Firefox/IE Google redirect virus - logs attached (In Progress)
01-Sep-2010, 11:22 PM #1
Having a random Google / IE/Firefox redirect virus issue that I couldn't identify right away and was looking for some help. Hosts file looked clean but I could replicate the problem in both FF and IE. Here are all my log files. Any ideas? Thanks.

HJT:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:50:11 PM, on 9/1/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\RemoteX\remotex.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2010 Deluxe\Hallmark Card Studio 2010.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\David \Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteX] "C:\Program Files\RemoteX\RemoteX.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinReminders 2005] C:\Program Files\HES\WinReminders\WinReminders.exe /user
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/J...etupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01F957CC-3142-44B6-8AD4-A3F08B705A04}: NameServer = 208.67.222.222,4.4.4.4,8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{01F957CC-3142-44B6-8AD4-A3F08B705A04}: NameServer = 208.67.222.222,4.4.4.4,8.8.8.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{01F957CC-3142-44B6-8AD4-A3F08B705A04}: NameServer = 208.67.222.222,4.4.4.4,8.8.8.8
O20 - AppInit_DLLs: avgrsstx.dll acaptuser32.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

--
End of file - 10636 bytes



DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by David at 21:50:47.51 on Wed 09/01/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.540 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\WebDrive\wdService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\RemoteX\remotex.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2010 Deluxe\Hallmark Card Studio 2010.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Users\David \Desktop\OTL.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\David \Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [WebDriveTray] c:\program files\webdrive\webdrive.exe /trayicon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [RemoteX] "c:\program files\remotex\RemoteX.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [WinReminders 2005] c:\program files\hes\winreminders\WinReminders.exe /user
StartupFolder: c:\users\davidp~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\davidp~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\users\davidp~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: {01F957CC-3142-44B6-8AD4-A3F08B705A04} = 208.67.222.222,4.4.4.4,8.8.8.8
AppInit_DLLs: avgrsstx.dll acaptuser32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\davidp~1\appdata\roaming\mozilla\firefox\profiles\4xynkign.dave\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\users\david \appdata\roaming\mozilla\firefox\profiles\4xynkign.dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-28 29584]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-3-4 12672]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-10 47640]
R2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\webdrive\wdfsd.sys [2006-4-28 165888]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2010-5-18 13408]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-19 249888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-1 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-3 1343400]

=============== Created Last 30 ================

2010-08-31 10:50:54 0 d-----w- c:\users\davidp~1\appdata\roaming\Malwarebytes
2010-08-31 10:50:49 0 d-----w- c:\program files\CCleaner
2010-08-31 10:50:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 10:50:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 10:50:27 0 d-----w- c:\programdata\Malwarebytes
2010-08-31 10:50:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 04:09:31 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-31 04:09:31 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 02:49:39 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-29 17:29:58 0 d-----w- c:\program files\HES
2010-08-28 23:13:21 0 d-----w- c:\windows\system32\appmgmt
2010-08-28 18:03:44 0 d-----w- c:\programdata\ZoomBrowser
2010-08-28 18:02:50 0 d-----w- c:\program files\common files\Canon
2010-08-28 17:57:21 0 ----a-w- c:\windows\OpPrintServer.INI
2010-08-28 17:56:33 0 d-----w- c:\program files\Canon
2010-08-24 20:24:48 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-22 15:38:16 0 d-----w- c:\program files\VideoLAN
2010-08-15 23:02:09 0 d-----w- c:\program files\Microsoft
2010-08-15 23:01:53 0 d-----w- c:\program files\Windows Live SkyDrive
2010-08-15 23:01:23 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-15 23:00:45 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-15 22:58:46 0 d-----w- c:\program files\common files\Windows Live
2010-08-15 20:06:26 0 d-----w- c:\program files\Movie Rotator

==================== Find3M ====================

2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-24 05:03:58 13824 ----a-w- c:\windows\system32\slwga.dll
2010-07-24 05:03:57 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-07-16 13:03:24 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:02:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 01:28:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48:35 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:51:14.33 ===============



ARK.txt

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-01 22:17:18
Windows 6.1.7600
Running: 481ic33d.exe; Driver: C:\Users\DAVIDP~1\AppData\Local\Temp\pxldapow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3BAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E242D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E23898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3B6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3BF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E3C1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A54599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A78F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\mlmkjt.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F41F000, 0x2D5378, 0xE8000020]
.text peauth.sys 99079C9D 28 Bytes [DE, A9, 73, F8, B0, 75, 04, ...]
.text peauth.sys 99079CC1 28 Bytes [DE, A9, 73, F8, B0, 75, 04, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!NtQueryInformationProcess 770954B0 5 Bytes JMP 00780DED
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrLoadDll 770AF625 5 Bytes JMP 003F13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!closesocket 759A3BED 5 Bytes JMP 0076C549
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!recv 759A47DF 5 Bytes JMP 0076C300
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!GetAddrInfoW 759A60F5 5 Bytes JMP 0076B90E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!getaddrinfo 759A6737 5 Bytes JMP 0076B833
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!WSASend 759A68A7 5 Bytes JMP 0076C3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!WSARecv 759AC29F 5 Bytes JMP 0076C465
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!send 759AC4C8 5 Bytes JMP 0076C25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!WSAAsyncGetHostByName 759B6D2A 5 Bytes JMP 0076BBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!gethostbyname 759B7133 5 Bytes JMP 0076B779
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DrawTextExW 76297BDD 5 Bytes JMP 0076CB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DrawTextW 76298220 5 Bytes JMP 0076C94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!SetClipboardData 762A4979 5 Bytes JMP 0076C5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DrawTextA 762AA482 5 Bytes JMP 0076C873
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DrawTextExA 762AA4B9 5 Bytes JMP 0076CA25
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DialogBoxParamW 762B564A 5 Bytes JMP 0076BC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!ExtTextOutW 75858053 5 Bytes JMP 0076CCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!GetGlyphIndicesW 7585B521 5 Bytes JMP 0076D143
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!ExtTextOutA 75860158 5 Bytes JMP 0076CBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!TextOutA 75860878 5 Bytes JMP 0076C6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!TextOutW 758714B9 5 Bytes JMP 0076C7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!GetGlyphIndicesA 7587BC42 5 Bytes JMP 0076D07C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4508] USER32.dll!TrackPopupMenu 762B4B3B 5 Bytes JMP 5F0F721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
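A triage pass over the "User code sections" block of the GMER log above, added here as a worked example; it is not from the original post and is not part of GMER. Every hook line GMER prints has a fixed shape, and the trailing "owner (description)" is only present when GMER could map the JMP target to a loaded module (the LdrLoadDll hook resolves to firefox.exe and the TrackPopupMenu hook to xul.dll; the WS2_32, USER32 and GDI32 hooks in the log resolve to nothing). The script parses that shape from a constructed subset of the ARK.txt lines and reports the hooks on the Winsock name-resolution and send/receive exports whose JMP lands in unattributed memory, which is where a browser redirector would have to sit to rewrite lookups or traffic. The export list is my choice of what to flag, not something GMER defines.

```python
"""Triage the 'User code sections' block of a GMER log.

Added example for this thread: not from the original post and not part of
GMER. Each hook line GMER prints has the shape

  .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner> (<desc>)]

and the trailing <owner> (<desc>) is only present when GMER can map the JMP
target to a loaded module. The sample below is a constructed subset of the
ARK.txt lines in post #1.
"""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrLoadDll 770AF625 5 Bytes JMP 003F13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!recv 759A47DF 5 Bytes JMP 0076C300
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!getaddrinfo 759A6737 5 Bytes JMP 0076B833
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] WS2_32.dll!gethostbyname 759B7133 5 Bytes JMP 0076B779
.text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!DrawTextW 76298220 5 Bytes JMP 0076C94C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4508] USER32.dll!TrackPopupMenu 762B4B3B 5 Bytes JMP 5F0F721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----
"""

# One hook line; the owner/desc tail is optional (absent when unattributed).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+(?P<addr>[0-9A-F]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Exports a browser redirector must sit on to rewrite lookups or traffic.
# This list is the example's own choice of what to flag.
NETWORK_APIS = {
    ("WS2_32.dll", "getaddrinfo"), ("WS2_32.dll", "GetAddrInfoW"),
    ("WS2_32.dll", "gethostbyname"), ("WS2_32.dll", "WSAAsyncGetHostByName"),
    ("WS2_32.dll", "send"), ("WS2_32.dll", "recv"),
    ("WS2_32.dll", "WSASend"), ("WS2_32.dll", "WSARecv"),
}


def parse_hooks(text):
    """Return one dict per hook line; owner/desc are None when unattributed."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            hooks.append(h)
    return hooks


def unattributed_network_hooks(text):
    """Map 'image[pid]' -> network exports hooked by a JMP into unnamed memory."""
    findings = defaultdict(list)
    for h in parse_hooks(text):
        if h["owner"] is None and (h["module"], h["export"]) in NETWORK_APIS:
            findings["%s[%d]" % (h["image"], h["pid"])].append(h["export"])
    return dict(findings)


if __name__ == "__main__":
    for proc, exports in unattributed_network_hooks(SAMPLE_GMER).items():
        print(proc)
        for e in exports:
            print("   JMP out of", e, "lands in unattributed memory")
```

Run as a script it prints the findings for the sample; call parse_hooks() on a saved ARK.txt for the real thing. The caveat a practitioner needs: AV link scanners and other security software place identical inline hooks on exactly these exports, so an unattributed JMP is a lead to follow (attach a debugger to the process and inspect the region around the target to see whether any module owns it), not a verdict on its own.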
da123 (Junior Member with 24 posts; Join Date: Sep 2010; Experience: Advanced)
03-Sep-2010, 05:28 PM #2
Any ideas guys?
CatByte (Malware Removal Specialist with 3,373 posts; Join Date: Feb 2009)
06-Sep-2010, 06:12 PM #3
Hi

Please do the following:

Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2



**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
__________________
Microsoft MVP - 2010, 2011
da123 (Junior Member with 24 posts; Join Date: Sep 2010; Experience: Advanced)
06-Sep-2010, 06:47 PM #4
Thanks. The problem is spontaneous; it doesn't always have the redirect problem, but sometimes it does.

Here's my combofix log:

ComboFix 10-09-06.03 - David 09/06/2010 17:36:37.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.772 [GMT -4:00]
Running from: c:\users\David \Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-06 21:40 . 2010-09-06 21:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-06 21:40 . 2010-09-06 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-04 16:10 . 2010-08-30 18:33 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-09-04 16:10 . 2010-08-30 18:33 338944 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-09-04 16:10 . 2010-08-30 18:33 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-09-04 16:10 . 2010-08-30 18:34 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iTunes
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iPod
2010-09-03 21:57 . 2010-09-03 21:58 -------- d-----w- c:\program files\QuickTime
2010-09-03 21:56 . 2010-09-03 21:56 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 21:12 . 2010-09-03 21:15 -------- d-----w- c:\users\David \AppData\Roaming\X-Chat 2
2010-09-03 21:12 . 2010-09-03 21:56 -------- d-----w- c:\program files\xchat
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\users\David \AppData\Roaming\Malwarebytes
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\CCleaner
2010-08-31 10:50 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\programdata\Malwarebytes
2010-08-31 10:50 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 04:09 . 2010-09-02 03:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-31 04:09 . 2010-08-31 04:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 02:49 . 2010-08-31 02:49 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-29 17:30 . 2010-08-29 17:30 -------- d-----w- c:\users\David \AppData\Local\HES
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_95F3A2F1DA26B96BA11820.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_8BA7CBC971BCDA84F8DD2E.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_6FEFF9B68218417F98F549.exe
2010-08-29 17:29 . 2010-08-29 17:29 -------- d-----w- c:\program files\HES
2010-08-28 18:03 . 2010-08-28 18:03 -------- d-----w- c:\programdata\ZoomBrowser
2010-08-28 18:02 . 2010-08-28 18:02 -------- d-----w- c:\program files\Common Files\Canon
2010-08-28 17:56 . 2010-08-28 18:04 -------- d-----w- c:\program files\Canon
2010-08-24 20:24 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-22 15:38 . 2010-08-22 15:53 -------- d-----w- c:\users\David \AppData\Roaming\vlc
2010-08-22 15:38 . 2010-08-22 15:38 -------- d-----w- c:\program files\VideoLAN
2010-08-16 01:01 . 2010-06-20 08:21 214016 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Microsoft
2010-08-15 23:01 . 2010-08-15 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-15 23:01 . 2010-08-15 23:02 -------- d-----w- c:\program files\Windows Live
2010-08-15 23:01 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-15 23:00 . 2010-08-15 23:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-15 22:58 . 2010-08-15 22:58 -------- d-----w- c:\program files\Common Files\Windows Live
2010-08-15 20:06 . 2010-08-15 20:06 -------- d-----w- c:\program files\Movie Rotator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-06 09:47 . 2010-06-10 19:45 -------- d-----w- c:\program files\LogMeIn
2010-09-04 05:49 . 2010-04-24 15:22 -------- d-----w- c:\program files\RemoteX
2010-09-04 05:47 . 2010-03-01 02:24 78620325 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\Mail\Local Folders\Inbox.sbd\DP.com
2010-09-03 21:59 . 2010-03-01 03:12 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\program files\mIRC
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\users\David \AppData\Roaming\mIRC
2010-08-31 10:39 . 2010-06-12 22:40 -------- d-----w- c:\program files\Xilisoft
2010-08-31 02:50 . 2010-06-12 22:43 -------- d-----w- c:\users\David \AppData\Roaming\Xilisoft
2010-08-28 18:05 . 2010-03-06 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-28 17:55 . 2010-03-06 16:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-15 19:18 . 2010-03-01 02:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-29 06:30 . 2010-08-11 23:27 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 23:27 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 05:16 . 2010-07-26 03:23 -------- d-----w- c:\program files\MagicISO
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Application Verifier
2010-07-28 01:54 . 2010-07-25 15:24 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-07-28 01:35 . 2010-04-26 02:02 -------- d-----w- c:\program files\BedtimeHelp
2010-07-25 21:40 . 2010-07-25 21:35 -------- d-----w- c:\users\David \AppData\Roaming\Ringtone Expressions
2010-07-25 15:24 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-07-25 15:23 . 2010-07-25 15:23 -------- d-----w- c:\program files\Microsoft SDKs
2010-07-24 05:03 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-07-24 05:03 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-07-16 13:03 . 2010-07-16 13:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:02 . 2010-03-01 03:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 01:28 . 2010-07-06 01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 06:25 . 2010-08-11 23:27 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 21:00 . 2010-06-25 02:21 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-22 20:59 . 2010-06-25 02:21 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-22 20:59 . 2010-06-25 02:21 339456 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-22 20:59 . 2010-06-25 02:21 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-22 02:47 . 2010-08-11 23:27 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 23:27 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 23:27 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 23:27 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 23:27 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 23:27 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 23:27 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 23:27 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 23:27 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-14 03:00 . 2010-06-14 03:02 29253144 ----a-w- c:\users\Public\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-06-12 16:59 . 2010-06-12 16:59 0 ----a-w- c:\windows\nsreg.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-04-01 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-09-03_03.43.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-04 03:58 . 2010-09-04 05:50 35216 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-09-04 05:50 29174 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-13 23:55 . 2009-07-14 01:14 17408 c:\windows\System32\TFTP.EXE
- 2009-07-14 04:50 . 2010-06-22 01:22 86016 c:\windows\System32\DriverStore\infpub.dat
+ 2009-07-14 04:50 . 2010-09-04 16:05 86016 c:\windows\System32\DriverStore\infpub.dat
+ 2010-04-20 00:47 . 2010-04-20 00:47 41984 c:\windows\System32\DriverStore\FileRepository\usbaapl.inf_x86_neutral_1afa095d447e8d52\usbaapl.sys
+ 2010-03-01 01:39 . 2010-09-04 17:02 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 01:39 . 2010-09-02 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 01:39 . 2010-09-02 10:50 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 01:39 . 2010-09-04 17:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:41 . 2010-09-04 17:02 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:41 . 2010-09-02 10:50 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-02 10:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:34 . 2010-09-06 16:02 74432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2009-07-14 04:34 . 2010-08-08 00:29 74432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-03-01 02:24 . 2010-09-04 05:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-02 10:50 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-02 10:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 02:24 . 2010-09-02 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-01 05:00 . 2010-09-06 21:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-01 05:00 . 2010-09-03 03:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 05:00 . 2010-09-06 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-03-01 05:00 . 2010-09-03 03:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-03-01 05:00 . 2010-09-06 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-03-01 05:00 . 2010-09-03 03:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2010-03-01 02:24 . 2010-09-03 03:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-06 21:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-02 10:50 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 05:19 . 2010-09-04 05:50 4960 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-623889280-2913089192-2681729872-1000_UserData.bin
+ 2010-09-04 05:49 . 2010-09-04 05:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-09-02 10:49 . 2010-09-02 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-04 05:49 . 2010-09-04 05:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-09-02 10:49 . 2010-09-02 10:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2010-09-04 05:53 659580 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-09-02 10:54 659580 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-09-02 10:54 120508 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-09-04 05:53 120508 c:\windows\System32\perfc009.dat
- 2009-07-14 04:50 . 2010-06-22 01:22 143360 c:\windows\System32\DriverStore\infstrng.dat
+ 2009-07-14 04:50 . 2010-09-04 16:05 143360 c:\windows\System32\DriverStore\infstrng.dat
- 2009-07-14 04:50 . 2010-06-21 02:57 143360 c:\windows\System32\DriverStore\infstor.dat
+ 2009-07-14 04:50 . 2010-09-03 21:57 143360 c:\windows\System32\DriverStore\infstor.dat
+ 2010-09-03 21:59 . 2010-09-03 21:59 380928 c:\windows\Installer\{350FB27C-CF62-4EF3-AF9D-70FF313FE221}\iTunesIco.exe
+ 2009-07-14 02:03 . 2010-09-06 15:41 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:03 . 2010-09-02 14:38 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2010-04-20 00:47 . 2010-04-20 00:47 3062048 c:\windows\System32\DriverStore\FileRepository\usbaapl.inf_x86_neutral_1afa095d447e8d52\usbaaplrc.dll
+ 2009-07-14 04:34 . 2010-09-06 15:31 4853057 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:34 . 2010-08-07 23:58 4853057 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2010-09-03 21:56 . 2010-09-03 21:56 9011712 c:\windows\Installer\7894cf4.msi
+ 2009-07-14 07:18 . 2010-09-03 21:31 25335278 c:\windows\winsxs\ManifestCache\e4e8be02b8fae2a7_blobs.bin
+ 2010-09-03 21:56 . 2010-09-03 21:56 37633536 c:\windows\Installer\78957c7.msi
+ 2010-09-03 21:56 . 2010-09-03 21:56 26927616 c:\windows\Installer\7895030.msi
+ 2010-09-03 21:56 . 2010-09-03 21:56 14796800 c:\windows\Installer\7894c58.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-06 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"WebDriveTray"="c:\program files\WebDrive\webdrive.exe" [2006-05-23 1646592]
"RemoteX"="c:\program files\RemoteX\RemoteX.exe" [2010-03-22 212480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"WinReminders 2005"="c:\program files\HES\WinReminders\WinReminders.exe" [2010-08-10 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\users\David \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-2 576000]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2010-2-28 12746928]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-6 267520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2006-04-28 165888]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-05-18 13408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]

.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-06 c:\windows\Tasks\WinReminders Reminder Schedule for David .job
- c:\program files\HES\WinReminders\WinReminders.exe [2010-08-10 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: {01F957CC-3142-44B6-8AD4-A3F08B705A04} = 208.67.222.222,4.4.4.4,8.8.8.8
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9 c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-06 17:42:06
ComboFix-quarantined-files.txt 2010-09-06 21:42
ComboFix2.txt 2010-09-03 03:45

Pre-Run: 725,879,705,600 bytes free
Post-Run: 725,871,292,416 bytes free

- - End Of File - - 181A1F3E7655B5383ABCFEF6D45E5526
Malware Removal Specialist with 3,373 posts.
Join Date: Feb 2009
06-Sep-2010, 07:52 PM #5
Hi

Please do the following

Please look for the log from the first run of ComboFix (that was the second); it should be located at c:\qoobox\combofix2.txt


next:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
RegLock::
[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT



Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel, click on the file c:\windows\system32\netcorehct.dll, then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.
__________________
Microsoft MVP - 2010, 2011

Last edited by CatByte; 06-Sep-2010 at 08:01 PM..
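As an added illustration of the triage behind these requests (my own example, not code from the thread or from ComboFix; the reading of the log columns and both heuristics are assumptions), a small parser that flags hidden+system files created in system32 during the scan window and lists the locked keys that a RegLock:: script names:

```python
r"""Triage helper for ComboFix-style log text (added example, not from the thread
or from ComboFix). Two heuristics of my own, applied to the format shown above:
  1. files under system32 created inside the scan window whose attribute flags
     carry both system (s) and hidden (h), as netcorehct.dll does;
  2. each LOCKED REGISTRY KEYS entry paired with its @Denied principal (the
     keys a RegLock:: script names).
File lines are read as  <created> . <modified> <size|--------> <attrs> <path>
with <attrs> an 8-column flag string (col 0 = d, 2 = s, 3 = h, 4 = a, 6 = r/w);
that column reading is my interpretation of the samples, not a documented format.
"""
import re
from datetime import datetime

FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$"
)
WINDOW_LINE = re.compile(r"Files Created from (\d{4}-\d{2}-\d{2}) to (\d{4}-\d{2}-\d{2})")
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
DENIED_LINE = re.compile(r"^@Denied: \(([^)]*)\) \(([^)]*)\)$")

# Constructed sample in the same shape as the log above; the SID is a placeholder.
SAMPLE_LOG = r"""
((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))
.
2010-08-31 10:50 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 02:49 . 2010-08-31 02:49 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-24 20:24 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-28 18:05 . 2010-03-06 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""


def parse_file_entries(text):
    """Return one dict per file/directory line; all other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size == "--------" else int(size),  # directories have no size
            "attrs": attrs,
            "path": path,
        })
    return entries


def scan_window(text):
    """Dates from the 'Files Created from X to Y' banner, or (None, None)."""
    m = WINDOW_LINE.search(text)
    if not m:
        return None, None
    return tuple(datetime.strptime(d, "%Y-%m-%d").date() for d in m.groups())


def suspicious_system_files(entries, start=None, end=None):
    """Paths under system32 created within [start, end] (dates, either may be
    None) whose flags carry both system and hidden. Hidden+system files outside
    system32 (the Fonts cache) or outside the window are deliberately not flagged."""
    hits = []
    for e in entries:
        if "\\windows\\system32\\" not in e["path"].lower():
            continue
        if e["attrs"][2] != "s" or e["attrs"][3] != "h":
            continue
        day = e["created"].date()
        if (start and day < start) or (end and day > end):
            continue
        hits.append(e["path"])
    return hits


def locked_keys(text):
    """(key, denied_level, principal) for each entry of the LOCKED REGISTRY KEYS section."""
    results, in_section, current = [], False, None
    for line in text.splitlines():
        line = line.strip()
        if "LOCKED REGISTRY KEYS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1)
            continue
        d = DENIED_LINE.match(line)
        if d and current:
            results.append((current, d.group(1), d.group(2)))
            current = None
    return results


def triage(text):
    """Combine both checks into one report dict."""
    start, end = scan_window(text)
    return {
        "scan_window": (start, end),
        "suspicious_files": suspicious_system_files(parse_file_entries(text), start, end),
        "locked_keys": locked_keys(text),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_LOG).items():
        print(section, value)
```

Run against a saved ComboFix log instead of SAMPLE_LOG to get the same two lists for a real machine.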
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 10:22 PM #6
Ok. Here's the first ComboFix log. I'll do the other steps you suggested and post back once it's done scanning. Thanks!

ComboFix 10-09-01.04 - David 09/02/2010 23:39:46.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.869 [GMT -4:00]
Running from: c:\users\David \Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-09-03 03:43 . 2010-09-03 03:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\users\David \AppData\Roaming\Malwarebytes
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\CCleaner
2010-08-31 10:50 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\programdata\Malwarebytes
2010-08-31 10:50 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 04:09 . 2010-09-02 03:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-31 04:09 . 2010-08-31 04:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 02:49 . 2010-08-31 02:49 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-29 17:30 . 2010-08-29 17:30 -------- d-----w- c:\users\David \AppData\Local\HES
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_95F3A2F1DA26B96BA11820.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_8BA7CBC971BCDA84F8DD2E.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_6FEFF9B68218417F98F549.exe
2010-08-29 17:29 . 2010-08-29 17:29 -------- d-----w- c:\program files\HES
2010-08-28 18:03 . 2010-08-28 18:03 -------- d-----w- c:\programdata\ZoomBrowser
2010-08-28 18:02 . 2010-08-28 18:02 -------- d-----w- c:\program files\Common Files\Canon
2010-08-28 17:56 . 2010-08-28 18:04 -------- d-----w- c:\program files\Canon
2010-08-24 20:24 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-22 15:38 . 2010-08-22 15:53 -------- d-----w- c:\users\David \AppData\Roaming\vlc
2010-08-22 15:38 . 2010-08-22 15:38 -------- d-----w- c:\program files\VideoLAN
2010-08-16 01:01 . 2010-06-20 08:21 214016 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Microsoft
2010-08-15 23:01 . 2010-08-15 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-15 23:01 . 2010-08-15 23:02 -------- d-----w- c:\program files\Windows Live
2010-08-15 23:01 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-15 23:00 . 2010-08-15 23:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-15 22:58 . 2010-08-15 22:58 -------- d-----w- c:\program files\Common Files\Windows Live
2010-08-15 20:06 . 2010-08-15 20:06 -------- d-----w- c:\program files\Movie Rotator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-03 03:26 . 2010-03-01 02:24 78611317 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\Mail\Local Folders\Inbox.sbd\DP.com
2010-09-02 10:50 . 2010-04-24 15:22 -------- d-----w- c:\program files\RemoteX
2010-09-02 10:48 . 2010-06-10 19:45 -------- d-----w- c:\program files\LogMeIn
2010-08-31 10:39 . 2010-06-12 22:40 -------- d-----w- c:\program files\Xilisoft
2010-08-31 02:50 . 2010-06-12 22:43 -------- d-----w- c:\users\David \AppData\Roaming\Xilisoft
2010-08-28 18:05 . 2010-03-06 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-28 17:55 . 2010-03-06 16:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-15 19:18 . 2010-03-01 02:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-08-05 02:48 . 2010-04-10 03:32 -------- d-----w- c:\users\David \AppData\Roaming\mIRC
2010-08-05 02:23 . 2010-04-10 03:32 -------- d-----w- c:\program files\mIRC
2010-07-29 06:30 . 2010-08-11 23:27 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 23:27 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 05:16 . 2010-07-26 03:23 -------- d-----w- c:\program files\MagicISO
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Application Verifier
2010-07-28 01:54 . 2010-07-25 15:24 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-07-28 01:35 . 2010-04-26 02:02 -------- d-----w- c:\program files\BedtimeHelp
2010-07-25 21:40 . 2010-07-25 21:35 -------- d-----w- c:\users\David \AppData\Roaming\Ringtone Expressions
2010-07-25 15:24 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-07-25 15:23 . 2010-07-25 15:23 -------- d-----w- c:\program files\Microsoft SDKs
2010-07-24 05:03 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-07-24 05:03 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-07-23 21:22 . 2010-07-31 01:09 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-23 21:22 . 2010-07-31 01:09 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-23 21:22 . 2010-07-31 01:09 338944 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-23 21:22 . 2010-07-31 01:09 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-07-21 04:21 . 2010-06-21 02:58 -------- d-----w- c:\program files\iTunes
2010-07-21 04:21 . 2010-07-21 04:21 -------- d-----w- c:\program files\iPod
2010-07-21 04:21 . 2010-03-01 03:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-21 04:19 . 2010-07-21 04:19 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-16 13:03 . 2010-07-16 13:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:02 . 2010-03-01 03:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 01:32 . 2010-05-01 23:25 -------- d-----w- c:\program files\Google
2010-07-06 01:28 . 2010-07-06 01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 06:25 . 2010-08-11 23:27 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 21:00 . 2010-06-25 02:21 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-22 20:59 . 2010-06-25 02:21 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-22 20:59 . 2010-06-25 02:21 339456 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-22 20:59 . 2010-06-25 02:21 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-22 02:47 . 2010-08-11 23:27 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 23:27 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 23:27 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 06:33 . 2010-08-11 23:27 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 23:27 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 23:27 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 23:27 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 23:27 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 23:27 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-14 03:00 . 2010-06-14 03:02 29253144 ----a-w- c:\users\Public\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-06-12 16:59 . 2010-06-12 16:59 0 ----a-w- c:\windows\nsreg.dat
2010-06-08 06:02 . 2010-08-11 23:27 1233920 ----a-w- c:\windows\system32\msxml3.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-04-01 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-06 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"WebDriveTray"="c:\program files\WebDrive\webdrive.exe" [2006-05-23 1646592]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"RemoteX"="c:\program files\RemoteX\RemoteX.exe" [2010-03-22 212480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
"WinReminders 2005"="c:\program files\HES\WinReminders\WinReminders.exe" [2010-08-10 221184]

c:\users\David \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-2 576000]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2010-2-28 12746928]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-6 267520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2006-04-28 165888]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-05-18 13408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD24
*Deregistered* - klmd24
.
Contents of the 'Scheduled Tasks' folder

2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-02 c:\windows\Tasks\WinReminders Reminder Schedule for David .job
- c:\program files\HES\WinReminders\WinReminders.exe [2010-08-10 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: {01F957CC-3142-44B6-8AD4-A3F08B705A04} = 208.67.222.222,4.4.4.4,8.8.8.8
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-623889280-2913089192-2681729872-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-02 23:45:03
ComboFix-quarantined-files.txt 2010-09-03 03:45

Pre-Run: 725,844,606,976 bytes free
Post-Run: 725,895,602,176 bytes free

- - End Of File - - 2B0D5197D6B10D5F8B24549858473456
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 10:36 PM #7
ComboFix with CFScript:

ComboFix 10-09-06.03 - David 09/06/2010 21:25:22.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.905 [GMT -4:00]
Running from: c:\users\David \Desktop\ComboFix.exe
Command switches used :: c:\users\David \Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

c:\windows\System32\Dxpserver.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 01:29 . 2010-09-07 01:29 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-07 01:29 . 2010-09-07 01:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iTunes
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iPod
2010-09-03 21:57 . 2010-09-03 21:58 -------- d-----w- c:\program files\QuickTime
2010-09-03 21:12 . 2010-09-03 21:15 -------- d-----w- c:\users\David \AppData\Roaming\X-Chat 2
2010-09-03 21:12 . 2010-09-03 21:56 -------- d-----w- c:\program files\xchat
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\users\David \AppData\Roaming\Malwarebytes
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\CCleaner
2010-08-31 10:50 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\programdata\Malwarebytes
2010-08-31 10:50 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 04:09 . 2010-09-02 03:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-31 04:09 . 2010-08-31 04:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 02:49 . 2010-08-31 02:49 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-29 17:30 . 2010-08-29 17:30 -------- d-----w- c:\users\David \AppData\Local\HES
2010-08-29 17:29 . 2010-08-29 17:29 -------- d-----w- c:\program files\HES
2010-08-28 18:03 . 2010-08-28 18:03 -------- d-----w- c:\programdata\ZoomBrowser
2010-08-28 18:02 . 2010-08-28 18:02 -------- d-----w- c:\program files\Common Files\Canon
2010-08-28 17:56 . 2010-08-28 18:04 -------- d-----w- c:\program files\Canon
2010-08-24 20:24 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-22 15:38 . 2010-08-22 15:53 -------- d-----w- c:\users\David \AppData\Roaming\vlc
2010-08-22 15:38 . 2010-08-22 15:38 -------- d-----w- c:\program files\VideoLAN
2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Microsoft
2010-08-15 23:01 . 2010-08-15 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-15 23:01 . 2010-08-15 23:02 -------- d-----w- c:\program files\Windows Live
2010-08-15 23:01 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-15 23:00 . 2010-08-15 23:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-15 22:58 . 2010-08-15 22:58 -------- d-----w- c:\program files\Common Files\Windows Live
2010-08-15 20:06 . 2010-08-15 20:06 -------- d-----w- c:\program files\Movie Rotator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 01:31 . 2010-04-24 15:22 -------- d-----w- c:\program files\RemoteX
2010-09-06 09:47 . 2010-06-10 19:45 -------- d-----w- c:\program files\LogMeIn
2010-09-04 05:47 . 2010-03-01 02:24 78620325 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\Mail\Local Folders\Inbox.sbd\DP.com
2010-09-03 21:59 . 2010-03-01 03:12 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 21:56 . 2010-09-03 21:56 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\program files\mIRC
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\users\David \AppData\Roaming\mIRC
2010-08-31 10:39 . 2010-06-12 22:40 -------- d-----w- c:\program files\Xilisoft
2010-08-31 02:50 . 2010-06-12 22:43 -------- d-----w- c:\users\David \AppData\Roaming\Xilisoft
2010-08-30 18:34 . 2010-09-04 16:10 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-30 18:33 . 2010-09-04 16:10 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-30 18:33 . 2010-09-04 16:10 338944 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-30 18:33 . 2010-09-04 16:10 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_95F3A2F1DA26B96BA11820.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_8BA7CBC971BCDA84F8DD2E.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_6FEFF9B68218417F98F549.exe
2010-08-28 18:05 . 2010-03-06 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-28 17:55 . 2010-03-06 16:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-15 19:18 . 2010-03-01 02:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-29 06:30 . 2010-08-11 23:27 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 23:27 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 05:16 . 2010-07-26 03:23 -------- d-----w- c:\program files\MagicISO
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Application Verifier
2010-07-28 01:54 . 2010-07-25 15:24 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-07-28 01:35 . 2010-04-26 02:02 -------- d-----w- c:\program files\BedtimeHelp
2010-07-25 21:40 . 2010-07-25 21:35 -------- d-----w- c:\users\David \AppData\Roaming\Ringtone Expressions
2010-07-25 15:24 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-07-25 15:23 . 2010-07-25 15:23 -------- d-----w- c:\program files\Microsoft SDKs
2010-07-24 05:03 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-07-24 05:03 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-07-16 13:03 . 2010-07-16 13:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:02 . 2010-03-01 03:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 01:28 . 2010-07-06 01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 06:25 . 2010-08-11 23:27 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 21:00 . 2010-06-25 02:21 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-22 20:59 . 2010-06-25 02:21 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-22 20:59 . 2010-06-25 02:21 339456 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-22 20:59 . 2010-06-25 02:21 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-22 02:47 . 2010-08-11 23:27 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 23:27 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 23:27 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-20 08:21 . 2010-08-16 01:01 214016 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-06-19 06:33 . 2010-08-11 23:27 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 23:27 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 23:27 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 23:27 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 23:27 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 23:27 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-14 03:00 . 2010-06-14 03:02 29253144 ----a-w- c:\users\Public\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-06-12 16:59 . 2010-06-12 16:59 0 ----a-w- c:\windows\nsreg.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-04-01 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-06 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"WebDriveTray"="c:\program files\WebDrive\webdrive.exe" [2006-05-23 1646592]
"RemoteX"="c:\program files\RemoteX\RemoteX.exe" [2010-03-22 212480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"WinReminders 2005"="c:\program files\HES\WinReminders\WinReminders.exe" [2010-08-10 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\users\David \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-2 576000]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2010-2-28 12746928]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-6 267520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2006-04-28 165888]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-05-18 13408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]

.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-07 c:\windows\Tasks\WinReminders Reminder Schedule for David .job
- c:\program files\HES\WinReminders\WinReminders.exe [2010-08-10 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: {01F957CC-3142-44B6-8AD4-A3F08B705A04} = 208.67.222.222,4.4.4.4,8.8.8.8
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\atieclxx.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\WebDrive\wdService.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-09-06 21:35:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 01:35
ComboFix2.txt 2010-09-06 21:42
ComboFix3.txt 2010-09-03 03:45

Pre-Run: 725,948,153,856 bytes free
Post-Run: 725,925,027,840 bytes free

- - End Of File - - 384B67573E04389D96DCB380FA750900
da123
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 10:45 PM #8
MBAM, clean:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4558

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/6/2010 9:41:39 PM
mbam-log-2010-09-06 (21-41-39).txt

Scan type: Quick scan
Objects scanned: 136811
Time elapsed: 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
da123
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 10:48 PM #9
Nice and interesting: when trying to submit that file to VirusTotal, it was read-only, and I didn't have permission to access it ("You don't have permission to open this file") even though I am the Admin. I changed some security settings and managed to upload the file for analysis; here are the results (preview: 2/43 ID'd it as a virus):

http://www.virustotal.com/file-scan/...e85-1283823869
CatByte
Malware Removal Specialist with 3,373 posts.
Join Date: Feb 2009
06-Sep-2010, 11:07 PM #10
Hi,

Please do the following:

Note: make sure you have an internet connection, as I am requesting that the file be uploaded.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
http://forums.techguy.org/virus-other-malware-removal/947293-firefox-ie-google-redirect-virus.html

Suspect::
c:\windows\system32\netcorehct.dll
c:\windows\System32\user32.dll
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
    *user32*
    *Dxpserver*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
__________________
Microsoft MVP - 2010, 2011

Last edited by CatByte; 06-Sep-2010 at 11:14 PM..
da123
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 11:32 PM #11
SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 22:31 on 06/09/2010 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "*user32*"
C:\Program Files\Debugging Tools for Windows (x86)\winext\manifest\user32.h --a---- 130274 bytes [18:38 24/08/2009] [18:38 24/08/2009] 12A39571E13FDB0E495C597F76A068B3
C:\Symbols\user32.pdb\C1D1D6EB9354465389912A697CCB2D502\user32.pdb --a---- 1108992 bytes [20:29 16/07/2009] [20:29 16/07/2009] BD60A3907CF6B2EC89A125CD96B6BDE3
C:\Symbols\wuser32.pdb\438BB768E2434151BA04E6929C0100522\wuser32.pdb --a---- 1264640 bytes [20:10 16/07/2009] [20:10 16/07/2009] E41D6F2D05F45238DF8E22181FA824EA
C:\Windows\System32\acaptuser32.dll --a---- 111992 bytes [04:43 12/06/2008] [04:43 12/06/2008] B412D322235CA1D4AF85F2BB850C3FF5
C:\Windows\System32\user32.dll --a---- 811520 bytes [23:24 13/07/2009] [01:38 01/04/2010] 7BD7F45FF37FA0669CD32CA0EF46E22C
C:\Windows\System32\user32.dll.bak --a---- 811520 bytes [23:24 13/07/2009] [01:16 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861
C:\Windows\System32\en-US\user32.dll.mui --a---- 17920 bytes [04:55 14/07/2009] [02:03 14/07/2009] D448B52149F95F1250100F9BD0ED7152
C:\Windows\System32\manifeststore\user32.amx --a---- 368328 bytes [23:25 13/07/2009] [23:25 13/07/2009] 74FA96FC74E0C6B3CCC328A6781D6DFC
C:\Windows\winsxs\Backup\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3dd44ded8c70cf7e.manifest --a---- 2378 bytes [04:56 14/07/2009] [04:56 14/07/2009] 312B257CA3798A27278FBE7CC4E55E92
C:\Windows\winsxs\Backup\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3dd44ded8c70cf7e_user32.dll.mui_14652dbb --a---- 17920 bytes [04:56 14/07/2009] [04:56 14/07/2009] D448B52149F95F1250100F9BD0ED7152
C:\Windows\winsxs\Backup\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3.manifest --a---- 2731 bytes [02:19 14/07/2009] [02:18 14/07/2009] FEB66AF751DE4AF556DE1FAF69C49A37
C:\Windows\winsxs\Backup\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3_user32.dll_55f4ed20 --a---- 811520 bytes [02:19 14/07/2009] [02:18 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861
C:\Windows\winsxs\Manifests\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3dd44ded8c70cf7e.manifest --a---- 2378 bytes [04:54 14/07/2009] [02:29 14/07/2009] 312B257CA3798A27278FBE7CC4E55E92
C:\Windows\winsxs\Manifests\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3.manifest --a---- 2731 bytes [02:03 14/07/2009] [01:58 14/07/2009] FEB66AF751DE4AF556DE1FAF69C49A37
C:\Windows\winsxs\x86_microsoft-windows-a..structure-manifests_31bf3856ad364e35_6.1.7600.16385_none_9da1bb3614a5f5bf\user32.amx --a---- 368328 bytes [23:25 13/07/2009] [23:25 13/07/2009] 74FA96FC74E0C6B3CCC328A6781D6DFC
C:\Windows\winsxs\x86_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3dd44ded8c70cf7e\user32.dll.mui --a---- 17920 bytes [04:55 14/07/2009] [02:03 14/07/2009] D448B52149F95F1250100F9BD0ED7152
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --a---- 811520 bytes [23:24 13/07/2009] [01:16 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861

Searching for "*Dxpserver*"
C:\Symbols\dxpserver.pdb\D134622C66EE4A6FADC199F3E0552DE71\dxpserver.pdb --a---- 429056 bytes [20:26 16/07/2009] [20:26 16/07/2009] 7E5A949EA7683E4C6C3ABFCB2974B7F9
C:\Windows\System32\Dxpserver.exe --a---- 208384 bytes [00:06 14/07/2009] [01:14 14/07/2009] E570CC96463A5E480E2807B032E7F52E
C:\Windows\System32\en-US\dxpserver.exe.mui --a---- 2560 bytes [04:55 14/07/2009] [02:07 14/07/2009] 2BE5D2C7A79DD29BE00898546F492087
C:\Windows\winsxs\x86_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7600.16385_none_46fb81e75b1ad412\Dxpserver.exe --a---- 208384 bytes [00:06 14/07/2009] [01:14 14/07/2009] E570CC96463A5E480E2807B032E7F52E
C:\Windows\winsxs\x86_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ebd042867fa8d1d8\dxpserver.exe.mui --a---- 2560 bytes [04:55 14/07/2009] [02:07 14/07/2009] 2BE5D2C7A79DD29BE00898546F492087

-= EOF =-
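The SystemLook step CatByte asked for above works because Windows keeps a pristine copy of every servicing-installed binary in the WinSxS component store, so the live C:\Windows\System32 file can be hashed against it. The script below automates that comparison for a filefind log of the format shown in this post. It is an added example for this thread, not code from SystemLook, ComboFix or anyone posting here; the line format it parses and the assumption that a winsxs component directory (Backup excluded) holds the reference copy are mine. The embedded sample lines are copied from the log above, hashes included.

```python
"""Compare System32 binaries against their WinSxS component-store copies.

Added example for this thread; not code from SystemLook, ComboFix or any poster.
It parses the ':filefind' section of a SystemLook log and reports every
.dll/.exe/.sys directly under C:\\Windows\\System32 whose MD5 differs from the
same-named file in a C:\\Windows\\winsxs component directory. A mismatch means
the live copy is not the one Windows servicing installed; it is a flag to
investigate, not proof of infection on its own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One SystemLook filefind hit:  <path> <attrs> <size> bytes [created] [modified] <MD5>
# (assumed format, taken from the log lines in this thread)
LINE_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample log lines copied from the SystemLook output posted in this thread.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Log created at 22:31 on 06/09/2010 by David
Administrator - Elevation successful

========== filefind ==========

Searching for "*user32*"
C:\Windows\System32\acaptuser32.dll --a---- 111992 bytes [04:43 12/06/2008] [04:43 12/06/2008] B412D322235CA1D4AF85F2BB850C3FF5
C:\Windows\System32\user32.dll --a---- 811520 bytes [23:24 13/07/2009] [01:38 01/04/2010] 7BD7F45FF37FA0669CD32CA0EF46E22C
C:\Windows\System32\user32.dll.bak --a---- 811520 bytes [23:24 13/07/2009] [01:16 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861
C:\Windows\System32\en-US\user32.dll.mui --a---- 17920 bytes [04:55 14/07/2009] [02:03 14/07/2009] D448B52149F95F1250100F9BD0ED7152
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --a---- 811520 bytes [23:24 13/07/2009] [01:16 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861

Searching for "*Dxpserver*"
C:\Windows\System32\Dxpserver.exe --a---- 208384 bytes [00:06 14/07/2009] [01:14 14/07/2009] E570CC96463A5E480E2807B032E7F52E
C:\Windows\winsxs\x86_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7600.16385_none_46fb81e75b1ad412\Dxpserver.exe --a---- 208384 bytes [00:06 14/07/2009] [01:14 14/07/2009] E570CC96463A5E480E2807B032E7F52E

-= EOF =-
"""


@dataclass
class Hit:
    path: str
    size: int
    modified: str
    md5: str

    @property
    def name(self) -> str:
        """File name only, lower-cased for matching across directories."""
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(log: str) -> list[Hit]:
    """Return every file line in a SystemLook filefind log; headers and blanks are skipped."""
    hits: list[Hit] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["size"]), m["modified"], m["md5"].upper()))
    return hits


def compare_with_winsxs(hits: list[Hit]) -> dict[str, dict]:
    """Pair each System32 binary with the same-named WinSxS component copy and compare MD5s.

    Result per lower-cased file name:
      {"status": "match" | "MISMATCH" | "no_reference", "live": md5, "reference": md5 or None, ...}
    Only files directly under System32 are "live"; winsxs\Backup is skipped
    because its files carry a suffixed name and are not the component copy.
    """
    reference: dict[str, Hit] = {}
    live: dict[str, Hit] = {}
    for h in hits:
        p = h.path.lower()
        if not h.name.endswith((".dll", ".exe", ".sys")):
            continue
        if p.startswith("c:\\windows\\system32\\") and p.count("\\") == 3:
            live[h.name] = h
        elif p.startswith("c:\\windows\\winsxs\\") and "\\backup\\" not in p:
            reference[h.name] = h

    report: dict[str, dict] = {}
    for name, h in live.items():
        ref = reference.get(name)
        if ref is None:
            status = "no_reference"
        elif ref.md5 == h.md5:
            status = "match"
        else:
            status = "MISMATCH"
        report[name] = {
            "status": status,
            "live": h.md5,
            "live_modified": h.modified,
            "reference": ref.md5 if ref else None,
            "reference_modified": ref.modified if ref else None,
        }
    return report


if __name__ == "__main__":
    for name, r in compare_with_winsxs(parse_filefind(SAMPLE_LOG)).items():
        print(f"{r['status']:12} {name}: live {r['live']} (modified {r['live_modified']})"
              f" vs winsxs {r['reference']} (modified {r['reference_modified']})")
```

Run against the posted log it reports user32.dll as a MISMATCH (live 7BD7..., WinSxS 34B7..., with the live copy modified on 01/04/2010 while the store copy dates from the July 2009 install), Dxpserver.exe as a match, and acaptuser32.dll as having no reference, which is correct because it is an Adobe file rather than a Windows component. Note that user32.dll.bak in the same log carries the WinSxS hash; the ComboFix Sigcheck section in the thread flags the same 7BD7... user32.dll, so the two tools corroborate each other. The script only reads a log, so it is safe to run offline on any saved SystemLook.txt.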
da123
Junior Member with 24 posts.
Join Date: Sep 2010
Experience: Advanced
06-Sep-2010, 11:47 PM #12
ComboFix:

ComboFix 10-09-06.03 - David 09/06/2010 22:36:16.5.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2046.736 [GMT -4:00]
Running from: c:\users\David \Desktop\ComboFix.exe
Command switches used :: c:\users\David \Desktop\CFScript.txt
* Created a new restore point

file zipped: c:\windows\System32\netcorehct.dll
file zipped: c:\windows\System32\user32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-07 to 2010-09-07 )))))))))))))))))))))))))))))))
.

2010-09-07 02:40 . 2010-09-07 02:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-07 02:40 . 2010-09-07 02:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iTunes
2010-09-03 21:59 . 2010-09-03 21:59 -------- d-----w- c:\program files\iPod
2010-09-03 21:57 . 2010-09-03 21:58 -------- d-----w- c:\program files\QuickTime
2010-09-03 21:12 . 2010-09-03 21:15 -------- d-----w- c:\users\David \AppData\Roaming\X-Chat 2
2010-09-03 21:12 . 2010-09-03 21:56 -------- d-----w- c:\program files\xchat
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\users\David \AppData\Roaming\Malwarebytes
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\CCleaner
2010-08-31 10:50 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-31 10:50 . 2010-08-31 10:50 -------- d-----w- c:\programdata\Malwarebytes
2010-08-31 10:50 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-31 04:09 . 2010-09-02 03:58 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-31 04:09 . 2010-08-31 04:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-31 02:49 . 2010-08-31 02:49 79360 --sha-r- c:\windows\system32\netcorehct.dll
2010-08-29 17:30 . 2010-08-29 17:30 -------- d-----w- c:\users\David \AppData\Local\HES
2010-08-29 17:29 . 2010-08-29 17:29 -------- d-----w- c:\program files\HES
2010-08-28 18:03 . 2010-08-28 18:03 -------- d-----w- c:\programdata\ZoomBrowser
2010-08-28 18:02 . 2010-08-28 18:02 -------- d-----w- c:\program files\Common Files\Canon
2010-08-28 17:56 . 2010-08-28 18:04 -------- d-----w- c:\program files\Canon
2010-08-24 20:24 . 2010-04-07 07:10 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-08-22 15:38 . 2010-08-22 15:53 -------- d-----w- c:\users\David \AppData\Roaming\vlc
2010-08-22 15:38 . 2010-08-22 15:38 -------- d-----w- c:\program files\VideoLAN
2010-08-15 23:02 . 2010-08-15 23:02 -------- d-----w- c:\program files\Microsoft
2010-08-15 23:01 . 2010-08-15 23:01 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-08-15 23:01 . 2010-08-15 23:02 -------- d-----w- c:\program files\Windows Live
2010-08-15 23:01 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-08-15 23:00 . 2010-08-15 23:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-08-15 22:58 . 2010-08-15 22:58 -------- d-----w- c:\program files\Common Files\Windows Live
2010-08-15 20:06 . 2010-08-15 20:06 -------- d-----w- c:\program files\Movie Rotator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 02:41 . 2010-04-24 15:22 -------- d-----w- c:\program files\RemoteX
2010-09-06 09:47 . 2010-06-10 19:45 -------- d-----w- c:\program files\LogMeIn
2010-09-04 05:47 . 2010-03-01 02:24 78620325 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\Mail\Local Folders\Inbox.sbd\DP.com
2010-09-03 21:59 . 2010-03-01 03:12 -------- d-----w- c:\program files\Common Files\Apple
2010-09-03 21:56 . 2010-09-03 21:56 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\program files\mIRC
2010-09-03 21:21 . 2010-04-10 03:32 -------- d-----w- c:\users\David \AppData\Roaming\mIRC
2010-08-31 10:39 . 2010-06-12 22:40 -------- d-----w- c:\program files\Xilisoft
2010-08-31 02:50 . 2010-06-12 22:43 -------- d-----w- c:\users\David \AppData\Roaming\Xilisoft
2010-08-30 18:34 . 2010-09-04 16:10 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-08-30 18:33 . 2010-09-04 16:10 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-08-30 18:33 . 2010-09-04 16:10 338944 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-08-30 18:33 . 2010-09-04 16:10 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_95F3A2F1DA26B96BA11820.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_8BA7CBC971BCDA84F8DD2E.exe
2010-08-29 17:29 . 2010-08-29 17:29 26694 ----a-r- c:\users\David \AppData\Roaming\Microsoft\Installer\{798D525D-4C54-4DF6-8465-849A7789F964}\_6FEFF9B68218417F98F549.exe
2010-08-28 18:05 . 2010-03-06 16:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-28 17:55 . 2010-03-06 16:32 -------- d-----w- c:\program files\Common Files\InstallShield
2010-08-15 19:18 . 2010-03-01 02:18 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-29 06:30 . 2010-08-11 23:27 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30 . 2010-08-11 23:27 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-07-28 05:16 . 2010-07-26 03:23 -------- d-----w- c:\program files\MagicISO
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2010-07-28 05:16 . 2010-07-25 15:24 -------- d-----w- c:\program files\Application Verifier
2010-07-28 01:54 . 2010-07-25 15:24 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
2010-07-28 01:35 . 2010-04-26 02:02 -------- d-----w- c:\program files\BedtimeHelp
2010-07-25 21:40 . 2010-07-25 21:35 -------- d-----w- c:\users\David \AppData\Roaming\Ringtone Expressions
2010-07-25 15:24 . 2010-07-25 15:24 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-07-25 15:23 . 2010-07-25 15:23 -------- d-----w- c:\program files\Microsoft SDKs
2010-07-24 05:03 . 2009-07-13 23:36 13824 ----a-w- c:\windows\system32\slwga.dll
2010-07-24 05:03 . 2009-07-13 23:40 409088 ----a-w- c:\windows\system32\systemcpl.dll
2010-07-16 13:03 . 2010-07-16 13:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 13:02 . 2010-03-01 03:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-06 01:28 . 2010-07-06 01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 06:25 . 2010-08-11 23:27 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-22 21:00 . 2010-06-25 02:21 1496064 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-06-22 20:59 . 2010-06-25 02:21 43008 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-06-22 20:59 . 2010-06-25 02:21 339456 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-06-22 20:59 . 2010-06-25 02:21 346112 ----a-w- c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\0uyrpnzn.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-06-22 02:47 . 2010-08-11 23:27 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 02:47 . 2010-08-11 23:27 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 02:47 . 2010-08-11 23:27 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-20 08:21 . 2010-08-16 01:01 214016 ----a-w- c:\users\David \AppData\Roaming\Thunderbird\Profiles\3q46zmiz.default\extensions\{e2fda1a4-762b-4020-b5ad-a41df1933103}\components\calbscmp.dll
2010-06-19 06:33 . 2010-08-11 23:27 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-19 06:33 . 2010-08-11 23:27 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:23 . 2010-08-11 23:27 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07 . 2010-08-11 23:27 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 05:48 . 2010-08-11 23:27 224256 ----a-w- c:\windows\system32\schannel.dll
2010-06-14 06:12 . 2010-08-11 23:27 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-06-14 03:00 . 2010-06-14 03:02 29253144 ----a-w- c:\users\Public\VZAM_7.2.1_2420b_Pantech_UM175.exe
2010-06-12 16:59 . 2010-06-12 16:59 0 ----a-w- c:\windows\nsreg.dat
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

------- Sigcheck -------

[-] 2010-04-01 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7600.16385] . . c:\windows\System32\user32.dll
.
((((((((((((((((((((((((((((( SnapShot_2010-09-06_21.40.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:55 . 2010-09-07 02:25 29222 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-03-01 01:39 . 2010-09-07 02:41 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 01:39 . 2010-09-04 17:02 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 01:39 . 2010-09-04 17:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 01:39 . 2010-09-07 02:41 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2010-09-04 17:02 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-09-07 02:41 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-03-01 02:24 . 2010-09-04 05:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-01 05:00 . 2010-09-07 02:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-01 05:00 . 2010-09-06 21:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 05:00 . 2010-09-07 02:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-03-01 05:00 . 2010-09-06 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-03-01 05:00 . 2010-09-06 21:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-03-01 05:00 . 2010-09-07 02:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-06 21:06 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-01 02:24 . 2010-09-07 02:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-03-01 02:24 . 2010-09-04 05:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-01 05:19 . 2010-09-07 02:25 5492 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-623889280-2913089192-2681729872-1000_UserData.bin
- 2010-09-04 05:49 . 2010-09-04 05:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-09-04 05:49 . 2010-09-07 02:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-09-04 05:49 . 2010-09-04 05:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-09-04 05:49 . 2010-09-07 02:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2010-09-07 02:28 659580 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-09-04 05:53 659580 c:\windows\System32\perfh009.dat
+ 2009-07-14 02:05 . 2010-09-07 02:28 120508 c:\windows\System32\perfc009.dat
- 2009-07-14 02:05 . 2010-09-04 05:53 120508 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-06 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-11 1468256]
"WebDriveTray"="c:\program files\WebDrive\webdrive.exe" [2006-05-23 1646592]
"RemoteX"="c:\program files\RemoteX\RemoteX.exe" [2010-03-22 212480]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"WinReminders 2005"="c:\program files\HES\WinReminders\WinReminders.exe" [2010-08-10 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

c:\users\David \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-5-2 576000]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2010-2-28 12746928]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-3-6 267520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 136176]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1343400]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 176128]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-01-27 12856]
S2 WebDriveFSD;WebDrive Filesystem Driver;c:\program files\WebDrive\wdfsd.sys [2006-04-28 165888]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys [2010-05-18 13408]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-12-19 249888]

.
Contents of the 'Scheduled Tasks' folder

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-01 23:25]

2010-09-07 c:\windows\Tasks\WinReminders Reminder Schedule for David .job
- c:\program files\HES\WinReminders\WinReminders.exe [2010-08-10 17:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: {01F957CC-3142-44B6-8AD4-A3F08B705A04} = 208.67.222.222,4.4.4.4,8.8.8.8
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\users\David \AppData\Roaming\Mozilla\Firefox\Profiles\4xynkign.Dave\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\atieclxx.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\WebDrive\wdService.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Adobe\Acrobat 9.0\Acrobat\AcrobatInfo.exe
.
**************************************************************************
.
Completion time: 2010-09-06 22:45:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-07 02:45
ComboFix2.txt 2010-09-07 02:28
ComboFix3.txt 2010-09-07 01:35
ComboFix4.txt 2010-09-06 21:42
ComboFix5.txt 2010-09-07 02:33

Pre-Run: 725,930,274,816 bytes free
Post-Run: 725,840,240,640 bytes free

- - End Of File - - 924B6B5BC6A0027BBAA7C9B7CB8D8F2F
Upload was successful
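As an added example (not part of the thread and not ComboFix's own code), the following Python script parses the autostart and policy blocks of a ComboFix log in the layout shown above and pulls out what a reviewer checks first: whether UAC is disabled (EnableLUA = 0, as in the log above), which DLLs AppInit_DLLs injects into every process, and which Run entries launch a binary outside Program Files / Windows. The sample input is copied from the log in this thread plus one constructed "updater" entry, labelled as such, so the out-of-place-binary check has something to flag; the trusted-directory list is a triage heuristic of the example, not a ComboFix rule.

```python
r"""Triage helper for the autostart section of a ComboFix log.

Added example for this thread; it is not ComboFix code and not part of the
original post. It reads the [HKEY_...\Run], [...\policies\system] and
[...\windows nt\currentversion\windows] blocks in the layout ComboFix prints.
"""
import re

# Sample input: lines copied from the ComboFix log posted above, plus one
# CONSTRUCTED "updater" entry (not from the real log) so the out-of-place
# binary check has something to flag.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"updater"="c:\users\david\appdata\roaming\updater\updater.exe" [2010-09-01 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll c:\windows\System32\acaptuser32.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# "Name"= 0 (0x0)
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(\d+) \(0x[0-9a-fA-F]+\)$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')

# Heuristic only (an assumption of this example): binaries that autostart from
# outside these trees deserve a closer look, not an automatic verdict.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~", "c:\\windows")


def parse_sections(text):
    """Map each [HKEY_...] header (lower-cased) to the value lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def outside_standard_dirs(path):
    return not path.lower().startswith(TRUSTED_PREFIXES)


def triage(text):
    """Return a dict summarising Run entries, UAC policy values and AppInit DLLs."""
    report = {"run": [], "policies": {}, "appinit_dlls": [],
              "uac_disabled": False, "suspicious_run": []}
    for key, lines in parse_sections(text).items():
        if key.endswith("\\run"):
            for line in lines:
                m = RUN_RE.match(line)
                if m:
                    name, path, _date, size = m.groups()
                    report["run"].append((name, path, int(size)))
                    if outside_standard_dirs(path):
                        report["suspicious_run"].append(name)
        elif key.endswith("\\policies\\system"):
            for line in lines:
                m = DWORD_RE.match(line)
                if m:
                    report["policies"][m.group(1).lower()] = int(m.group(2))
        elif key.endswith("\\currentversion\\windows"):
            for line in lines:
                m = APPINIT_RE.match(line)
                if m and m.group(1).strip():
                    # AppInit_DLLs may be space- or comma-separated
                    report["appinit_dlls"] = re.split(r"[\s,]+", m.group(1).strip())
    # EnableLUA = 0 means UAC is switched off entirely
    report["uac_disabled"] = report["policies"].get("enablelua") == 0
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("UAC disabled:", r["uac_disabled"])
    print("AppInit_DLLs:", r["appinit_dlls"])
    print("Run entries outside standard dirs:", r["suspicious_run"])
```

On the log above the same parser reports UAC fully disabled and two AppInit DLLs (both belonging to AVG and Adobe Acrobat here); the point of the check is that anything loaded through AppInit_DLLs ends up in every process that links user32.dll, so the list is worth reading even when the names look familiar.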
CatByte's Avatar
Malware Removal Specialist with 3,373 posts.
 
Join Date: Feb 2009
07-Sep-2010, 12:04 AM #13
Please do the following:

submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file
    Code:
    C:\Windows\winsxs\x86_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7600.16385_none_46fb81e75b1ad412\Dxpserver.exe
    
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


Please do the same for the following file:

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll
__________________
Microsoft MVP - 2010, 2011
da123's Avatar
Computer Specs
Junior Member with 24 posts.
 
Join Date: Sep 2010
Experience: Advanced
07-Sep-2010, 12:28 AM #14
Both looked clean but I don't mind being cautious and doing whatever needs to get done to replace these files. Also, should I do something about the one that previously came back as possibly infected? (netcorehct.dll)

http://www.virustotal.com/file-scan/...0c2-1283829900

http://www.virustotal.com/file-scan/...7b6-1283829937
CatByte's Avatar
Malware Removal Specialist with 3,373 posts.
 
Join Date: Feb 2009
07-Sep-2010, 07:26 PM #15
Hi

Please do the following:

Please do another scan with SystemLook. Note: this scan may take quite a while as we are searching the whole registry:
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :regfind
    netcorehct.dll
    IAS.DLL
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


NEXT
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
FCopy::
C:\Windows\winsxs\x86_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7600.16385_none_46fb81e75b1ad412\Dxpserver.exe | C:\Windows\System32\Dxpserver.exe
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll | c:\windows\System32\user32.dll
Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
__________________
Microsoft MVP - 2010, 2011
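Added example, not from the thread and not ComboFix code: before an FCopy:: restore it is useful to know whether the live System32 file actually differs from its WinSxS component-store copy. The script below parses the FCopy:: lines of the CFScript above (source | destination per line) and compares SHA-256 digests of each pair. Because the Windows paths are not available offline, its demo() stands them in with constructed files, one pair identical and one deliberately modified; the `resolve` callback is an assumption of this example that lets the same comparison run unchanged on the affected machine.

```python
"""Check whether the files named in a CFScript FCopy:: section differ from
their WinSxS copies before restoring them.

Added example for this thread; it is not ComboFix code and not part of the
original post.
"""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# CFScript text as posted in the thread above (only FCopy:: matters here).
CFSCRIPT = r"""FCopy::
C:\Windows\winsxs\x86_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7600.16385_none_46fb81e75b1ad412\Dxpserver.exe | C:\Windows\System32\Dxpserver.exe
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll | c:\windows\System32\user32.dll
"""


def parse_fcopy(script):
    """Return [(source, destination)] from the FCopy:: section of a CFScript."""
    pairs, in_section = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # any "Directive::" header opens a section
            in_section = line.upper() == "FCOPY::"
            continue
        if in_section and "|" in line:
            src, dst = (p.strip() for p in line.split("|", 1))
            pairs.append((src, dst))
    return pairs


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_pairs(pairs, resolve=lambda p: p):
    """For each (src, dst) say whether the live file matches the store copy.

    `resolve` (an assumption of this example) maps a path string from the
    script to a local path; the identity default is what you would use on
    the affected machine, the demo points it at constructed files.
    """
    results = []
    for src, dst in pairs:
        s, d = Path(resolve(src)), Path(resolve(dst))
        if not s.is_file():
            status = "store copy missing"
        elif not d.is_file():
            status = "live file missing"
        elif sha256_of(s) == sha256_of(d):
            status = "identical"
        else:
            status = "differs"
        results.append({"file": PureWindowsPath(dst).name, "status": status})
    return results


def demo():
    """Constructed stand-in: pair 0 identical, pair 1 with a modified live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root, local = Path(tmp), {}
        pairs = parse_fcopy(CFSCRIPT)
        for i, (src, dst) in enumerate(pairs):
            store, live = root / f"store{i}.bin", root / f"live{i}.bin"
            store.write_bytes(b"clean-binary-contents")
            # constructed tampering on the second pair only
            live.write_bytes(b"clean-binary-contents" if i == 0
                             else b"clean-binary-contents+patch")
            local[src], local[dst] = store, live
        return compare_pairs(pairs, resolve=lambda p: local[p])


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['file']}: {entry['status']}")
```

On the real machine the call is simply compare_pairs(parse_fcopy(CFSCRIPT)). Identical digests only mean the restore would change nothing; they say nothing about whether the WinSxS copy itself is clean, which is what the VirusTotal submission in the earlier post was for.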
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.