Tech Support Guy > Virus & Other Malware Removal
Search Timeout in every browser on google msn and yahoo

(In Progress)

spiritedblaize (Thread Starter; Junior Member with 3 posts; Join Date: Feb 2011; Experience: Intermediate)
26-Feb-2011, 01:53 PM #1
Search Timeout in every browser on google msn and yahoo
I am posting this here because I believe it is malware related. It is the boyfriend's computer, Windows Vista, primary browser is Firefox. He did get hijacked. We ran Malwarebytes and fixed some issues. For quite some time now he has not been able to log into his gmail. He was getting a page time out error. Beginning yesterday he is getting that error if he tries to go to google at all or search using yahoo or msn. I am typing this on his computer. Most pages, if you know the url and type it in the address bar, you can go to without issue. I tried turning off all firewalls and increasing time out rates in the registry. Ping www.google.com gives me 100% loss.

I do not know enough about the registry to determine what is causing the problem.

*** Results from hijackthis ***

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:33:32 PM, on 2/26/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18565)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Users\Dagoth\Desktop\HijackThis.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25426
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O15 - Trusted Zone: http://www.gmail.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS3\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

--
End of file - 3206 bytes


**** results from dds.txt file *** attach.txt in post attachments ****

DDS (Ver_10-12-12.02) - NTFSx86
Run by Dagoth at 12:38:48.01 on Sat 02/26/2011
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1963 [GMT -5:00]

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\alg.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dagoth\Downloads\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Internet Explorer provided by Dell
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uPolicies-explorer: DisallowRun = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: gmail.com\www
TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
IFEO: image file execution options -
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\dagoth\appdata\roaming\mozilla\firefox\profiles\wtt5yz39.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25426
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dagoth\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\dagoth\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-27 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-22 217032]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-9-24 27648]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-12-11 599040]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-9-24 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-9-24 19008]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-24 30192]

=============== Created Last 30 ================

2011-02-26 15:24:46 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ebd9b482-7747-4aa2-9c18-4361123c1c65}\mpengine.dll
2011-02-19 20:39:22 -------- d-----w- c:\users\dagoth\appdata\local\Yahoo!
2011-02-18 19:36:26 -------- d-----w- c:\program files\Phoenix Viewer
2011-02-06 14:13:52 -------- d-----w- c:\program files\Bonjour
2011-02-06 14:05:00 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-02-06 13:40:16 -------- d-----w- C:\AdobeTemp
2011-02-04 09:25:58 -------- d-----w- c:\users\dagoth\appdata\local\lptmp3898

==================== Find3M ====================

2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-08 07:50:00 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57:10 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:25:17 2038784 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 14:57:35 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-25 13:24:26 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-20 15:40:24 833024 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 15:37:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 14:12:59 389632 ----a-w- c:\windows\system32\html.iec
2010-12-20 13:51:45 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-12-14 15:49:30 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 12:39:03.96 ===============


**** ark.txt file ****

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-26 13:32:04
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320620AS rev.3.ADJ
Running: s70u33bd.exe; Driver: C:\Users\Dagoth\AppData\Local\Temp\fwryrpog.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\Users\Dagoth\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1772] ntdll.dll!LdrLoadDll 772079B3 5 Bytes JMP 012313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3624] USER32.dll!TrackPopupMenu 76051417 5 Bytes JMP 6A7F2342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXosiwuvsybyqdcbkrwipeyoffptdrwire.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system

---- EOF - GMER 1.0.15 ----

No idea what to look for in these. Any help is appreciated. Thank you!
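Editor's note, added to this thread and not part of any post or of the DDS, HijackThis or ComboFix tools: the report above contains two network indicators that are worth flagging mechanically rather than by eye, the WinINET proxy `ProxyServer = http=127.0.0.1:25426` (a proxy on the local machine that every browser honouring system settings will route through) and the five `Hosts:` entries that pin unrelated domains to one public address. The script below parses DDS-style lines of those shapes plus the Firefox `network.proxy.*` prefs and returns findings. The sample report is constructed from lines quoted in the post; the finding codes and function names are the example's own.

```python
"""Triage helper for DDS / HijackThis-style report lines (added example).

Flags a WinINET/IE proxy pointing at the local host, Firefox proxy prefs that
do the same (noting whether network.proxy.type actually activates them), and
hosts-file entries that pin several hostnames to a single public IP.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS report posted in the thread.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25426
FF - prefs.js: network.proxy.type - 0
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
FF_PREF_RE = re.compile(r"prefs\.js:\s*(network\.proxy\.\w+)\s*-\s*(\S+)")
HOSTS_RE = re.compile(r"\bHosts:\s+(\S+)\s+(\S+)")


def _is_loopback(host):
    """True for 127.x.x.x / ::1 literals and the name 'localhost'."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_proxy_value(value):
    """Split a WinINET ProxyServer string such as
    'http=127.0.0.1:25426;https=proxy:8080' or a bare 'proxy:8080' into
    (scheme, host, port) tuples; scheme is 'all' when no prefix is present."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "all", host or hostport, port))
    return entries


def analyze(report_text):
    """Return a list of (code, detail) findings for the report text."""
    findings = []
    ff_prefs = {}
    hosts = defaultdict(set)  # IP literal -> hostnames pinned to it

    for line in report_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy_value(m.group(1)):
                if _is_loopback(host):
                    findings.append(("LOOPBACK_PROXY",
                                     f"{scheme} traffic routed through {host}:{port} on this machine"))
            continue
        m = FF_PREF_RE.search(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2)
            continue
        m = HOSTS_RE.search(line)
        if m:
            hosts[m.group(1)].add(m.group(2))

    # Firefox only uses network.proxy.http when network.proxy.type is 1 (manual);
    # type 0 means direct connection, so report the two states separately.
    ff_host = ff_prefs.get("network.proxy.http")
    if ff_host and _is_loopback(ff_host):
        port = ff_prefs.get("network.proxy.http_port", "?")
        ptype = ff_prefs.get("network.proxy.type", "unset")
        if ptype == "1":
            findings.append(("FF_LOOPBACK_PROXY", f"Firefox manual proxy {ff_host}:{port}"))
        else:
            findings.append(("FF_LOOPBACK_PROXY_INACTIVE",
                             f"Firefox proxy pref {ff_host}:{port} present but proxy.type is {ptype}"))

    # Several hostnames pinned to one public IP is the redirect pattern seen here.
    for ip, names in hosts.items():
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # malformed entry; skip rather than guess
        if addr.is_global and len(names) >= 2:
            findings.append(("HOSTS_REDIRECT",
                             f"{len(names)} hostnames pinned to {ip}: {', '.join(sorted(names))}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_REPORT):
        print(f"{code}: {detail}")
```

Run against the sample it reports the loopback proxy once, the Firefox prefs as present but inactive (type 0), and the five-domain hosts redirect; hosts lines that point at 127.0.0.1 or a private address are left alone, since those are the normal legitimate uses of the file.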
kevinf80 (Kevin), Malware Removal Specialist with 9,629 posts, authorized to help remove malware (Join Date: Mar 2006; Location: Sunderland UK; Experience: Intermediate)
26-Feb-2011, 06:02 PM #2
Hiya spiritedblaize,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop; do not save to or run from anywhere else. <--Very important

Before saving Combofix to the Desktop re-name to Gotcha.exe as below:



Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Post the log in your reply,

Kevin
spiritedblaize (Thread Starter; Junior Member with 3 posts; Join Date: Feb 2011; Experience: Intermediate)
26-Feb-2011, 08:58 PM #3
**** Combofix Log ****
ComboFix 11-02-16.01 - Dagoth 02/26/2011 20:48:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2119 [GMT -5:00]
Running from: c:\users\Dagoth\Desktop\Gotcha.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\programdata\Desktop
c:\users\Dagoth\AUTORUN.INF
c:\windows\system32\twunk_32.exe
J:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.
2011-02-27 01:50 . 2011-02-27 01:51 -------- d-----w- c:\users\Dagoth\AppData\Local\temp
2011-02-27 01:50 . 2011-02-27 01:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-26 15:24 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBD9B482-7747-4AA2-9C18-4361123C1C65}\mpengine.dll
2011-02-19 20:39 . 2011-02-19 20:39 -------- d-----w- c:\users\Dagoth\AppData\Local\Yahoo!
2011-02-18 19:36 . 2011-02-18 19:37 -------- d-----w- c:\program files\Phoenix Viewer
2011-02-06 14:13 . 2011-02-06 14:13 -------- d-----w- c:\program files\Bonjour
2011-02-06 14:05 . 2011-02-06 14:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-06 13:40 . 2011-02-06 13:41 -------- d-----w- C:\AdobeTemp
2011-02-04 09:25 . 2011-02-04 09:25 -------- d-----w- c:\users\Dagoth\AppData\Local\lptmp3898
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2009-10-06 12:30 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 14:57 . 2011-01-12 19:59 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-25 13:24 . 2010-12-25 13:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-22 03:48 . 2010-12-22 03:48 40960 ----a-r- c:\users\Dagoth\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-12-20 23:09 . 2010-12-22 11:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-12-22 11:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 15:49 . 2011-01-12 19:59 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-09 11:02 . 2010-12-09 11:02 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spotlight Resources.dll
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 01:02 . 2010-02-17 20:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-24 06:37 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-27 01:02 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-17 23:17 136176 ----atw- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 14:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-11-08 20:01 49152 ----a-w- c:\windows\System32\ico.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-12-25 02:55 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-06 11:52 4706304 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-24 06:29 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-09-24 18:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-27 30192]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-01-31 599040]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
R3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
R3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-03-06 27648]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - j:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204c8b02-c7fc-11dd-9e7a-806e6f6e6963}]
\shell\AutoRun\command - j:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-09-13 21:19]
2011-02-20 c:\windows\Tasks\DriverRobot.job
- c:\program files\Driver Robot\DriverRobot.exe [2008-12-12 22:19]
2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000Core.job
- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000UA.job
- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
2011-02-27 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-09-24 11:44]
2011-02-27 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-02-25 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
Trusted Zone: gmail.com\www
TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25426
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-WudfPf
SafeBoot-WudfRd
SafeBoot-Lavasoft Ad-Aware Service
MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-26 20:50
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-26 20:55:03
ComboFix-quarantined-files.txt 2011-02-27 01:54
Pre-Run: 129,021,419,520 bytes free
Post-Run: 128,958,021,632 bytes free
- - End Of File - - D86836DE832399F1D51E5388227AA471
kevinf80 (Kevin), Malware Removal Specialist with 9,629 posts, authorized to help remove malware (Join Date: Mar 2006; Location: Sunderland UK; Experience: Intermediate)
26-Feb-2011, 09:31 PM #4
Hiya spiritedblaize,

Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
DirLook::
c:\users\Dagoth\AppData\Local\lptmp3898
DDS::
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
Firefox::
FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25426
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
Save this as CFScript.txt, and as Type: All Files (*.*), in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users: right click and select Run as Administrator.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    -------------------------------------------------------------------

    :Services
    :Files
    ipconfig /flushdns /c
    :Commands
    [EmptyTemp]
    [ResetHosts]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 3

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
You can refer to this animation by neomage if needed.
Frequently asked questions available Here. Please read them before running the scan.

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

What I'd like in your reply :-
  • Log from Combofix
  • Log from OTM
  • Log from ESET
  • System update, Improvements? issues?

Kevin
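As an added example that is not part of the thread, the Python check below looks for the setting the CFScript above removes: an HTTP proxy bound to a loopback address (127.0.0.1:25426) in both Internet Explorer's "Internet Settings,ProxyServer" value and Firefox's network.proxy.http / network.proxy.http_port prefs, which is consistent with every browser timing out on every site once nothing is listening on that port. The sample prefs.js and log lines are constructed to mirror the values in the script, and the function and regex names are mine.

```python
"""Flag browser proxy settings that route traffic through the local machine.

Added example, not from the thread: parse a Firefox prefs.js and the
"Internet Settings" lines of a DDS/ComboFix-style log, and report any proxy
whose host is a loopback address. On a home PC with no local proxy software
installed, that is the setting to check when every site in every browser
times out.
"""
import ipaddress
import re

# Firefox prefs.js lines look like:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# DDS/ComboFix report IE proxy settings as:  uInternet Settings,ProxyServer = value
_DDS_RE = re.compile(r'^[um]Internet Settings,(\w+)\s*=\s*(.*)$')


def parse_prefs_js(text):
    """Return {pref_name: value} with strings, ints and bools converted."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def parse_dds_internet_settings(text):
    """Return {name: value} for the Internet Settings lines of a DDS-style log."""
    settings = {}
    for line in text.splitlines():
        m = _DDS_RE.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def parse_ie_proxy_server(value):
    """Split an IE ProxyServer value into {scheme: (host, port)}.

    The registry value is either "host:port" (used for every protocol, keyed
    here as "*") or a ;-separated list such as "http=host:port;https=host:port".
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        proxies[scheme.lower()] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_loopback_proxies(prefs, ie_settings):
    """Return (source, scheme, host, port) for every proxy on a loopback address."""
    findings = []
    # Firefox keeps one host/port pair per protocol. network.proxy.type == 1
    # means manual proxy settings are active; stale entries are reported too,
    # since a cleanup script normally removes them as well.
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if isinstance(host, str) and host and is_loopback(host):
            port = prefs.get(f"network.proxy.{scheme}_port")
            findings.append(("firefox", scheme, host, port))
    server = ie_settings.get("ProxyServer")
    if server:
        for scheme, (host, port) in parse_ie_proxy_server(server).items():
            if is_loopback(host):
                findings.append(("ie", scheme, host, port))
    return findings


def audit(prefs_js_text, dds_log_text):
    """Parse both sources and return the combined list of loopback proxies."""
    return find_loopback_proxies(parse_prefs_js(prefs_js_text),
                                 parse_dds_internet_settings(dds_log_text))


# Constructed sample inputs mirroring the values in the CFScript above.
SAMPLE_PREFS_JS = """# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 25426);
user_pref("network.proxy.type", 1);
"""
SAMPLE_DDS_LOG = """uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
"""

if __name__ == "__main__":
    for source, scheme, host, port in audit(SAMPLE_PREFS_JS, SAMPLE_DDS_LOG):
        print(f"{source}: {scheme} proxy at {host}:{port} is a loopback address")
```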
spiritedblaize, Junior Member with 3 posts.
THREAD STARTER
Join Date: Feb 2011
Experience: Intermediate
27-Feb-2011, 07:09 AM #5
Good Morning,

I thank you so so much for your assistance. He is reporting much faster speed browsing and the ability to search and log into gmail for the first time in weeks. I am concerned about the found threat still, but it does seem that we have removed a lot of problems already.

****log from combofix****
ComboFix 11-02-16.01 - Dagoth 02/27/2011 0:22.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2247 [GMT -5:00]
Running from: c:\users\Dagoth\Desktop\Gotcha.exe
Command switches used :: c:\users\Dagoth\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.
2011-02-27 05:23 . 2011-02-27 05:25 -------- d-----w- c:\users\Dagoth\AppData\Local\temp
2011-02-26 15:24 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBD9B482-7747-4AA2-9C18-4361123C1C65}\mpengine.dll
2011-02-19 20:39 . 2011-02-19 20:39 -------- d-----w- c:\users\Dagoth\AppData\Local\Yahoo!
2011-02-18 19:36 . 2011-02-18 19:37 -------- d-----w- c:\program files\Phoenix Viewer
2011-02-06 14:13 . 2011-02-06 14:13 -------- d-----w- c:\program files\Bonjour
2011-02-06 14:05 . 2011-02-06 14:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-02-06 13:40 . 2011-02-06 13:41 -------- d-----w- C:\AdobeTemp
2011-02-04 09:25 . 2011-02-04 09:25 -------- d-----w- c:\users\Dagoth\AppData\Local\lptmp3898
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 22:11 . 2009-10-06 12:30 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-12-28 14:57 . 2011-01-12 19:59 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-25 13:24 . 2010-12-25 13:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-12-22 03:48 . 2010-12-22 03:48 40960 ----a-r- c:\users\Dagoth\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-12-20 23:09 . 2010-12-22 11:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-12-22 11:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 15:49 . 2011-01-12 19:59 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-09 11:02 . 2010-12-09 11:02 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\Spotlight Resources.dll
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 01:02 . 2010-02-17 20:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Dagoth\AppData\Local\lptmp3898 ----
2011-02-04 09:25 . 2011-02-04 09:42 4812 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_TW\zh_TW.xpm
2011-02-04 09:25 . 2011-02-04 09:42 58583 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_TW\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 59854 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_CN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4794 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_CN\zh_CN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2522 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\vi_VN\vi_VN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 71089 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\vi_VN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5028 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ur_PK\ur_PK.xpm
2011-02-04 09:25 . 2011-02-04 09:42 587 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ur_PK\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2878 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\uk_UA\uk_UA.xpm
2011-02-04 09:25 . 2011-02-04 09:42 45180 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\uk_UA\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2634 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tr_TR\tr_TR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 38476 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tr_TR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tl_PH\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5044 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tl_PH\tl_PH.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2773 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\th_TH\th_TH.xpm
2011-02-04 09:25 . 2011-02-04 09:42 10286 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\th_TH\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2798 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\sv_SE.xpm
2011-02-04 09:25 . 2011-02-04 09:42 39217 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 63601 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 80842 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sr_RS\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2395 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sr_RS\sr_RS.xpm
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sq_AL\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5037 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sq_AL\sq_AL.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2887 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sl_SI\sl_SI.xpm
2011-02-04 09:25 . 2011-02-04 09:42 15709 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sl_SI\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2939 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sk_SK\sk_SK.xpm
2011-02-04 09:25 . 2011-02-04 09:42 24540 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sk_SK\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5054 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\si_LK\si_LK.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2119 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\si_LK\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2667 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ru_RU\ru_RU.xpm
2011-02-04 09:25 . 2011-02-04 09:42 80321 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ru_RU\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 12313 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ro_RO\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2926 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ro_RO\ro_RO.xpm
2011-02-04 09:25 . 2011-02-04 09:42 5024 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_PT\pt_PT.xpm
2011-02-04 09:25 . 2011-02-04 09:42 36513 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_PT\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 66269 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_BR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2860 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_BR\pt_BR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 64091 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pl_PL\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2202 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pl_PL\pl_PL.xpm
2011-02-04 09:25 . 2011-02-04 09:42 770 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pa_IN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pa_IN\pa_IN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 11485 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nn_NO\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nn_NO\nn_NO.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2676 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\nl_NL.xpm
2011-02-04 09:25 . 2011-02-04 09:42 40948 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 65218 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 124 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\junk.html
2011-02-04 09:25 . 2011-02-04 09:42 2503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nb_NO\nb_NO.xpm
2011-02-04 09:25 . 2011-02-04 09:42 62874 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nb_NO\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2425 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ms_MY\ms_MY.xpm
2011-02-04 09:25 . 2011-02-04 09:42 5289 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ms_MY\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5038 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ml_IN\ml_IN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ml_IN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5057 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\mk_MK\mk_MK.xpm
2011-02-04 09:25 . 2011-02-04 09:42 1087 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\mk_MK\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4744 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lv_LV\lv_LV.xpm
2011-02-04 09:25 . 2011-02-04 09:42 4110 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lv_LV\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 3070 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lt_LT\lt_LT.xpm
2011-02-04 09:25 . 2011-02-04 09:42 67243 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lt_LT\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 36729 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ko_KR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2449 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ko_KR\ko_KR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\kn_IN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5038 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\kn_IN\kn_IN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 72318 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ja_JP\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 1523 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ja_JP\ja_JP.xpm
2011-02-04 09:25 . 2011-02-04 09:42 66525 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\it_IT\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2293 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\it_IT\it_IT.xpm
2011-02-04 09:25 . 2011-02-04 09:42 8919 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\is_IS\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2567 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\is_IS\is_IS.xpm
2011-02-04 09:25 . 2011-02-04 09:42 3864 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\id_ID\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4744 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\id_ID\id_ID.xpm
2011-02-04 09:25 . 2011-02-04 09:42 66974 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hu_HU\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2405 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hu_HU\hu_HU.xpm
2011-02-04 09:25 . 2011-02-04 09:42 46026 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hr_HR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2564 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hr_HR\hr_HR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hi_IN\hi_IN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2499 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hi_IN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 34313 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 42460 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 1703 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\he_IL.xpm
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\gu_IN\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\gu_IN\gu_IN.xpm
2011-02-04 09:25 . 2011-02-04 09:42 4995 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ga_IE\ga_IE.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2354 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ga_IE\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 39684 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 68848 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2558 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\fr_FR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 64363 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_CA\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4774 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_CA\fr_CA.xpm
2011-02-04 09:25 . 2011-02-04 09:42 63136 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fi_FI\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2521 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fi_FI\fi_FI.xpm
2011-02-04 09:25 . 2011-02-04 09:42 10774 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 26842 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2855 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\fa_IR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 43738 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\et_EE\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4937 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\et_EE\et_EE.xpm
2011-02-04 09:25 . 2011-02-04 09:42 66019 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_MX\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4802 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_MX\es_MX.xpm
2011-02-04 09:25 . 2011-02-04 09:42 65183 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_ES\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2682 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_ES\es_ES.xpm
2011-02-04 09:25 . 2011-02-04 09:42 62965 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_US\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2659 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_US\en_US.xpm
2011-02-04 09:25 . 2011-02-04 09:42 62944 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_GB\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 5012 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_GB\en_GB.xpm
2011-02-04 09:25 . 2011-02-04 09:42 23145 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\el_GR\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2925 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\el_GR\el_GR.xpm
2011-02-04 09:25 . 2011-02-04 09:42 17128 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\wxstd.mo
2011-02-04 09:25 . 2011-02-04 09:42 44224 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\messages.mo
2011-02-04 09:25 . 2011-02-04 09:42 66178 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 3043 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\de_DE.xpm
2011-02-04 09:25 . 2011-02-04 09:42 62950 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\da_DK\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2457 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\da_DK\da_DK.xpm
2011-02-04 09:25 . 2011-02-04 09:42 65420 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\cs_CZ\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4830 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\cs_CZ\cs_CZ.xpm
2011-02-04 09:25 . 2011-02-04 09:42 16926 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ca_ES\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4754 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ca_ES\ca_ES.xpm
2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bs_BA\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4796 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bn_BD\bn_BD.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2234 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bn_BD\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 53181 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bg_BG\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4752 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bg_BG\bg_BG.xpm
2011-02-04 09:25 . 2011-02-04 09:42 5072 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\az_AZ\az_AZ.xpm
2011-02-04 09:25 . 2011-02-04 09:42 25346 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\az_AZ\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 14954 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_SA\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 2719 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_SA\ar_SA.xpm
2011-02-04 09:25 . 2011-02-04 09:42 2832 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_EG\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4798 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_EG\ar_EG.xpm
2011-02-04 09:25 . 2011-02-04 09:42 63503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\af_ZA\lastpass.mo
2011-02-04 09:25 . 2011-02-04 09:42 4898 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\af_ZA\af_ZA.xpm
2011-02-04 09:25 . 2011-02-04 09:42 930463 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\lp_languages.zip
2011-02-04 09:25 . 2011-02-04 09:42 1061944 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\lp_dbghelp.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-09-24 06:37 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-27 01:02 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-17 23:17 136176 ----atw- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2010-03-09 14:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
2006-11-08 20:01 49152 ----a-w- c:\windows\System32\ico.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-12-25 02:55 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-03-06 11:52 4706304 ----a-w- c:\windows\RtHDVCpl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-09-24 06:29 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-09-24 18:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-27 30192]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-01-31 599040]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
R3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
R3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-03-06 27648]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - j:\wd_windows_tools\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204c8b02-c7fc-11dd-9e7a-806e6f6e6963}]
\shell\AutoRun\command - j:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
2011-02-27 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-09-13 21:19]
2011-02-20 c:\windows\Tasks\DriverRobot.job
- c:\program files\Driver Robot\DriverRobot.exe [2008-12-12 22:19]
2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000Core.job
- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000UA.job
- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
2011-02-27 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-09-24 11:44]
2011-02-27 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-02-25 11:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
Trusted Zone: gmail.com\www
TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-27 00:25
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-02-27 00:29:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-27 05:28
ComboFix2.txt 2011-02-27 01:55
Pre-Run: 128,893,313,024 bytes free
Post-Run: 128,748,589,056 bytes free
- - End Of File - - 2B8C75A835F4861C44BDACC03A7D4F9A

****log from otm****
All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Dagoth\Desktop\cmd.bat deleted successfully.
C:\Users\Dagoth\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dagoth
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 16490090 bytes
->Java cache emptied: 26213073 bytes
->FireFox cache emptied: 70877484 bytes
->Google Chrome cache emptied: 29480142 bytes
->Flash cache emptied: 1177 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 160424928 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\ Temporary Internet Files folder emptied: 7057914 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 296.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.17.2 log created on 02272011_003241

**** log from eset****
C:\Users\Dagoth\Desktop\FFSetup220.zip Win32/Adware.ADON application
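The OTM log above reports a HOSTS file reset. As an added example (not from this thread, OTM or any of the tools mentioned), the Python check below shows what such a reset removes: it parses a HOSTS file and flags mappings that blackhole or redirect search-engine and webmail domains, the kind of entry that makes google, msn and yahoo time out while other sites load. The sample HOSTS content, the watched-domain list and the function names are constructed assumptions.

```python
"""Audit a Windows-style HOSTS file for hijacked search/mail entries.

Added example, not part of the thread. Sample content is constructed.
"""
import ipaddress
import re

# Names a clean HOSTS file may legitimately map to loopback (assumed list).
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains that should never be overridden in HOSTS on a home PC (assumed list).
WATCHED_DOMAINS = ("google.com", "gmail.com", "bing.com", "msn.com",
                   "yahoo.com", "live.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # not an IP: malformed, ignore
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), n


def _is_watched(host):
    """True if host equals or is a subdomain of a watched domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return the mappings that blackhole or redirect a watched domain."""
    hits = []
    for ip, host, n in parse_hosts(text):
        if host in DEFAULT_NAMES or not _is_watched(host):
            continue
        reason = "blackholed" if ip in ("0.0.0.0", "127.0.0.1", "::1") else "redirected"
        hits.append({"line": n, "host": host, "ip": ip, "reason": reason})
    return hits


# Constructed sample: default loopback lines plus two hijack-style entries.
SAMPLE_HOSTS = """\
# constructed sample header
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.google.com   # would show as 100% ping loss
0.0.0.0         mail.google.com
"""

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['reason']})")
```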
kevinf80 (Kevin), Malware Removal Specialist with 9,629 posts.
Join Date: Mar 2006
Location: Sunderland UK
Experience: Intermediate
27-Feb-2011, 11:48 AM #6
Yep, starting to look a lot better, continue as follows please:

Step 1

Double click OTM.exe to start the tool. Vista or Windows 7 users: right click and select Run as Administrator.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    -------------------------------------------------------------------

    :Files
    C:\Users\Dagoth\Desktop\FFSetup220.zip
    :Commands
    [EmptyTemp]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 2

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document called checkup.txt should open automatically; please post the contents of that document.

Post the two logs in your reply, also let me know if there are any remaining issues.

Kevin