
Search Timeout in every browser on google msn and yahoo

Discussion in 'Virus & Other Malware Removal' started by spiritedblaize, Feb 26, 2011.

  1. spiritedblaize

    spiritedblaize Thread Starter

    Joined:
    Feb 26, 2011
    Messages:
    3
    I am posting this here because I believe it is malware related. It is the boyfriend's computer, Windows Vista, primary browser is Firefox. He did get hijacked. We ran Malwarebytes and fixed some issues. For quite some time now he has not been able to log into his gmail. He was getting a page time out error. Beginning yesterday he is getting that error if he tries to go to google at all or search using yahoo or msn. I am typing this on his computer. Most pages if you know the url and type it in the address bar you can go without issue. I tried turning off all firewalls and increasing time out rates in the registry. Ping www.google.com gives me 100% loss.

    I do not know enough about the registry to determine what is causing the problem.

    *** Results from hijackthis ***

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:33:32 PM, on 2/26/2011
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18565)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\System32\mobsync.exe
    C:\Users\Dagoth\Desktop\HijackThis.exe
    C:\Windows\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25426
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
    O15 - Trusted Zone: http://www.gmail.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
    O17 - HKLM\System\CS3\Services\Tcpip\..\{1C1301AE-F989-4B0D-9520-58BC11746ABD}: NameServer = 8.8.8.8,8.8.4.4
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

    --
    End of file - 3206 bytes


    **** results from dds.txt file *** attach.txt in post attachments ****

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Dagoth at 12:38:48.01 on Sat 02/26/2011
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1963 [GMT -5:00]

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\System32\alg.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Dagoth\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Internet Explorer provided by Dell
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:25426
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    uPolicies-explorer: DisallowRun = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    Trusted Zone: gmail.com\www
    TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll
    IFEO: image file execution options -
    Hosts: 74.125.45.100 4-open-davinci.com
    Hosts: 74.125.45.100 securitysoftwarepayments.com
    Hosts: 74.125.45.100 privatesecuredpayments.com
    Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    Hosts: 74.125.45.100 getantivirusplusnow.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\dagoth\appdata\roaming\mozilla\firefox\profiles\wtt5yz39.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 25426
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\dagoth\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\users\dagoth\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-27 64288]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-12-22 217032]
    R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2008-9-24 27648]
    S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-12-11 599040]
    S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-9-24 18432]
    S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-9-24 19008]
    S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
    S4 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
    S4 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
    S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-24 30192]

    =============== Created Last 30 ================

    2011-02-26 15:24:46 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ebd9b482-7747-4aa2-9c18-4361123c1c65}\mpengine.dll
    2011-02-19 20:39:22 -------- d-----w- c:\users\dagoth\appdata\local\Yahoo!
    2011-02-18 19:36:26 -------- d-----w- c:\program files\Phoenix Viewer
    2011-02-06 14:13:52 -------- d-----w- c:\program files\Bonjour
    2011-02-06 14:05:00 -------- d-----w- c:\program files\common files\Macrovision Shared
    2011-02-06 13:40:16 -------- d-----w- C:\AdobeTemp
    2011-02-04 09:25:58 -------- d-----w- c:\users\dagoth\appdata\local\lptmp3898

    ==================== Find3M ====================

    2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-08 07:50:00 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 05:57:10 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:25:17 2038784 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 14:57:35 409600 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-25 13:24:26 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-12-20 15:40:24 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 15:37:57 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-12-20 14:12:59 389632 ----a-w- c:\windows\system32\html.iec
    2010-12-20 13:51:45 1383424 ----a-w- c:\windows\system32\mshtml.tlb
    2010-12-14 15:49:30 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

    ============= FINISH: 12:39:03.96 ===============


    **** ark.txt file ****

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-26 13:32:04
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320620AS rev.3.ADJ
    Running: s70u33bd.exe; Driver: C:\Users\Dagoth\AppData\Local\Temp\fwryrpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\Users\Dagoth\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[1772] ntdll.dll!LdrLoadDll 772079B3 5 Bytes JMP 012313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3624] USER32.dll!TrackPopupMenu 76051417 5 Bytes JMP 6A7F2342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
    Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXosiwuvsybyqdcbkrwipeyoffptdrwire.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system

    ---- EOF - GMER 1.0.15 ----

    No idea what to look for in these. Any help is appreciated. Thank you!
     

    Attached Files:
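Reading the indicators in the logs above, as an added example that is not part of the post and not code from the DDS or HijackThis tools: the script below parses the proxy, Firefox pref and Hosts lines in the DDS report format and turns them into findings a helper would act on. The suspicious sample is copied from the log in this post; the clean sample is constructed. A proxy on 127.0.0.1 is reported because every browser request then depends on whatever is listening on that local port; the Firefox network.proxy.http pref is reported with a note that it only takes effect when network.proxy.type is 1 (manual), which the log's value 0 is not; and Hosts entries that send a name to a non-local address are reported individually, with several names landing on one IP called out separately.

```python
"""Triage of the network-hijack indicators in a DDS / HijackThis-style log.

Added example for this thread (not DDS, HijackThis or the helper's code):
reads proxy, Firefox-pref and Hosts lines in the quoted report format and
turns them into findings. SAMPLE_LOG is copied from the post; CLEAN_LOG is
constructed to show the same sections with nothing set.
"""
import ipaddress
import re

# Lines quoted from the DDS "Pseudo HJT Report" and FIREFOX sections above.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:25426
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25426
FF - prefs.js: network.proxy.type - 0
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
"""

# Constructed: the same sections on a machine with no proxy and a stock hosts file.
CLEAN_LOG = """\
uInternet Settings,ProxyOverride = *.local
Hosts: 127.0.0.1 localhost
Hosts: ::1 localhost
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(network\.proxy\.\S+)\s*-\s*(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_loopback(host):
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def is_benign_hosts_target(ip_text):
    """Loopback and unspecified (0.0.0.0 / ::) targets only block or localise a name."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_proxy_server(value):
    """Split a WinINET ProxyServer value into (scheme, host, port) tuples.

    Accepts a bare 'host:port' or ';'-separated 'scheme=host:port' entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        entries.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return entries


def triage(log_text):
    """Return a list of (kind, detail) findings for the report lines given."""
    findings, ff_prefs, hosts_by_ip = [], {}, {}
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in parse_proxy_server(m.group(1)):
                if is_loopback(host):
                    findings.append(("loopback_proxy",
                                     f"WinINET {scheme} proxy = {host}:{port}; all browser "
                                     "requests depend on whatever listens on that local port"))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, name = m.groups()
            if name.lower() in LOCAL_NAMES or is_benign_hosts_target(ip):
                continue
            hosts_by_ip.setdefault(ip, []).append(name)
    # Firefox honours network.proxy.http only when network.proxy.type is 1 (manual).
    host = ff_prefs.get("network.proxy.http")
    if host and is_loopback(host):
        state = "active" if ff_prefs.get("network.proxy.type") == "1" else "inactive (type != 1)"
        port = ff_prefs.get("network.proxy.http_port", "?")
        findings.append(("firefox_proxy_pref", f"network.proxy.http = {host}:{port}, {state}"))
    for ip, names in hosts_by_ip.items():
        for name in names:
            findings.append(("hosts_redirect", f"{name} -> {ip}"))
        if len(names) > 1:
            findings.append(("hosts_fanin", f"{len(names)} names resolve to {ip}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

Run against the sample, it reports the loopback proxy, the inactive Firefox pref, three redirected names and the fan-in of those names onto 74.125.45.100; the clean sample produces no findings. The same three regexes match the equivalent mInternet Settings (machine hive) lines, so the script works on the Supplementary Scan section of a ComboFix log as well.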

  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,157
    Hiya spiritedblaize,

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don't forget Combofix must be saved to your desktop, do not save to or run from anywhere else. <--Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:


    Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in your reply,

    Kevin
     
  3. spiritedblaize

    spiritedblaize Thread Starter

    Joined:
    Feb 26, 2011
    Messages:
    3
    **** Combofix Log ****
    ComboFix 11-02-16.01 - Dagoth 02/26/2011 20:48:47.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2119 [GMT -5:00]
    Running from: c:\users\Dagoth\Desktop\Gotcha.exe
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Install.exe
    c:\programdata\Desktop
    c:\users\Dagoth\AUTORUN.INF
    c:\windows\system32\twunk_32.exe
    J:\Autorun.inf
    .
    ((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
    .
    2011-02-27 01:50 . 2011-02-27 01:51 -------- d-----w- c:\users\Dagoth\AppData\Local\temp
    2011-02-27 01:50 . 2011-02-27 01:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-26 15:24 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBD9B482-7747-4AA2-9C18-4361123C1C65}\mpengine.dll
    2011-02-19 20:39 . 2011-02-19 20:39 -------- d-----w- c:\users\Dagoth\AppData\Local\Yahoo!
    2011-02-18 19:36 . 2011-02-18 19:37 -------- d-----w- c:\program files\Phoenix Viewer
    2011-02-06 14:13 . 2011-02-06 14:13 -------- d-----w- c:\program files\Bonjour
    2011-02-06 14:05 . 2011-02-06 14:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2011-02-06 13:40 . 2011-02-06 13:41 -------- d-----w- C:\AdobeTemp
    2011-02-04 09:25 . 2011-02-04 09:25 -------- d-----w- c:\users\Dagoth\AppData\Local\lptmp3898
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 22:11 . 2009-10-06 12:30 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-12-28 14:57 . 2011-01-12 19:59 409600 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-25 13:24 . 2010-12-25 13:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-12-22 03:48 . 2010-12-22 03:48 40960 ----a-r- c:\users\Dagoth\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
    2010-12-20 23:09 . 2010-12-22 11:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-12-22 11:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 15:49 . 2011-01-12 19:59 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-12-09 11:02 . 2010-12-09 11:02 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-07-27 01:02 . 2010-02-17 20:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-09-24 06:37 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    %ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-07-27 01:02 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-01-17 23:17 136176 ----atw- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
    2010-03-09 14:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
    2006-11-08 20:01 49152 ----a-w- c:\windows\System32\ico.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-12-25 02:55 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2008-03-06 11:52 4706304 ----a-w- c:\windows\RtHDVCpl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-09-24 06:29 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    2010-09-24 18:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-27 30192]
    R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-01-31 599040]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
    R3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
    R3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
    S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-03-06 27648]
    S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \shell\AutoRun\command - E:\setup.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \shell\AutoRun\command - j:\wd_windows_tools\setup.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204c8b02-c7fc-11dd-9e7a-806e6f6e6963}]
    \shell\AutoRun\command - j:\wd_windows_tools\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-09-13 21:19]
    2011-02-20 c:\windows\Tasks\DriverRobot.job
    - c:\program files\Driver Robot\DriverRobot.exe [2008-12-12 22:19]
    2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000Core.job
    - c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000UA.job
    - c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
    2011-02-27 c:\windows\Tasks\RtlNICDiagVistaStart.job
    - c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-09-24 11:44]
    2011-02-27 c:\windows\Tasks\SDMsgUpdate (TE).job
    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-02-25 11:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:25426
    Trusted Zone: gmail.com\www
    TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
    FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 25426
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    SafeBoot-Lavasoft Ad-Aware Service
    MSConfigStartUp-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-26 20:50
    Windows 6.0.6001 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2011-02-26 20:55:03
    ComboFix-quarantined-files.txt 2011-02-27 01:54
    Pre-Run: 129,021,419,520 bytes free
    Post-Run: 128,958,021,632 bytes free
    - - End Of File - - D86836DE832399F1D51E5388227AA471
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,157
    Hiya spiritedblaize,

    Proceed as follows :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    
    KillAll::
    DirLook::
    c:\users\Dagoth\AppData\Local\lptmp3898
    DDS::
    uInternet Settings,ProxyOverride = *.local
    uInternet Settings,ProxyServer = http=127.0.0.1:25426
    Firefox::
    FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 25426
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Please download OTM by OldTimer.
    Alternative Mirror
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Services
      :Files
      ipconfig /flushdns /c
      :Commands
      [EmptyTemp]
      [ResetHosts]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red [​IMG] button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 3

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here. Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    What I'd like in your reply :-

    • Log from Combofix
    • Log from OTM
    • Log from ESET
    • System update, Improvements? issues?

    Kevin
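A defender-side check for the loopback proxy hijack that the CFScript above removes (the WinInet ProxyServer value and the Firefox prefs.js entries pointing at 127.0.0.1:25426), written here as an added Python example rather than taken from this thread or from ComboFix/OTM. The sample inputs are constructed to match the values reported in the thread; on a real machine ProxyEnable and ProxyServer would be read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and prefs.js from the Firefox profile folder.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample inputs, modelled on the values ComboFix reported in this thread.
SAMPLE_IE_PROXY_ENABLE = 1
SAMPLE_IE_PROXY_SERVER = "http=127.0.0.1:25426"
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 25426);
user_pref("network.proxy.type", 1);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


@dataclass(frozen=True)
class ProxyFinding:
    source: str          # "IE ProxyServer" or "Firefox prefs.js"
    protocol: str        # http / ssl / ftp / socks / all
    host: str
    port: Optional[int]
    active: bool         # False when the value exists but is not in effect


def parse_prefs_js(text: str) -> dict:
    """Parse user_pref("name", value); lines into a dict of Python values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def parse_ie_proxy_server(value: str) -> list:
    """Split a ProxyServer string into (protocol, host, port) triples.

    WinInet accepts either "host:port" (all protocols) or a ';'-separated
    per-protocol list such as "http=host:port;https=host:port".
    """
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, hostport = part.partition("=")
        if not sep:
            proto, hostport = "all", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, ""
        triples.append((proto.lower(), host, int(port) if port.isdigit() else None))
    return triples


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1 (a proxy on the box itself)."""
    if host.strip().lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False


def check_ie_proxy(proxy_enable: int, proxy_server: str) -> list:
    """Flag loopback entries in the WinInet proxy. This setting is used by IE and
    by every program that follows the system proxy, Firefox in type-5 mode included."""
    return [
        ProxyFinding("IE ProxyServer", proto, host, port, bool(proxy_enable))
        for proto, host, port in parse_ie_proxy_server(proxy_server)
        if is_loopback(host)
    ]


def check_firefox_prefs(prefs: dict) -> list:
    """Flag loopback proxy hosts in prefs.js. network.proxy.type 1 means the manual
    entries are in effect; any other value leaves them present but dormant."""
    active = prefs.get("network.proxy.type") == 1
    findings = []
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        if isinstance(host, str) and is_loopback(host):
            port = prefs.get(f"network.proxy.{proto}_port")
            findings.append(ProxyFinding("Firefox prefs.js", proto, host,
                                         port if isinstance(port, int) else None, active))
    return findings


def scan(proxy_enable: int, proxy_server: str, prefs_js_text: str) -> list:
    """Combine both checks; an empty list means no loopback proxy was configured."""
    return check_ie_proxy(proxy_enable, proxy_server) + check_firefox_prefs(parse_prefs_js(prefs_js_text))


if __name__ == "__main__":
    for f in scan(SAMPLE_IE_PROXY_ENABLE, SAMPLE_IE_PROXY_SERVER, SAMPLE_PREFS_JS):
        state = "ACTIVE" if f.active else "dormant"
        print(f"[{state}] {f.source}: {f.protocol} proxy -> {f.host}:{f.port}")
```

A legitimate corporate proxy on a remote host produces no finding, so a hit here means the browser's traffic is being funnelled through a process on the local machine, which is what caused the search time-outs in this thread.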
     
  5. spiritedblaize

    spiritedblaize Thread Starter

    Joined:
    Feb 26, 2011
    Messages:
    3
    Good Morning,

    I thank you so so much for your assistance. He is reporting much faster speed browsing and the ability to search and log into gmail for the first time in weeks. I am concerned about the found threat still, but it does seem that we have removed a lot of problems already.

    ****log from combofix****
    ComboFix 11-02-16.01 - Dagoth 02/27/2011 0:22.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2247 [GMT -5:00]
    Running from: c:\users\Dagoth\Desktop\Gotcha.exe
    Command switches used :: c:\users\Dagoth\Desktop\CFScript.txt
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    ((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
    .
    2011-02-27 05:23 . 2011-02-27 05:25 -------- d-----w- c:\users\Dagoth\AppData\Local\temp
    2011-02-26 15:24 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EBD9B482-7747-4AA2-9C18-4361123C1C65}\mpengine.dll
    2011-02-19 20:39 . 2011-02-19 20:39 -------- d-----w- c:\users\Dagoth\AppData\Local\Yahoo!
    2011-02-18 19:36 . 2011-02-18 19:37 -------- d-----w- c:\program files\Phoenix Viewer
    2011-02-06 14:13 . 2011-02-06 14:13 -------- d-----w- c:\program files\Bonjour
    2011-02-06 14:05 . 2011-02-06 14:05 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2011-02-06 13:40 . 2011-02-06 13:41 -------- d-----w- C:\AdobeTemp
    2011-02-04 09:25 . 2011-02-04 09:25 -------- d-----w- c:\users\Dagoth\AppData\Local\lptmp3898
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 22:11 . 2009-10-06 12:30 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-12-28 14:57 . 2011-01-12 19:59 409600 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-25 13:24 . 2010-12-25 13:24 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-12-22 03:48 . 2010-12-22 03:48 40960 ----a-r- c:\users\Dagoth\AppData\Roaming\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
    2010-12-20 23:09 . 2010-12-22 11:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-12-22 11:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 15:49 . 2011-01-12 19:59 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-12-09 11:02 . 2010-12-09 11:02 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-07-27 01:02 . 2010-02-17 20:52 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\users\Dagoth\AppData\Local\lptmp3898 ----
    2011-02-04 09:25 . 2011-02-04 09:42 4812 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_TW\zh_TW.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 58583 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_TW\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 59854 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_CN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4794 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\zh_CN\zh_CN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2522 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\vi_VN\vi_VN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 71089 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\vi_VN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5028 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ur_PK\ur_PK.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 587 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ur_PK\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2878 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\uk_UA\uk_UA.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 45180 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\uk_UA\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2634 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tr_TR\tr_TR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 38476 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tr_TR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tl_PH\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5044 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\tl_PH\tl_PH.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2773 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\th_TH\th_TH.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 10286 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\th_TH\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2798 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\sv_SE.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 39217 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 63601 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sv_SE\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 80842 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sr_RS\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2395 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sr_RS\sr_RS.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sq_AL\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5037 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sq_AL\sq_AL.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2887 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sl_SI\sl_SI.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 15709 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sl_SI\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2939 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sk_SK\sk_SK.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 24540 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\sk_SK\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5054 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\si_LK\si_LK.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2119 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\si_LK\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2667 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ru_RU\ru_RU.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 80321 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ru_RU\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 12313 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ro_RO\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2926 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ro_RO\ro_RO.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 5024 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_PT\pt_PT.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 36513 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_PT\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 66269 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_BR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2860 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pt_BR\pt_BR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 64091 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pl_PL\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2202 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pl_PL\pl_PL.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 770 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pa_IN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\pa_IN\pa_IN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 11485 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nn_NO\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nn_NO\nn_NO.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2676 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\nl_NL.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 40948 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 65218 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 124 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nl_NL\junk.html
    2011-02-04 09:25 . 2011-02-04 09:42 2503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nb_NO\nb_NO.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 62874 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\nb_NO\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2425 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ms_MY\ms_MY.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 5289 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ms_MY\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5038 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ml_IN\ml_IN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ml_IN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5057 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\mk_MK\mk_MK.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 1087 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\mk_MK\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4744 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lv_LV\lv_LV.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 4110 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lv_LV\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 3070 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lt_LT\lt_LT.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 67243 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\lt_LT\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 36729 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ko_KR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2449 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ko_KR\ko_KR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\kn_IN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5038 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\kn_IN\kn_IN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 72318 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ja_JP\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 1523 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ja_JP\ja_JP.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 66525 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\it_IT\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2293 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\it_IT\it_IT.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 8919 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\is_IS\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2567 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\is_IS\is_IS.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 3864 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\id_ID\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4744 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\id_ID\id_ID.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 66974 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hu_HU\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2405 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hu_HU\hu_HU.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 46026 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hr_HR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2564 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hr_HR\hr_HR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hi_IN\hi_IN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2499 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\hi_IN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 34313 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 42460 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 1703 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\he_IL\he_IL.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\gu_IN\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2968 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\gu_IN\gu_IN.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 4995 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ga_IE\ga_IE.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2354 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ga_IE\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 39684 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 68848 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2558 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_FR\fr_FR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 64363 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_CA\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4774 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fr_CA\fr_CA.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 63136 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fi_FI\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2521 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fi_FI\fi_FI.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 10774 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 26842 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2855 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\fa_IR\fa_IR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 43738 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\et_EE\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4937 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\et_EE\et_EE.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 66019 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_MX\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4802 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_MX\es_MX.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 65183 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_ES\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2682 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\es_ES\es_ES.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 62965 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_US\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2659 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_US\en_US.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 62944 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_GB\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 5012 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\en_GB\en_GB.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 23145 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\el_GR\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2925 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\el_GR\el_GR.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 17128 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\wxstd.mo
    2011-02-04 09:25 . 2011-02-04 09:42 44224 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\messages.mo
    2011-02-04 09:25 . 2011-02-04 09:42 66178 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 3043 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\de_DE\de_DE.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 62950 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\da_DK\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2457 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\da_DK\da_DK.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 65420 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\cs_CZ\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4830 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\cs_CZ\cs_CZ.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 16926 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ca_ES\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4754 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ca_ES\ca_ES.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 415 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bs_BA\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4796 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bn_BD\bn_BD.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2234 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bn_BD\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 53181 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bg_BG\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4752 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\bg_BG\bg_BG.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 5072 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\az_AZ\az_AZ.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 25346 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\az_AZ\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 14954 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_SA\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 2719 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_SA\ar_SA.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 2832 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_EG\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4798 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\ar_EG\ar_EG.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 63503 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\af_ZA\lastpass.mo
    2011-02-04 09:25 . 2011-02-04 09:42 4898 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\languages\af_ZA\af_ZA.xpm
    2011-02-04 09:25 . 2011-02-04 09:42 930463 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\lp_languages.zip
    2011-02-04 09:25 . 2011-02-04 09:42 1061944 ----a-w- c:\users\Dagoth\AppData\Local\lptmp3898\lp_dbghelp.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-09-24 06:37 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    %ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dellsupportcenter]
    2009-05-21 15:13 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
    2008-03-11 17:44 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-07-27 01:02 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-01-17 23:17 136176 ----atw- c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
    2010-03-09 14:40 1286608 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMX Daemon]
    2006-11-08 20:01 49152 ----a-w- c:\windows\System32\ico.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-12-25 02:55 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2008-03-06 11:52 4706304 ----a-w- c:\windows\RtHDVCpl.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-09-24 06:29 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
    2010-09-24 18:19 159472 ----a-w- c:\program files\Zune\ZuneLauncher.exe
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-27 30192]
    R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2008-01-31 599040]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [x]
    R3 pmxmouse;pmxmouse;c:\windows\system32\DRIVERS\pmxmouse.sys [2007-06-01 18432]
    R3 pmxusblf;pmxusblf;c:\windows\system32\DRIVERS\pmxusblf.sys [2007-05-24 19008]
    R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
    S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-10 217032]
    S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbguard.exe [2007-10-16 81920]
    S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-03-06 27648]
    S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_1\bin\fbserver.exe [2007-10-16 2711552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \shell\AutoRun\command - E:\setup.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
    \shell\AutoRun\command - j:\wd_windows_tools\setup.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{204c8b02-c7fc-11dd-9e7a-806e6f6e6963}]
    \shell\AutoRun\command - j:\wd_windows_tools\setup.exe
    .
    Contents of the 'Scheduled Tasks' folder
    2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 15:39]
    2011-02-27 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2010-09-13 21:19]
    2011-02-20 c:\windows\Tasks\DriverRobot.job
    - c:\program files\Driver Robot\DriverRobot.exe [2008-12-12 22:19]
    2011-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000Core.job
    - c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-432833793-4244938426-1870455723-1000UA.job
    - c:\users\Dagoth\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-17 23:17]
    2011-02-27 c:\windows\Tasks\RtlNICDiagVistaStart.job
    - c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-09-24 11:44]
    2011-02-27 c:\windows\Tasks\SDMsgUpdate (TE).job
    - c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-02-25 11:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080924
    Trusted Zone: gmail.com\www
    TCP: {1C1301AE-F989-4B0D-9520-58BC11746ABD} = 8.8.8.8,8.8.4.4
    FF - ProfilePath - c:\users\Dagoth\AppData\Roaming\Mozilla\Firefox\Profiles\wtt5yz39.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-27 00:25
    Windows 6.0.6001 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-27 00:29:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-27 05:28
    ComboFix2.txt 2011-02-27 01:55
    Pre-Run: 128,893,313,024 bytes free
    Post-Run: 128,748,589,056 bytes free
    - - End Of File - - 2B8C75A835F4861C44BDACC03A7D4F9A

    ****log from otm****
    All processes killed
    ========== SERVICES/DRIVERS ==========
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Dagoth\Desktop\cmd.bat deleted successfully.
    C:\Users\Dagoth\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Dagoth
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 16490090 bytes
    ->Java cache emptied: 26213073 bytes
    ->FireFox cache emptied: 70877484 bytes
    ->Google Chrome cache emptied: 29480142 bytes
    ->Flash cache emptied: 1177 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56504 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 160424928 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 7057914 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 296.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTM by OldTimer - Version 3.1.17.2 log created on 02272011_003241

    **** log from eset****
    C:\Users\Dagoth\Desktop\FFSetup220.zip Win32/Adware.ADON application
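The OTM log above shows the fix that most likely matters for the original symptom (google, yahoo and msn timing out while other sites load, and `ping www.google.com` losing every packet): the hosts file was moved out and reset. The following is an added example, not code from the thread or from OTM, showing the check a practitioner would run on a hosts file before resetting it, so the hijacked entries are recorded rather than silently discarded. The hosts content, the watchlist of domains and the `find_hijacks` helper are all constructed for this example; the sample hosts lines are invented to mirror the symptoms described in the thread, not the real file from this machine.

```python
"""Inspect a Windows hosts file for entries that blackhole or redirect
well-known domains (the classic cause of "search engines time out but
everything else works").

Added example, not from the thread. Run with no arguments to check the
constructed sample below, or pass a path such as
C:\\Windows\\System32\\drivers\\etc\\hosts to check a real file.
"""
import ipaddress
import sys

# Constructed sample hosts content (assumption: not the real file from the
# thread). Mixes the stock Microsoft header, benign localhost lines, a benign
# ad-blocking line and several hijack patterns.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0\twww.google.com
127.0.0.1   mail.google.com  gmail.com
10.0.0.1\tsearch.yahoo.com www.bing.com   # hijacked
192.0.2.55 update.microsoft.com
127.0.0.1 ad.doubleclick.net
"""

# Domains that should essentially never appear in a home PC's hosts file.
# This watchlist is an assumption for the example; extend it as needed.
WATCHLIST = ("google.com", "gmail.com", "yahoo.com", "msn.com",
             "bing.com", "microsoft.com")

# Addresses that make a name unreachable rather than redirecting it.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every effective mapping line.

    Comments (anything after '#') are stripped, blank lines skipped, and a
    line whose first token is not a valid IPv4/IPv6 address is ignored.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        yield lineno, str(ip), [h.lower() for h in parts[1:]]


def on_watchlist(hostname, watchlist=WATCHLIST):
    """True if hostname is a watchlist domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_hijacks(text, watchlist=WATCHLIST):
    """Return suspicious entries as (lineno, ip, hostname, reason).

    Two heuristics: any watchlist domain mapped anywhere is flagged, and any
    name mapped to a routable (non-loopback, non-null) address is flagged,
    because a hosts file that only blackholes ad domains never needs one.
    """
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        local = ip in LOOPBACK_OR_NULL
        for host in hosts:
            if host == "localhost":
                continue  # the stock entries
            if on_watchlist(host, watchlist) or not local:
                reason = "blackholed" if local else f"redirected to {ip}"
                findings.append((lineno, ip, host, reason))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for lineno, ip, host, reason in find_hijacks(content):
        print(f"line {lineno}: {host} -> {ip} ({reason})")
```

On the sample, the stock `localhost` lines and the `ad.doubleclick.net` blackhole are left alone, while the google, gmail, yahoo, bing and microsoft entries are reported with the address they point at. Save that output before resetting the hosts file; a redirect to a routable address (rather than 0.0.0.0 or 127.0.0.1) is the entry worth checking further, since it means traffic for that name was being sent to a host the malware chose rather than simply dropped.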
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,157
Yep, starting to look a lot better; continue as follows please:

    Step 1

    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Files
      C:\Users\Dagoth\Desktop\FFSetup220.zip
      :Commands
      [EmptyTemp]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 2

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document called checkup.txt should open automatically; please post the contents of that document.

    Post the two logs in your reply, also let me know if there are any remaining issues.

    Kevin
     
Short URL to this thread: https://techguy.org/982953