
Win32 Virus Or Not Win 32 Virus


socom2


Newbie here trying to chase down viruses and malware ghosts.

 

After purchasing ASO Advanced System Optimizer and Webroot AVS / Spy Sweeper, and installing Bitdefender, RemoveIT Pro trial, Malwarebytes and ZoneAlarm, I seem to be chasing ghosts.

 

I also did a HouseCall online scan as well and cleaned everything I could with all of the above. Still I have problems, and some AV programs I don't trust even though they were rated good or suggested by other forums.

 

I have shut off System Restore and scanned in Safe Mode; it seems like when one is cleaned, another pops up on another scanner. Below is my DDS txt file your forum asked me to post.

 

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Owner at 10:41:29 on 2011-07-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.275 [GMT -7:00]

.

AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: ZoneAlarm Pro Firewall *Enabled*

.

============== Running Processes ===============

.

C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Advanced System Optimizer 3\ASO3DefragSrv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cincopa\cincopaAgent.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Wireless-N PCI Adapter\WLService.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Wireless-N PCI Adapter\WMP300N.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\WINDOWS\System32\WLTRAY.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Advanced System Optimizer 3\SystemProtector.exe

C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe

C:\Program Files\IO3O LLC\Who Is On My Wifi\mywifi.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Cincopa\cincopa.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Advanced System Optimizer 3\ASO3.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\DOCUME~1\Owner\LOCALS~1\Temp\HouseCall\housecall.bin

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = *.local

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [RemoteCenter] "c:\program files\creative\mediasource\remotecontrol\RcMan.exe"

uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"

uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource\go\CTCMSGo.exe" /SYS

uRun: [Facebook Update] "c:\documents and settings\owner\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver

uRun: [RemoveIT Pro v7Ent] c:\program files\incode solutions\removeit pro v7 enterprise\removeit.exe

mRun: [sBDrvDet] "c:\program files\creative\sb drive det\SBDrvDet.exe" /r

mRun: [CTSysVol] "c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe"

mRun: [CTDVDDet] "c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE"

mRun: [NeroFilterCheck] "c:\program files\common files\nero\lib\NeroCheck.exe"

mRun: [Logitech Utility] "Logi_MwX.Exe"

mRun: [intuit SyncManager] "c:\program files\common files\intuit\sync\IntuitSyncManager.exe" startup

mRun: [dvd43] "c:\program files\dvd43\dvd43_tray.exe"

mRun: [CTxfiHlp] "CTXFIHLP.EXE"

mRun: [broadcom Wireless Manager UI] "c:\windows\system32\WLTRAY.exe"

mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe"

mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [CTHelper] "CTHELPER.EXE"

mRun: [Cmaudio] "RunDll32" cmicnfg.cpl,CMICtrlWnd

mRun: [ACQTMOUSE] "c:\program files\mouse setting\mouse setting software\4.0\ACQTMAPP.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [ATIModeChange] "Ati2mdxx.exe"

mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k

mRun: [systemProtector] "c:\program files\advanced system optimizer 3\SystemProtector.exe" /autorun

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\cincopa.lnk - c:\program files\cincopa\cincopa.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\windows\installer\{4fcabf82-0896-40d2-bbd2-3817c5e16789}\_C4828D0854F1CA912B9EE1.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

uPolicies-explorer: nosimplestartmenu = 0 (0x0)

uPolicies-explorer: norecentdochistory = 1 (0x1)

uPolicies-explorer: maxrecentdocs = 0 (0x0)

mPolicies-explorer: <NO NAME> =

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: aol.com\free

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213909637663

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 68.87.76.182 68.87.78.134

TCP: Interfaces\{58557B52-1F23-4501-92FB-F5DBFB804C85} : DhcpNameServer = 68.87.76.182 68.87.78.134

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 relog_ap

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\2nlpny7q.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\2nlpny7q.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\documents and settings\owner\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Youtube Downloader: youtube_downloader@anishsane.googlepages.com - %profile%\extensions\youtube_downloader@anishsane.googlepages.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: HootBar: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37} - %profile%\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}

FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com

FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-20 528128]

R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\advanced system optimizer 3\ASO3DefragSrv.exe [2011-7-12 239928]

R2 cincopaAgent;cincopaAgent;c:\program files\cincopa\cincopaAgent.exe [2011-1-3 20480]

R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-24 91456]

R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [2011-7-2 45584]

R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\security\current\plugins\antimalware\AEI.exe [2011-7-2 3907248]

R2 WMP300NSvc;WMP300NSvc;c:\program files\wireless-n pci adapter\WLService.exe [2008-6-19 53307]

R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\security\current\framework\WRConsumerService.exe [2011-7-2 3363168]

R3 ADASPROT;SYSTWEAKASO;c:\program files\advanced system optimizer 3\adasprot32.sys [2011-7-12 6656]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2010-3-18 18904]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

S3 ACRUSBTM;ACRUSBTM;c:\windows\system32\drivers\ACRUSBTM.SYS [2011-3-11 28672]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2010-9-26 6016]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-7-29 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]

S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [2011-1-24 21120]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-29 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-29 40552]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-9-26 19968]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-9-26 8320]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-9-26 23424]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-9-26 9472]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

.

=============== Created Last 30 ================

.

2011-07-25 17:38:23 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-07-25 17:38:22 -------- d-----w- c:\program files\Trend Micro

2011-07-25 17:31:32 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2011-07-21 01:07:09 -------- d-----w- c:\documents and settings\owner\application data\QuickScan

2011-07-21 00:19:29 -------- d-----w- c:\program files\WinDirStat

2011-07-18 21:19:21 -------- d-----w- c:\program files\InCode Solutions

2011-07-16 18:15:08 45056 ----a-w- c:\windows\system32\ATIODCLI.exe

2011-07-16 18:15:08 294912 ----a-w- c:\windows\system32\ATIODE.exe

2011-07-16 18:15:07 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-07-16 18:15:02 11423744 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-16 18:15:00 376832 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-16 18:15:00 118784 ----a-w- c:\windows\system32\atibtmon.exe

2011-07-15 18:04:21 -------- d-----w- c:\program files\IO3O LLC

2011-07-13 19:54:45 94208 ----a-w- c:\windows\DUMP5870.tmp

2011-07-13 19:54:45 94208 ----a-w- c:\windows\DUMP56bb.tmp

2011-07-12 17:52:02 2576 ----a-w- c:\windows\system32\ASOROSet.bin

2011-07-12 17:52:02 16184 ----a-w- c:\windows\system32\ROBoot.exe

2011-07-12 17:23:06 17136 ----a-w- c:\windows\system32\sasnative32.exe

2011-07-12 17:22:44 -------- d-----w- c:\program files\Advanced System Optimizer 3

2011-07-09 19:02:05 -------- d-----w- c:\program files\iPod

2011-07-09 19:01:57 -------- d-----w- c:\program files\iTunes

2011-07-09 18:55:40 -------- d-----w- c:\program files\Bonjour

2011-07-07 20:01:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\Temp

2011-07-07 20:01:26 -------- d-----w- c:\documents and settings\owner\local settings\application data\Facebook

2011-07-02 18:08:05 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys

2011-07-02 18:08:05 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys

2011-07-02 18:08:05 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys

2011-07-02 18:05:02 -------- dc-h--w- c:\documents and settings\all users\application data\{24F72050-686C-4A15-B137-09FEB449D545}

2011-07-02 18:04:39 -------- d-----w- c:\program files\Webroot

2011-07-02 18:04:15 -------- d-----w- c:\documents and settings\all users\application data\Webroot

2011-07-02 18:04:12 -------- d-----w- c:\documents and settings\owner\local settings\application data\PackageAware

.

==================== Find3M ====================

.

2011-07-02 17:37:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-25 06:44:26 59904 ----a-w- c:\windows\system32\OVDecode.dll

2011-05-25 06:44:10 51712 ----a-w- c:\windows\system32\OpenCL.dll

2011-05-25 06:43:50 12798976 ----a-w- c:\windows\system32\amdocl.dll

2011-05-25 03:07:40 956160 ----a-w- c:\windows\system32\ativvamv.dll

2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

.

============= FINISH: 10:48:16.35 ===============

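The DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above are one entry per line, which makes them easy to triage mechanically before a human reads every line. The following is an added example, not part of this thread and not code from the DDS tool, that parses those two formats and flags the entries an analyst usually looks at first: autostarts whose target lives in a user-writable or temporary folder, entries pointing at a file that no longer exists ("No File"), Run keys that name a bare filename resolved through the search path instead of a full path, drivers loaded from outside %SystemRoot%\system32, and service/driver lines where DDS printed "[?]" instead of a date and size. The sample input is a handful of lines excerpted from the log posted above; the heuristics and their wording are assumptions of this example, and a hit only means "look here", not "this is malware" (the same caveat the GMER rootkit warning carries).

```python
"""Triage a DDS pseudo-HJT / services log for autostart entries worth a look.

Added example; heuristics only, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the DDS log posted in this thread,
# chosen so every heuristic below fires at least once. Raw string, so the
# Windows backslashes are literal.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [Facebook Update] "c:\documents and settings\owner\local settings\application data\facebook\update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Logitech Utility] "Logi_MwX.Exe"
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\cincopa.lnk - c:\program files\cincopa\cincopa.exe
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-20 528128]
"""

# "uRun: [name] cmd", "BHO: name: {guid} - path", "StartupFolder: lnk - target", ...
AUTOSTART_RE = re.compile(
    r"^(?P<kind>[um]Run|BHO|TB|EB|StartupFolder|SSODL|Notify|SEH|Handler):\s*(?P<body>.*)$"
)
# "R2 name;description;path [date size]"  or  "... [?]" when DDS could not read the file
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<body>.*)$")
# A drive-letter (or \??\drive-letter) path ending in a binary/shortcut extension.
PATH_RE = re.compile(r"(?:[a-z]:|\\\?\?\\[a-z]:)\\[^\"\[]*?\.(?:exe|dll|sys|cpl|bin|lnk)\b", re.I)

# Directory fragments a non-admin process can write to (assumed list, XP and later).
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\", "\\users\\", "\\temp\\",
    "\\local settings\\", "\\application data\\", "\\appdata\\", "\\programdata\\",
)


@dataclass
class Entry:
    kind: str          # uRun, mRun, BHO, ..., or the service start type (R2, S3, ...)
    name: str          # bracketed name, service name, or the text before the first " - "
    body: str          # everything after the kind prefix, unmodified
    paths: list[str]   # drive-letter paths found in body, in order of appearance


@dataclass
class Finding:
    entry: Entry
    reasons: list[str]


def parse_dds(text: str) -> list[Entry]:
    """Turn autostart and service lines into Entry records; other lines are ignored."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            body = m.group("body")
            nm = re.match(r"\[(?P<n>[^\]]*)\]", body)
            name = nm.group("n") if nm else body.split(" - ")[0].strip()
            entries.append(Entry(m.group("kind"), name, body, PATH_RE.findall(body)))
            continue
        m = SERVICE_RE.match(line)
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("start"), m.group("name"), body, PATH_RE.findall(body)))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the heuristics; an entry with no reasons is not returned."""
    findings: list[Finding] = []
    for e in entries:
        reasons: list[str] = []
        if "No File" in e.body:
            reasons.append("points at a file that no longer exists (No File)")
        if e.body.rstrip().endswith("[?]"):
            reasons.append("DDS could not read the file date/size ([?])")
        # The last path on the line is the real target (after " - " or " --> ").
        target = e.paths[-1].lower() if e.paths else ""
        if target and any(seg in target for seg in USER_WRITABLE):
            reasons.append(f"runs from a user-writable location: {e.paths[-1]}")
        if target.endswith(".sys") and "\\windows\\system32\\" not in target:
            reasons.append(f"driver loaded from outside system32: {e.paths[-1]}")
        if e.kind in ("uRun", "mRun") and not e.paths:
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", e.body).strip()
            first = cmd.split()[0].strip('"') if cmd else ""
            if first and "\\" not in first and "%" not in first:
                reasons.append(f'bare filename "{first}" resolved through the search path')
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def triage_text(text: str) -> dict[str, list[str]]:
    """Convenience wrapper: entry name -> reasons, for the whole log text."""
    return {f.entry.name: f.reasons for f in triage(parse_dds(text))}


if __name__ == "__main__":
    for name, reasons in triage_text(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run it against a full DDS log (`triage_text(open("dds.txt").read())`) and read the hits in context: in the sample, HouseCall-style tools that run from %TEMP% and a stock Logitech entry both trip the heuristics, which is why the output is a reading list, not a removal list.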

Hello socom2 and welcome.

 

My name is JonTom

 

  • Malware Logs can sometimes take a lot of time to research and interpret.

  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

I have shut off system restore

Please turn system restore back on. An infected restore point is better than no restore point at all.

 

Still I have problems

Can you describe what problems you are having in a little more detail please?

 

When you ran DDS, two logs would have been produced. I would like to review the attach.txt log. Please post it in your next reply along with the logs from the following tools:

 

  • Please scan your system with GMER

     

     


    Download GMER Rootkit Scanner from here or here.

    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

    **Caution**

    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

     

    Please post the attach.txt log and the GMER log in your next reply. If you encounter any problems with the scan come back and let me know.

     

  • Security Check

     

     

    • Please download Security Check by screen317 from here or here and save the file (called securitycheck.exe) to your desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box (NOTE: If you are running Vista or Win7, please right-click and select "Run as Administrator").
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.

Thank you for taking my request.

 

Problems:

  • Computer is very slow.
  • A few days ago the C: drive went from 2 GB to 3 MB in less than 1 hr, and it goes up and down; this is certainly bad.
  • Also I notice that in ZoneAlarm there is a lot of internet traffic, which makes my mouse stutter or get stuck when I am trying to scroll around the browser.
  • I have had to repair the "master boot record" 2 times.
  • I get alerts from ZoneAlarm about programs that never asked for an internet connection or access to a system file in the past, which is very suspect.
Reports:

 

GMER keeps crashing and I get a "...has recovered from a serious system error" message, so I can't get the report from it. It also wants me to send Microsoft the report.

 

Here are the reports I could get (attach.txt / checkup.txt).

 

1. DDS

 

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-06-23.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 5/21/2008 3:02:54 PM

System Uptime: 7/25/2011 9:20:26 AM (1 hours ago)

.

Motherboard: | | 848P-ICH5

Processor: Intel® Pentium® 4 CPU 3.00GHz | Socket 478 | 2992/200mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 93 GiB total, 4.955 GiB free.

D: is CDROM (UDF)

E: is CDROM (CDFS)

F: is FIXED (NTFS) - 466 GiB total, 192.569 GiB free.

G: is CDROM ()

H: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Realtek RTL8139/810x Family Fast Ethernet NIC

Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&1F7DBC9F&0&48F0

Manufacturer: Realtek Semiconductor Corp.

Name: Realtek RTL8139/810x Family Fast Ethernet NIC

PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\4&1F7DBC9F&0&48F0

Service: RTL8023xp

.

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: C-Media AC97 Audio Device

Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD

Manufacturer: C-Media

Name: C-Media AC97 Audio Device

PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_18751019&REV_02\3&13C0B0C5&0&FD

Service: cmuda

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

.

µTorrent

6300

6300_Help

6300Trb

AbsoluteShield File Shredder

Acronis True Image WD Edition

Adobe Acrobat 7.0 Professional

Adobe Acrobat 7.1.0 Professional

Adobe AIR

Adobe Anchor Service CS4

Adobe Bridge CS4

Adobe CMaps CS4

Adobe Color - Photoshop Specific CS4

Adobe Color EU Extra Settings CS4

Adobe Color JA Extra Settings CS4

Adobe Color NA Recommended Settings CS4

Adobe Color Video Profiles CS CS4

Adobe CSI CS4

Adobe Default Language CS4

Adobe Device Central CS4

Adobe Drive CS4

Adobe ExtendScript Toolkit CS4

Adobe Extension Manager CS4

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Fonts All

Adobe Linguistics CS4

Adobe Media Player

Adobe MPEG Encoder

Adobe Output Module

Adobe PDF Library Files CS4

Adobe Photoshop CS4

Adobe Photoshop CS4 Support

Adobe Premiere 6.5

Adobe Reader 7.1.0

Adobe Search for Help

Adobe Service Manager Extension

Adobe Setup

Adobe SVG Viewer 3.0

Adobe Type Support CS4

Adobe Update Manager CS4

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS4

AdobeColorCommonSetCMYK

AdobeColorCommonSetRGB

Advanced RealMedia Export Plug-in for Premiere 6.0

Advanced System Optimizer

AiO_Scan_CDA

AiOSoftwareNPI

AnswerWorks 5.0 English Runtime

Any DVD Converter Professional 3.7.5

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI AVIVO Codecs

Bonjour

Broadcom 802.11 Network Adapter

BS-Server

BS-Tuner

BufferChm

C-Media WDM Audio Driver

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center Localization All

ccc-utility

CCC Help English

CCleaner

Cincopa Agent Application

ClubManager

Codec Pack - All In 1 6.0.3.0

Compatibility Pack for the 2007 Office system

Connect

ConvertXtoDVD 4.0.3.311

CP_CalendarTemplates1

cp_OnlineProjectsConfig

CP_Package_Basic1

CP_Panorama1Config

cp_PosterPrintConfig

Creative Audio Console

Creative MediaSource

Creative MediaSource 5

Creative Software AutoUpdate

Creative WaveStudio 7

Critical Update for Windows Media Player 11 (KB959772)

CueTour

CustomerResearchQFolder

Data Lifeguard Diagnostic for Windows 1.21

Destinations

Destiny Media Player

DeviceManagementQFolder

Direct MP3 Joiner version 3.0.2.9

DiscWizard for Windows

DocProc

DocProcQFolder

DocumentViewerQFolder

DVD Decrypter (Remove Only)

DVD Shrink 3.1.4

DVD43 v4.6.0

EA SPORTS online 2005

eSupportQFolder

Facebook Video Calling 1.0.0.7428

Fax_CDA

FileZilla Client 3.3.5.1

FullDPAppQFolder

Google Earth Pro 4.2

GrabIt 1.7.2 Beta 4 (build 997)

GroupMail :: Personal Edition

HiJackThis

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Customer Participation Program 7.0

HP Document Viewer 7.0

HP Imaging Device Functions 7.0

HP Photosmart Essential

HP Photosmart Premier Software 6.5

HP Photosmart, Officejet and Deskjet 7.0.A

HP Solution Center 7.0

HP Update

HPPhotoSmartExpress

HPProductAssistant

Indeo® Software

InstantShareDevices

InstantShareDevicesMFC

iTunes

Java Auto Updater

Java 6 Update 26

Java 6 Update 6

Java 6 Update 7

Jawbone Updater

kuler

Linksys Wireless-N PCI Adapter

Logitech MouseWare 9.76

Malwarebytes' Anti-Malware version 1.51.0.1200

MarketResearch

Medieval II Total War

Medieval II Total War : Kingdoms : Britannia

Medieval II Total War : Kingdoms : Crusades

MergeModules

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

Microsoft National Language Support Downlevel APIs

Microsoft Office 2003 Primary Interop Assemblies

Microsoft Office File Validation Add-In

Microsoft Office Professional Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual J# .NET Redistributable Package 1.1

Microsoft Visual Studio 2005 Tools for Office Runtime

MobileMe Control Panel

MotoConnect 1.1.31

Motorola Mobile Drivers Installation 4.7.1

Mouse Setting Software 4.0

Mozilla Firefox (3.6.18)

MP3 Splitter & Joiner Pro 4.22

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MSXML 6.0 Parser (KB925673)

MVP Baseball 2005

Nero 8

neroxml

NewCopy_CDA

NVIDIA PhysX

OCR Software by I.R.I.S 7.0

Octoshape add-in for Adobe Flash Player

Open PLS in Windows Media Player 2.2.0

PanoStandAlone

PDF Settings CS4

Photoshop Camera Raw

PowerISO

ProductContextNPI

QuickBooks

QuickBooks Premier Edition 2009

Quicken 2010

QuickPar 0.9

QuickTime

RadioDestiny Broadcaster

RandMap

Readme

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB974455)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 8 (KB917734)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SkinsHP1

Skype™ 5.0

SlideShow

SolutionCenter

Sonic_PrimoSDK

Sony Noise Reduction Plug-In 2.0h

Sound Blaster Audigy 2

Sound Forge Pro 10.0

SoundFont Bank Manager

Status

Suite Shared Configuration CS4

SupportSoft Assisted Service

System Requirements Lab

TeamViewer 5

TeraCopy 2.12

Toolbox

Total Video Converter 3.10

TrayApp

TurboTax 2009 wcaiper

TurboTax 2010

TurboTax 2010 wcaiper

TurboTax 2010 WinBizFedFormset

TurboTax 2010 WinBizReleaseEngine

TurboTax 2010 WinBizTaxSupport

TurboTax 2010 WinPerFedFormset

TurboTax 2010 WinPerReleaseEngine

TurboTax 2010 WinPerTaxSupport

TurboTax 2010 wrapper

TurboTax Business 2010

Ubisoft Game Launcher

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows Internet Explorer 8 (KB973874)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB976749)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB942763)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Veetle TV 0.9.18

Visual Studio 2005 Tools for Office Second Edition Runtime

WebFldrs XP

WebReg

Webroot Software

Who Is On My Wifi

WinDirStat 1.1.2

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer Clean Up

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell 1.0

Windows Search 4.0

Windows XP Service Pack 3

WinRAR archiver

WinZip

XML Paper Specification Shared Components Pack 1.0

Xvid 1.2.1 final uninstall

XviD MPEG4 Video Codec (remove only)

Yahoo! Messenger

Yahoo! Software Update

Yahoo! Toolbar

ZoneAlarm Pro

.

==== End Of File ===========================


Results of screen317's Security Check version 0.99.17

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ZoneAlarm Pro

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

HijackThis 2.0.2

CCleaner

Java 6 Update 26

Java 6 Update 6

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10.3.181.26

Mozilla Firefox (3.6.18) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Webroot Security current plugins\antimalware\AEI.exe

Zone Labs ZoneAlarm zlclient.exe

``````````End of Log````````````


Hello socom2

 

Thank you for the extra information.

 

  • P2P Programs:

    • P2P programs are a major source of Malware infections.
    • From your log I see you have µTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.
    • Information regarding the risk of using these programs can be found from here and here.
    • It is strongly recommended that you uninstall any P2P programs you have on your system.
    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the "µTorrent" program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.

      PLEASE NOTE:
    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  • Please un-install your outdated Java

    • Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • Click on "remove a program". A list of currently installed programs will be displayed.
    • Find the "Java™ 6 Update 6" program, click on it once and then click on the "uninstall" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.
    • Repeat for "Java™ 6 Update 7".
    • NOTE: Do not uninstall Java™ 6 Update 26

    The GMER keeps crashing

    It is important that we see a log from an ARK scanner as it can determine the best course of action to take in cleaning your machine. Let's see if we can get GMER to complete with the following:

  • GMER

    • If you are having trouble getting GMER to complete a scan, please run it again, but this time uncheck everything EXCEPT "Sections" and "C:\".
    • If GMER does not produce a log please try running it from Safe Mode.

    • How to use the F8 method to Start Your Computer in Safe Mode

    • Restart your computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the "Advanced Options" menu appears.
    • Use the arrow keys to select the Safe mode menu item.
    • Press Enter.

    • If GMER in safe mode does not work, please try Rootkit Unhooker:

  • Rootkit Unhooker

    • Please Download Rootkit Unhooker and Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Check (Tick) Drivers, Stealth. Uncheck the rest, then Click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report somewhere where you can find it. Click Close.

    Copy the entire contents of the report and paste it in your next reply here.

    Note: You may get the following warning, just click OK and continue.

    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"

    I have had a 2 times repair the "master boot record"

    Let's take a look at it with the following:

  • aswMBR

    • Download aswMBR.exe to your desktop.
    • Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan.
    • On completion of the scan click save log, save it to your desktop and post in your next reply.

    Please provide the GMER/Rootkit Unhooker log in your next reply along with the aswMBR log. If you are still having trouble with the scans just come back and let me know :)


JonTom,

 

I got GMER to work in Safe Mode; it took more than 5 hrs LOL. Here are the 2 reports.

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-07-26 22:52:39

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6L100P0 rev.BAH41G10

Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwaorpob.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xBA1D92EC]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xBA1D28CC]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xBA1F40E6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xBA1D9ABE]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xBA1EDF82]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xBA1EE3AA]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xBA1F883C]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xBA1D9C1C]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xBA1D378E]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xBA1F5B8E]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xBA1F5484]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xBA1ECD66]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xBA1CBABC]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xBA1F6558]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xBA1F6796]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwMapViewOfSection [0xBA1F8BF8]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xBA1D3280]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xBA1F049A]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xBA1F0088]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwProtectVirtualMemory [0xBA20625C]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xBA1F761E]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xBA1F6F12]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xBA1D8E84]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xBA1F807E]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xBA1D95B8]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xBA1D3B98]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationObject [0xBA206120]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xBA1F7BA6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSystemInformation [0xBA1CB14A]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xBA1F4BA8]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xBA1EF0A6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xBA1EEDD6]

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwUnloadDriver [0xBA1CBF0E]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [bE, 9A, 1D, BA, 82, DF, 1E, ...] {MOV ESI, 0x82ba1d9a; FISTP WORD [ESI]; MOV EDX, 0xba1ee3aa}

.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 12 Bytes [bC, BA, 1C, BA, 58, 65, 1F, ...]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

 

---- Devices - GMER 1.0.15 ----

 

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

 

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

 

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}@oajgmpgmdngpeoiicdmaeeppomfjkd 0x64 0x61 0x6B 0x66 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}@oangmfanoddanljljlkknbekfcflkn 0x69 0x61 0x64 0x66 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}@nahgcmdafakiicjmhlibklncamib 0x69 0x61 0x64 0x66 ...

 

---- EOF - GMER 1.0.15 ----


aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software

Run date: 2011-07-26 14:35:01

-----------------------------

14:35:01.703 OS Version: Windows 5.1.2600 Service Pack 3

14:35:01.703 Number of processors: 2 586 0x401

14:35:01.703 ComputerName: NONE-QFHVNOUWE3 UserName: Owner

14:35:04.968 Initialize success

14:35:28.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

14:35:28.171 Disk 0 Vendor: Maxtor_6L100P0 BAH41G10 Size: 95611MB BusType: 3

14:35:28.171 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c

14:35:28.171 Disk 1 Vendor: WDC_WD5000AAKB-00H8A0 05.04E05 Size: 476940MB BusType: 3

14:35:28.343 Disk 0 MBR read successfully

14:35:28.343 Disk 0 MBR scan

14:35:28.343 Disk 0 Windows XP default MBR code

14:35:28.437 Disk 0 scanning sectors +195784155

14:35:28.718 Disk 0 scanning C:\WINDOWS\system32\drivers

14:36:41.609 Service scanning

14:36:43.265 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32

14:36:43.796 Modules scanning

14:38:20.375 Disk 0 trace - called modules:

14:38:20.421

14:38:20.421 Scan finished successfully

14:38:32.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"

14:38:32.406 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

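A small triage helper for GMER logs like the one posted above, added here as an example; it is not part of the thread and not GMER's own code. It parses the "SSDT" hook lines and the per-process ".text" user-code lines into records, groups the SSDT hooks by the hooking module so that a long run of hooks from one annotated vendor driver (vsdatant.sys from ZoneAlarm in the log above) collapses into one entry, and flags any hook whose module carries no "(Description/Company)" annotation, which GMER prints from the file's version information and whose absence is a reason to look closer, not proof of anything. The sample input copies a few lines from the posted log and adds one constructed SSDT line for a hypothetical driver (unknown.sys) to exercise the flagging; the function names parse_gmer, summarize_ssdt and flag_unannotated are this example's own.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code)."""
import re

# Sample input: lines copied from the GMER log posted above, plus one
# constructed SSDT line (unknown.sys, no vendor annotation) to exercise flagging.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xBA1D28CC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadDriver [0xBA1CBABC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xBA1EEDD6]
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwOpenProcess [0xF7A1B000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- EOF - GMER 1.0.15 ----
"""

# "SSDT <module> [(<description>/<company>)] <ZwFunction> [0xADDR]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<function>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]\s*$"
)
# ".text <process>[<pid>] <dll!Function> <addr> <n> Bytes <detail> [(<description>/<company>)]"
USER_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+)\s+(?P<addr>[0-9A-Fa-f]+)"
    r"\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<detail>.*?)(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)


def parse_gmer(text):
    """Return one record per recognised hook line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            entries.append({"kind": "SSDT", "module": m["module"], "vendor": m["vendor"],
                            "function": m["function"], "address": m["addr"]})
            continue
        m = USER_RE.match(line)
        if m:
            entries.append({"kind": "usercode", "module": m["process"], "pid": int(m["pid"]),
                            "vendor": m["vendor"], "function": m["target"],
                            "address": m["addr"], "detail": m["detail"]})
    return entries


def summarize_ssdt(entries):
    """Group SSDT hooks by hooking module: {module: {"vendor": ..., "functions": [...]}}."""
    summary = {}
    for e in entries:
        if e["kind"] != "SSDT":
            continue
        bucket = summary.setdefault(e["module"], {"vendor": e["vendor"], "functions": []})
        bucket["functions"].append(e["function"])
    return summary


def flag_unannotated(entries):
    """Hooks whose module has no (description/company) annotation: worth a closer look."""
    return [e for e in entries if e["vendor"] is None]


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for module, info in summarize_ssdt(parsed).items():
        print(f"{module} ({info['vendor'] or 'NO VENDOR INFO'}): {len(info['functions'])} SSDT hooks")
    for e in flag_unannotated(parsed):
        print("check:", e["kind"], e["module"], e["function"], e["address"])
```

Running it against the posted log (saved to a file and passed to parse_gmer) gives one vsdatant.sys entry with 33 hooks instead of 33 lines to read, which makes it obvious whether anything other than the firewall driver is in the SSDT. The kernel-code-section lines (ntoskrnl.exe!ZwYieldExecution + ...) have a different layout and are intentionally not parsed here.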

Hello Socom2

 

GMER can take a while to complete, thank you for sticking with it :)

 

  • Combofix

  • Download ComboFix from one of the following locations:

    Link 1

    Link 2

  • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
  • Should there be issues with internet afterward:

    In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.


Ok that was easy.

 

ComboFix 11-07-27.03 - Owner 07/27/2011 16:03:13.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.564 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Owner\Application Data\inst.exe

c:\documents and settings\Owner\GoToAssistDownloadHelper.exe

c:\documents and settings\Owner\System

c:\documents and settings\Owner\System\win_qs8.jqx

c:\documents and settings\Owner\WINDOWS

c:\windows\system32\logs

F:\install.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-06-27 to 2011-07-27 )))))))))))))))))))))))))))))))

.

.

2011-07-27 06:35 . 2011-07-27 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help

2011-07-27 06:20 . 2011-07-27 06:20 -------- d-----w- C:\epson

2011-07-25 17:38 . 2011-07-25 17:38 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-25 17:38 . 2011-07-25 17:38 -------- d-----w- c:\program files\Trend Micro

2011-07-21 01:07 . 2011-07-25 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan

2011-07-21 00:19 . 2011-07-21 00:19 -------- d-----w- c:\program files\WinDirStat

2011-07-18 21:19 . 2011-07-18 21:19 -------- d-----w- c:\program files\InCode Solutions

2011-07-16 18:15 . 2009-02-18 17:55 294912 ----a-w- c:\windows\system32\ATIODE.exe

2011-07-16 18:15 . 2009-02-03 20:52 45056 ----a-w- c:\windows\system32\ATIODCLI.exe

2011-07-16 18:15 . 2009-05-06 02:52 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-07-16 18:15 . 2009-05-06 02:56 11423744 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-16 18:15 . 2009-05-06 02:27 376832 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-16 18:15 . 2009-05-05 19:33 118784 ----a-w- c:\windows\system32\atibtmon.exe

2011-07-15 18:04 . 2011-07-15 18:04 -------- d-----w- c:\program files\IO3O LLC

2011-07-13 19:54 . 2011-07-16 18:26 94208 ----a-w- c:\windows\DUMP56bb.tmp

2011-07-13 19:54 . 2011-07-16 18:25 94208 ----a-w- c:\windows\DUMP5870.tmp

2011-07-12 17:52 . 2011-07-12 18:05 2576 ----a-w- c:\windows\system32\ASOROSet.bin

2011-07-12 17:52 . 2010-10-05 20:59 16184 ----a-w- c:\windows\system32\ROBoot.exe

2011-07-12 17:23 . 2010-07-31 01:35 17136 ----a-w- c:\windows\system32\sasnative32.exe

2011-07-12 17:22 . 2011-07-12 17:37 -------- d-----w- c:\program files\Advanced System Optimizer 3

2011-07-09 19:02 . 2011-07-09 19:02 -------- d-----w- c:\program files\iPod

2011-07-09 19:01 . 2011-07-09 19:03 -------- d-----w- c:\program files\iTunes

2011-07-09 18:55 . 2011-07-09 18:55 -------- d-----w- c:\program files\Bonjour

2011-07-07 20:01 . 2011-07-15 05:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2011-07-07 20:01 . 2011-07-07 20:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Facebook

2011-07-02 18:14 . 2011-07-02 18:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-07-02 18:08 . 2011-07-11 17:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys

2011-07-02 18:08 . 2011-07-11 17:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys

2011-07-02 18:08 . 2011-07-11 17:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys

2011-07-02 18:05 . 2011-07-02 18:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}

2011-07-02 18:04 . 2011-07-02 18:04 -------- d-----w- c:\program files\Webroot

2011-07-02 18:04 . 2011-07-27 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2011-07-02 18:04 . 2011-07-02 18:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-02 17:37 . 2011-05-21 01:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-29 16:11 . 2010-02-01 18:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2010-02-01 18:38 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-25 06:44 . 2011-05-25 06:44 59904 ----a-w- c:\windows\system32\OVDecode.dll

2011-05-25 06:44 . 2011-05-25 06:44 51712 ----a-w- c:\windows\system32\OpenCL.dll

2011-05-25 06:43 . 2011-05-25 06:43 12798976 ----a-w- c:\windows\system32\amdocl.dll

2011-05-04 11:52 . 2010-05-22 04:44 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 09:25 . 2010-10-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31 . 2008-05-21 21:57 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25 . 2003-03-31 12:00 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19 . 2003-03-31 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-06-08 19:30 . 2010-06-08 19:30 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2010-06-08 19:30 . 2010-06-08 19:30 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2010-06-08 19:30 . 2010-06-08 19:30 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2010-06-08 19:30 . 2010-06-08 19:30 107848 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 135168]

"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2002-11-25 126976]

"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-07-14 137536]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]

"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]

"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-04-25 1273856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]

"ACQTMOUSE"="c:\program files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe" [2008-08-01 501760]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-04 1038848]

"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-07-27 1382984]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]

"SystemProtector"="c:\program files\Advanced System Optimizer 3\SystemProtector.exe" [2010-10-05 10000184]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Cincopa.lnk - c:\program files\Cincopa\cincopa.exe [2011-1-3 348160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-7-8 25214]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

AutoRun MyWifi.lnk - c:\windows\Installer\{4FCABF82-0896-40D2-BBD2-3817C5E16789}\_C4828D0854F1CA912B9EE1.exe [2011-7-15 9662]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"nosimplestartmenu"= 0 (0x0)

"norecentdochistory"= 1 (0x1)

"maxrecentdocs"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Cincopa\\cincopaAgent.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Jawbone\\JawboneUpdater.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Cincopa\\cincopa.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

.

R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [7/12/2011 10:22 AM 239928]

R2 cincopaAgent;cincopaAgent;c:\program files\Cincopa\cincopaAgent.exe [1/3/2011 12:29 PM 20480]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/24/2010 12:34 PM 91456]

R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/2/2011 11:08 AM 45584]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [6/19/2008 1:49 PM 53307]

R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [7/27/2011 12:23 PM 3381184]

R3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [7/12/2011 10:22 AM 6656]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [3/18/2010 8:40 PM 18904]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 ACRUSBTM;ACRUSBTM;c:\windows\system32\drivers\ACRUSBTM.SYS [3/11/2011 11:15 AM 28672]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [9/26/2010 10:13 AM 6016]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/29/2010 5:18 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [1/24/2011 3:37 PM 21120]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/26/2010 10:13 AM 19968]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/26/2010 10:13 AM 8320]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [9/26/2010 10:13 AM 23424]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [9/26/2010 10:13 AM 9472]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]

.

2011-07-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1708537768-1715567821-725345543-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-07 05:11]

.

2011-07-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1708537768-1715567821-725345543-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-07 05:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: aol.com\free

Trusted Zone: internet

Trusted Zone: intuit.com\ttlc

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 68.87.76.182 68.87.78.134

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2nlpny7q.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: network.proxy.type - 4

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Youtube Downloader: youtube_downloader@anishsane.googlepages.com - %profile%\extensions\youtube_downloader@anishsane.googlepages.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: HootBar: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37} - %profile%\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}

FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com

FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-RemoveIT Pro v7Ent - c:\program files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe

HKLM-Run-Cmaudio - cmicnfg.cpl

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKLM-Run-EPSON Stylus C88 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE

MSConfigStartUp-RemoteControl8 - c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-27 16:31

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1708537768-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oajgmpgmdngpeoiicdmaeeppomfjkd"=hex:64,61,6b,66,69,6a,66,62,00,85

"oangmfanoddanljljlkknbekfcflkn"=hex:69,61,64,66,6c,67,61,6e,64,6d,62,61,6c,62,

63,68,61,63,00,00

"nahgcmdafakiicjmhlibklncamib"=hex:69,61,64,66,6c,67,61,6e,64,6d,62,61,6c,62,

63,68,61,63,00,00

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(856)

c:\windows\system32\Ati2evxx.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(5844)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Creative\Shared Files\CTAudSvc.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\CTsvcCDA.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\IoctlSvc.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\Logi_MwX.Exe

c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\MsPMSPSv.exe

c:\windows\System32\bcmwltry.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Wireless-N PCI Adapter\WMP300N.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Motorola\MotoConnectService\MotoConnect.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2011-07-27 16:37:19 - machine was rebooted

ComboFix-quarantined-files.txt 2011-07-27 23:37

ComboFix2.txt 2009-10-27 23:44

.

Pre-Run: 4,608,090,112 bytes free

Post-Run: 5,593,231,360 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - 868ADA163FC8C17F8E83CDFB862B91D3


Hello Socom2

 

Thank you for the log.

 

Before we move on, let's take a closer look at a couple of files on your machine:

 

  • Please scan the following files

     

     

  • Please go to VirusTotal

 

  • On the page you'll find a "Browse" button.
  • Click on the Browse button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

 

c:\windows\system32\ROBoot.exe

 

 

  • Next, click the Open button.
  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now.
  • Once scanned, copy and paste the link to the results page in your next reply.
  • Please repeat this procedure for the following files:

 

c:\windows\system32\ASOROSet.bin

 

 

Please post the links to the VT results pages in your next reply.

 


Hello Socom2

 

Both of those files are clean :)

 

We need to use ComboFix again, but this time we will be running it in a slightly different way:

 

  • Please work through the following steps

     

     

  • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").

  • NOTE: Do not use WordPad or any other text editor except Notepad, or the script will fail.

  • Copy and Paste the text in the quotebox below into the open Notepad window:

     

    DirLook::

    c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}

     

    DDS::

    Trusted Zone: aol.com\free

    Trusted Zone: internet

    Trusted Zone: intuit.com\ttlc

    Trusted Zone: mcafee.com

     

    Firefox::

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2nlpny7q.default\

    FF - prefs.js: network.proxy.type - 4

     

     

  • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.

  • Close any open browsers.

  • Disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Referring to the picture below, drag CFScript.txt into ComboFix.exe

     

    Posted Image

     

     

  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Once the log is produced, re-engage your resident antivirus.

ComboFix 11-07-27.03 - Owner 07/28/2011 17:18:35.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.808 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: Webroot AntiVirus with Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

.

((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-29 )))))))))))))))))))))))))))))))

.

.

2011-07-27 06:35 . 2011-07-27 06:35 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help

2011-07-27 06:20 . 2011-07-27 06:20 -------- d-----w- C:\epson

2011-07-25 17:38 . 2011-07-25 17:38 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-07-25 17:38 . 2011-07-25 17:38 -------- d-----w- c:\program files\Trend Micro

2011-07-21 01:07 . 2011-07-25 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\QuickScan

2011-07-21 00:19 . 2011-07-21 00:19 -------- d-----w- c:\program files\WinDirStat

2011-07-18 21:19 . 2011-07-18 21:19 -------- d-----w- c:\program files\InCode Solutions

2011-07-16 18:15 . 2009-02-18 17:55 294912 ----a-w- c:\windows\system32\ATIODE.exe

2011-07-16 18:15 . 2009-02-03 20:52 45056 ----a-w- c:\windows\system32\ATIODCLI.exe

2011-07-16 18:15 . 2009-05-06 02:52 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2011-07-16 18:15 . 2009-05-06 02:56 11423744 ----a-w- c:\windows\system32\atioglxx.dll

2011-07-16 18:15 . 2009-05-06 02:27 376832 ----a-w- c:\windows\system32\atiok3x2.dll

2011-07-16 18:15 . 2009-05-05 19:33 118784 ----a-w- c:\windows\system32\atibtmon.exe

2011-07-15 18:04 . 2011-07-15 18:04 -------- d-----w- c:\program files\IO3O LLC

2011-07-13 19:54 . 2011-07-16 18:26 94208 ----a-w- c:\windows\DUMP56bb.tmp

2011-07-13 19:54 . 2011-07-16 18:25 94208 ----a-w- c:\windows\DUMP5870.tmp

2011-07-12 17:52 . 2011-07-12 18:05 2576 ----a-w- c:\windows\system32\ASOROSet.bin

2011-07-12 17:52 . 2010-10-05 20:59 16184 ----a-w- c:\windows\system32\ROBoot.exe

2011-07-12 17:23 . 2010-07-31 01:35 17136 ----a-w- c:\windows\system32\sasnative32.exe

2011-07-12 17:22 . 2011-07-12 17:37 -------- d-----w- c:\program files\Advanced System Optimizer 3

2011-07-09 19:02 . 2011-07-09 19:02 -------- d-----w- c:\program files\iPod

2011-07-09 19:01 . 2011-07-09 19:03 -------- d-----w- c:\program files\iTunes

2011-07-09 18:55 . 2011-07-09 18:55 -------- d-----w- c:\program files\Bonjour

2011-07-07 20:01 . 2011-07-27 23:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp

2011-07-07 20:01 . 2011-07-07 20:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Facebook

2011-07-02 18:14 . 2011-07-02 18:14 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2011-07-02 18:08 . 2011-07-11 17:07 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys

2011-07-02 18:08 . 2011-07-11 17:07 181008 ----a-w- c:\windows\system32\drivers\ssidrv.sys

2011-07-02 18:08 . 2011-07-11 17:07 45584 ----a-w- c:\windows\system32\drivers\ssfmonm.sys

2011-07-02 18:05 . 2011-07-02 18:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}

2011-07-02 18:04 . 2011-07-02 18:04 -------- d-----w- c:\program files\Webroot

2011-07-02 18:04 . 2011-07-28 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

2011-07-02 18:04 . 2011-07-02 18:04 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-02 17:37 . 2011-05-21 01:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-06-02 14:02 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-29 16:11 . 2010-02-01 18:38 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 16:11 . 2010-02-01 18:38 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-25 06:44 . 2011-05-25 06:44 59904 ----a-w- c:\windows\system32\OVDecode.dll

2011-05-25 06:44 . 2011-05-25 06:44 51712 ----a-w- c:\windows\system32\OpenCL.dll

2011-05-25 06:43 . 2011-05-25 06:43 12798976 ----a-w- c:\windows\system32\amdocl.dll

2011-05-04 11:52 . 2010-05-22 04:44 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 09:25 . 2010-10-22 22:46 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31 . 2008-05-21 21:57 692736 ----a-w- c:\windows\system32\inetcomm.dll

2010-06-08 19:30 . 2010-06-08 19:30 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2010-06-08 19:30 . 2010-06-08 19:30 125840 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2010-06-08 19:30 . 2010-06-08 19:30 98704 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2010-06-08 19:30 . 2010-06-08 19:30 107848 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll

.

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545} ----

.

2011-07-02 18:05 . 2011-07-02 18:05 98 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\instance.dat

2011-07-02 18:05 . 2011-07-02 18:05 9 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.lan

2011-07-02 18:05 . 2011-07-02 18:05 0 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.lnk

2011-07-02 18:05 . 2011-07-02 18:05 249 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.dat

2011-07-02 18:05 . 2011-07-02 18:05 2850 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.par

2011-07-02 18:05 . 2011-05-26 17:49 575060 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\mia.lib

2011-07-02 18:05 . 2011-05-26 17:49 412160 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.msi

2011-07-02 18:05 . 2011-05-26 17:49 16532771 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.res

2011-07-02 18:05 . 2011-05-26 17:49 3328608 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\WRInstall.exe

2011-07-02 18:05 . 2011-07-02 18:05 0 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\{8B287B75-DF8D-40C8-9620-8E4492C38EF1}

2011-07-02 18:05 . 2011-07-02 18:05 0 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\OFFLINE\{24F72050-686C-4A15-B137-09FEB449D545}

2011-07-02 18:04 . 2009-07-02 01:51 101888 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll

2011-07-02 18:04 . 2011-05-26 17:22 47107 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\OFFLINE\E97AD801\DE0A17F3\WR_MAIN.ico

2011-07-02 18:04 . 2011-05-26 17:22 90223 -c--a-w- c:\documents and settings\All Users\Application Data\{24F72050-686C-4A15-B137-09FEB449D545}\OFFLINE\BBB548A0\DE0A17F3\help.ico

.

.

((((((((((((((((((((((((((((( SnapShot@2011-07-27_23.31.59 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-07-28 15:30 . 2011-07-28 15:30 16384 c:\windows\temp\Perflib_Perfdata_818.dat

- 2008-05-21 22:02 . 2011-07-27 23:15 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-05-21 22:02 . 2011-07-28 15:29 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-05-21 22:02 . 2011-07-28 15:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-05-21 22:02 . 2011-07-27 23:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-29 17:10 . 2011-07-28 15:29 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2009-10-29 17:10 . 2011-07-27 23:15 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2009-10-29 17:10 . 2011-07-28 15:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-10-29 17:10 . 2011-07-27 23:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2011-07-27 23:35 . 2011-07-27 23:35 114688 c:\windows\Installer\11cde5.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 135168]

"Creative MediaSource Go"="c:\program files\Creative\MediaSource\Go\CTCMSGo.exe" [2002-11-25 126976]

"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-07-14 137536]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-04 45056]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-11-06 570664]

"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]

"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 19968]

"Broadcom Wireless Manager UI"="c:\windows\System32\WLTRAY.exe" [2006-04-25 1273856]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"CTHelper"="CTHELPER.EXE" [2010-03-19 19456]

"ACQTMOUSE"="c:\program files\Mouse Setting\Mouse Setting Software\4.0\ACQTMAPP.exe" [2008-08-01 501760]

"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-04 1038848]

"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2011-07-27 1382984]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]

"SystemProtector"="c:\program files\Advanced System Optimizer 3\SystemProtector.exe" [2010-10-05 10000184]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Cincopa.lnk - c:\program files\Cincopa\cincopa.exe [2011-1-3 348160]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-7-8 25214]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

AutoRun MyWifi.lnk - c:\windows\Installer\{4FCABF82-0896-40D2-BBD2-3817C5E16789}\_C4828D0854F1CA912B9EE1.exe [2011-7-15 9662]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2010-2-2 984352]

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"nosimplestartmenu"= 0 (0x0)

"norecentdochistory"= 1 (0x1)

"maxrecentdocs"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Cincopa\\cincopaAgent.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

"c:\\Program Files\\Jawbone\\JawboneUpdater.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=

"c:\\Program Files\\Cincopa\\cincopa.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

.

R2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [7/12/2011 10:22 AM 239928]

R2 cincopaAgent;cincopaAgent;c:\program files\Cincopa\cincopaAgent.exe [1/3/2011 12:29 PM 20480]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/24/2010 12:34 PM 91456]

R2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [7/2/2011 11:08 AM 45584]

R3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [7/12/2011 10:22 AM 6656]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [3/18/2010 8:40 PM 18904]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 ACRUSBTM;ACRUSBTM;c:\windows\system32\drivers\ACRUSBTM.SYS [3/11/2011 11:15 AM 28672]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [9/26/2010 10:13 AM 6016]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/29/2010 5:18 PM 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]

S3 libusb0;LibUsb-Win32 - Kernel Driver 06/04/2010,1.12.1.0;c:\windows\system32\drivers\libusb0.sys [1/24/2011 3:37 PM 21120]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [9/26/2010 10:13 AM 19968]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [9/26/2010 10:13 AM 8320]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [9/26/2010 10:13 AM 23424]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [9/26/2010 10:13 AM 9472]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - GTNDIS5

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

.

2011-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]

.

2011-07-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1708537768-1715567821-725345543-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-07 05:11]

.

2011-07-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1708537768-1715567821-725345543-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-07-07 05:11]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/

uInternet Settings,ProxyOverride = *.local

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.87.76.182 68.87.78.134

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2nlpny7q.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: Youtube Downloader: youtube_downloader@anishsane.googlepages.com - %profile%\extensions\youtube_downloader@anishsane.googlepages.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: HootBar: {1a0c9ebe-ddf9-4b76-b8a3-675c77874d37} - %profile%\extensions\{1a0c9ebe-ddf9-4b76-b8a3-675c77874d37}

FF - Ext: CraigZilla: craigzilla@studioshorts.com - %profile%\extensions\craigzilla@studioshorts.com

FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-07-28 17:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1708537768-1715567821-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CAFBDE7B-352D-447E-4221-027E688AE103}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oajgmpgmdngpeoiicdmaeeppomfjkd"=hex:64,61,6b,66,69,6a,66,62,00,85

"oangmfanoddanljljlkknbekfcflkn"=hex:69,61,64,66,6c,67,61,6e,64,6d,62,61,6c,62,

63,68,61,63,00,00

"nahgcmdafakiicjmhlibklncamib"=hex:69,61,64,66,6c,67,61,6e,64,6d,62,61,6c,62,

63,68,61,63,00,00

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

@DACL=(02 0000)

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

@DACL=(02 0000)

"DLLName"="Ati2evxx.dll"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000001

"Lock"="AtiLockEvent"

"Logoff"="AtiLogoffEvent"

"Logon"="AtiLogonEvent"

"Disconnect"="AtiDisConnectEvent"

"Reconnect"="AtiReConnectEvent"

"Safe"=dword:00000000

"Shutdown"="AtiShutdownEvent"

"StartScreenSaver"="AtiStartScreenSaverEvent"

"StartShell"="AtiStartShellEvent"

"Startup"="AtiStartupEvent"

"StopScreenSaver"="AtiStopScreenSaverEvent"

"Unlock"="AtiUnLockEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(856)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(3076)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2011-07-28 17:33:42

ComboFix-quarantined-files.txt 2011-07-29 00:33

ComboFix2.txt 2011-07-27 23:37

ComboFix3.txt 2009-10-27 23:44

.

Pre-Run: 5,723,353,088 bytes free

Post-Run: 5,697,224,704 bytes free

.

- - End Of File - - 058E59C52CB3D37B7139BB5E95C52445

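The "Reg Loading Points" section of the ComboFix log above is where a helper starts: every Run value and Startup shortcut is a program that launches at logon, and the first question for each is where its binary lives. The script below is an added example, not part of the forum post or of ComboFix. It parses a few lines copied from the log above (constructed sample) in the format ComboFix prints and orders them for manual review. The bucket names and the review order are this example's own choices, and the order is only a starting point, not a verdict: a legitimate auto-updater such as Facebook's sits under the user profile by design.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example (not part of the forum post). It parses Run-key and Startup-folder
lines in the format ComboFix prints and ranks them by where the launched binary
lives, so that entries outside Program Files and Windows are checked first.
The bucket names and the priority order are this example's own choices.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the log above, in ComboFix's own format.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RcMan.exe" [2002-11-21 135168]
"Facebook Update"="c:\documents and settings\Owner\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe" [2011-07-14 137536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-03-04 19968]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-04 1038848]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoRun MyWifi.lnk - c:\windows\Installer\{4FCABF82-0896-40D2-BBD2-3817C5E16789}\_C4828D0854F1CA912B9EE1.exe [2011-7-15 9662]
"""

KEY_LINE = re.compile(r"^\[(?P<key>hkey_[^\]]+)\]$", re.I)
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$')
LNK_LINE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")

# Review order (this example's choice): a binary under the user profile or in an
# unexpected location, or a bare file name resolved through the PATH search, gets
# looked at before vendor software under Program Files. Prioritisation, not a verdict.
PRIORITY = ["user-profile", "other", "bare-name", "windows-installer", "windows", "program-files"]


def classify(path: str) -> str:
    """Bucket a launch path by the directory tree it lives in."""
    p = path.lower()
    if "\\" not in p:
        return "bare-name"            # e.g. Logi_MwX.Exe: confirm which file actually runs
    if p.startswith("c:\\program files\\"):
        return "program-files"
    if p.startswith("c:\\windows\\installer\\"):
        return "windows-installer"    # MSI cache; check the owning package
    if p.startswith("c:\\windows\\"):
        return "windows"
    if p.startswith("c:\\documents and settings\\"):
        return "user-profile"
    return "other"


def parse_autoruns(log: str) -> List[Dict[str, object]]:
    """One record per Run value or Startup-folder shortcut, tagged with its source key/folder."""
    source = None
    entries: List[Dict[str, object]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        key = KEY_LINE.match(line)
        if key:
            source = key.group("key")
            continue
        if line.lower().endswith("\\startup\\"):
            source = line
            continue
        m = RUN_LINE.match(line) or LNK_LINE.match(line)
        if m and source:
            path = m.group("path")
            entries.append({"source": source, "name": m.group("name"), "path": path,
                            "date": m.group("date"), "size": int(m.group("size")),
                            "bucket": classify(path)})
    return entries


def review_queue(log: str) -> List[Dict[str, object]]:
    """Autorun entries sorted so the ones most worth verifying by hand come first."""
    return sorted(parse_autoruns(log), key=lambda e: PRIORITY.index(e["bucket"]))


if __name__ == "__main__":
    for e in review_queue(SAMPLE_LOG):
        print(f"{e['bucket']:<18} {e['name']:<22} {e['path']}")
```

Run against the full log, the queue puts the profile-resident updater and the bare `Logi_MwX.Exe` entry at the top; both are then verified by locating the actual file and checking its publisher and hash, which is what the helper's later VirusTotal step does for a single file.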

Hello Socom2

 

Thank you for the log.

 

  • Clean out your temporary files
    • Please download ATF Cleaner by Atribune by clicking here and save the file (called ATF-Cleaner.exe) to your desktop.
    • Run the program by double clicking the ATF-Cleaner.exe icon located on your desktop.
    • Check the boxes to the left of the following:
      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Java Cache
    • The rest are optional. If you want to remove everything, check the "Select All" box.
    • Click on "Empty Selected" to begin cleaning.
    • Once the "Done Cleaning" message appears, click OK.
    • If you use Firefox, click on the Firefox tab and repeat the above process.
    • When you have finished cleaning, click on the "Exit" button in the main menu.

  • MalwareBytes AntiMalware:
    • I can see that you have MBAM installed.
    • Double click on your MalwareBytes AntiMalware icon to launch the program.
    • Click on the "Update" tab and then on "Check for Updates".
    • The program will now install the latest Malware definition files.
    • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
    • Once the program has scanned your computer, a log file will be created in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <-- Very Important.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
    • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
    • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
    • Come back here to this thread and paste the log in your next reply.

  • Please un-install your outdated Java
    • Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • Click on "remove a program". A list of currently installed programs will be displayed.
    • Find the "Java™ 6 Update 6" program, click on it once and then click on the "uninstall" button.
    • If you are prompted to re-boot your computer to complete the uninstall, please do so.
    • Repeat for "Java™ 6 Update 7".
    • DO NOT uninstall Java™ 6 Update 26.

  • Please run the following scan
    • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.
    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
    • Check Posted Image
    • Click the Posted Image button.
    • Accept any security warnings from your browser.
    • Check Posted Image
    • Make sure that the option to "Remove Found Threats" is UNchecked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push Posted Image
    • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the Posted Image button.
    • Push Posted Image

    Please post the MBAM and ESET logs in your next reply and let me know how the machine is running now.

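The Java step above asks the poster to find old JRE updates by name. The ComboFix log earlier in the thread lists one "Java Console" Firefox extension per JRE update that has been installed, and the extension ID spells out the version. The script below is an added example, not part of the forum post or of any Sun/Oracle tool: it decodes those IDs from the lines copied from the log (constructed sample) and lists every build older than the newest. The reading of the ID layout (0016 for 1.6, 0000 for .0, 0026 for update 26) is this example's assumption, consistent with the IDs in the log. Caveat a helper would add: a Java Console entry can outlive the JRE that created it, so an old build is only confirmed as installed by Add or Remove Programs, which is what the poster is sent to check.

```python
"""List the JRE builds behind the Java Console entries in a ComboFix/DDS log.

Added example, not part of the forum post. Firefox registers the Java Console
extension under an ID such as {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}; as this
example reads it (assumption), the three middle groups spell the JRE version
(0016 -> 1.6, 0000 -> .0, 0026 -> update 26). An extension entry can outlive
the JRE that installed it, so confirm in Add or Remove Programs before treating
an old build as still installed.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample: the Java Console lines copied from the log above, plus two
# other FF extension lines to show they are ignored.
SAMPLE_LOG = r"""
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
"""

JAVA_CONSOLE_ID = re.compile(
    r"\{CAFEEFAC-(?P<family>\d{4})-(?P<minor>\d{4})-(?P<update>\d{4})-ABCDEFFEDCBA\}", re.I)

Version = Tuple[int, int, int, int]   # (major, minor, micro, update), e.g. (1, 6, 0, 26)


def decode_java_console_id(guid: str) -> Optional[Version]:
    """{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} -> (1, 6, 0, 26); None for any other ID."""
    m = JAVA_CONSOLE_ID.fullmatch(guid.strip())
    if not m:
        return None
    family = m.group("family")                      # "0016": the last two digits are 1 and 6
    return (int(family[-2]), int(family[-1]), int(m.group("minor")), int(m.group("update")))


def format_version(v: Version) -> str:
    """(1, 6, 0, 26) -> "1.6.0_26", the form the JRE itself reports."""
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def java_versions_in_log(log: str) -> List[Version]:
    """Distinct JRE builds referenced by Java Console lines, oldest first."""
    found: Set[Version] = set()
    for line in log.splitlines():
        if not line.startswith("FF - Ext: Java Console:"):
            continue
        m = JAVA_CONSOLE_ID.search(line)
        if m:
            v = decode_java_console_id(m.group(0))
            if v is not None:
                found.add(v)
    return sorted(found)


def newest_java_version(log: str) -> Optional[str]:
    versions = java_versions_in_log(log)
    return format_version(versions[-1]) if versions else None


def stale_java_versions(log: str) -> List[str]:
    """Every build older than the newest one: candidates to confirm and uninstall."""
    return [format_version(v) for v in java_versions_in_log(log)[:-1]]


if __name__ == "__main__":
    print("newest:", newest_java_version(SAMPLE_LOG))
    print("older builds to confirm:", ", ".join(stale_java_versions(SAMPLE_LOG)))
```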

Hello Socom2

 

Never mind, it's OK.

ATF is a trusted temp file cleaner. It is not malware.

 

There was no old java in the "add and remove programs"

No problem, just carry on with MBAM and ESET :)

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

 

Database version: 7322

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

7/29/2011 12:23:54 PM

mbam-log-2011-07-29 (12-23-54).txt

 

Scan type: Quick scan

Objects scanned: 185651

Time elapsed: 9 minute(s), 22 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

 

 

ESET: found 2

C:\Documents and Settings\Owner\My Documents\General Install Programs\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application

F:\MY DOCS\General Install Programs\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application


Hello Socom2

 

Let's get a second opinion on those detections. Please scan the following files using Virus Total and post the links to the results in your next reply:

 

 

C:\Documents and Settings\Owner\My Documents\General Install Programs\nl_setup_beta.exe

 

F:\MY DOCS\General Install Programs\nl_setup_beta.exe

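A second opinion on an ESET hit like the one above has two parts: reading what the detection name actually claims, and identifying the file by hash so that the lookup covers exactly the bytes on disk. The script below is an added example, not part of the forum post or of ESET's or VirusTotal's own tooling. It parses the ESET result line copied from the post above, computes the MD5/SHA-1/SHA-256 of a file, and builds the VirusTotal report address for the SHA-256, so the hash can be searched before deciding whether to upload a possibly private installer. Two things in it are this example's assumptions: the VirusTotal URL layout (`/gui/file/<sha256>`) and the reading of ESET's naming, in which "probably a variant of" marks a heuristic match, "a variant of" a generic family signature, and a trailing "application" ESET's potentially unwanted or unsafe application class. A "Packed.*" name describes the wrapper (Themida is a commercial packer also used by legitimate software), not what the program does, which is why the hash lookup and the poster's own knowledge of the file carry more weight than the name.

```python
"""Second opinion on a scanner hit: parse the ESET line, hash the file, build the VT lookup.

Added example (not part of the forum post). Searching VirusTotal by hash first
avoids uploading a possibly private installer; only a hash VirusTotal has never
seen needs the file itself. The ESET naming rules and the VirusTotal URL layout
below are this example's assumptions.
"""
import hashlib
from typing import Dict

# Assumption: VirusTotal's web UI resolves a file report by SHA-256 at this path.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"

DIGESTS = ("md5", "sha1", "sha256")      # the three keys VirusTotal accepts for a search

# Assumption about ESET's naming: checked in order, longest marker first.
ESET_MARKERS = (
    (" probably a variant of ", "heuristic"),
    (" a variant of ", "generic-family"),
    (" probably unknown ", "heuristic"),
)


def parse_eset_line(line: str) -> Dict[str, str]:
    """Split an ESET result line into path, detection name and detection kind."""
    line = line.strip()
    for marker, kind in ESET_MARKERS:
        idx = line.find(marker)
        if idx != -1:
            return {"path": line[:idx], "detection": line[idx + len(marker):], "kind": kind}
    return {"path": line, "detection": "", "kind": "unparsed"}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, streamed so a large installer is not read into RAM."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def lookup_url(digests: Dict[str, str]) -> str:
    return VT_FILE_URL.format(sha256=digests["sha256"])


def packer_note(detection: str) -> str:
    """A 'Packed.*' name describes the wrapper, not the payload; say so explicitly."""
    family = detection.split("/", 1)[-1]              # e.g. "Packed.Themida application"
    if family.lower().startswith("packed."):
        packer = family.split(".", 1)[1].split()[0]   # "Themida"
        return (f"packer detection: the file is wrapped with {packer}; legitimate "
                "commercial software uses the same packers, so rely on the hash lookup")
    return "signature or heuristic match on the file contents"


def second_opinion(eset_line: str, digests: Dict[str, str]) -> Dict[str, str]:
    """Everything a helper needs to decide whether to trust or dismiss the hit."""
    hit = parse_eset_line(eset_line)
    hit["vt_url"] = lookup_url(digests)
    hit["note"] = packer_note(hit["detection"])
    return hit


if __name__ == "__main__":
    # The ESET line is copied from the post above; the installer itself is not available
    # here, so the stand-alone demo hashes this script instead.
    eset_line = (r"C:\Documents and Settings\Owner\My Documents\General Install Programs"
                 r"\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application")
    for key, value in second_opinion(eset_line, hash_file(__file__)).items():
        print(f"{key:>10}: {value}")
```

Hash both copies (C: and F:) separately; the helper asked for both because two files with the same name are not necessarily the same bytes, and a differing SHA-256 on the backup copy is itself worth knowing.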

Hello Socom2

 

C:\Documents and Settings\Owner\My Documents\General Install Programs\nl_setup_beta.exe

 

Is the setup_beta file something you downloaded yourself? Do you recognise it? It looks like the installer file for some beta version software perhaps?

 

At the moment I am not 100% convinced that the file is definitely infected.

 

Please let me know if you recognise it as something you downloaded, and if you use the application in question.


Hello Socom2

 

If you recognise the program and have used it for some time without problems I would be inclined to believe the detection was a false positive.

 

How is the machine running now?


Yes, it's a program I use, and it was dl'd from a safe location. I do recognize it.

 

It's running well, but when I am using the Firefox web browser something makes my mouse stutter, and then I look down at ZoneAlarm and there is internet traffic, but I am not downloading anything.

 

I did a scan before with RemoveIT. It could be a scam program to get you to buy their product, but here is the log of the various infections....

 

 

RemoveIT Pro v7 Enterprise (Build date: 11.11.2008) log.

Generated at: 7/18/2011 on 2:22:31 PM

Microsoft Windows XP

 

2:22:31 PM: Scanning, please wait...

2:22:55 PM: Infected file (Win32.Unknown.Random.X) c:\program files\common files\microsoft shared\source engine\ose.exe -> No action taken.

2:30:03 PM: Infected file (Sys32.gotoassistdownloadhelper) C:\Documents and Settings\Owner\gotoassistdownloadhelper.exe -> No action taken.

2:30:09 PM: Infected file (Sys32.hijackthis) C:\Documents and Settings\Owner\desktop\hijackthis.exe -> No action taken.

2:31:20 PM: Infected file (Sys32.inst) C:\Documents and Settings\Owner\application data\inst.exe -> No action taken.

2:33:30 PM: Infected file (Sys32.pnkbstrk) C:\Documents and Settings\Owner\application data\pnkbstrk.sys -> No action taken.

2:38:06 PM: Infected file (Sys32.addcat) C:\WINDOWS\system32\addcat.exe -> No action taken.

2:38:13 PM: Infected file (Sys32.amdocl) C:\WINDOWS\system32\amdocl.dll -> No action taken.

2:38:14 PM: Infected file (Sys32.aosmtp) C:\WINDOWS\system32\aosmtp.dll -> No action taken.

2:38:15 PM: Infected file (Sys32.apomgrh) C:\WINDOWS\system32\apomgrh.dll -> No action taken.

2:38:18 PM: Infected file (Sys32.ativvamv) C:\WINDOWS\system32\ativvamv.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblangde) C:\WINDOWS\system32\cddblangde.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblanges) C:\WINDOWS\system32\cddblanges.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblangfr) C:\WINDOWS\system32\cddblangfr.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblangit) C:\WINDOWS\system32\cddblangit.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblangja) C:\WINDOWS\system32\cddblangja.dll -> No action taken.

2:38:43 PM: Infected file (Sys32.cddblangnl) C:\WINDOWS\system32\cddblangnl.dll -> No action taken.

2:38:44 PM: Infected file (Sys32.cdintf400) C:\WINDOWS\system32\cdintf400.dll -> No action taken.

2:38:56 PM: Infected file (Sys32.cthwiut) C:\WINDOWS\system32\cthwiut.dll -> No action taken.

2:38:56 PM: Infected file (Sys32.ctpxst32) C:\WINDOWS\system32\ctpxst32.exe -> No action taken.

2:39:40 PM: Infected file (Sys32.empop3) C:\WINDOWS\system32\empop3.dll -> No action taken.

2:39:51 PM: Infected file (Sys32.feelit) C:\WINDOWS\system32\feelit.dll -> No action taken.

2:40:25 PM: Infected file (Sys32.graphs32) C:\WINDOWS\system32\graphs32.ocx -> No action taken.

2:40:26 PM: Infected file (Sys32.gsw32) C:\WINDOWS\system32\gsw32.exe -> No action taken.

2:40:26 PM: Infected file (Sys32.gswag32) C:\WINDOWS\system32\gswag32.dll -> No action taken.

2:40:39 PM: Infected file (Sys32.hpzjfw01) C:\WINDOWS\system32\hpzjfw01.dll -> No action taken.

2:40:39 PM: Infected file (Sys32.hpzjsn01) C:\WINDOWS\system32\hpzjsn01.dll -> No action taken.

2:40:46 PM: Infected file (Sys32.ifc21) C:\WINDOWS\system32\ifc21.dll -> No action taken.

2:41:40 PM: Infected file (Sys32.libusb0) C:\WINDOWS\system32\libusb0.dll -> No action taken.

2:41:52 PM: Infected file (Sys32.magicctl) C:\WINDOWS\system32\magicctl.dll -> No action taken.

2:42:02 PM: Infected file (Sys32.mmavilng) C:\WINDOWS\system32\mmavilng.exe -> No action taken.

2:42:02 PM: Infected file (Sys32.mmswitch) C:\WINDOWS\system32\mmswitch.dll -> No action taken.

2:42:04 PM: Infected file (Sys32.mp2enc) C:\WINDOWS\system32\mp2enc.dll -> No action taken.

2:43:32 PM: Infected file (Sys32.ovdecode) C:\WINDOWS\system32\ovdecode.dll -> No action taken.

2:44:39 PM: Infected file (Sys32.roboot) C:\WINDOWS\system32\roboot.exe -> No action taken.

2:44:56 PM: Infected file (Sys32.sasnative32) C:\WINDOWS\system32\sasnative32.exe -> No action taken.

2:45:01 PM: Infected file (Sys32.sfcvrt32) C:\WINDOWS\system32\sfcvrt32.dll -> No action taken.

2:45:06 PM: Infected file (Sys32.sneu) C:\WINDOWS\system32\sneu.exe -> No action taken.

2:45:08 PM: Infected file (Sys32.spr32d30) C:\WINDOWS\system32\spr32d30.dll -> No action taken.

2:45:20 PM: Infected file (Sys32.sshrmd) C:\WINDOWS\system32\drivers\sshrmd.sys -> No action taken.

2:45:22 PM: Infected file (Sys32.ssiefr) C:\WINDOWS\system32\ssiefr.exe -> No action taken.

2:45:51 PM: Infected file (Sys32.tx12) C:\WINDOWS\system32\tx12.dll -> No action taken.

2:45:54 PM: Infected file (Sys32.udaaim32) C:\WINDOWS\system32\udaaim32.exe -> No action taken.

2:46:06 PM: Infected file (Sys32.unccplext) C:\WINDOWS\system32\unccplext.dll -> No action taken.

2:47:47 PM: Infected file (Sys32.wnaspint) C:\WINDOWS\system32\wnaspint.dll -> No action taken.

2:47:51 PM: Infected file (Sys32.wrlzma) C:\WINDOWS\system32\wrlzma.dll -> No action taken.

2:47:57 PM: Infected file (Sys32.xceedbkp) C:\WINDOWS\system32\xceedbkp.dll -> No action taken.

2:49:15 PM: Infected file (Sys32.cmids3d) C:\WINDOWS\system\cmids3d.dll -> No action taken.

2:49:16 PM: Infected file (Sys32.ctccw) C:\WINDOWS\ctccw.dll -> No action taken.

2:49:17 PM: Infected file (Sys32.ctres) C:\WINDOWS\ctres.dll -> No action taken.

2:49:21 PM: Infected file (Sys32.erdnt) C:\WINDOWS\erdnt\hiv-backup\erdnt.exe -> No action taken.

2:49:21 PM: Infected file (Sys32.erdnt) C:\WINDOWS\erdnt\subs\erdnt.exe -> No action taken.

2:49:29 PM: Infected file (Sys32.iexplore) C:\WINDOWS\ie7\iexplore.exe -> No action taken.

2:49:55 PM: Infected file (Sys32.ntfs) C:\WINDOWS\erdnt\cache\ntfs.sys -> No action taken.

2:50:11 PM: Infected file (Sys32.randfont) C:\WINDOWS\fonts\randfont.dll -> No action taken.

2:50:26 PM: Infected file (Sys32.vdremote) C:\WINDOWS\system\vdremote.dll -> No action taken.

2:50:26 PM: Infected file (Sys32.vdsvrlnk) C:\WINDOWS\system\vdsvrlnk.dll -> No action taken.

2:50:27 PM: Infected file (Sys32.webcheck) C:\WINDOWS\ie8\webcheck.dll -> No action taken.

2:50:36 PM: Infected file (Sys32.wsys049) C:\WINDOWS\wsys049.sys -> No action taken.

2:52:34 PM: Infected file (Sys32.digcore) C:\Program Files\msn\msncorefiles\install\msn9components\digcore.exe -> No action taken.

2:52:35 PM: Infected file (Sys32.hypertrm) C:\Program Files\windows nt\hypertrm.exe -> No action taken.

2:52:37 PM: Infected file (Sys32.msnsusii) C:\Program Files\msn\msncorefiles\install\msnsusii.exe -> No action taken.

2:52:40 PM: Infected file (Sys32.unins000) C:\Program Files\xvid\unins000.exe -> No action taken.

2:52:42 PM: 62 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

2:53:46 PM: Scanning, please wait...

3:16:39 PM: Infected file (Sys32.vdremote) C:\Documents and Settings\Owner\My Documents\New Folder\vdremote.dll -> No action taken.

3:16:39 PM: Infected file (Sys32.vdsvrlnk) C:\Documents and Settings\Owner\My Documents\New Folder\vdsvrlnk.dll -> No action taken.

3:17:06 PM: Infected file (Sys32.hijackthis) C:\MGtools\analyse.exe -> No action taken.

3:17:09 PM: Infected file (Sys32.ntfs) C:\MGtools\temp\ERDNT\ntfs.sys -> No action taken.

3:17:09 PM: Infected file (Sys32.ntfs) C:\MGtools\temp\SPF\ntfs.sys -> No action taken.

3:17:11 PM: Infected file (Win32.Unknown.Random.X) C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE -> No action taken.

3:25:28 PM: Infected file (Sys32.roboot) C:\Program Files\Advanced System Optimizer 3\roboot.exe -> No action taken.

3:37:48 PM: Infected file (Sys32.sfcvrt32) C:\Program Files\Creative\SBAudigy2\SFBM\Sfcvrt32.dll -> No action taken.

3:41:26 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\hpdplace_cfg.dll -> No action taken.

3:41:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\hpqdstcp.tlb -> No action taken.

3:41:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\hpqgalry_cfg.dll -> No action taken.

3:41:41 PM: Infected file (Sys32.hpzjsn01) C:\Program Files\HP\Digital Imaging\bin\hpzjsn01.dll -> No action taken.

3:41:45 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\Data.dll -> No action taken.

3:41:45 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\font\font.dll -> No action taken.

3:41:45 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\np\np.dll -> No action taken.

3:41:46 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\river\river.dll -> No action taken.

3:41:46 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\strike\strike.dll -> No action taken.

3:41:48 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\symbol\symbol.dll -> No action taken.

3:41:49 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\name\tile\tile.dll -> No action taken.

3:41:49 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\relief\relief.dll -> No action taken.

3:41:49 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\vector\compsrc\compsrc.dll -> No action taken.

3:41:50 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\vector\textsrc\textsrc.dll -> No action taken.

3:41:51 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\vector\vectrsc\vectrsc.dll -> No action taken.

3:42:03 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Data\Destination\aiopfl.dll -> No action taken.

3:42:16 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Data\projectstemplates\ContentPackages\cc76e081-ac20-4507-9af4-d13c8ae706a5.dll -> No action taken.

3:42:19 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Data\SkinsOOV1_all_skins.dll -> No action taken.

3:42:30 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_add_to_catalog_swf.dll -> No action taken.

3:42:30 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_backup_swf.dll -> No action taken.

3:42:30 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_edit_basic_swf.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_edit_recover_swf.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_instant_share_swf.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_org_album_swf.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_panorama.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_print_4x6.dll -> No action taken.

3:42:31 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_print_mult.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_save_cd_swf.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_share_xml.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_transfer_camera_swf.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_transfer_cd_swf.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_transfer_scan_swf.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_trim_video_swf.dll -> No action taken.

3:42:32 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\cue_win_projects.dll -> No action taken.

3:42:33 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\flash\hpistour_swf.dll -> No action taken.

3:42:34 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\helpImages\instantshare_htm.dll -> No action taken.

3:42:34 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\hpqtdb01.dll -> No action taken.

3:42:35 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\instantshare_htm.dll -> No action taken.

3:42:35 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Library\instantshare_htm.dll -> No action taken.

3:42:35 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\LP_Creative_Projects.dll -> No action taken.

3:42:35 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\LP_Print_Applications.dll -> No action taken.

3:42:40 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\tr_instantshare.dll -> No action taken.

3:42:41 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Ut_Backup.dll -> No action taken.

3:42:41 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Ut_Copy.dll -> No action taken.

3:42:41 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\UT_DIRECTOR.DLL -> No action taken.

3:42:42 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\ut_imageeditor.dll -> No action taken.

3:42:42 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\ut_instantshare.dll -> No action taken.

3:42:42 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\ut_managedocuments.dll -> No action taken.

3:42:42 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Ut_Manageimages.dll -> No action taken.

3:42:43 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Ut_Viewimages.dll -> No action taken.

3:42:43 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_back_xml.dll -> No action taken.

3:42:43 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_edit_xml.dll -> No action taken.

3:42:43 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_share_xml.dll -> No action taken.

3:42:44 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_view_xml.dll -> No action taken.

3:42:44 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_win_projects.dll -> No action taken.

3:42:44 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\xmlmenu\LP_Print_Applications.dll -> No action taken.

3:42:50 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Skins\hp1\SkinXMLHP1.dll -> No action taken.

3:52:30 PM: Infected file (Sys32.libusb0) C:\Program Files\Jawbone\libusb0.dll -> No action taken.

4:11:56 PM: Infected file (Sys32.sshrmd) C:\Program Files\Webroot\Security\Current\plugins\antimalware\WRSS\i386\SSHRMD.sys -> No action taken.

4:36:56 PM: Infected file (Sys32.digcore) C:\WINDOWS\ServicePackFiles\i386\digcore.exe -> No action taken.

4:37:18 PM: Infected file (Sys32.iexplore) C:\WINDOWS\ServicePackFiles\i386\iexplore.exe -> No action taken.

4:37:52 PM: Infected file (Sys32.msnsusii) C:\WINDOWS\ServicePackFiles\i386\msnsusii.exe -> No action taken.

4:38:05 PM: Infected file (Sys32.ntfs) C:\WINDOWS\ServicePackFiles\i386\ntfs.sys -> No action taken.

4:43:10 PM: Infected file (Sys32.ntfs) C:\WINDOWS\system32\drivers\ntfs.sys -> No action taken.

4:43:30 PM: Infected file (Sys32.libusb0) C:\WINDOWS\system32\DRVSTORE\JBLibUSB_715591E219C2E3D123B6F97379ABFB6FD26BDE8B\libusb0.dll -> No action taken.

4:45:22 PM: Infected file (Sys32.libusb0) C:\WINDOWS\system32\ReinstallBackups\0028\DriverFiles\libusb0.dll -> No action taken.

4:45:57 PM: Infected file (Sys32.cdintf400) C:\WINDOWS\system32\spool\drivers\w32x86\cdintf400.dll -> No action taken.

4:56:21 PM: Infected file (Sys32.vdremote) F:\MY DOCS\New Folder\vdremote.dll -> No action taken.

4:56:21 PM: Infected file (Sys32.vdsvrlnk) F:\MY DOCS\New Folder\vdsvrlnk.dll -> No action taken.

5:55:45 PM: 139 Dangerous files has been found on your computer.

Click on "Fix" button to fix selected tasks.

Finished...


Hello Socom2

 

I know very little about RemoveIT Pro, nor do I see it being used regularly on the forums. You also have Webroot AV installed. To be honest (and this is my own personal opinion) I used webroot many many moons ago and was not bowled over by it. There are many reliable (and free) AV programs available which are trusted by many people.

 

Infected file (Sys32.hijackthis) C:\Documents and Settings\Owner\desktop\hijackthis.exe -> No action

I would be surprised if HJT was infected with malware, likewise for any files located within your i386 directory.

 

C:\WINDOWS\system32\roboot.exe

We already scanned this file... with 43 separate AV scanners... we know it to be clean: http://www.virustotal.com/file-scan/report.html?id=73208a07519b2f86074e6925d92f912304b125a4dd88a79e5ea843044c38723f-1311874528

 

If you would like to be sure there is never any harm in running an additional ESET scan. Alternatively, update MBAM and run a Full Scan. If the report comes back as clean my advice would be to uninstall both RemoveIT Pro and webroot and install one of these instead:

 

 

  • Security programs

     

     

  • I have provided links to three trusted programs (just choose one).

 

Once installed update the program and run a full system scan.

 

If you run ESET or MBAM post the logs created and let me know if you decide to go with one of the other AV's (and if anything is detected with their full system scan).

 

It's time for bed now - we'll catch up tomorrow :)

 

 

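The log posted above is hard to judge as a whole: one signature name (Sys32.randfont) is attached to dozens of HP help files, and the same file (ntfs.sys) is flagged in the Service Pack backup folder, the MGtools temp folder and the live drivers directory. The parser below is an added example (editor's code, not from the thread or from any tool named in it): it re-joins the entries the forum wrapped onto extra lines, groups hits per signature, and marks hits in the locations the helper treats as unlikely infection sites (the i386 backups, ERDNT copies and the scan tools' own folders). The location list is an editor's triage heuristic and not a verdict on any file; the sample lines are copied from the log above.

```python
"""Triage a RemoveIT Pro style scan log by re-joining wrapped lines and
grouping detections per signature.

Added example (editor's code, not from the thread or from any tool named in it).
Assumes the entry format seen in the log: "<time>: Infected file (<name>) <path> -> <action>".
Sample lines are copied from the log posted above; LIKELY_BENIGN_HINTS is an
editor's triage heuristic, not a verdict on any file.
"""
import re
from collections import defaultdict

TIME_PREFIX = re.compile(r"^\d{1,2}:\d{2}:\d{2} [AP]M: ")
ENTRY_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M): Infected file \((?P<name>[^)]+)\) "
    r"(?P<path>.+?) -> (?P<action>.+)$"
)

# Directories where a hit is more often a backup copy of a system file or a
# scan tool's own component than an infection (the helper's remark about the
# i386 directory and the tools' files). Editor's heuristic.
LIKELY_BENIGN_HINTS = (
    "\\servicepackfiles\\i386\\",
    "\\erdnt\\",
    "\\mgtools\\",
    "\\program files\\webroot\\",
)

# Lines copied from the log above (one non-detection summary line included).
SAMPLE_LOG = "\n".join([
    r"2:49:21 PM: Infected file (Sys32.erdnt) C:\WINDOWS\erdnt\subs\erdnt.exe -> No action taken.",
    r"3:17:09 PM: Infected file (Sys32.ntfs) C:\MGtools\temp\ERDNT\ntfs.sys -> No action taken.",
    r"3:41:45 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\bin\randdata\Data.dll -> No action taken.",
    r"3:42:41 PM: Infected file (Sys32.randfont) C:\Program Files\HP\Digital Imaging\Help\Ut_Copy.dll -> No action taken.",
    r"4:11:56 PM: Infected file (Sys32.sshrmd) C:\Program Files\Webroot\Security\Current\plugins\antimalware\WRSS\i386\SSHRMD.sys -> No action taken.",
    r"4:38:05 PM: Infected file (Sys32.ntfs) C:\WINDOWS\ServicePackFiles\i386\ntfs.sys -> No action taken.",
    r"4:43:10 PM: Infected file (Sys32.ntfs) C:\WINDOWS\system32\drivers\ntfs.sys -> No action taken.",
    "2:52:42 PM: 62 Dangerous files has been found on your computer.",
])


def join_wrapped(text):
    """Glue continuation lines (no leading timestamp) back onto the entry before them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIME_PREFIX.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse_log(text):
    """One dict per 'Infected file' entry; summary and progress lines are skipped."""
    parsed = []
    for entry in join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        d = m.groupdict()
        low = d["path"].lower()
        filename = low.rsplit("\\", 1)[-1]
        d["likely_benign"] = any(h in low for h in LIKELY_BENIGN_HINTS)
        # "Sys32.<x>" where <x> is just the file's stem carries no family
        # information: it repeats the file name and nothing more.
        d["name_is_filename"] = d["name"].split(".", 1)[-1].lower() == filename.rsplit(".", 1)[0]
        parsed.append(d)
    return parsed


def summarize(entries):
    """Per signature: total hits, hits in likely-benign locations, distinct file names."""
    acc = defaultdict(lambda: {"hits": 0, "likely_benign": 0, "files": set()})
    for e in entries:
        s = acc[e["name"]]
        s["hits"] += 1
        s["likely_benign"] += int(e["likely_benign"])
        s["files"].add(e["path"].rsplit("\\", 1)[-1].lower())
    return {
        name: {"hits": s["hits"], "likely_benign": s["likely_benign"], "distinct_files": len(s["files"])}
        for name, s in acc.items()
    }


if __name__ == "__main__":
    for name, s in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"{name:18} hits={s['hits']} likely_benign={s['likely_benign']} distinct_files={s['distinct_files']}")
```

Run on the full log rather than the sample, the summary makes the two patterns the helper is pointing at visible at a glance: a signature that fires on many differently named files in one vendor's folder, and a signature whose name is simply the file name, flagged in both the live location and its backup copies. Neither pattern proves a file is clean, which is why the helper still sends the disputed files to a multi-engine scan.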

Check out what I found with Advanced System Protector

 

 

Scan Log Total Time: 350 Mins 59 Secs

Start Time: Jul 31, 2011 at 03:11:43 PM End Time: Jul 31, 2011 at 09:02:42 PM

RogueProgram.MS-Antispyware-2009 (Rogue Antispyware Program)

Status : Quarantined

Infected registry keys/values detected

hkey_current_user\software\microsoft\windows\currentversion\drivers
hkey_current_user\software\microsoft\windows\currentversion\drivers\video
hkey_current_user\software\microsoft\windows\currentversion\drivers\video\options

RogueProgram.WinAntiVirus-Pro-2006 (Rogue Antispyware Program)

Status : Quarantined

Infected registry keys/values detected

hkey_classes_root\*\shellex\contextmenuhandlers\shellextension
hkey_classes_root\directory\shellex\contextmenuhandlers\shellextension
hkey_classes_root\drive\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\*\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\directory\shellex\contextmenuhandlers\shellextension
hkey_local_machine\software\classes\drive\shellex\contextmenuhandlers\shellextension

Malware.goldun (Generic Malware )

Status : Quarantined

Infected registry keys/values detected

hkey_local_machine\software\microsoft\windows nt\currentversion\windows\requiresignedappinit_dlls

Malware.hatob (Generic Malware )

Status : Quarantined

Infected registry keys/values detected

hkey_local_machine\software\policies\microsoft\windows nt\windows file protection\sfcdisable

Malware (General Components) (Generic Malware )

Status : Quarantined

Infected registry keys/values detected

hkey_current_user\software\microsoft\security center\antivirusdisablenotify
hkey_current_user\software\microsoft\security center\updatesdisablenotify
hkey_current_user\software\wget

Trojan.swisyn (Trojan)

Status : Quarantined

Infected registry keys/values detected

hkey_local_machine\system\currentcontrolset\services\catchme
hkey_local_machine\system\currentcontrolset\services\catchme\type
hkey_local_machine\system\currentcontrolset\services\catchme\errorcontrol
hkey_local_machine\system\currentcontrolset\services\catchme\start
hkey_local_machine\system\currentcontrolset\services\catchme\imagepath
hkey_local_machine\system\currentcontrolset\services\catchme\group
hkey_local_machine\system\currentcontrolset\services\catchme\enum
hkey_local_machine\system\currentcontrolset\services\catchme\enum\0
hkey_local_machine\system\currentcontrolset\services\catchme\enum\count
hkey_local_machine\system\currentcontrolset\services\catchme\enum\nextinstance

keylogger.personal-keylogger.1 (Key Logger)

Status : Quarantined

Infected files detected

FileName: c:\documents and settings\owner\recent\log.txt.lnk

MD5: 6d1dcd1c8a53cf260e95fc54d9173439 (452 Bytes)

Signature:

FileName: c:\documents and settings\owner\desktop\log.txt

MD5: c2e1c3d41f3caee1c6082b0a70322cd9 (26534 Bytes)

Signature:


Hello Socom2

 

Whilst it is always tempting to run additional scans during the course of a fix I respectfully request that you refrain from doing so. I am happy to try and help you with your computer issues but please do follow the advice I am providing.

 

The scan logs you have posted appear to have made several detections, all of which are in direct conflict with the output of often-used and completely trusted applications (ComboFix, MBAM and ESET).

 

It is my belief that the applications you are using may be giving you less than accurate reports regarding the infection status of your system.

 

As I have already stated, I believe the quality of RemoveIT Pro and webroot AV to be somewhat questionable. Again, to be clear, this is my own personal opinion regarding these applications. Having said that, I doubt very much if you will find a Trusted HJT Advisor that uses ASO to clean a machine.

 

 

The following link provides a little information about one of the detections listed in your scan: http://help.geckosoftware.com/support_forum/viewtopic.php?t=2537

 

A little information regarding RemoveIt Pro: http://softwareindustryreport.com/antispyware/removeit-pro.html

 

 

I would of course be doing you a disservice to simply dismiss these detections out of hand (it is possible that there could perhaps be a file infector on board but again, it has not been detected by ComboFix, MBAM or ESET), so let's continue as follows:

 

 

  • Please scan the following files

     

     

     

    • On the page you'll find a "Browse" button.
    • Click on the Browse button.
    • In the Choose File to Upload window which opens, copy and paste this into the File Name box.

     

    C:\WINDOWS\system32\addcat.exe

     

     

    • Next, click the Open button.
    • Then click the "Send File" button just below.
    • This will scan the file. Please be patient.
    • If you get a message saying File has already been analyzed: click Reanalyze file now.
    • Once scanned, copy and paste the link to the results page in your next reply.
    • Please repeat this procedure for the following files:

     

    C:\WINDOWS\system32\mmavilng.exe

    C:\WINDOWS\system32\sasnative32.exe

    C:\WINDOWS\system32\drivers\sshrmd.sys

    C:\Program Files\HP\Digital Imaging\Help\xmlmenu\cue_back_xml.dll

     

  • CKScanner

     

     

    • Download CKScanner by askey127 from here and save it to your Desktop.
    • Double click CKScanner.exe then click on Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify the file saved.
    • Double click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

  • Please run the following scan

     

     

    • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
    • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
    • Please disable your real time security programs before performing the scan.

     

    • Scan your system with Eset Online Scanner
    • Place a check mark in the box YES, I accept the Terms Of Use.
    • Click the Posted Image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

     

    • Check Posted Image
    • Click the Posted Image button.
    • Accept any security warnings from your browser.
    • Check Posted Image
    • Make sure that the option to "Remove Found Threats" is unchecked.
    • Push the "Start" button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push Posted Image
    • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the Posted Image button.
    • Push Posted Image

    Please post the VT result links, the CKScanner log and the ESET log in your next reply.

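One check worth making before trusting or dismissing a VirusTotal link: in the old-style report URLs posted in this thread the "id" is the file's SHA-256 digest followed by a Unix timestamp of the scan, so hashing the local copy and comparing it with the id confirms that the report describes that exact binary and not a same-named file in another directory (the log above flags ntfs.sys and libusb0.dll in several places). The script below is an added example, editor's code rather than anything from the thread or from VirusTotal; the URL is the roboot.exe report the helper posted, and the local file it hashes is a constructed stand-in, so the comparison is expected to fail and shows what a mismatch looks like.

```python
"""Check that a VirusTotal report link refers to the file you actually have.

Added example (editor's code, not from the thread or from VirusTotal). It
relies on the link format visible above: .../report.html?id=<sha256>-<unix time>.
The sample file hashed in demo() is constructed here and will not match the
roboot.exe report, which is exactly what a mismatch looks like.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

CHUNK = 1 << 20  # read large binaries in 1 MiB pieces

# Report link posted by the helper for C:\WINDOWS\system32\roboot.exe.
ROBOOT_REPORT = (
    "http://www.virustotal.com/file-scan/report.html?id="
    "73208a07519b2f86074e6925d92f912304b125a4dd88a79e5ea843044c38723f-1311874528"
)


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed so large drivers and installers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_vt_report_link(url):
    """Split a report link into (sha256 hex digest, scan time as UTC datetime)."""
    query = parse_qs(urlparse(url).query)
    report_id = query["id"][0]
    digest, _, ts = report_id.rpartition("-")
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("report id does not start with a SHA-256 hex digest")
    return digest, datetime.fromtimestamp(int(ts), tz=timezone.utc)


def report_matches_file(url, path):
    """True only if the report's digest equals the hash of the local file."""
    digest, _ = parse_vt_report_link(url)
    return digest == sha256_of_file(path)


def demo():
    """Hash a constructed stand-in file and compare it with the roboot.exe report."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"abc")  # constructed content, not a real program file
        return sha256_of_file(sample), report_matches_file(ROBOOT_REPORT, sample)


if __name__ == "__main__":
    digest, when = parse_vt_report_link(ROBOOT_REPORT)
    print("report hash:", digest)
    print("scanned at :", when.isoformat())
    local_hash, same = demo()
    print("local hash :", local_hash, "matches report:", same)
```

To check a real file, call report_matches_file() with the report link and the path of the copy on the machine in question; a False result means the report is about a different binary and the file should be submitted on its own, which is what the helper's "Browse / Send File" steps above do.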

http://www.virustotal.com/file-scan/report.html?id=04eacd16d57c3193bdfd32f3340f088ad1588b98facbd859a5104b742d7eb558-1312316384

http://www.virustotal.com/file-scan/report.html?id=82ba28458fbf521b90cc70f338aeea0d8fbceb77cbfd65180a3601456ead4ff7-1312316261

http://www.virustotal.com/file-scan/report.html?id=bf28a8eb57684f7819ae1c76282d26356590559f827eddb576662bada1d2c9fc-1312317052

http://www.virustotal.com/file-scan/report.html?id=d9bdf9f79ee4e70153c6a5124f51d6d76b5b7ec213bacd7362ca9a521831ec43-1312321782

http://www.virustotal.com/file-scan/report.html?id=926097df69df2c86cd5dca6870e07294aba54892ad8359eae4a85b2b31b6ff2f-1312321891

 

CKScanner - Additional Security Risks - These are not necessarily bad

c:\documents and settings\owner\desktop\usb tranzfer\crack\diskdoctor.exe

c:\documents and settings\owner\desktop\usb tranzfer\crack\license.dat

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\convertxtodvd4setup4.0.3.311.exe

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\h33t - cazor.url

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\lndl.nfo

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\tracked_by_h33t_com.txt

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\visit h33t.url

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t].rar

c:\documents and settings\owner\desktop\usb tranzfer\vso convertxtodvd v4.0.3.311 + crack (clean) [h33t] - cazor\crack\convertxtodvd.exe

c:\program files\sony\sound forge pro 10.0\crack.txt

scanner sequence 3.CG.11.BAAASO

----- EOF -----

 

ESET SCAN

 

C:\Documents and Settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application

C:\Documents and Settings\Owner\Local Settings\Temp\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application

C:\Documents and Settings\Owner\My Documents\General Install Programs\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application

C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll a variant of Win32/Adware.Yontoo.A application

F:\MY DOCS\General Install Programs\nl_setup_beta.exe probably a variant of Win32/Packed.Themida application


This topic is now closed to further replies.