nexplore.exe, hijackthis log posted
When I do an internet search I get a nexplore.exe pop-up. Can anyone help?
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:10:20 PM, on 12/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\System32\notepad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kodakodase] Rundll32.exe "C:\ProgramData\raganapo\raganapo.dll",s
O4 - HKCU\..\Run: [bedoteyeg] Rundll32.exe "c:\progra~2\jijawomu\jijawomu.dll",a
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5987 bytes
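The entries in that log that deserve a second look are the two HKCU Run values that start Rundll32 on DLLs under ProgramData (kodakodase/raganapo and bedoteyeg/jijawomu) and the stale ICQToolBar hooks that point at "(no file)". The following triage script is an added example, not part of the original post and not a HijackThis feature; it applies exactly those checks to a constructed subset of the log lines above, and the path markers and name heuristic are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [kodakodase] Rundll32.exe "C:\ProgramData\raganapo\raganapo.dll",s
O4 - HKCU\..\Run: [bedoteyeg] Rundll32.exe "c:\progra~2\jijawomu\jijawomu.dll",a
"""

# O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# rundll32 invocation: the DLL path is the first (optionally quoted) argument, before the comma.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)
# Locations a standard user can write to (assumption of this example); a DLL auto-run
# from here deserves a look. progra~2 is the 8.3 short name the log uses for ProgramData.
USER_WRITABLE = ('\\programdata\\', '\\progra~2\\', '\\appdata\\', '\\temp\\', '\\users\\')
# Crude stand-in for the generated lowercase names seen in this log (assumption).
RANDOM_TOKEN = re.compile(r'^[a-z]{8,10}$')


@dataclass
class Finding:
    severity: str   # "high" or "low"
    entry: str      # O4 value name, or the full HJT line for "(no file)" entries
    reason: str


def looks_random(token: str) -> bool:
    return bool(RANDOM_TOKEN.match(token))


def inspect_run_entry(hive: str, name: str, command: str) -> list:
    """Apply the rundll32 / user-writable-path / mirrored-name checks to one O4 entry."""
    findings = []
    m = RUNDLL_RE.match(command.strip())
    if m:
        dll = m.group(1).strip().lower()
        if any(marker in dll for marker in USER_WRITABLE):
            findings.append(Finding("high", name,
                                    f"rundll32 loads a DLL from a user-writable path: {dll}"))
        parts = dll.replace('/', '\\').split('\\')
        if len(parts) >= 2:
            folder, base = parts[-2], parts[-1].rsplit('.', 1)[0]
            # raganapo\raganapo.dll, jijawomu\jijawomu.dll: folder name mirrors DLL name
            if folder == base and looks_random(folder) and looks_random(name):
                findings.append(Finding("high", name,
                                        "random-looking value name; folder name equals DLL name"))
    if hive == "HKCU" and findings:
        findings.append(Finding("low", name,
                                "persists via HKCU\\..\\Run; no admin rights needed to plant"))
    return findings


def triage(log_text: str) -> list:
    """Walk the HJT lines and collect findings; unknown line types are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            findings.append(Finding("low", line, "points at a missing file; stale entry to clean up"))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(inspect_run_entry(*m.groups()))
    return findings


def flagged_names(findings: list, severity: str = "high") -> list:
    """Distinct O4 value names carrying a finding of the given severity."""
    return sorted({f.entry for f in findings if f.severity == severity})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.entry}: {f.reason}")
```

The heuristics are deliberately narrow; a clean legitimate rundll32 entry under Program Files, for instance, produces no finding, so confirm anything flagged against the ComboFix deletions before acting on it.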
Comments
A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)
===============
Please download Malwarebytes' Anti-Malware by clicking the link below:
http://www.besttechie.net/tools/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.
Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
ComboFix 09-12-27.04 - mp 12/28/2009  20:55:59.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.206 [GMT -6:00]
Running from: c:\users\mp\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1371564502-211234451-2037569336-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3921902123-2398644384-1746000298-500
c:\progra~2\jijawomu\jijawomu.dll
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk
c:\program files\PAV
c:\programdata\jijawomu\jijawomu.dll
c:\programdata\ntuser.dat{66fbbe4e-96a7-11db-98bf-001302a3bd8a}.TMContainer00000000000000000001.regtrans-ms
c:\programdata\ntuser.dat{66fbbe5e-96a7-11db-98bf-001302a3bd8a}.TMContainer00000000000000000001.regtrans-ms
c:\windows\Tasks\clpjshtg.job
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.
2009-12-29 03:05 . 2009-12-29 03:07   --------   d-----w-   c:\users\mp\AppData\Local\temp
2009-12-29 03:05 . 2009-12-29 03:05   --------   d-----w-   c:\users\Default\AppData\Local\temp
2009-12-28 00:50 . 2009-12-28 00:50   --------   d-----w-   c:\users\mp\AppData\Local\Adobe
2009-12-27 22:21 . 2009-12-03 22:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 22:21 . 2009-12-03 22:13   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-27 21:38 . 2009-12-27 21:39   --------   d-----w-   c:\program files\Microsoft Security Essentials
2009-12-27 19:17 . 2009-12-27 19:17   --------   d-----w-   c:\programdata\sekanawo
2009-12-27 19:17 . 2009-12-27 19:17   --------   d-----w-   c:\programdata\mumonuwi
2009-12-27 10:03 . 2009-12-27 10:03   --------   d-----w-   c:\users\mp\AppData\Roaming\Malwarebytes
2009-12-27 10:02 . 2009-12-29 02:26   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-27 10:02 . 2009-12-27 10:02   --------   d-----w-   c:\programdata\Malwarebytes
2009-12-27 07:17 . 2009-12-27 07:17   --------   d-----w-   c:\programdata\pofegozo
2009-12-27 07:17 . 2009-12-27 07:17   --------   d-----w-   c:\programdata\kelesivu
2009-12-27 06:17 . 2009-12-27 06:17   --------   d-----w-   c:\programdata\kejawidi
2009-12-27 06:17 . 2009-12-27 06:17   --------   d-----w-   c:\programdata\dagamami
2009-12-26 18:17 . 2009-12-26 18:17   --------   d-----w-   c:\programdata\sinizamu
2009-12-26 18:17 . 2009-12-29 03:04   --------   d-----w-   c:\programdata\jijawomu
2009-12-26 17:16 . 2009-12-26 17:16   --------   d-----w-   c:\programdata\nugeloba
2009-12-26 17:16 . 2009-12-26 17:16   --------   d-----w-   c:\programdata\fedehika
2009-12-26 10:14 . 2009-12-26 10:14   --------   d-----w-   c:\programdata\lodayija
2009-12-26 10:14 . 2009-12-26 10:14   --------   d-----w-   c:\programdata\kusavapu
2009-12-26 09:13 . 2009-12-26 09:13   --------   d-----w-   c:\programdata\zisizaru
2009-12-26 09:13 . 2009-12-26 09:13   --------   d-----w-   c:\programdata\muyiseta
2009-12-26 08:13 . 2009-12-26 08:13   --------   d-----w-   c:\programdata\vutohevo
2009-12-26 08:13 . 2009-12-26 08:13   --------   d-----w-   c:\programdata\sedebodu
2009-12-26 08:13 . 2009-12-26 08:13   --------   d-----w-   c:\programdata\gorawuwi
2009-12-26 08:11 . 2009-12-26 08:11   --------   d-----w-   c:\program files\Alwil Software
2009-12-26 06:07 . 2009-12-26 06:07   --------   d-----w-   c:\programdata\WindowsSearch
2009-12-25 20:13 . 2009-12-25 20:13   --------   d-----w-   c:\programdata\vajenaso
2009-12-25 20:13 . 2009-12-25 20:13   --------   d-----w-   c:\programdata\sumogate
2009-12-25 20:13 . 2009-12-25 20:13   --------   d-----w-   c:\programdata\jipugeri
2009-12-25 20:13 . 2009-12-25 20:13   --------   d-----w-   c:\programdata\jayajuho
2009-12-25 12:57 . 2009-12-25 12:57   --------   d-----w-   c:\programdata\yuhasifo
2009-12-25 12:57 . 2009-12-25 12:57   --------   d-----w-   c:\programdata\nuwevole
2009-12-25 12:57 . 2009-12-25 12:57   --------   d-----w-   c:\programdata\mofomugo
2009-12-25 12:57 . 2009-12-25 12:57   --------   d-----w-   c:\programdata\kuvoruri
2009-12-25 00:57 . 2009-12-25 00:57   --------   d-----w-   c:\programdata\zeteyiwu
2009-12-25 00:57 . 2009-12-25 00:57   --------   d-----w-   c:\programdata\yamileju
2009-12-25 00:52 . 2009-12-27 23:48   --------   d-----w-   c:\programdata\raganapo
2009-12-25 00:52 . 2009-12-25 00:52   --------   d-----w-   c:\programdata\vamodimu
2009-12-25 00:52 . 2009-12-25 00:52   --------   d-----w-   c:\programdata\laninejo
2009-12-23 21:38 . 2009-12-24 21:44   56816   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2009-12-20 22:36 . 2009-12-20 22:36   --------   d-----w-   c:\program files\Windows Portable Devices
2009-12-20 22:02 . 2009-09-10 02:00   1164800   ----a-w-   c:\windows\system32\UIRibbonRes.dll
2009-12-20 22:02 . 2009-09-10 02:00   92672   ----a-w-   c:\windows\system32\UIAnimation.dll
2009-12-20 22:02 . 2009-09-10 02:01   3023360   ----a-w-   c:\windows\system32\UIRibbon.dll
2009-12-20 22:00 . 2009-10-01 01:02   30208   ----a-w-   c:\windows\system32\WPDShextAutoplay.exe
2009-12-20 22:00 . 2009-10-01 01:02   31232   ----a-w-   c:\windows\system32\BthMtpContextHandler.dll
2009-12-20 22:00 . 2009-10-01 01:01   81920   ----a-w-   c:\windows\system32\wpdbusenum.dll
2009-12-20 21:59 . 2009-10-01 01:01   60928   ----a-w-   c:\windows\system32\PortableDeviceConnectApi.dll
2009-12-20 21:59 . 2009-10-01 01:02   2537472   ----a-w-   c:\windows\system32\wpdshext.dll
2009-12-20 21:59 . 2009-10-01 01:02   334848   ----a-w-   c:\windows\system32\PortableDeviceApi.dll
2009-12-20 21:59 . 2009-10-01 01:02   87552   ----a-w-   c:\windows\system32\WPDShServiceObj.dll
2009-12-20 21:59 . 2009-10-01 01:01   546816   ----a-w-   c:\windows\system32\wpd_ci.dll
2009-12-20 21:59 . 2009-10-01 01:01   160256   ----a-w-   c:\windows\system32\PortableDeviceTypes.dll
2009-12-20 21:59 . 2009-10-01 01:01   100864   ----a-w-   c:\windows\system32\PortableDeviceClassExtension.dll
2009-12-20 21:59 . 2009-10-01 01:01   350208   ----a-w-   c:\windows\system32\WPDSp.dll
2009-12-20 21:59 . 2009-10-01 01:01   196608   ----a-w-   c:\windows\system32\PortableDeviceWMDRM.dll
2009-12-20 21:57 . 2009-10-08 21:08   555520   ----a-w-   c:\windows\system32\UIAutomationCore.dll
2009-12-20 21:57 . 2009-10-08 21:08   234496   ----a-w-   c:\windows\system32\oleacc.dll
2009-12-20 21:57 . 2009-10-08 21:07   4096   ----a-w-   c:\windows\system32\oleaccrc.dll
2009-12-20 21:54 . 2009-04-27 12:21   17152   ----a-w-   c:\windows\system32\authuitu.dll
2009-12-20 21:54 . 2009-04-27 12:21   28928   ----a-w-   c:\windows\system32\uxtuneup.dll
2009-12-20 21:54 . 2009-12-20 21:54   361216   ----a-w-   c:\windows\system32\TuneUpDefragService.exe
2009-12-20 03:24 . 2009-12-20 03:29   --------   d-----w-   c:\windows\system32\ca-ES
2009-12-20 03:24 . 2009-12-20 03:29   --------   d-----w-   c:\windows\system32\eu-ES
2009-12-20 03:24 . 2009-12-20 03:29   --------   d-----w-   c:\windows\system32\vi-VN
2009-12-13 09:10 . 2009-11-09 12:31   24064   ----a-w-   c:\windows\system32\nshhttp.dll
2009-12-13 09:10 . 2009-11-09 12:30   30720   ----a-w-   c:\windows\system32\httpapi.dll
2009-12-13 09:10 . 2009-11-09 10:36   411648   ----a-w-   c:\windows\system32\drivers\http.sys
2009-12-13 05:33 . 2009-12-13 05:33   --------   d-----w-   c:\users\mp\AppData\Local\Real
2009-12-13 05:32 . 2009-12-13 05:32   --------   d-----w-   c:\program files\Common Files\xing shared
2009-12-13 05:31 . 2009-12-13 05:31   --------   d-----w-   c:\program files\real
2009-12-13 03:50 . 2009-08-24 11:36   377344   ----a-w-   c:\windows\system32\winhttp.dll
2009-12-13 03:50 . 2009-10-27 14:11   834048   ----a-w-   c:\windows\system32\wininet.dll
2009-12-13 03:49 . 2009-10-27 13:16   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-12-13 03:47 . 2009-10-07 11:36   243712   ----a-w-   c:\windows\system32\rastls.dll
2009-11-29 17:03 . 2009-10-29 09:17   2048   ----a-w-   c:\windows\system32\tzres.dll
2009-11-29 05:40 . 2009-08-11 16:44   1401856   ----a-w-   c:\windows\system32\msxml6.dll
2009-11-29 05:40 . 2009-08-11 16:44   1248768   ----a-w-   c:\windows\system32\msxml3.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 02:35 . 2009-04-03 00:58   680   ----a-w-   c:\users\mp\AppData\Local\d3d9caps.dat
2009-12-29 01:50 . 2009-03-13 02:10   --------   d-----w-   c:\users\mp\AppData\Roaming\uTorrent
2009-12-29 01:50 . 2009-03-13 02:35   --------   d-----w-   c:\users\mp\AppData\Roaming\mIRC
2009-12-27 22:20 . 2009-12-27 22:20   388096   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F5B9EB77-D7B6-3431-2D84-0DBEB857FC1C}-HiJackThis.exe
2009-12-24 23:53 . 2009-04-13 01:26   --------   d-----w-   c:\users\mp\AppData\Roaming\LimeWire
2009-12-21 05:37 . 2009-12-21 05:37   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-12-21 05:35 . 2009-12-21 05:35   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33   0   ---ha-w-   c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-12-20 22:35 . 2009-12-20 22:35   0   ---ha-w-   c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-20 21:54 . 2009-03-13 02:40   604416   ----a-w-   c:\windows\system32\TUProgSt.exe
2009-12-20 21:53 . 2009-03-13 02:36   --------   d-----w-   c:\program files\TuneUp Utilities 2009
2009-12-20 03:31 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Calendar
2009-12-20 03:31 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-12-20 03:30 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Sidebar
2009-12-20 03:30 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Collaboration
2009-12-20 03:30 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Photo Gallery
2009-12-20 03:30 . 2006-11-02 12:37   --------   d-----w-   c:\program files\Windows Defender
2009-12-13 09:10 . 2009-03-13 03:22   --------   d-----w-   c:\programdata\Microsoft Help
2009-12-13 05:32 . 2009-03-13 02:17   --------   d-----w-   c:\program files\Common Files\Real
2009-12-06 20:00 . 2009-03-13 02:45   82720   ----a-w-   c:\users\mp\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-05 21:26 . 2009-12-05 21:26   439816   ----a-w-   c:\users\mp\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-05 21:05 . 2009-03-13 03:20   --------   d-----w-   c:\program files\Microsoft Works
2009-11-29 07:12 . 2009-04-13 04:54   --------   d-----w-   c:\users\mp\AppData\Roaming\vlc
2009-11-28 23:52 . 2009-11-28 23:52   --------   d-----w-   c:\program files\Microsoft Silverlight
2009-11-28 18:01 . 2009-11-28 02:53   --------   d-----w-   c:\users\mp\AppData\Roaming\Move Networks
2009-11-03 02:42 . 2009-10-03 03:40   195456   ------w-   c:\windows\system32\MpSigStub.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]
c:\users\mp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"TOSCDSPD"=TOSCDSPD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe"
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"PINGER"=c:\toshiba\IVP\ISM\pinger.exe /run
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"NDSTray.exe"=NDSTray.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):36,dd,8f,3f,26,81,ca,01
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2009 4:21 PM 276816]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [12/27/2009 4:21 PM 19160]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 6:48 PM 42480]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/16/2009 9:52 PM 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation   REG_MULTI_SZ   FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Supplementary Scan
.
uStart Page = hxxp://start.icq.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\mp\AppData\Roaming\Mozilla\Firefox\Profiles\0vzv37te.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-bedoteyeg - c:\progra~2\jijawomu\jijawomu.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 21:07
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Other Running Processes
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\System32\TUProgSt.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-12-28 21:16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 03:16
Pre-Run: 21,362,003,968 bytes free
Post-Run: 21,489,307,648 bytes free
- - End Of File - - 6C5DCEEC6C137B97966BB7BFC3BD6818
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open Notepad and copy/paste the red text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your new reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.
ComboFix 09-12-27.04 - mp 12/31/2009 0:02.2.2 - x86
Running from: c:\users\mp\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.
2009-12-31 06:11 . 2009-12-31 06:11 -------- d-----w- c:\users\mp\AppData\Local\temp
2009-12-31 06:11 . 2009-12-31 06:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-31 06:11 . 2009-12-31 06:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-28 00:50 . 2009-12-28 00:50 -------- d-----w- c:\users\mp\AppData\Local\Adobe
2009-12-27 22:21 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 22:21 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 22:20 . 2009-12-27 22:20 388096 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F5B9EB77-D7B6-3431-2D84-0DBEB857FC1C}-HiJackThis.exe
2009-12-27 21:38 . 2009-12-27 21:39 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-12-27 19:17 . 2009-12-27 19:17 -------- d-----w- c:\programdata\sekanawo
2009-12-27 19:17 . 2009-12-27 19:17 -------- d-----w- c:\programdata\mumonuwi
2009-12-27 10:03 . 2009-12-27 10:03 -------- d-----w- c:\users\mp\AppData\Roaming\Malwarebytes
2009-12-27 10:02 . 2009-12-29 02:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 10:02 . 2009-12-27 10:02 -------- d-----w- c:\programdata\Malwarebytes
2009-12-27 07:17 . 2009-12-27 07:17 -------- d-----w- c:\programdata\pofegozo
2009-12-27 07:17 . 2009-12-27 07:17 -------- d-----w- c:\programdata\kelesivu
2009-12-27 06:17 . 2009-12-27 06:17 -------- d-----w- c:\programdata\kejawidi
2009-12-27 06:17 . 2009-12-27 06:17 -------- d-----w- c:\programdata\dagamami
2009-12-26 18:17 . 2009-12-26 18:17 -------- d-----w- c:\programdata\sinizamu
2009-12-26 18:17 . 2009-12-29 03:04 -------- d-----w- c:\programdata\jijawomu
2009-12-26 17:16 . 2009-12-26 17:16 -------- d-----w- c:\programdata\nugeloba
2009-12-26 17:16 . 2009-12-26 17:16 -------- d-----w- c:\programdata\fedehika
2009-12-26 10:14 . 2009-12-26 10:14 -------- d-----w- c:\programdata\lodayija
2009-12-26 10:14 . 2009-12-26 10:14 -------- d-----w- c:\programdata\kusavapu
2009-12-26 09:13 . 2009-12-26 09:13 -------- d-----w- c:\programdata\zisizaru
2009-12-26 09:13 . 2009-12-26 09:13 -------- d-----w- c:\programdata\muyiseta
2009-12-26 08:13 . 2009-12-26 08:13 -------- d-----w- c:\programdata\vutohevo
2009-12-26 08:13 . 2009-12-26 08:13 -------- d-----w- c:\programdata\sedebodu
2009-12-26 08:13 . 2009-12-26 08:13 -------- d-----w- c:\programdata\gorawuwi
2009-12-26 08:11 . 2009-12-26 08:11 -------- d-----w- c:\program files\Alwil Software
2009-12-26 06:07 . 2009-12-26 06:07 -------- d-----w- c:\programdata\WindowsSearch
2009-12-25 20:13 . 2009-12-25 20:13 -------- d-----w- c:\programdata\vajenaso
2009-12-25 20:13 . 2009-12-25 20:13 -------- d-----w- c:\programdata\sumogate
2009-12-25 20:13 . 2009-12-25 20:13 -------- d-----w- c:\programdata\jipugeri
2009-12-25 20:13 . 2009-12-25 20:13 -------- d-----w- c:\programdata\jayajuho
2009-12-25 12:57 . 2009-12-25 12:57 -------- d-----w- c:\programdata\yuhasifo
2009-12-25 12:57 . 2009-12-25 12:57 -------- d-----w- c:\programdata\nuwevole
2009-12-25 12:57 . 2009-12-25 12:57 -------- d-----w- c:\programdata\mofomugo
2009-12-25 12:57 . 2009-12-25 12:57 -------- d-----w- c:\programdata\kuvoruri
2009-12-25 00:57 . 2009-12-25 00:57 -------- d-----w- c:\programdata\zeteyiwu
2009-12-25 00:57 . 2009-12-25 00:57 -------- d-----w- c:\programdata\yamileju
2009-12-25 00:52 . 2009-12-27 23:48 -------- d-----w- c:\programdata\raganapo
2009-12-25 00:52 . 2009-12-25 00:52 -------- d-----w- c:\programdata\vamodimu
2009-12-25 00:52 . 2009-12-25 00:52 -------- d-----w- c:\programdata\laninejo
2009-12-23 21:38 . 2009-12-24 21:44 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-20 22:36 . 2009-12-20 22:36 -------- d-----w- c:\program files\Windows Portable Devices
2009-12-20 22:02 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-12-20 22:02 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-12-20 22:02 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-12-20 22:00 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-12-20 22:00 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-12-20 22:00 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-12-20 21:59 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-12-20 21:59 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-12-20 21:59 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-12-20 21:59 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-12-20 21:59 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-12-20 21:59 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-12-20 21:59 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-12-20 21:59 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-12-20 21:59 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-12-20 21:57 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-12-20 21:57 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-12-20 21:57 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-12-20 21:54 . 2009-04-27 12:21 17152 ----a-w- c:\windows\system32\authuitu.dll
2009-12-20 21:54 . 2009-04-27 12:21 28928 ----a-w- c:\windows\system32\uxtuneup.dll
2009-12-20 21:54 . 2009-12-20 21:54 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-12-20 03:24 . 2009-12-20 03:29 -------- d-----w- c:\windows\system32\ca-ES
2009-12-20 03:24 . 2009-12-20 03:29 -------- d-----w- c:\windows\system32\eu-ES
2009-12-20 03:24 . 2009-12-20 03:29 -------- d-----w- c:\windows\system32\vi-VN
2009-12-13 09:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-13 09:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-13 09:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-13 05:33 . 2009-12-13 05:33 -------- d-----w- c:\users\mp\AppData\Local\Real
2009-12-13 05:32 . 2009-12-13 05:32 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-13 05:31 . 2009-12-13 05:31 -------- d-----w- c:\program files\real
2009-12-13 03:50 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-13 03:50 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-13 03:49 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-13 03:47 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-05 21:26 . 2009-12-05 21:26 439816 ----a-w- c:\users\mp\AppData\Roaming\Real\Update\setup3.09\setup.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 06:07 . 2009-03-13 02:35 -------- d-----w- c:\users\mp\AppData\Roaming\mIRC
2009-12-31 06:03 . 2009-03-13 02:10 -------- d-----w- c:\users\mp\AppData\Roaming\uTorrent
2009-12-30 17:35 . 2009-06-05 02:16 -------- d-----w- c:\users\mp\AppData\Roaming\dvdcss
2009-12-29 02:35 . 2009-04-03 00:58 680 ----a-w- c:\users\mp\AppData\Local\d3d9caps.dat
2009-12-24 23:53 . 2009-04-13 01:26 -------- d-----w- c:\users\mp\AppData\Roaming\LimeWire
2009-12-21 05:37 . 2009-12-21 05:37 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-12-21 05:35 . 2009-12-21 05:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-12-20 22:35 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-20 22:35 . 2009-12-20 22:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-20 21:54 . 2009-03-13 02:40 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-12-20 21:53 . 2009-03-13 02:36 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-12-20 03:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-20 03:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-20 03:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-20 03:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-20 03:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-20 03:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-13 09:10 . 2009-03-13 03:22 -------- d-----w- c:\programdata\Microsoft Help
2009-12-13 05:32 . 2009-03-13 02:17 -------- d-----w- c:\program files\Common Files\Real
2009-12-06 20:00 . 2009-03-13 02:45 82720 ----a-w- c:\users\mp\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-05 21:05 . 2009-03-13 03:20 -------- d-----w- c:\program files\Microsoft Works
2009-11-29 07:12 . 2009-04-13 04:54 -------- d-----w- c:\users\mp\AppData\Roaming\vlc
2009-11-28 23:52 . 2009-11-28 23:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-28 18:01 . 2009-11-28 02:53 -------- d-----w- c:\users\mp\AppData\Roaming\Move Networks
2009-11-03 02:42 . 2009-10-03 03:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-29 17:03 2048 ----a-w- c:\windows\system32\tzres.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]
c:\users\mp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"TOSCDSPD"=TOSCDSPD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe"
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"PINGER"=c:\toshiba\IVP\ISM\pinger.exe /run
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"NDSTray.exe"=NDSTray.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):36,dd,8f,3f,26,81,ca,01
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2009 4:21 PM 276816]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [12/27/2009 4:21 PM 19160]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 6:48 PM 42480]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/16/2009 9:52 PM 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Supplementary Scan
.
uStart Page = hxxp://start.icq.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\mp\AppData\Roaming\Mozilla\Firefox\Profiles\0vzv37te.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 00:11
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-31 00:15:26
ComboFix-quarantined-files.txt 2009-12-31 06:15
ComboFix2.txt 2009-12-29 03:16
Pre-Run: 8,979,746,816 bytes free
Post-Run: 9,023,315,968 bytes free
- - End Of File - - 5F6543FB1B0E390E982CFAA8B0DF0B53
Can you be more specific about the folder?
http://icrontic.com/forum/showpost.php?p=729907&postcount=4
All the text in red needs to be copied in.
Please try that again and let me know.
Can I have you update MalwareBytes Anti-Malware (MBAM) right now.
Then run a full scan with MBAM, and post the generated log in your reply.
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
1/3/2010 10:07:30 PM
mbam-log-2010-01-03 (22-07-30).txt
Scan type: Quick Scan
Objects scanned: 94294
Time elapsed: 12 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Ran a quick scan. Attached are the results.
Did you want me to run a full scan instead?
Let's boot into Safe Mode (You will not have any internet connectivity there, so you may want to copy my instructions to a Notepad file and save it to your desktop).
Restart your PC. As the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu.
Once you're in Safe Mode,
Manually navigate to and delete the following folders:
c:\programdata\sekanawo
c:\programdata\mumonuwi
c:\programdata\pofegozo
c:\programdata\kelesivu
c:\programdata\kejawidi
c:\programdata\dagamami
c:\programdata\sinizamu
c:\programdata\jijawomu
c:\programdata\nugeloba
c:\programdata\fedehika
c:\programdata\lodayija
c:\programdata\kusavapu
c:\programdata\zisizaru
c:\programdata\muyiseta
c:\programdata\vutohevo
c:\programdata\sedebodu
c:\programdata\gorawuwi
c:\programdata\vajenaso
c:\programdata\sumogate
c:\programdata\jipugeri
c:\programdata\jayajuho
c:\programdata\yuhasifo
c:\programdata\nuwevole
c:\programdata\mofomugo
c:\programdata\kuvoruri
c:\programdata\zeteyiwu
c:\programdata\yamileju
c:\programdata\raganapo
c:\programdata\vamodimu
c:\programdata\laninejo
Then reboot your PC, you should be able to get back to Normal Mode.
Now run ComboFix and post the fresh log in your reply.
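The thirty folders listed above are all eight lowercase letters that strictly alternate consonant and vowel, a pattern typical of machine-generated adware directory names and unlike any vendor folder normally found under ProgramData. The following script is an added example, not part of the original thread: it flags subdirectories of a ProgramData-like root whose names match that pattern, reports what each contains, and deletes them only when told to. The pattern-based heuristic, the function names, and the `--delete` switch are my own assumptions, not something the helper proposed.

```python
"""Triage helper for the ProgramData clean-up step above.

Added example, not part of the original thread. Assumption (mine, not the
helper's): the 30 folder names in the post are all eight lowercase letters
that strictly alternate consonant/vowel. The script flags such names under
a ProgramData-like root, summarises their contents, and deletes on request.
"""
import os
import re
import shutil
from pathlib import Path

# Constructed from the list in the post above.
LISTED_FOLDERS = """
sekanawo mumonuwi pofegozo kelesivu kejawidi dagamami sinizamu jijawomu
nugeloba fedehika lodayija kusavapu zisizaru muyiseta vutohevo sedebodu
gorawuwi vajenaso sumogate jipugeri jayajuho yuhasifo nuwevole mofomugo
kuvoruri zeteyiwu yamileju raganapo vamodimu laninejo
""".split()

# Exactly four consonant-vowel pairs, lowercase (assumption, see above);
# 'y' is treated as a consonant because names like lodayija use it that way.
CV_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")


def looks_like_generated_name(name: str) -> bool:
    """True if *name* matches the consonant-vowel pattern of the listed folders."""
    return bool(CV_NAME.match(name))


def find_suspect_dirs(root: Path) -> list[Path]:
    """Subdirectories of *root* whose names match the pattern, sorted by name."""
    return sorted(p for p in root.iterdir()
                  if p.is_dir() and looks_like_generated_name(p.name))


def describe(path: Path) -> dict:
    """Summarise a suspect directory: file count, total bytes, DLL/EXE names."""
    files = [f for f in path.rglob("*") if f.is_file()]
    return {
        "path": str(path),
        "files": len(files),
        "bytes": sum(f.stat().st_size for f in files),
        "executables": sorted(f.name for f in files
                              if f.suffix.lower() in {".dll", ".exe"}),
    }


def remove_suspects(root: Path, delete: bool = False) -> list[dict]:
    """Report, and with delete=True remove, suspect directories under *root*."""
    report = []
    for d in find_suspect_dirs(root):
        info = describe(d)
        if delete:
            shutil.rmtree(d)
            info["deleted"] = True
        report.append(info)
    return report


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = Path(args[0] if args else os.environ.get("ProgramData", r"C:\ProgramData"))
    # Dry run by default; pass --delete to actually remove the folders.
    for entry in remove_suspects(root, delete="--delete" in sys.argv):
        print(entry)
```

Run it once without `--delete` to see the hits and the DLL/EXE files inside them, compare that list against the one in the post, and only then rerun with `--delete`. Because the heuristic is purely name-based, check any hit that is not on the list before removing it.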
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.287 [GMT -6:00]
Running from: c:\users\mp\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\ICQ6.5\updates\ICQLRun.exe.91c2e91e127ccb34d0b0bbd8b0533169
.
((((((((((((((((((((((((( Files Created from 2009-12-06 to 2010-01-06 )))))))))))))))))))))))))))))))
.
2010-01-02 05:16 . 2010-01-02 05:16  --------  d-----w-  c:\users\mp\AppData\Local\Yahoo
2010-01-02 05:15 . 2010-01-02 05:15  --------  d-----w-  c:\programdata\Yahoo! Companion
2010-01-02 05:15 . 2010-01-02 05:16  --------  d-----w-  c:\users\mp\AppData\Roaming\Yahoo!
2010-01-02 05:14 . 2010-01-02 05:15  --------  d-----w-  c:\programdata\Yahoo!
2010-01-02 05:14 . 2009-11-10 20:39  607472  ----a-w-  c:\programdata\Yahoo!\YUpdater\yupdater.exe
2010-01-02 05:10 . 2010-01-02 05:15  --------  d-----w-  c:\program files\Yahoo!
2010-01-02 00:34 . 2010-01-02 00:40  --------  d-----w-  C:\fd515f7aea92f4913efdf10f4612
2009-12-28 00:50 . 2009-12-28 00:50  --------  d-----w-  c:\users\mp\AppData\Local\Adobe
2009-12-27 22:21 . 2009-12-03 22:14  38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 22:21 . 2009-12-03 22:13  19160  ----a-w-  c:\windows\system32\drivers\mbam.sys
2009-12-27 22:20 . 2009-12-27 22:20  388096  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\LocalCopy\{F5B9EB77-D7B6-3431-2D84-0DBEB857FC1C}-HiJackThis.exe
2009-12-27 21:38 . 2009-12-27 21:39  --------  d-----w-  c:\program files\Microsoft Security Essentials
2009-12-27 10:03 . 2009-12-27 10:03  --------  d-----w-  c:\users\mp\AppData\Roaming\Malwarebytes
2009-12-27 10:02 . 2009-12-29 02:26  --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2009-12-27 10:02 . 2009-12-27 10:02  --------  d-----w-  c:\programdata\Malwarebytes
2009-12-26 08:11 . 2009-12-26 08:11  --------  d-----w-  c:\program files\Alwil Software
2009-12-26 06:07 . 2009-12-26 06:07  --------  d-----w-  c:\programdata\WindowsSearch
2009-12-23 21:38 . 2009-12-24 21:44  56816  ----a-w-  c:\windows\system32\drivers\avgntflt.sys
2009-12-20 22:36 . 2009-12-20 22:36  --------  d-----w-  c:\program files\Windows Portable Devices
2009-12-20 22:02 . 2009-09-10 02:00  1164800  ----a-w-  c:\windows\system32\UIRibbonRes.dll
2009-12-20 22:02 . 2009-09-10 02:00  92672  ----a-w-  c:\windows\system32\UIAnimation.dll
2009-12-20 22:02 . 2009-09-10 02:01  3023360  ----a-w-  c:\windows\system32\UIRibbon.dll
2009-12-20 22:00 . 2009-10-01 01:02  30208  ----a-w-  c:\windows\system32\WPDShextAutoplay.exe
2009-12-20 22:00 . 2009-10-01 01:02  31232  ----a-w-  c:\windows\system32\BthMtpContextHandler.dll
2009-12-20 22:00 . 2009-10-01 01:01  81920  ----a-w-  c:\windows\system32\wpdbusenum.dll
2009-12-20 21:59 . 2009-10-01 01:01  60928  ----a-w-  c:\windows\system32\PortableDeviceConnectApi.dll
2009-12-20 21:59 . 2009-10-01 01:02  2537472  ----a-w-  c:\windows\system32\wpdshext.dll
2009-12-20 21:59 . 2009-10-01 01:02  334848  ----a-w-  c:\windows\system32\PortableDeviceApi.dll
2009-12-20 21:59 . 2009-10-01 01:02  87552  ----a-w-  c:\windows\system32\WPDShServiceObj.dll
2009-12-20 21:59 . 2009-10-01 01:01  546816  ----a-w-  c:\windows\system32\wpd_ci.dll
2009-12-20 21:59 . 2009-10-01 01:01  160256  ----a-w-  c:\windows\system32\PortableDeviceTypes.dll
2009-12-20 21:59 . 2009-10-01 01:01  100864  ----a-w-  c:\windows\system32\PortableDeviceClassExtension.dll
2009-12-20 21:59 . 2009-10-01 01:01  350208  ----a-w-  c:\windows\system32\WPDSp.dll
2009-12-20 21:59 . 2009-10-01 01:01  196608  ----a-w-  c:\windows\system32\PortableDeviceWMDRM.dll
2009-12-20 21:57 . 2009-10-08 21:08  555520  ----a-w-  c:\windows\system32\UIAutomationCore.dll
2009-12-20 21:57 . 2009-10-08 21:08  234496  ----a-w-  c:\windows\system32\oleacc.dll
2009-12-20 21:57 . 2009-10-08 21:07  4096  ----a-w-  c:\windows\system32\oleaccrc.dll
2009-12-20 21:54 . 2009-04-27 12:21  17152  ----a-w-  c:\windows\system32\authuitu.dll
2009-12-20 21:54 . 2009-04-27 12:21  28928  ----a-w-  c:\windows\system32\uxtuneup.dll
2009-12-20 21:54 . 2009-12-20 21:54  361216  ----a-w-  c:\windows\system32\TuneUpDefragService.exe
2009-12-20 03:24 . 2009-12-20 03:29  --------  d-----w-  c:\windows\system32\ca-ES
2009-12-20 03:24 . 2009-12-20 03:29  --------  d-----w-  c:\windows\system32\eu-ES
2009-12-20 03:24 . 2009-12-20 03:29  --------  d-----w-  c:\windows\system32\vi-VN
2009-12-13 09:10 . 2009-11-09 12:31  24064  ----a-w-  c:\windows\system32\nshhttp.dll
2009-12-13 09:10 . 2009-11-09 12:30  30720  ----a-w-  c:\windows\system32\httpapi.dll
2009-12-13 09:10 . 2009-11-09 10:36  411648  ----a-w-  c:\windows\system32\drivers\http.sys
2009-12-13 05:33 . 2009-12-13 05:33  --------  d-----w-  c:\users\mp\AppData\Local\Real
2009-12-13 05:32 . 2009-12-13 05:32  --------  d-----w-  c:\program files\Common Files\xing shared
2009-12-13 05:31 . 2009-12-13 05:31  --------  d-----w-  c:\program files\real
2009-12-13 03:50 . 2009-08-24 11:36  377344  ----a-w-  c:\windows\system32\winhttp.dll
2009-12-13 03:50 . 2009-10-27 14:11  834048  ----a-w-  c:\windows\system32\wininet.dll
2009-12-13 03:49 . 2009-10-27 13:16  78336  ----a-w-  c:\windows\system32\ieencode.dll
2009-12-13 03:47 . 2009-10-07 11:36  243712  ----a-w-  c:\windows\system32\rastls.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-06 02:54 . 2009-03-13 02:10  --------  d-----w-  c:\users\mp\AppData\Roaming\uTorrent
2010-01-05 07:23 . 2009-03-13 02:35  --------  d-----w-  c:\users\mp\AppData\Roaming\mIRC
2010-01-03 08:05 . 2009-06-05 02:16  --------  d-----w-  c:\users\mp\AppData\Roaming\dvdcss
2010-01-03 07:43 . 2009-06-13 01:32  --------  d-----w-  c:\program files\ICQ6.5
2009-12-29 02:35 . 2009-04-03 00:58  680  ----a-w-  c:\users\mp\AppData\Local\d3d9caps.dat
2009-12-24 23:53 . 2009-04-13 01:26  --------  d-----w-  c:\users\mp\AppData\Roaming\LimeWire
2009-12-21 05:37 . 2009-12-21 05:37  0  ---ha-w-  c:\windows\system32\drivers\Msft_Kernel_motport_01005.Wdf
2009-12-21 05:35 . 2009-12-21 05:35  0  ---ha-w-  c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33  0  ---ha-w-  c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01005.Wdf
2009-12-21 05:33 . 2009-12-21 05:33  0  ---ha-w-  c:\windows\system32\drivers\Msft_Kernel_motccgp_01005.Wdf
2009-12-20 22:35 . 2006-11-02 10:25  665600  ----a-w-  c:\windows\inf\drvindex.dat
2009-12-20 22:35 . 2009-12-20 22:35  0  ---ha-w-  c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-12-20 21:54 . 2009-03-13 02:40  604416  ----a-w-  c:\windows\system32\TUProgSt.exe
2009-12-20 21:53 . 2009-03-13 02:36  --------  d-----w-  c:\program files\TuneUp Utilities 2009
2009-12-20 03:31 . 2006-11-02 12:37  --------  d-----w-  c:\program files\Windows Calendar
2009-12-20 03:31 . 2006-11-02 11:18  --------  d-----w-  c:\program files\Windows Mail
2009-12-20 03:30 . 2006-11-02 12:37  --------  d-----w-  c:\program files\Windows Sidebar
2009-12-20 03:30 . 2006-11-02 12:37  --------  d-----w-  c:\program files\Windows Collaboration
2009-12-20 03:30 . 2006-11-02 12:37  --------  d-----w-  c:\program files\Windows Photo Gallery
2009-12-20 03:30 . 2006-11-02 12:37  --------  d-----w-  c:\program files\Windows Defender
2009-12-13 09:10 . 2009-03-13 03:22  --------  d-----w-  c:\programdata\Microsoft Help
2009-12-13 05:32 . 2009-03-13 02:17  --------  d-----w-  c:\program files\Common Files\Real
2009-12-06 20:00 . 2009-03-13 02:45  82720  ----a-w-  c:\users\mp\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-05 21:26 . 2009-12-05 21:26  439816  ----a-w-  c:\users\mp\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-12-05 21:05 . 2009-03-13 03:20  --------  d-----w-  c:\program files\Microsoft Works
2009-11-29 07:12 . 2009-04-13 04:54  --------  d-----w-  c:\users\mp\AppData\Roaming\vlc
2009-11-28 23:52 . 2009-11-28 23:52  --------  d-----w-  c:\program files\Microsoft Silverlight
2009-11-28 18:01 . 2009-11-28 02:53  --------  d-----w-  c:\users\mp\AppData\Roaming\Move Networks
2009-11-03 02:42 . 2009-10-03 03:40  195456  ------w-  c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-29 17:03  2048  ----a-w-  c:\windows\system32\tzres.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-12-31_06.11.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-02 05:13 . 2010-01-02 05:13  65536  c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437\vcomp.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  49152  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80KOR.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  49152  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80JPN.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  61440  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ITA.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  61440  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80FRA.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  61440  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ESP.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  57344  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ENU.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  65536  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80DEU.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  45056  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHT.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  40960  c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHS.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  57856  c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80u.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  69632  c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80.dll
+ 2006-12-28 19:15 . 2010-01-06 02:46  53156  c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-01-06 02:46  60036  c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-13 02:06 . 2010-01-06 02:46  13410  c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1371564502-211234451-2037569336-1000_UserData.bin
+ 2010-01-02 05:14 . 2010-01-02 05:14  84507  c:\windows\System32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-13 04:38 . 2010-01-06 02:44  32768  c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-13 04:38 . 2009-12-31 00:18  32768  c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-13 04:38 . 2009-12-31 00:18  32768  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-13 04:38 . 2010-01-06 02:44  32768  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-13 04:38 . 2010-01-06 02:44  16384  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-13 04:38 . 2009-12-31 00:18  16384  c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-28 06:57 . 2009-12-21 06:06  16384  c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  16384  c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-28 06:57 . 2009-12-21 06:06  32768  c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  32768  c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  16384  c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-28 06:57 . 2009-12-21 06:06  16384  c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-11-28 06:57 . 2009-12-29 02:44  16384  c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  16384  c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-11-28 06:57 . 2009-12-29 02:44  32768  c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  32768  c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-11-28 06:57 . 2009-12-29 02:44  16384  c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-28 06:57 . 2010-01-03 07:18  16384  c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-01-06 02:44 . 2010-01-06 02:44  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-29 03:06 . 2009-12-31 00:18  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-06 02:44 . 2010-01-06 02:44  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-29 03:06 . 2009-12-31 00:18  2048  c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-02 05:13 . 2010-01-02 05:13  632656  c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  554832  c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  479232  c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcm80.dll
+ 2009-11-03 00:24 . 2009-11-03 00:24  257440  c:\windows\System32\Macromed\Flash\FlashUtil10d.exe
+ 2010-01-02 05:13 . 2010-01-02 05:13  424960  c:\windows\Installer\ef8793.msi
+ 2010-01-02 05:13 . 2010-01-02 05:13  1093120  c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll
+ 2010-01-02 05:13 . 2010-01-02 05:13  1105920  c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80.dll
- 2006-11-02 10:22 . 2009-12-25 22:43  6553600  c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2010-01-06 02:27  6553600  c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-06-04 06:09 . 2010-01-02 05:13  144509436  c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-11-29 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-11-29 106496]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-11-29 81920]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-12-03 429392]
c:\users\mp\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"TOSCDSPD"=TOSCDSPD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe"
"00TCrdMain"=%ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
"HSON"=%ProgramFiles%\TOSHIBA\TBS\HSON.exe
"PINGER"=c:\toshiba\IVP\ISM\pinger.exe /run
"SmoothView"=%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
"NDSTray.exe"=NDSTray.exe
"TPwrMain"=%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):36,dd,8f,3f,26,81,ca,01
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [12/27/2009 4:21 PM 19160]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [6/18/2009 6:48 PM 42480]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/27/2009 4:21 PM 276816]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [3/16/2009 9:52 PM 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 8:18 PM 23680]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2010-01-06 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]
2010-01-06 c:\windows\Tasks\AutoSmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-12-13 19:48]
2010-01-04 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-12-13 19:48]
.
.
Supplementary Scan
.
uStart Page = hxxp://start.icq.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\mp\AppData\Roaming\Mozilla\Firefox\Profiles\0vzv37te.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 21:02
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-05 21:04:54
ComboFix-quarantined-files.txt 2010-01-06 03:04
ComboFix2.txt 2009-12-31 06:15
ComboFix3.txt 2009-12-29 03:16
Pre-Run: 25,619,050,496 bytes free
Post-Run: 25,512,960,000 bytes free
- - End Of File - - C5F934A6E62546EB01F6EA13E3F8AF67
Please download JavaRa to your desktop and unzip it to its own folder.
=====================
Now let's have you go HERE to run Panda ActiveScan 2.0.
ANALYSIS: 2010-01-10 19:51:05
PROTECTIONS: 1
MALWARE: 18
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Microsoft Security Essentials Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@atdmt[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@mediaplex[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@mediaplex[1].txt
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@linksynergy[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@bs.serving-sys[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@ads.pointroll[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@zedo[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@zedo[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@adultfriendfinder[2].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\mp@atwola[1].txt
00950035 Cookie/RegistryDefender TrackingCookie No 0 Yes No c:\users\mp\appdata\roaming\microsoft\windows\cookies\low\mp@registrydefender[2].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03ab9ad7\ncprov.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 No No c:\users\mp\appdata\local\microsoft\windows\wer\reportarchive\report06ea57a1\report.cab[{f5b9eb77-d7b6-3431-2d84-0dbeb857fc1c}-hijackthis.exe]
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03ab2a69\windowscodecs.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03a4cc34\windowscodecs.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03a4ca21\windowscodecs.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03ab94b0\ncprov.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report035c6ef8\sptip.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\windows\wer\reportqueue\report03a4a092\windowscodecs.dll.xor
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\programdata\microsoft\microsoft antimalware\localcopy\{f5b9eb77-d7b6-3431-2d84-0dbeb857fc1c}-hijackthis.exe
05829984 Adware/SystemGuard2009 Adware No 0 Yes No c:\qoobox\quarantine\c\progra~2\jijawomu\jijawomu.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\users\mp\downloads\combofix.exe[32788r22fwjfw\pev.exe]
No c:\windows\pev.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
It's time to remove ComboFix.
Go to Start > Run
Type in box
combofix /uninstall
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Even if you have no more queries, I would appreciate if you can reply once more to this thread so that I will be able to have this archived. Thanks.
Thanks for all your help!
What should I do to avoid this virus?
You may have already taken some of these steps:
1. Watch what you download!
Do not download just anything you see on the web. Some may have spyware bundled into them.
2. Try not to use peer-to-peer programs.
P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, and come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.
3. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
If Automatic Updates is turned off, please turn it on.
4. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive. Would you run just any random file downloaded off a web site without knowing what it is and what it does?
5. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.
6. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm. It is one of the most-used firewalls around the world, and is truly dependable.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
Other alternatives are: Comodo firewall, Sunbelt Kerio firewall
http://www.personalfirewall.comodo.com/
http://sunbelt-software.com/kerio.cfm
7. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Another good hosts program is mvpshosts.
http://www.mvps.org/winhelp2002/hosts.zip
This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
http://www.mvps.org/winhelp2002/hosts.htm
8. You might consider installing Mozilla Firefox. It has been said to be safer than Internet Explorer. Also it comes along with a good popup blocker.
http://www.mozilla.org/
9. Install spyware detection and removal programs. The programs on your PC - Spybot S&D and Ad-Aware - are fine, just remember to update and scan with them regularly.
10. Before using or purchasing any Spyware/Malware protection/removal program, always google and check for reviews. It will save you a lot of grief, as well as money if you are thinking of purchasing.
Let me know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
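The ActiveX settings in step 4 above are stored as per-user registry values for the Internet zone (zone 3), which makes them easy to audit after the fact. The following PowerShell script is an added example, not part of the thread or of any tool mentioned in it. It assumes the zone action IDs 1001 (download signed ActiveX controls), 1004 (download unsigned ActiveX controls) and 1201 (initialize and script ActiveX controls not marked as safe) and the state encoding 0 = Enable, 1 = Prompt, 3 = Disable, as documented by Microsoft for Internet Explorer security zones; the function names are the example's own.

```powershell
# Added example (not from the thread): audit the Internet-zone ActiveX settings recommended
# in step 4 of the post above, and optionally apply them for the current user.
# Assumed from Microsoft's zone documentation: value names are zone action IDs,
# DWORD data is 0 = Enable, 1 = Prompt, 3 = Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# The three settings the post names, with the value the post recommends for each.
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                            Want = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                          Want = 1 }  # Prompt
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';   Want = 3 }  # Disable
}
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveXState {
    # Returns one object per setting: current state, recommended state, and whether they match.
    $props = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
    foreach ($id in $recommended.Keys) {
        $current = $null
        if ($props -and $props.PSObject.Properties[$id]) { $current = [int]$props.$id }

        $currentName = if ($null -eq $current) { 'not set' }
                       elseif ($stateNames.ContainsKey($current)) { $stateNames[$current] }
                       else { "unknown ($current)" }

        [pscustomobject]@{
            Id          = $id
            Setting     = $recommended[$id].Name
            Current     = $currentName
            Recommended = $stateNames[$recommended[$id].Want]
            Compliant   = ($current -eq $recommended[$id].Want)
        }
    }
}

function Set-InternetZoneActiveXRecommended {
    # Writes the post's recommended values for the current user only (HKCU), creating the
    # zone key if it does not exist. Per-machine or Group Policy settings are not touched.
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    foreach ($id in $recommended.Keys) {
        Set-ItemProperty -Path $zonePath -Name $id -Value $recommended[$id].Want -Type DWord
    }
}

# Report the current state; non-compliant rows show Compliant = False.
Get-InternetZoneActiveXState | Format-Table -AutoSize
```

Run the script as the user whose browser settings you want to check; the report shows each of the three settings next to the recommended value, and `Set-InternetZoneActiveXRecommended` applies them. One caveat: if the machine is configured so that zone settings come from HKLM (for example through Group Policy), the HKCU values read here may not be the ones Internet Explorer actually enforces, so confirm against Internet Options > Security > Custom Level as the post describes.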