
View Full Version : Trojan?? and blocked sites?


daniel9
14 Sep 2009, 5:59am
Hi

Yes, I have been having a couple of problems with my computer. It has been crashing and freezing a lot for the past couple of days. I have tried updating the video drivers, but that has not stopped it. Recently it did stop crashing and freezing.


And now I find I cannot go to certain websites. The computer will not connect to them at all. However, I have been able to go to those same websites while in admin mode, and also on a different computer connected via wireless, and I've used a proxy redirect site to get to the same websites (but then the proxy redirect site has also stopped working).

I have been hearing popping sounds through the computer speakers numerous times for no reason. These popping sounds also occur when I try to go to a website that I can't go to any longer. And I have lost some functionality of my mouse, and one or two programs do not save their settings. Numerous folders have become read-only and now only have a created date, and not a last modified or last used date. The created dates are all wrong. I have tried a couple of online scans and these were unable to get rid of the problem.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:32 AM, on 9/14/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\illusion51\mirc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\food.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT4016
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229130357833
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229130347197
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avn - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 7929 bytes

chiaz
18 Sep 2009, 1:00pm
Hey there. :)

Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.


Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

daniel9
18 Sep 2009, 2:21pm
Malwarebytes' Anti-Malware 1.41
Database version: 2819
Windows 5.1.2600 Service Pack 2
9/18/09 8:48:15 AM
mbam-log-2009-09-18 (08-48-15).txt
Scan type: Quick Scan
Objects scanned: 109935
Time elapsed: 6 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

ComboFix 09-09-17.04 - Owner i 09/18/09 8:59.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.427 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\documents and settings\Owner\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
c:\recycler\S-1-5-21-2926536862-2784431789-1591830859-500
c:\recycler\S-1-5-21-4053597597-3836546348-49961789-500
c:\windows\ALCMTR.EXE
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\199929.msi
c:\windows\Installer\19992a.msp
c:\windows\Installer\19992b.msp
c:\windows\Installer\19992c.msp
c:\windows\Installer\19992d.msp
c:\windows\Installer\19992e.msp
c:\windows\Installer\19992f.msp
c:\windows\Installer\199930.msp
c:\windows\Installer\199931.msp
c:\windows\Installer\199932.msp
c:\windows\Installer\199933.msp
c:\windows\system32\win.ini
c:\windows\winkey.drv
c:\windows\Winset.drv
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WSMSPSVC

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-18 10:57 . 2009-09-18 10:57 -------- d-----w- c:\program files\XP Repair Pro 4.0
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\windows\Easy CD-DA Extractor 12.0.1
2009-09-14 05:57 . 2009-09-14 05:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-09-12 11:18 . 2009-09-12 11:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-12 08:47 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-12 08:46 . 2009-09-12 08:46 -------- d-----w- c:\program files\Panda Security
2009-09-12 08:22 . 2009-09-12 08:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-12 08:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 08:22 . 2009-09-18 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 08:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 17:08 . 2009-09-11 17:08 24744 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-10 21:52 . 2009-09-10 21:52 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-10 18:29 . 2009-09-14 08:24 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-10 18:29 . 2009-09-14 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-10 18:28 . 2009-09-10 18:28 -------- d-----w- c:\program files\Common Files\XoftSpySE
2009-09-10 18:28 . 2009-09-10 19:28 -------- d-----w- c:\program files\XoftSpySE6
2009-09-10 01:38 . 2009-09-10 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2009-09-10 01:38 . 2009-09-10 01:49 -------- d-----w- c:\program files\Foxit Software
2009-09-10 01:13 . 2009-09-10 01:13 -------- d-----w- c:\program files\gs
2009-09-09 07:22 . 2009-09-09 07:22 -------- d-----w- C:\6bf8f18c79cabb24c5ac4dc0
2009-09-08 03:17 . 2009-09-14 04:33 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-08 03:14 . 2009-09-08 04:05 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-08 01:23 . 2009-09-08 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-09-07 07:27 . 2009-09-07 07:27 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-07 07:27 . 2009-09-07 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-07 07:26 . 2009-09-07 07:26 -------- d-----w- C:\NVIDIA
2009-09-05 22:28 . 2009-09-05 22:28 -------- d-----w- c:\program files\Golden Bow
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2009-09-04 17:32 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2009-09-04 17:32 . 2004-08-10 08:13 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2009-09-04 12:39 . 2004-08-04 04:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-04 12:39 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-04 12:39 . 2001-08-18 02:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-04 12:39 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-04 12:39 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-04 12:39 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-04 12:39 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-09-04 12:39 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-09-04 12:39 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-09-04 12:39 . 2004-08-04 04:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-09-04 12:37 . 2001-08-17 17:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2009-09-04 12:36 . 2001-08-18 02:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2009-09-04 12:35 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2009-09-04 12:34 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2009-09-04 12:33 . 2004-08-10 19:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2009-09-04 12:32 . 2001-08-17 18:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2009-09-04 12:31 . 2001-08-18 02:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2009-09-04 12:30 . 2001-08-17 16:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2009-09-04 12:29 . 2004-08-10 19:00 131584 -c--a-w- c:\windows\system32\dllcache\pmxviceo.dll
2009-09-04 12:28 . 2001-08-18 02:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-09-04 12:27 . 2004-08-10 19:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-09-04 12:26 . 2001-08-17 17:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-09-04 12:25 . 2001-08-17 16:49 22848 -c--a-w- c:\windows\system32\dllcache\lwusbhid.sys
2009-09-04 12:24 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-04 12:23 . 2001-08-17 18:05 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-09-04 12:22 . 2001-08-18 02:36 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2009-09-04 12:21 . 2004-08-10 19:00 562176 -c--a-w- c:\windows\system32\dllcache\fxsst.dll
2009-09-04 12:20 . 2001-08-17 16:19 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2009-09-04 12:19 . 2004-08-04 03:00 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2009-09-04 12:18 . 2001-08-17 16:19 3712 -c--a-w- c:\windows\system32\dllcache\ctljystk.sys
2009-09-04 12:17 . 2004-08-04 03:10 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys
2009-09-04 12:16 . 2004-08-04 04:56 3967 -c--a-w- c:\windows\system32\dllcache\adv02nt5.dll
2009-09-03 22:20 . 2009-07-29 06:35 2378752 ----a-w- c:\windows\system32\x264vfw.dll
2009-08-23 19:46 . 2009-08-23 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Golden Bow Systems
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 13:10 . 2008-12-23 03:12 21536 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-18 13:10 . 2008-12-23 03:12 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-18 13:05 . 2008-12-23 03:12 1399584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-18 13:05 . 2008-12-23 03:12 122060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-18 12:38 . 2006-11-27 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-18 12:34 . 2006-05-11 09:24 -------- d-----w- c:\program files\illusion51
2009-09-18 08:36 . 2007-09-16 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-17 05:54 . 2006-06-02 04:14 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-16 03:51 . 2007-08-20 23:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 14:21 . 2009-03-26 00:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-11 15:21 . 2008-12-23 03:12 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-11 15:21 . 2008-12-23 03:12 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-09 09:15 . 2007-09-28 18:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-09 07:39 . 2005-01-10 01:26 35912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 07:12 . 2008-06-25 20:23 -------- d-----w- c:\program files\ComicRack
2009-09-09 05:56 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2009-09-08 01:14 . 2009-01-07 16:19 -------- d-----w- c:\program files\Trojan Remover
2009-09-08 00:22 . 2007-11-21 16:30 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 1
2009-09-05 18:50 . 2007-03-15 07:34 -------- d-----w- c:\program files\SolSuite
2009-09-05 18:48 . 2006-11-12 13:59 -------- d-----w- c:\program files\Soulseek
2009-09-04 20:48 . 2007-03-31 19:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-03 22:34 . 2009-02-03 03:15 -------- d-----w- c:\program files\QuickTime Alternative
2009-09-03 22:20 . 2009-07-28 14:24 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-03 17:12 . 2007-06-10 07:26 -------- d-----w- c:\program files\Sierra
2009-09-03 17:12 . 2006-02-15 12:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 17:05 . 2006-07-27 15:16 -------- d-----w- c:\program files\XP Smoker
2009-08-22 17:49 . 2006-07-27 15:16 47004 ----a-w- c:\windows\system32\tcpipbak.reg
2009-08-22 03:35 . 2007-07-30 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 04:57 . 2009-08-17 04:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-08-17 04:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2006-02-15 12:27 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2006-02-15 11:52 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 04:57 . 2006-02-15 11:52 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2006-02-15 11:52 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2006-02-15 11:52 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2005-01-09 17:02 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2005-01-09 17:02 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-16 15:08 . 2006-05-26 11:48 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-16 11:21 . 2009-05-27 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-08-11 16:35 . 2006-02-15 12:10 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-28 16:54 . 2009-07-28 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Aim
2009-07-14 00:15 . 2009-07-28 14:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-28 14:24 685056 ----a-w- c:\windows\system32\divx.dll
2009-07-13 14:08 . 2005-01-09 23:49 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-01 16:25 . 2009-07-01 16:25 129744 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-24 14:15 . 2009-06-23 08:50 659968 ----a-w- c:\windows\system32\3Planesoft_Screensaver_Manager.scr
2008-12-19 03:31 . 2006-05-11 09:55 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 03:31 . 2006-05-11 09:55 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 03:31 . 2007-09-02 02:08 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 03:31 . 2007-09-02 02:08 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 03:31 . 2006-05-11 09:55 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-02-11 19:45 . 2007-09-18 17:03 48 --sh--w- c:\windows\S2683E8DA.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-25 3885408]
"AIM"="c:\program files\AIM\aim.exe" [2004-02-04 61440]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-12 1994480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 136600]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-08-28 4853016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-12 13:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
"c:\\Program Files\\illusion51\\mirc.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/12/09 4:47 AM 28544]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [7/13/08 1:03 AM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/1/09 10:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/1/09 10:53 PM 74480]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/09 4:22 AM 269648]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/06 8:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/24/07 6:19 AM 598856]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/07 2:28 PM 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/09 4:22 AM 19160]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/1/09 10:53 PM 7408]
S2 avn;avn;"c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe" -r --> c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe [?]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/09 5:15 PM 582424]
.
Contents of the 'Scheduled Tasks' folder
2009-09-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
2009-09-17 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]
2009-09-18 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-svcWRSSSDK
AddRemove-XoftSpySE - c:\program files\XoftSpySE\uninstall.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 09:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\AnyDVD/1]
"1"=dword:447128ef
"2"=dword:447129b4
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\CloneDVD/2]
"1"=dword:447129ea
"2"=dword:447129ea
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\CloneDVD2/2]
"1"=dword:447129ea
"2"=dword:44712bbd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1156)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\klogon.dll
- - - - - - - > 'explorer.exe'(2780)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-09-18 9:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 13:15
Pre-Run: 73,231,765,504 bytes free
Post-Run: 73,134,096,384 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:56 AM, on 9/18/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [XoftSpySE] "C:\Program Files\XoftSpySE6\XoftSpySE.exe" -NM -hidesplash
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mount.exe] C:\Program Files\GiPo@Utilities\FileUtilities.3\mount.exe /z
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\MALWAR~1\spybot\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229130357833
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229130347197
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avn - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
--
End of file - 7256 bytes

chiaz
18 Sep 2009, 2:37pm
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:


File::
c:\windows\S2683E8DA.tmp
Save this as CFScript.txt in the same location as ComboFix.exe, which is on the Desktop.


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your reply, as well as let me know how your PC is running now.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

daniel9
18 Sep 2009, 2:59pm
Well, it still runs the same from what I can immediately tell, and I still cannot get to the same websites. But the popping sound that happens when I go to them is gone for now.

ComboFix 09-09-17.04 - Owner i 09/18/09 9:47.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.454 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FILE ::
"c:\windows\S2683E8DA.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\S2683E8DA.tmp
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-18 10:57 . 2009-09-18 10:57 -------- d-----w- c:\program files\XP Repair Pro 4.0
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Easy CD-DA Extractor
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-09-16 03:50 . 2009-09-16 03:50 -------- d-----w- c:\windows\Easy CD-DA Extractor 12.0.1
2009-09-14 05:57 . 2009-09-14 05:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-09-12 11:18 . 2009-09-12 11:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-12 08:47 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-12 08:46 . 2009-09-12 08:46 -------- d-----w- c:\program files\Panda Security
2009-09-12 08:22 . 2009-09-12 08:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-12 08:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 08:22 . 2009-09-18 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 08:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 17:08 . 2009-09-11 17:08 24744 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-09-10 21:52 . 2009-09-10 21:52 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-09-10 18:29 . 2009-09-14 08:24 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-10 18:29 . 2009-09-14 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-10 18:28 . 2009-09-10 18:28 -------- d-----w- c:\program files\Common Files\XoftSpySE
2009-09-10 18:28 . 2009-09-10 19:28 -------- d-----w- c:\program files\XoftSpySE6
2009-09-10 01:38 . 2009-09-10 01:38 -------- d-----w- c:\documents and settings\Owner\Application Data\Foxit
2009-09-10 01:38 . 2009-09-10 01:49 -------- d-----w- c:\program files\Foxit Software
2009-09-10 01:13 . 2009-09-10 01:13 -------- d-----w- c:\program files\gs
2009-09-09 07:22 . 2009-09-09 07:22 -------- d-----w- C:\6bf8f18c79cabb24c5ac4dc0
2009-09-08 03:17 . 2009-09-14 04:33 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-08 03:14 . 2009-09-08 04:05 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-09-08 01:23 . 2009-09-08 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-09-07 07:27 . 2009-09-07 07:27 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-07 07:27 . 2009-09-07 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-07 07:26 . 2009-09-07 07:26 -------- d-----w- C:\NVIDIA
2009-09-05 22:28 . 2009-09-05 22:28 -------- d-----w- c:\program files\Golden Bow
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresko.dll
2009-09-04 17:32 . 2004-08-10 08:13 73728 -c--a-w- c:\windows\system32\dllcache\ehresja.dll
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresfr.dll
2009-09-04 17:32 . 2004-08-10 08:13 69632 -c--a-w- c:\windows\system32\dllcache\ehresde.dll
2009-09-04 17:32 . 2004-08-10 08:13 61440 -c--a-w- c:\windows\system32\dllcache\ehreschs.dll
2009-09-04 12:39 . 2004-08-04 04:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-04 12:39 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-04 12:39 . 2001-08-18 02:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-04 12:39 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-04 12:39 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-04 12:39 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-04 12:39 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-09-04 12:39 . 2004-08-04 02:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-09-04 12:39 . 2004-08-04 02:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-09-04 12:39 . 2004-08-04 04:56 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-09-04 12:37 . 2001-08-17 17:28 64605 -c--a-w- c:\windows\system32\dllcache\vvoice.sys
2009-09-04 12:36 . 2001-08-18 02:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2009-09-04 12:35 . 2001-08-18 02:36 31744 -c--a-w- c:\windows\system32\dllcache\tp4.dll
2009-09-04 12:34 . 2001-08-18 02:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2009-09-04 12:33 . 2004-08-10 19:00 5632 -c--a-w- c:\windows\system32\dllcache\smimsgif.dll
2009-09-04 12:32 . 2001-08-17 18:56 150144 -c--a-w- c:\windows\system32\dllcache\sis6306v.dll
2009-09-04 12:31 . 2001-08-18 02:36 495616 -c--a-w- c:\windows\system32\dllcache\sblfx.dll
2009-09-04 12:30 . 2001-08-17 16:19 3840 -c--a-w- c:\windows\system32\dllcache\rpfun.sys
2009-09-04 12:29 . 2004-08-10 19:00 131584 -c--a-w- c:\windows\system32\dllcache\pmxviceo.dll
2009-09-04 12:28 . 2001-08-18 02:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-09-04 12:27 . 2004-08-10 19:00 53248 -c--a-w- c:\windows\system32\dllcache\nextlink.dll
2009-09-04 12:26 . 2001-08-17 17:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-09-04 12:25 . 2001-08-17 16:49 22848 -c--a-w- c:\windows\system32\dllcache\lwusbhid.sys
2009-09-04 12:24 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-09-04 12:23 . 2001-08-17 18:05 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-09-04 12:22 . 2001-08-18 02:36 13312 -c--a-w- c:\windows\system32\dllcache\hpsjmcro.dll
2009-09-04 12:21 . 2004-08-10 19:00 562176 -c--a-w- c:\windows\system32\dllcache\fxsst.dll
2009-09-04 12:20 . 2001-08-17 16:19 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2009-09-04 12:19 . 2004-08-04 03:00 8320 -c--a-w- c:\windows\system32\dllcache\dlttape.sys
2009-09-04 12:18 . 2001-08-17 16:19 3712 -c--a-w- c:\windows\system32\dllcache\ctljystk.sys
2009-09-04 12:17 . 2004-08-04 03:10 17024 -c--a-w- c:\windows\system32\dllcache\bthenum.sys
2009-09-04 12:16 . 2004-08-04 04:56 3967 -c--a-w- c:\windows\system32\dllcache\adv02nt5.dll
2009-09-03 22:20 . 2009-07-29 06:35 2378752 ----a-w- c:\windows\system32\x264vfw.dll
2009-08-23 19:46 . 2009-08-23 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Golden Bow Systems
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 13:53 . 2008-12-23 03:12 86048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-18 13:50 . 2008-12-23 03:12 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-18 13:42 . 2006-05-11 09:24 -------- d-----w- c:\program files\illusion51
2009-09-18 13:22 . 2006-11-27 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-09-18 13:05 . 2008-12-23 03:12 1399584 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-09-18 13:05 . 2008-12-23 03:12 122060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-09-18 08:36 . 2007-09-16 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-17 05:54 . 2006-06-02 04:14 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-09-16 03:51 . 2007-08-20 23:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 14:21 . 2009-03-26 00:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-11 15:21 . 2008-12-23 03:12 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-09-11 15:21 . 2008-12-23 03:12 107547 ----a-w- c:\windows\system32\drivers\klin.dat
2009-09-09 09:15 . 2007-09-28 18:12 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-09 07:39 . 2005-01-10 01:26 35912 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-09 07:12 . 2008-06-25 20:23 -------- d-----w- c:\program files\ComicRack
2009-09-09 05:56 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2009-09-08 01:14 . 2009-01-07 16:19 -------- d-----w- c:\program files\Trojan Remover
2009-09-08 00:22 . 2007-11-21 16:30 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 1
2009-09-05 18:50 . 2007-03-15 07:34 -------- d-----w- c:\program files\SolSuite
2009-09-05 18:48 . 2006-11-12 13:59 -------- d-----w- c:\program files\Soulseek
2009-09-04 20:48 . 2007-03-31 19:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-03 22:34 . 2009-02-03 03:15 -------- d-----w- c:\program files\QuickTime Alternative
2009-09-03 22:20 . 2009-07-28 14:24 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-03 17:12 . 2007-06-10 07:26 -------- d-----w- c:\program files\Sierra
2009-09-03 17:12 . 2006-02-15 12:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 17:05 . 2006-07-27 15:16 -------- d-----w- c:\program files\XP Smoker
2009-08-22 17:49 . 2006-07-27 15:16 47004 ----a-w- c:\windows\system32\tcpipbak.reg
2009-08-22 03:35 . 2007-07-30 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 04:57 . 2009-08-17 04:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-08-17 04:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2006-02-15 12:27 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2006-02-15 11:52 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 04:57 . 2006-02-15 11:52 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2006-02-15 11:52 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2006-02-15 11:52 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2005-01-09 17:02 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2005-01-09 17:02 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-16 15:08 . 2006-05-26 11:48 178176 ----a-w- c:\windows\system32\unrar.dll
2009-08-16 11:21 . 2009-05-27 09:45 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-08-11 16:35 . 2006-02-15 12:10 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-28 16:54 . 2009-07-28 16:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Aim
2009-07-14 00:15 . 2009-07-28 14:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-07-14 00:15 . 2009-07-28 14:24 685056 ----a-w- c:\windows\system32\divx.dll
2009-07-13 14:08 . 2005-01-09 23:49 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-01 16:25 . 2009-07-01 16:25 129744 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-24 14:15 . 2009-06-23 08:50 659968 ----a-w- c:\windows\system32\3Planesoft_Screensaver_Manager.scr
2008-12-19 03:31 . 2006-05-11 09:55 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 03:31 . 2006-05-11 09:55 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 03:31 . 2007-09-02 02:08 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 03:31 . 2007-09-02 02:08 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 03:31 . 2006-05-11 09:55 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-25 3885408]
"AIM"="c:\program files\AIM\aim.exe" [2004-02-04 61440]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-12 1994480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-19 136600]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2009-08-28 4853016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-12-09 550912]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-14 14820864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-12 13:46 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
"c:\\Program Files\\illusion51\\mirc.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/12/09 4:47 AM 28544]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [7/13/08 1:03 AM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/1/09 10:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/1/09 10:53 PM 74480]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/12/09 4:22 AM 269648]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/06 8:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [8/24/07 6:19 AM 598856]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/07 2:28 PM 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/12/09 4:22 AM 19160]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/1/09 10:53 PM 7408]
S2 avn;avn;"c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe" -r --> c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avn.exe [?]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [8/28/09 5:15 PM 582424]
.
Contents of the 'Scheduled Tasks' folder
2009-09-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
2009-09-17 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-28 21:15]
2009-09-18 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-28 21:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 09:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\AnyDVD/1]
"1"=dword:447128ef
"2"=dword:447129b4
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\CloneDVD/2]
"1"=dword:447129ea
"2"=dword:447129ea
[HKEY_USERS\S-1-5-21-2308361170-364180272-799116691-1006\Software\Zepter Software\RegLib*8465b084\CloneDVD2/2]
"1"=dword:447129ea
"2"=dword:44712bbd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1156)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\windows\system32\klogon.dll
.
Completion time: 2009-09-18 9:55
ComboFix-quarantined-files.txt 2009-09-18 13:55
ComboFix2.txt 2009-09-18 13:15
Pre-Run: 73,144,324,096 bytes free
Post-Run: 73,122,988,032 bytes free
273

chiaz
19 Sep 2009, 2:08am
Download HostsXpert Here (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Next, open HostsXpert
Make sure that the "make hosts writable?" button in the upper right corner is checked
Now, click on 'back up Host files'
then click on 'Restore original host files'
Finally, close HostsXpert.


=============

Next let's have you go HERE (http://www.pandasecurity.com/activescan/index/) to run Panda ActiveScan 2.0
Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply.

daniel9
19 Sep 2009, 6:49am
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-09-19 01:47:46
PROTECTIONS: 1
MALWARE: 30
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security 7.0.1.325 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.atdmt.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.tribalfusion.com/]
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@anm.co[2].txt
00148840 Cookie/Pollstar TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@pollstar[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.com.com/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.yadro.ru/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.xiti.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@gostats[3].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.azjmp.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.toplist.cz/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@club.cdfreaks[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.bs.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[1].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cdfreaks[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[server.iad.liveperson.net/hc/19452074]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[server.iad.liveperson.net/]
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@stat.onestat[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.advertising.com/]
00170553 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ig.com[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ia5qdij.default\cookies.txt[.realmedia.com/]
00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.uol.com.br/]
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.bravenet.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.adultfriendfinder.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\of1ixb4t.default\cookies.txt[.did-it.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
00286736 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
02219899 Bck/IRCFlood.CW Virus/Trojan Yes 2 Yes No C:\Program Files\illusion51\mirc.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1262\A0260670.sys
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\Documents and Settings\Owner\My Documents\Downloads\mIRC v6.35 - Auth and CTCP VERSION Patched\mirc.exe
No C:\Program Files\StreamboxVcrSuite2\StreamBoxVCR1Beta31\received\comboscan.exe 
No C:\Program Files\Trojan Remover\trupd.exe 
No C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1226\A0198573.exe 
No C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1245\A0220656.exe 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
212494 HIGH MS09-042 
212493 HIGH MS09-041 
212490 HIGH MS09-038 
212530 HIGH MS09-034 
211781 HIGH MS09-029 
210625 HIGH MS09-026 
210624 HIGH MS09-025 
210621 HIGH MS09-022 
210618 HIGH MS09-019 
208380 HIGH MS09-015 
208379 HIGH MS09-014 
208378 HIGH MS09-013 
208377 HIGH MS09-012 
206981 HIGH MS09-007 
206980 HIGH MS09-006 
204670 HIGH MS09-001 
201258 HIGH MS08-066 
201256 HIGH MS08-064 
201255 HIGH MS08-063 
201253 HIGH MS08-061 
194860 HIGH MS08-030 
191618 HIGH MS08-025 
191613 HIGH MS08-020 
187733 HIGH MS08-008 
184380 MEDIUM MS08-002 
182046 HIGH MS07-067 
179553 HIGH MS07-061 
176383 HIGH MS07-058 
108738 HIGH MS06-004 
;===================================================================================================================================================================================

chiaz
20 Sep 2009, 3:34am
Delete this file here:
C:\Program Files\StreamboxVcrSuite2\StreamBoxVCR1Beta31\received\comboscan.exe 

I see that you are not using an original mIRC program. They may contain malware; I recommend that you delete the following file/folder.
C:\Program Files\illusion51\mirc.exe
C:\Documents and Settings\Owner\My Documents\Downloads\mIRC v6.35 - Auth and CTCP VERSION Patched\


Now it's time to remove ComboFix.

Go to Start > Run
Type in the box

combofix /u

Note: the space between the X and the /u

Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

daniel9
20 Sep 2009, 4:43am
All done. lol, but even the original mIRC shows up as bad when I downloaded it.

Hm, now what?

chiaz
20 Sep 2009, 7:39am
We should be all done here.

How's your PC running?

daniel9
20 Sep 2009, 5:48pm
Same as before. Firefox doesn't update even though I open and close it, the roller on the top of the mouse still doesn't work. Websites are unblocked right now, but it did not happen after I deleted that stuff. It happened after I installed SuperAntiSpyware, and during the scan it froze. I tried to close the program but I got a "system has locked the program" error. I ended the task in Task Manager.

That was when the blocked sites worked again. I started the program once more. Now I see two SuperAntiSpywares in my Task Manager. One will not go away no matter how much I try to end it. I did scans with Malwarebytes and Panda and Kaspersky and found no viruses. But for some reason, I think whatever was blocking sites is being stopped because of that SuperAntiSpyware freezing and getting locked. I am going to be sad if, once the program is gone, the blocks come back. And I don't understand why this is happening.

chiaz
23 Sep 2009, 9:51am
Sorry for the late response.

I need you to try running a full scan with SuperAntiSpyware in Safe Mode.

Here are instructions to boot to Safe Mode:
http://www.computerhope.com/issues/chsafe.htm

Do note that you will not get access to the Internet while in Safe Mode.

daniel9
2 Oct 2009, 8:53pm
Did a scan with SuperAntiSpyware in Safe Mode and nothing was found. Now even more websites aren't working: Google is blocked, the AIM server is blocked, I can hardly go to any website. Once in a while all the sites and such go unblocked. That's what took me so long. Even a proxy redirect site I had didn't work.

chiaz
4 Oct 2009, 2:29am
I am inclined to look at non-malware aspects. Have you contacted your ISP?

daniel9
4 Oct 2009, 3:36am
Yes, I've had that idea before. I didn't contact them yet, mainly because I checked a wireless computer, at the same time the sites were blocked on here, and they all worked on there. Also when I rebooted and went into Safe Mode with Networking as an admin, the sites worked. But when I did the same thing and used the user I am on, the sites didn't work. No one else has access to my computer either, that I can figure, much less during the time the added blocked sites came into the picture.

daniel9
12 Oct 2009, 6:55pm
The computer rebooted twice this morning on its own. And now the popping sounds are back, and the same sites that were blocked at first are blocked again.

I checked a couple of sites that said Malwarebytes Anti-Malware IP protection sometimes causes sites to get blocked. I unchecked it, and the sites work again for now.

Still, that wouldn't explain the computer rebooting by itself 2 times like it did before. Also, whenever it reboots, the definitions for different antivirus/antispyware programs show as being old defs from a month or 2 ago, even though I update them all every day.

chiaz
1 Nov 2009, 11:57pm
Sorry for the late reply, I must have missed this. Do you still require help?

daniel9
5 Nov 2009, 2:50pm
Is there anything else I can do to check why sites are blocked on my PC but work when I use a proxy redirect site?

chiaz
6 Nov 2009, 12:07am
Try this...

Please download the program HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip)

Unzip HostsXpert.zip

It will create a folder named HostsXpert in whatever folder you extract it to.
Run HostsXpert.exe by double clicking on it.
Click the Make Writeable? button.
Click Restore Microsoft's Hosts File and then click OK.
Click the X to exit the program.
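
Both HostsXpert steps in this thread (the 19 Sep reply and the one above) restore the hosts file because a tampered hosts file is a common reason particular sites fail on one machine and one account while a proxy redirect site, which does its own lookups, still reaches them. The script below, added here as an illustration and not part of the thread or of HostsXpert, parses a hosts file and reports every mapping that is not the stock localhost line, saying whether the hostname is sinkholed (loopback or the unspecified address) or pinned to a fixed address. The sample file content, the .test hostnames and the 203.0.113.7 address are constructed; the assumption that the stock XP file maps only localhost is stated in the code. It only reads and reports, never edits.

```python
"""Audit a Windows hosts file for mappings that could explain 'blocked' sites.

Added example for this thread; it is not part of the forum posts or of HostsXpert.
It only reads and reports; it never modifies the hosts file.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the stock Windows XP hosts file maps only localhost to 127.0.0.1.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Constructed sample hosts file. The .test hostnames are placeholders, not real sites.
# The last four mappings imitate the kind of tampering that makes specific sites
# unreachable directly while a proxy (which does its own DNS lookups) still works.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test
127.0.0.1       update.example-antivirus.test   # trailing comment is ignored
203.0.113.7     www.example-search.test
not-an-ip       www.example-news.test
"""


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    hostname: str
    line_no: int


def parse_hosts(text):
    """Return every (ip, hostname) pair in a hosts file, skipping comments and blanks.

    One line may list several hostnames for the same address; each becomes its own entry.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments, full-line or trailing
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # address with no hostname: nothing to map
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append(HostsEntry(ip, name.lower(), line_no))
    return entries


def classify(entry):
    """Explain why an entry is worth a look, or return None for a stock mapping."""
    if (entry.ip, entry.hostname) in DEFAULT_ENTRIES:
        return None
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "unparseable address (line is malformed)"
    if addr.is_loopback:
        return "sinkholed to loopback: the site will appear blocked"
    if addr.is_unspecified:
        return "mapped to the unspecified address: the site will appear blocked"
    return "pinned to a fixed address: connections are redirected away from DNS"


def audit_hosts(text):
    """Return [(HostsEntry, reason)] for every non-default mapping in the file."""
    findings = []
    for entry in parse_hosts(text):
        reason = classify(entry)
        if reason is not None:
            findings.append((entry, reason))
    return findings


def format_report(findings):
    """Render findings one per line, so the result can be pasted into a reply."""
    if not findings:
        return "hosts file contains only the default localhost mapping"
    return "\n".join(
        f"line {e.line_no}: {e.ip:<16} {e.hostname:<40} {reason}" for e, reason in findings
    )


if __name__ == "__main__":
    # On a live XP machine read C:\WINDOWS\system32\drivers\etc\hosts instead of the sample.
    print(format_report(audit_hosts(SAMPLE_HOSTS)))
```

To check a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` and pass its text to `audit_hosts`; an empty result means the file is already in the state the HostsXpert restore step produces, and the blocking must come from somewhere else (a filter driver, a proxy setting, or the DNS path), which is the direction the later replies in this thread take.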

daniel9
18 Nov 2009, 1:25am
Did that but the problem keeps coming back. And now my connection gets slower than a 56k modem, so not good, and I get a very high ping. The crashes have started again. They stopped after you told me to use ComboFix but now they are back. I called Earthlink and I'm not throttled or blocked or anything. They checked the line and said everything is fine. I connected the DSL modem directly to the computer instead of the router and the slow speeds are still there. They come and go. Earthlink said I have to buy a new modem from them so it should be here tomorrow or Thursday, I think? I hope that is the problem? But what about the crashes that have come back recently? And what did ComboFix get rid of that stopped them all for a time?