dormant again until I restart my PC.

It is extremely annoying, it doesn't look like much BUT I want to be sure it's not a sympton of a much larger problem lying in my PC.

Thanks

RootRepeal came up with an error in the scan that said 'Could not read System registry! Please contact the author'

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/12 17:30
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x974A8000 Size: 778240 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1288 Status: Locked to the Windows API!

SSDT
-------------------
#: 013 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x90d126a8

#: 014 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x90d12788

#: 018 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x90cf42e8

#: 021 Function Name: NtAlpcConnectPort
Status: Hooked by "<unknown>" at address 0x8e3fb830

#: 067 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x90d123f8

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x90cf44f8

#: 116 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x90cfefd0

#: 147 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x90d12f80

#: 156 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x90d124e8

#: 158 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x90d125c8

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x90d12ea0

#: 184 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x90d12318

#: 195 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x90d18a28

#: 197 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x90d120c8

#: 202 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x90d12c40

#: 282 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x90cf6608

#: 289 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x90d12b80

#: 305 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x90d12d10

#: 306 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x90d12a90

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x90d121d8

#: 331 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x90d128d0

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x904054e8

#: 335 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x90d129b0

#: 348 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x90d12de0

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x90cf4218

==EOF==




DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 17:15:16.42 on 12/11/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.880 [GMT 0:00]

AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
D:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
d:\matlab7\bin\win32\matlab.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wuauclt.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Matt\AppData\Local\Temp\RtkBtMnt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Acer\Acer VCM\VC.exe
C:\Program Files\Acer\Acer VCM\acp2HID.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SymCUW.exe
C:\Program Files\Ghostgum\gsview\gsview32.exe
D:\MATLAB7\bin\win32\MATLAB.exe
C:\Program Files\Ghostgum\gsview\gsview32.exe
C:\Program Files\ERUNT\ERUNT.EXE
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Norton Internet Security\nisoptui.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Users\Matt\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.uk.acer.yahoo.com
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Defence] "c:\programdata\defence\smss.exe" -SystemDefence
uRun: [Lsass Service] c:\users\matt\appdata\roaming\microsoft\windows\lsass.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: eNetHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\y95ct9y3.default\
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - component: c:\program files\mozilla firefox\components\MGSHelper.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-8-29 210432]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081210.002\IDSvix86.sys [2008-12-10 270384]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-5-10 50688]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-3-2 149352]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-10 1153368]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-5-9 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-5-9 43008]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-2 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-10-1 101504]

=============== Created Last 30 ================

2009-11-11 12:08 2,035,712 a------- c:\windows\system32\win32k.sys
2009-11-11 12:08 351,232 a------- c:\windows\system32\WSDApi.dll
2009-11-10 12:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-11-10 12:19 93,360 a------- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 02:50 64,288 a------- c:\windows\system32\drivers\Lbd.sys
2009-11-10 02:30 <DIR> -cd-h--- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 02:30 <DIR> -cd-h--- c:\progra~2\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 00:18 <DIR> --d----- c:\programdata\30945425
2009-11-10 00:18 <DIR> --d----- c:\progra~2\30945425
2009-11-10 00:18 <DIR> --dsh--- c:\users\matt\appdata\roaming\Windows System Defender
2009-11-10 00:18 <DIR> --dsh--- c:\programdata\WSDDSys
2009-11-10 00:18 <DIR> --dsh--- c:\progra~2\WSDDSys
2009-11-10 00:17 <DIR> --dsh--- c:\programdata\0431db2
2009-11-10 00:17 <DIR> --dsh--- c:\progra~2\0431db2
2009-11-10 00:07 <DIR> --d----- c:\programdata\Defence
2009-11-10 00:07 <DIR> --d----- c:\progra~2\Defence
2009-11-04 12:16 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-11-04 12:16 87,552 a------- c:\windows\system32\wudriver.dll
2009-11-04 12:15 171,608 a------- c:\windows\system32\wuwebv.dll
2009-11-04 12:15 33,792 a------- c:\windows\system32\wuapp.exe
2009-10-28 13:13 310,784 a------- c:\windows\system32\unregmp2.exe
2009-10-28 13:13 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-10-22 17:14 <DIR> --d----- c:\program files\Gmask 1.70 English
2009-10-14 20:52 213,504 a------- c:\windows\system32\msv1_0.dll
2009-10-14 20:52 175,104 a------- c:\windows\system32\wdigest.dll
2009-10-14 20:52 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-10-14 20:52 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-10-14 20:52 72,704 a------- c:\windows\system32\secur32.dll
2009-10-14 20:52 9,728 a------- c:\windows\system32\lsass.exe
2009-10-14 20:50 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-14 20:50 604,672 a------- c:\windows\system32\WMSPDMOD.DLL

==================== Find3M ====================

2009-11-12 12:59 48,032 a------- c:\programdata\nvModes.dat
2009-11-12 12:59 48,032 a------- c:\progra~2\nvModes.dat
2009-11-10 12:19 15,880 a------- c:\windows\system32\lsdelete.exe
2009-11-02 20:42 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-09-04 12:24 61,440 a------- c:\windows\system32\msasn1.dll
2009-08-31 13:55 293,376 a------- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 428,544 a------- c:\windows\system32\EncDec.dll
2009-08-28 12:39 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 12:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 12:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 12:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 12:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 10:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 833,024 a------- c:\windows\system32\wininet.dll
2009-08-27 13:29 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-27 10:58 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-08-17 22:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-06-24 17:37 56 a---h--- c:\programdata\ezsidmv.dat
2009-06-24 17:37 56 a---h--- c:\progra~2\ezsidmv.dat
2009-06-15 20:53 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-15 20:53 51,200 a------- c:\windows\inf\infpub.dat
2009-06-15 20:53 86,016 a------- c:\windows\inf\infstor.dat
2009-06-15 19:04 27,744 a------- c:\users\matt\appdata\roaming\nvModes.dat
2008-06-23 23:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-06-23 19:48 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-12-30 20:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-12-30 20:07 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-12-30 20:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-06-21 21:27 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-06-21 21:27 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-06-21 21:27 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 17:17:32.46 ===============

Attached Files


Edited by Firepandaa, 12 November 2009 - 11:53 AM.

    Advertisements

Register to Remove


#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 12 November 2009 - 06:55 PM

Hi,

please do the following:

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 12 November 2009 - 07:38 PM

Thanks for the reply.

ComboFix 09-11-13.04 - Matt 13/11/2009 1:14.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1007 [GMT 0:00]
Running from: c:\users\Matt\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1831425639-2358941220-248643541-500
c:\users\Matt\AppData\Local\{5DC121E4-7A2E-4673-812D-8515C006FE02}
c:\users\Matt\AppData\Local\{5DC121E4-7A2E-4673-812D-8515C006FE02}\chrome.manifest
c:\users\Matt\AppData\Local\{5DC121E4-7A2E-4673-812D-8515C006FE02}\chrome\content\_cfg.js
c:\users\Matt\AppData\Local\{5DC121E4-7A2E-4673-812D-8515C006FE02}\chrome\content\overlay.xul
c:\users\Matt\AppData\Local\{5DC121E4-7A2E-4673-812D-8515C006FE02}\install.rdf
c:\users\Matt\AppData\Roaming\Microsoft\Windows\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 01:24 . 2009-11-13 01:25 -------- d-----w- c:\users\Matt\AppData\Local\temp
2009-11-13 01:24 . 2009-11-13 01:24 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-13 01:24 . 2009-11-13 01:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-12 17:03 . 2009-11-12 17:03 4096 d-----w- c:\program files\ERUNT
2009-11-11 12:08 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 12:08 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:47 . 2009-11-12 12:52 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 12:19 . 2009-11-10 12:19 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 12:19 . 2009-11-10 12:19 93360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-11-10 12:19 . 2009-11-10 12:19 554280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2009-11-10 12:19 . 2009-11-10 12:19 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-11-10 12:19 . 2009-11-10 12:19 283944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Vipre.dll
2009-11-10 12:19 . 2009-11-10 12:19 212480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\VipreBridge.dll
2009-11-10 12:19 . 2009-11-10 12:19 1223976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll
2009-11-10 12:19 . 2009-11-10 12:19 242984 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll
2009-11-10 02:50 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 02:31 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-10 02:30 . 2009-11-10 02:31 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-10 00:49 . 2009-11-10 00:49 -------- d-----w- c:\users\Guest\Tracing
2009-11-10 00:22 . 2009-11-10 00:22 0 ----a-w- c:\users\Matt\AppData\Local\Rjiyofiruj.bin
2009-11-10 00:22 . 2009-11-10 00:22 120 ----a-w- c:\users\Matt\AppData\Local\Qpufamolim.dat
2009-11-10 00:18 . 2009-11-10 00:18 56 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
2009-11-10 00:18 . 2009-11-10 00:43 -------- d-sh--w- c:\users\Matt\AppData\Roaming\Windows System Defender
2009-11-10 00:18 . 2009-11-10 00:18 -------- d-sh--w- c:\programdata\WSDDSys
2009-11-10 00:17 . 2009-11-10 01:12 -------- d-sh--w- c:\programdata\0431db2
2009-11-10 00:07 . 2009-11-10 00:07 -------- d-----w- c:\programdata\Defence
2009-11-10 00:07 . 2009-11-09 22:26 24064 ----a-w- c:\programdata\Defence\smss.exe
2009-11-04 12:16 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-04 12:16 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-04 12:16 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-04 12:16 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-04 12:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-04 12:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-04 12:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-04 12:15 . 2009-08-06 19:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-04 12:15 . 2009-08-06 18:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 13:13 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:13 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-22 17:14 . 2009-10-22 17:14 4096 d-----w- c:\program files\Gmask 1.70 English
2009-10-22 17:14 . 2009-10-22 17:14 366211 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Gmask 1.70 English\Gmsk170E.exe
2009-10-17 23:20 . 2009-10-18 00:44 4096 d-----w- c:\users\Matt\AppData\Roaming\FileZilla
2009-10-17 23:19 . 2009-10-17 23:19 4096 d-----w- c:\program files\FileZilla FTP Client
2009-10-14 20:52 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 20:52 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-10-14 20:52 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-10-14 20:52 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-10-14 20:52 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-10-14 20:52 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-10-14 20:50 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 20:50 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2098-01-01 00:00 . 2007-12-22 02:26 9584 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\IV20.dll
2098-01-01 00:00 . 2007-12-22 02:26 9048 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\FWLUReg.dll
2098-01-01 00:00 . 2007-12-13 00:05 9096 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\LUTPReg.dll
2009-11-12 17:29 . 2009-11-12 17:29 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-12 17:08 . 2007-11-27 23:15 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-12 12:59 . 2009-06-15 20:58 48032 ----a-w- c:\programdata\nvModes.dat
2009-11-12 04:02 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-12 03:04 . 2007-05-10 00:08 12288 d-----w- c:\programdata\Microsoft Help
2009-11-11 12:24 . 2009-07-03 16:52 4096 d-----w- c:\program files\VoiceChatter
2009-11-10 20:48 . 2009-10-11 02:11 4096 d-----w- c:\users\Matt\AppData\Roaming\vlc
2009-11-10 12:19 . 2009-06-23 11:45 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-11-10 12:19 . 2009-06-01 11:47 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-11-10 12:19 . 2007-04-13 14:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 12:19 . 2009-06-23 11:45 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-11-10 12:19 . 2009-06-23 11:45 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-11-10 12:19 . 2009-06-23 11:45 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-11-10 12:19 . 2009-06-01 11:47 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-11-10 12:19 . 2009-06-23 11:45 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-11-10 12:18 . 2009-06-23 11:45 5908024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-10 12:18 . 2009-06-01 11:46 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-10 12:18 . 2009-06-01 11:46 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-10 12:18 . 2009-06-23 11:45 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-10 12:18 . 2009-10-05 11:46 640608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-10 12:18 . 2009-06-23 11:45 815760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-10 12:18 . 2009-06-23 11:45 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-10 12:18 . 2009-06-23 11:45 1638104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-10 12:18 . 2009-06-23 11:45 788368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-10 12:18 . 2009-06-23 11:45 1179232 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-10 02:23 . 2007-11-28 11:59 -------- d-----w- c:\program files\CCleaner
2009-11-10 01:12 . 2009-11-10 00:18 -------- d-----w- c:\programdata\30945425
2009-11-10 01:10 . 2007-11-16 03:01 1356 ----a-w- c:\users\Matt\AppData\Local\d3d9caps.dat
2009-11-10 00:46 . 2007-10-16 11:38 102176 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-10 00:19 . 2009-11-10 00:19 79 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
2009-11-10 00:19 . 2009-11-10 00:19 75 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\fix.exe
2009-11-10 00:19 . 2009-11-10 00:19 5 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
2009-11-10 00:19 . 2009-11-10 00:19 2 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll
2009-11-10 00:19 . 2009-11-10 00:18 33 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SM.drv
2009-11-10 00:18 . 2009-11-10 00:18 60 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe
2009-11-10 00:18 . 2009-11-10 00:18 18 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
2009-11-10 00:18 . 2009-11-10 00:18 13 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
2009-11-10 00:18 . 2009-11-10 00:18 78 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\cid.dll
2009-11-10 00:18 . 2009-11-10 00:18 44 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
2009-11-10 00:18 . 2009-11-10 00:18 47 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2009-11-10 00:18 . 2009-11-10 00:18 79 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv
2009-11-02 20:42 . 2009-10-03 00:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-15 11:55 . 2007-05-10 00:09 28672 d-----w- c:\program files\Microsoft Works
2009-10-13 19:10 . 2009-02-20 02:37 4096 d-----w- c:\program files\Crystal Player
2009-10-11 13:28 . 2009-10-11 02:46 4096 d-----w- c:\program files\Common Files\AVSMedia
2009-10-11 13:28 . 2009-10-11 02:46 -------- d-----w- c:\program files\AVS4YOU
2009-10-11 13:10 . 2009-10-11 02:14 -------- d-----w- c:\program files\GRETECH
2009-10-11 13:09 . 2009-10-11 01:52 4096 d-----w- c:\program files\SuperDVD Player 5.0
2009-10-11 03:37 . 2007-05-09 23:10 -------- d-----w- c:\program files\Intel
2009-10-11 03:07 . 2009-10-11 03:07 4096 d-----w- c:\program files\QuickTime
2009-10-11 03:07 . 2009-10-11 03:07 -------- d-----w- c:\programdata\Apple Computer
2009-10-11 03:01 . 2009-10-11 03:01 4096 d-----w- c:\program files\Apple Software Update
2009-10-11 03:01 . 2009-10-11 03:01 -------- d-----w- c:\programdata\Apple
2009-10-11 02:53 . 2009-10-11 02:53 -------- d-----w- c:\users\Matt\AppData\Roaming\AVS4YOU
2009-10-11 02:53 . 2009-10-11 02:53 -------- d-----w- c:\programdata\AVS4YOU
2009-10-11 02:20 . 2009-10-11 02:20 -------- d-----w- c:\program files\Ligos
2009-10-11 02:10 . 2009-10-11 02:10 -------- d-----w- c:\program files\VideoLAN
2009-10-11 01:50 . 2009-10-11 01:49 -------- d-----w- c:\users\Matt\AppData\Roaming\DivX
2009-10-11 01:49 . 2007-11-21 19:05 8192 d-----w- c:\program files\DivX
2009-10-11 01:48 . 2009-10-11 01:47 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-10-11 01:46 . 2007-05-09 23:17 12288 d--h--w- c:\program files\InstallShield Installation Information
2009-10-11 01:43 . 2009-10-11 01:43 4096 d-----w- c:\program files\Common Files\Hypnotizer
2009-10-05 11:46 . 2009-10-05 11:46 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2009-10-05 11:46 . 2009-03-10 12:45 68640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2009-10-05 11:46 . 2009-03-10 12:45 303976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2009-10-05 11:46 . 2009-06-23 11:45 640760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-10-03 13:36 . 2009-10-03 13:36 -------- d-----w- c:\users\Matt\AppData\Roaming\PeerNetworking
2009-10-02 00:07 . 2009-10-02 00:07 4096 d-----w- c:\program files\Microsoft Office Outlook Connector
2009-10-02 00:06 . 2008-02-27 10:45 4096 d-----w- c:\program files\Windows Live
2009-09-30 13:58 . 2007-08-25 05:07 9576 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL
2009-09-04 12:24 . 2009-10-14 20:51 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 13:55 . 2009-10-14 20:51 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-14 20:51 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 18:22 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 18:22 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 20:51 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 20:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 20:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-08-25 03:52 . 2007-12-12 23:52 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2007-11-09 16:25 . 2008-02-02 19:59 57344 ----a-w- c:\program files\mozilla firefox\components\MGSHelper.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2009-04-11 . D7673E4B38CE21EE54C59EEEB65E2483 . 242688 . . [6.0.6002.18005] . . c:\windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-tapiservice_31bf3856ad364e35_6.0.6002.18005_none_e52851e7e21463cb\tapisrv.dll
[-] 2008-01-19 . A3A200642AD813BA8589182BCF5219E6 . 242688 . . [6.0.6000.16386] . . c:\windows\System32\tapisrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Defence"="c:\programdata\Defence\smss.exe" [2009-11-09 24064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-13 457728]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-04-27 1286144]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-10 788368]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-27 13781536]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-13 4431872]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-04-13 1822720]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2007-6-19 1208320]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-5-9 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\System32\drivers\iaNvStor.sys [29/08/2007 17:20 210432]
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/11/2009 02:50 64288]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081210.002\IDSvix86.sys [10/12/2008 21:20 270384]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [10/05/2007 00:28 50688]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [02/03/2008 01:28 149352]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/11/2009 12:47 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/09/2008 01:47 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 11:31 41008]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [09/05/2007 22:52 43008]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [09/05/2007 22:52 179712]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [29/05/2007 20:55 23888]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [02/10/2009 00:06 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\System32\drivers\hmvmdm.sys [01/10/2008 14:43 101504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Matt.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]

2009-11-13 c:\windows\Tasks\User_Feed_Synchronization-{2B9A8B39-2C16-44E0-B53C-6E7C2E244355}.job
- c:\windows\system32\msfeedssync.exe [2008-06-22 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.uk.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\y95ct9y3.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\components\MGSHelper.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Lsass Service - c:\users\Matt\AppData\Roaming\Microsoft\Windows\lsass.exe
MSConfigStartUp-CrashBandicoot2NTrancedPrim - (no file)
AddRemove-Codec pack Base (DivX, Xvid, 3ivx) - c:\windows\system32\uninst Codec pack Base (DivX



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 01:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Lsass Service = c:\users\Matt\AppData\Roaming\Microsoft\Windows\lsass.exe???????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\TEMP\TMP000000ABE16BFEB1857701AA 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\eNetHook.dll
.
Completion time: 2009-11-13 01:28
ComboFix-quarantined-files.txt 2009-11-13 01:28

Pre-Run: 8,908,275,712 bytes free
Post-Run: 10,590,457,856 bytes free

- - End Of File - - D498A532A90FFECEE98ECF0A783AD644

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 12 November 2009 - 09:00 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Error404_com_keeps_popping_up_underlying_problem_t108239.html&view=findpost&p=610264#entry610264

Collect::
c:\users\Matt\AppData\Local\Qpufamolim.dat
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
c:\programdata\Defence\smss.exe
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\fix.exe
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SM.drv
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\cid.dll
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv

File::
c:\users\Matt\AppData\Local\Rjiyofiruj.bin

Folder::
c:\programdata\0431db2
c:\programdata\Defence
c:\users\Matt\AppData\Roaming\Windows System Defender
c:\programdata\WSDDSys
c:\programdata\0431db2
c:\users\Guest\Tracing
c:\programdata\30945425

FCopy::
c:\windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-tapiservice_31bf3856ad364e35_6.0.6002.18005_none_e52851e7e21463cb\tapisrv.dll | c:\windows\System32\tapisrv.dll

Rootkit::
c:\windows\TEMP\TMP000000ABE16BFEB1857701AA

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 12 November 2009 - 10:09 PM

ComboFix 09-11-13.04 - Matt 13/11/2009 3:36.2.2 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.1018 [GMT 0:00] Running from: c:\users\Matt\Desktop\ComboFix.exe Command switches used :: c:\users\Matt\Desktop\CFScript.txt AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A} SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9} SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} FILE :: "c:\users\Matt\AppData\Local\Rjiyofiruj.bin" file zipped: c:\programdata\Defence\smss.exe file zipped: c:\users\Matt\AppData\Local\Qpufamolim.dat file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\cid.dll file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\fix.exe file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\FS.sys file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SM.drv file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv file zipped: c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\programdata\0431db2 c:\programdata\30945425 c:\programdata\Defence c:\programdata\Defence\smss.exe c:\programdata\WSDDSys c:\programdata\WSDDSys\wsd.cfg c:\users\Guest\Tracing c:\users\Guest\Tracing\WindowsLiveMessenger-uccapi-0.uccapilog c:\users\Matt\AppData\Local\Qpufamolim.dat c:\users\Matt\AppData\Local\Rjiyofiruj.bin c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\cid.dll c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.exe c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\fix.exe c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\FS.sys c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.dll c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\SM.drv c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv c:\users\Matt\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys c:\users\Matt\AppData\Roaming\Windows System Defender c:\users\Matt\AppData\Roaming\Windows System Defender\cookies.sqlite c:\users\Matt\AppData\Roaming\Windows System Defender\Instructions.ini . --------------- FCopy --------------- c:\windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-tapiservice_31bf3856ad364e35_6.0.6002.18005_none_e52851e7e21463cb\tapisrv.dll --> c:\windows\System32\tapisrv.dll . ((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 ))))))))))))))))))))))))))))))) . 2009-11-13 03:50 . 2009-11-13 03:53 -------- d-----w- c:\users\Matt\AppData\Local\temp 2009-11-13 03:50 . 2009-11-13 03:50 -------- d-----w- c:\users\Public\AppData\Local\temp 2009-11-13 03:50 . 2009-11-13 03:50 -------- d-----w- c:\users\Guest\AppData\Local\temp 2009-11-13 03:50 . 2009-11-13 03:50 -------- d-----w- c:\users\Default\AppData\Local\temp 2009-11-12 17:29 . 2009-11-12 17:29 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys 2009-11-12 17:03 . 2009-11-12 17:03 4096 d-----w- c:\program files\ERUNT 2009-11-11 12:08 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys 2009-11-11 12:08 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll 2009-11-10 12:47 . 2009-11-12 12:52 8192 d-----w- c:\program files\Spybot - Search & Destroy 2009-11-10 12:19 . 2009-11-10 12:19 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2009-11-10 12:19 . 2009-11-10 12:19 93360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys 2009-11-10 12:19 . 2009-11-10 12:19 554280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll 2009-11-10 12:19 . 2009-11-10 12:19 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll 2009-11-10 12:19 . 2009-11-10 12:19 283944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Vipre.dll 2009-11-10 12:19 . 2009-11-10 12:19 212480 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\VipreBridge.dll 2009-11-10 12:19 . 2009-11-10 12:19 1223976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBTE.dll 2009-11-10 12:19 . 2009-11-10 12:19 242984 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\SBRE.dll 2009-11-10 02:50 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-11-10 02:31 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe 2009-11-10 02:30 . 2009-11-10 02:31 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-11-04 12:16 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll 2009-11-04 12:16 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe 2009-11-04 12:16 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll 2009-11-04 12:16 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll 2009-11-04 12:16 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll 2009-11-04 12:16 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll 2009-11-04 12:16 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll 2009-11-04 12:15 . 2009-08-06 19:23 171608 ----a-w- c:\windows\system32\wuwebv.dll 2009-11-04 12:15 . 2009-08-06 18:44 33792 ----a-w- c:\windows\system32\wuapp.exe 2009-10-28 13:13 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe 2009-10-28 13:13 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL 2009-10-22 17:14 . 2009-10-22 17:14 4096 d-----w- c:\program files\Gmask 1.70 English 2009-10-22 17:14 . 2009-10-22 17:14 366211 ----a-w- c:\users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Gmask 1.70 English\Gmsk170E.exe 2009-10-17 23:20 . 2009-10-18 00:44 -------- d-----w- c:\users\Matt\AppData\Roaming\FileZilla 2009-10-17 23:19 . 2009-10-17 23:19 4096 d-----w- c:\program files\FileZilla FTP Client 2009-10-14 20:52 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll 2009-10-14 20:52 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll 2009-10-14 20:52 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll 2009-10-14 20:52 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys 2009-10-14 20:52 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll 2009-10-14 20:52 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe 2009-10-14 20:50 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys 2009-10-14 20:50 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2098-01-01 00:00 . 2007-12-22 02:26 9584 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\IV20.dll 2098-01-01 00:00 . 2007-12-22 02:26 9048 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\FWLUReg.dll 2098-01-01 00:00 . 2007-12-13 00:05 9096 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\LUTPReg.dll 2009-11-13 03:53 . 2009-06-15 20:58 48032 ----a-w- c:\programdata\nvModes.dat 2009-11-13 02:23 . 2009-10-11 02:11 4096 d-----w- c:\users\Matt\AppData\Roaming\vlc 2009-11-12 17:08 . 2007-11-27 23:15 4096 d-----w- c:\programdata\Spybot - Search & Destroy 2009-11-12 04:02 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail 2009-11-12 03:04 . 2007-05-10 00:08 12288 d-----w- c:\programdata\Microsoft Help 2009-11-11 12:24 . 2009-07-03 16:52 4096 d-----w- c:\program files\VoiceChatter 2009-11-10 12:19 . 2009-06-23 11:45 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-11-10 12:19 . 2009-06-01 11:47 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-11-10 12:19 . 2007-04-13 14:19 15880 ----a-w- c:\windows\system32\lsdelete.exe 2009-11-10 12:19 . 2009-06-23 11:45 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll 2009-11-10 12:19 . 2009-06-23 11:45 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-11-10 12:19 . 2009-06-23 11:45 370744 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2009-11-10 12:19 . 2009-06-01 11:47 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll 2009-11-10 12:19 . 2009-06-23 11:45 194104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Savapibridge.dll 2009-11-10 12:18 . 2009-06-23 11:45 5908024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll 2009-11-10 12:18 . 2009-06-01 11:46 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll 2009-11-10 12:18 . 2009-06-01 11:46 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2009-11-10 12:18 . 2009-06-23 11:45 933120 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll 2009-11-10 12:18 . 2009-10-05 11:46 640608 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2009-11-10 12:18 . 2009-06-23 11:45 815760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2009-11-10 12:18 . 2009-06-23 11:45 822904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2009-11-10 12:18 . 2009-06-23 11:45 1638104 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2009-11-10 12:18 . 2009-06-23 11:45 788368 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe 2009-11-10 12:18 . 2009-06-23 11:45 1179232 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe 2009-11-10 02:23 . 2007-11-28 11:59 -------- d-----w- c:\program files\CCleaner 2009-11-10 01:10 . 2007-11-16 03:01 1356 ----a-w- c:\users\Matt\AppData\Local\d3d9caps.dat 2009-11-10 00:46 . 2007-10-16 11:38 102176 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT 2009-11-02 20:42 . 2009-10-03 00:28 195456 ------w- c:\windows\system32\MpSigStub.exe 2009-10-15 11:55 . 2007-05-10 00:09 28672 d-----w- c:\program files\Microsoft Works 2009-10-13 19:10 . 2009-02-20 02:37 4096 d-----w- c:\program files\Crystal Player 2009-10-11 13:28 . 2009-10-11 02:46 4096 d-----w- c:\program files\Common Files\AVSMedia 2009-10-11 13:28 . 2009-10-11 02:46 -------- d-----w- c:\program files\AVS4YOU 2009-10-11 13:10 . 2009-10-11 02:14 -------- d-----w- c:\program files\GRETECH 2009-10-11 13:09 . 2009-10-11 01:52 4096 d-----w- c:\program files\SuperDVD Player 5.0 2009-10-11 03:37 . 2007-05-09 23:10 -------- d-----w- c:\program files\Intel 2009-10-11 03:07 . 2009-10-11 03:07 4096 d-----w- c:\program files\QuickTime 2009-10-11 03:07 . 2009-10-11 03:07 -------- d-----w- c:\programdata\Apple Computer 2009-10-11 03:01 . 2009-10-11 03:01 4096 d-----w- c:\program files\Apple Software Update 2009-10-11 03:01 . 2009-10-11 03:01 -------- d-----w- c:\programdata\Apple 2009-10-11 02:53 . 2009-10-11 02:53 -------- d-----w- c:\users\Matt\AppData\Roaming\AVS4YOU 2009-10-11 02:53 . 2009-10-11 02:53 -------- d-----w- c:\programdata\AVS4YOU 2009-10-11 02:20 . 2009-10-11 02:20 -------- d-----w- c:\program files\Ligos 2009-10-11 02:10 . 2009-10-11 02:10 -------- d-----w- c:\program files\VideoLAN 2009-10-11 01:50 . 2009-10-11 01:49 -------- d-----w- c:\users\Matt\AppData\Roaming\DivX 2009-10-11 01:49 . 2007-11-21 19:05 8192 d-----w- c:\program files\DivX 2009-10-11 01:48 . 2009-10-11 01:47 4096 d-----w- c:\program files\Common Files\DivX Shared 2009-10-11 01:46 . 2007-05-09 23:17 12288 d--h--w- c:\program files\InstallShield Installation Information 2009-10-11 01:43 . 2009-10-11 01:43 4096 d-----w- c:\program files\Common Files\Hypnotizer 2009-10-05 11:46 . 2009-10-05 11:46 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\WSCUpdate.dll 2009-10-05 11:46 . 2009-03-10 12:45 68640 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys 2009-10-05 11:46 . 2009-03-10 12:45 303976 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe 2009-10-05 11:46 . 2009-06-23 11:45 640760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe 2009-10-03 13:36 . 2009-10-03 13:36 -------- d-----w- c:\users\Matt\AppData\Roaming\PeerNetworking 2009-10-02 00:07 . 2009-10-02 00:07 4096 d-----w- c:\program files\Microsoft Office Outlook Connector 2009-10-02 00:06 . 2008-02-27 10:45 4096 d-----w- c:\program files\Windows Live 2009-09-30 13:58 . 2007-08-25 05:07 9576 ----a-w- c:\programdata\Symantec\LiveUpdate\LuRegManifests\Static\CCMSLLUM.DLL 2009-09-04 12:24 . 2009-10-14 20:51 61440 ----a-w- c:\windows\system32\msasn1.dll 2009-08-31 13:55 . 2009-10-14 20:51 293376 ----a-w- c:\windows\system32\psisdecd.dll 2009-08-31 13:55 . 2009-10-14 20:51 428544 ----a-w- c:\windows\system32\EncDec.dll 2009-08-28 12:39 . 2009-09-02 18:22 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2009-08-28 10:15 . 2009-09-02 18:22 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-27 13:32 . 2009-10-14 20:51 833024 ----a-w- c:\windows\system32\wininet.dll 2009-08-27 13:29 . 2009-10-14 20:51 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-27 10:58 . 2009-10-14 20:51 26624 ----a-w- c:\windows\system32\ieUnatt.exe 2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL 2007-08-25 03:52 . 2007-12-12 23:52 300400 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll 2007-11-09 16:25 . 2008-02-02 19:59 57344 ----a-w- c:\program files\mozilla firefox\components\MGSHelper.dll 2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840] "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-13 457728] "eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-04-27 1286144] "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872] "IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-11-10 788368] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-27 13781536] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696] "RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-13 4431872] "Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-04-13 1822720] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2007-6-19 1208320] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696] Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-5-9 535336] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\eNetHook.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "aux1"=wdmaud.drv [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup backupExtension=.CommonStartup [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001 R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\System32\drivers\iaNvStor.sys [29/08/2007 17:20 210432] R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/11/2009 02:50 64288] R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081210.002\IDSvix86.sys [10/12/2008 21:20 270384] R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [10/05/2007 00:28 50688] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1179232] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [02/03/2008 01:28 149352] R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [10/11/2009 12:47 1153368] R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [09/05/2007 22:52 179712] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [03/09/2008 01:47 99376] R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [19/02/2009 11:31 41008] R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [09/05/2007 22:52 43008] S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [29/05/2007 20:55 23888] S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [02/10/2009 00:06 54632] S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864] S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\System32\drivers\hmvmdm.sys [01/10/2008 14:43 101504] --- Other Services/Drivers In Memory --- *NewlyCreated* - COMHOST . Contents of the 'Scheduled Tasks' folder 2009-11-09 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Matt.job - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19] 2009-11-13 c:\windows\Tasks\User_Feed_Synchronization-{2B9A8B39-2C16-44E0-B53C-6E7C2E244355}.job - c:\windows\system32\msfeedssync.exe [2008-06-22 07:33] . . ------- Supplementary Scan ------- . uStart Page = hxxp://en.uk.acer.yahoo.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://en.uk.acer.yahoo.com uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\users\Matt\AppData\Roaming\Mozilla\Firefox\Profiles\y95ct9y3.default\ FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll FF - component: c:\program files\Mozilla Firefox\components\MGSHelper.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - HKCU-Run-Defence - c:\programdata\Defence\smss.exe ************************************************************************** scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\nvvsvc.exe c:\windows\system32\nvvsvc.exe c:\acer\Empowering Technology\eDataSecurity\eDSService.exe c:\acer\Empowering Technology\eLock\Service\eLockServ.exe c:\acer\Empowering Technology\eNet\eNet Service.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\acer\Mobility Center\MobilityService.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe c:\windows\system32\DRIVERS\xaudio.exe c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe c:\acer\Empowering Technology\eSettings\Service\capuserv.exe c:\acer\Empowering Technology\ePower\ePowerSvc.exe d:\matlab7\bin\win32\matlab.exe c:\windows\system32\wbem\unsecapp.exe c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\windows\servicing\TrustedInstaller.exe . ************************************************************************** . Completion time: 2009-11-13 04:07 - machine was rebooted ComboFix-quarantined-files.txt 2009-11-13 04:06 ComboFix2.txt 2009-11-13 01:28 Pre-Run: 9,101,856,768 bytes free Post-Run: 8,967,614,464 bytes free - - End Of File - - 3B1E403A1914CD17F9D8C8E24B173815 Upload was successful

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 06:12 AM

Hi,

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT

**Vista users - right click on the IE icon and run as administrator

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

    Posted Image
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#7 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 November 2009 - 12:16 PM

Malwarebytes' Anti-Malware 1.41 Database version: 3160 Windows 6.0.6001 Service Pack 1 13/11/2009 14:50:41 mbam-log-2009-11-13 (14-50-41).txt Scan type: Quick Scan Objects scanned: 106654 Time elapsed: 4 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.c...q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Users\Matt\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Windows System Defender.lnk (Rogue.WindowsSystemDefender) -> Quarantined and deleted successfully. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Friday, November 13, 2009 Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Friday, November 13, 2009 13:42:04 Records in database: 3203466 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ F:\ Scan statistics: Objects scanned: 210678 Threats found: 1 Infected objects found: 1 Suspicious objects found: 0 Scan duration: 02:45:27 File name / Threat / Threats count C:\Users\Matt\AppData\Local\VirtualStore\Windows\System32\net.net Infected: Trojan-Clicker.Win32.VBiframe.ags 1 Selected area has been scanned.

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 12:53 PM

Hi,

please do the following:

Press Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "C:\Users\Matt\AppData\Local\VirtualStore\Windows\System32\net.net"

Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#9 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 November 2009 - 01:19 PM

I've had no problems as of today, computer seems to be running much smoother. Nothing more to add but say thankyou! :D DDS (Ver_09-06-26.01) - NTFSx86 Run by Matt at 19:14:12.06 on 13/11/2009 Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_03 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2046.915 [GMT 0:00] AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9} SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A} FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Windows\system32\nvvsvc.exe C:\Windows\System32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Acer\ALaunch\ALaunchSvc.exe C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe C:\Acer\Empowering Technology\eNet\eNet Service.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe C:\Acer\Mobility Center\MobilityService.exe C:\Windows\system32\PnkBstrA.exe C:\Windows\system32\PnkBstrB.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe d:\matlab7\bin\win32\matlab.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe C:\Acer\Empowering Technology\ePower\ePowerSvc.exe C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe C:\Acer\Empowering Technology\eAudio\eAudio.exe C:\Program Files\Launch Manager\QtZgAcer.EXE C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Acer\Acer VCM\AcerVCM.exe C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE C:\Windows\system32\taskeng.exe C:\Users\Matt\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Acer\Acer VCM\VC.exe C:\Program Files\Acer\Acer VCM\acp2HID.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Matt\AppData\Local\temp\jkos-Matt\binaries\ScanningProcess.exe C:\Users\Matt\AppData\Local\temp\jkos-Matt\binaries\ScanningProcess.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\FirewallControlPanel.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Users\Matt\Downloads\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://en.uk.acer.yahoo.com uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mStart Page = hxxp://en.uk.acer.yahoo.com uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.0\coIEPlg.dll BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.0\CoIEPlg.dll TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe" mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [RtHDVCpl] RtHDVCpl.exe mRun: [Skytel] Skytel.exe mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} - hxxp://musicmix.messenger.msn.com/Medialogic.CAB DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll AppInit_DLLs: c:\windows\system32\eNetHook.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\matt\appdata\roaming\mozilla\firefox\profiles\y95ct9y3.default\ FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll FF - component: c:\program files\mozilla firefox\components\MGSHelper.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} ============= SERVICES / DRIVERS =============== R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-8-29 210432] R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288] R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081210.002\IDSvix86.sys [2008-12-10 270384] R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-5-10 50688] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232] R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-3-2 149352] R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-10 1153368] R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512] R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-5-9 179712] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376] R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008] R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-5-9 43008] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-29 23888] S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-2 54632] S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864] S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-10-1 101504] =============== Created Last 30 ================ 2009-11-13 14:44 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes 2009-11-13 14:44 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-11-13 14:44 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-11-13 14:44 <DIR> --d----- c:\programdata\Malwarebytes 2009-11-13 14:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-11-13 14:44 <DIR> --d----- c:\progra~2\Malwarebytes 2009-11-13 04:07 12,568 a------- c:\windows\system32\drivers\PROCEXP113.SYS 2009-11-13 01:11 260,608 a------- c:\windows\PEV.exe 2009-11-13 01:11 161,792 a------- c:\windows\SWREG.exe 2009-11-13 01:11 98,816 a------- c:\windows\sed.exe 2009-11-13 01:11 77,312 a------- c:\windows\MBR.exe 2009-11-12 17:29 34,816 a------- c:\windows\system32\drivers\rootrepeal.sys 2009-11-11 12:08 2,035,712 a------- c:\windows\system32\win32k.sys 2009-11-11 12:08 351,232 a------- c:\windows\system32\WSDApi.dll 2009-11-10 12:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-11-10 12:19 93,360 a------- c:\windows\system32\drivers\SBREDrv.sys 2009-11-10 02:50 64,288 a------- c:\windows\system32\drivers\Lbd.sys 2009-11-10 02:30 <DIR> -cd-h--- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-11-10 02:30 <DIR> -cd-h--- c:\progra~2\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-11-04 12:16 2,421,760 a------- c:\windows\system32\wucltux.dll 2009-11-04 12:16 87,552 a------- c:\windows\system32\wudriver.dll 2009-11-04 12:15 171,608 a------- c:\windows\system32\wuwebv.dll 2009-11-04 12:15 33,792 a------- c:\windows\system32\wuapp.exe 2009-10-28 13:13 310,784 a------- c:\windows\system32\unregmp2.exe 2009-10-28 13:13 8,147,456 a------- c:\windows\system32\wmploc.DLL 2009-10-22 17:14 <DIR> --d----- c:\program files\Gmask 1.70 English 2009-10-14 20:52 213,504 a------- c:\windows\system32\msv1_0.dll 2009-10-14 20:52 175,104 a------- c:\windows\system32\wdigest.dll 2009-10-14 20:52 1,256,448 a------- c:\windows\system32\lsasrv.dll 2009-10-14 20:52 439,896 a------- c:\windows\system32\drivers\ksecdd.sys 2009-10-14 20:52 72,704 a------- c:\windows\system32\secur32.dll 2009-10-14 20:52 9,728 a------- c:\windows\system32\lsass.exe 2009-10-14 20:50 144,896 a------- c:\windows\system32\drivers\srv2.sys 2009-10-14 20:50 604,672 a------- c:\windows\system32\WMSPDMOD.DLL ==================== Find3M ==================== 2009-11-13 14:53 48,032 a------- c:\programdata\nvModes.dat 2009-11-13 14:53 48,032 a------- c:\progra~2\nvModes.dat 2009-11-10 12:19 15,880 a------- c:\windows\system32\lsdelete.exe 2009-11-02 20:42 195,456 -------- c:\windows\system32\MpSigStub.exe 2009-09-04 12:24 61,440 a------- c:\windows\system32\msasn1.dll 2009-08-31 13:55 293,376 a------- c:\windows\system32\psisdecd.dll 2009-08-31 13:55 428,544 a------- c:\windows\system32\EncDec.dll 2009-08-28 12:39 28,672 a------- c:\windows\system32\Apphlpdm.dll 2009-08-28 12:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll 2009-08-28 12:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll 2009-08-28 12:38 541,696 a------- c:\windows\apppatch\AcLayers.dll 2009-08-28 12:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll 2009-08-28 10:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-27 13:32 833,024 a------- c:\windows\system32\wininet.dll 2009-08-27 13:29 78,336 a------- c:\windows\system32\ieencode.dll 2009-08-27 10:58 26,624 a------- c:\windows\system32\ieUnatt.exe 2009-08-17 22:33 1,193,832 a------- c:\windows\system32\FM20.DLL 2009-06-24 17:37 56 a---h--- c:\programdata\ezsidmv.dat 2009-06-24 17:37 56 a---h--- c:\progra~2\ezsidmv.dat 2009-06-15 20:53 143,360 a------- c:\windows\inf\infstrng.dat 2009-06-15 20:53 51,200 a------- c:\windows\inf\infpub.dat 2009-06-15 20:53 86,016 a------- c:\windows\inf\infstor.dat 2009-06-15 19:04 27,744 a------- c:\users\matt\appdata\roaming\nvModes.dat 2008-06-23 23:12 665,600 a------- c:\windows\inf\drvindex.dat 2008-06-23 19:48 174 a--sh--- c:\program files\desktop.ini 2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2007-12-30 20:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat 2007-12-30 20:07 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 2007-12-30 20:07 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat 2008-06-21 21:27 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat 2008-06-21 21:27 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 2008-06-21 21:27 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat ============= FINISH: 19:15:50.27 ===============

Attached Files


Edited by Firepandaa, 13 November 2009 - 01:20 PM.


#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 04:32 PM

Hi,

You are clean.

just some housekeeping to do now,

please do the following:

Visit ADOBEand download the latest version of Acrobat Reader (version 9.2)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 17. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and AppletsTrace and Log Files
  • Click OK on Delete Temporary Files Window

    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


Follow these steps to uninstall Combofix

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

Posted Image




NEXT

Now to remove the rest of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them

    Then consider a password keeper, to keep all your passwords safe.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.

  • SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

    WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox, IE and chrome.

  • For Firefox, I highly recommend this add-on to keep your PC even more secure.
    • NoScript - for blocking ads and other potential website attacks
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
    Think Prevention.
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 04:47 PM

Hi,

One additional thing:

I meant to address your outdated Norton Antivirus. Not having the latest virus definitions is much like not having an antivirus at all:
Remove the Norton anti Virus from your Add/Remove programs:

then use the Norton removal tool to get rid of the remnants:

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


Now choose ONE of the following Antivirus programs, they are both free and both excellent. Make sure you update them regularly:

Avira AntiVir
Avast

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#12 Firepandaa

Firepandaa

    New Member

  • Authentic Member
  • Pip
  • 6 posts

Posted 13 November 2009 - 06:14 PM

Thanks a lot! Everything works great and I replaced norton :)

#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 13 November 2009 - 07:27 PM

You are more than welcome stay safe :wavey: ~CB

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#14 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 17 November 2009 - 01:35 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users