TechSpot

Another victim, Firefox redirect with combofix log

By mikmaze
Jul 22, 2010
  1. ComboFix 10-07-22.01 - MIKE 07/22/2010 19:04:33.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3263.2285 [GMT -4:00]
    Running from: c:\users\MIKE\Downloads\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
    .

    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-07-22 23:02 . 2010-07-22 23:03 -------- d-----w- C:\32788R22FWJFW
    2010-07-22 21:16 . 2010-07-22 21:16 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\programdata\ParetoLogic
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-21 12:35 . 2010-07-21 12:35 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
    2010-07-21 12:35 . 2010-07-21 12:35 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
    2010-07-21 00:47 . 2010-07-22 17:16 63488 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-21 00:47 . 2010-07-21 00:47 52224 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-21 00:47 . 2010-07-22 17:16 117760 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-22 01:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-21 00:32 . 2010-07-21 00:32 -------- d-----w- c:\program files\Common Files\Java
    2010-07-18 00:48 . 2010-07-22 20:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-18 00:47 . 2010-07-18 00:52 -------- d-----w- c:\programdata\Hitman Pro
    2010-07-18 00:47 . 2010-07-18 00:47 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-17 21:51 . 2010-07-17 21:51 -------- d-----w- c:\users\MIKE\AppData\Local\Sunbelt Software
    2010-07-17 21:39 . 2010-07-17 21:39 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-17 21:39 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-07-16 12:41 . 2010-07-16 12:41 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-07-16 12:41 . 2010-07-16 12:41 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-07-16 12:40 . 2010-07-16 12:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-16 12:39 . 2010-07-16 12:39 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
    2010-07-16 12:39 . 2010-07-16 12:39 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
    2010-07-16 12:39 . 2010-07-16 12:39 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-07-16 12:39 . 2010-07-16 12:39 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-07-05 22:10 . 2010-07-05 22:10 -------- d-----w- c:\users\MIKE\AppData\Local\Cooliris
    2010-07-05 22:10 . 2010-06-14 16:08 4687872 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-07-05 22:10 . 2010-06-14 16:08 545280 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-07-05 22:10 . 2010-06-14 16:08 4687360 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-07-05 22:10 . 2010-06-14 16:08 103424 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-07-05 22:10 . 2010-06-14 16:08 425984 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-07-05 22:10 . 2010-06-14 16:08 152064 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-07-05 22:10 . 2010-06-14 16:08 57856 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-06-28 21:19 . 2010-06-28 21:19 -------- d-----w- c:\users\MIKE\AppData\Roaming\Enplase
    2010-06-23 07:00 . 2009-11-25 16:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 07:00 . 2009-11-25 16:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 07:00 . 2009-11-25 16:47 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 07:00 . 2009-11-25 16:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 07:00 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-21 00:31 . 2010-06-06 23:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 12:40 . 2009-12-16 22:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 12:40 . 2009-12-16 22:32 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-15 07:01 . 2009-12-19 15:43 -------- d-----w- c:\programdata\Microsoft Help
    2010-07-12 08:55 . 2010-06-05 22:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-12 08:55 . 2010-01-04 14:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-08 01:12 . 2009-12-23 01:58 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-02 13:36 . 2009-12-16 22:32 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-28 16:58 . 2009-12-16 22:48 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2010-05-27 07:24 . 2010-06-09 08:13 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-09 08:13 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-26 22:00 . 2009-12-16 22:32 -------- d-----w- c:\programdata\avg9
    2010-05-26 00:15 . 2010-05-26 00:15 -------- d-----w- c:\program files\Wondershare
    2010-05-21 05:18 . 2010-06-09 08:13 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-01 14:49 . 2010-06-09 08:13 2326528 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 19:39 . 2010-01-25 13:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-01-25 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-17_15.03.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-17 01:05 . 2010-07-22 21:58 29122 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2010-07-22 21:58 36528 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2010-06-05 22:57 . 2010-06-05 22:56 64288 c:\windows\System32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys
    + 2010-06-05 22:57 . 2010-07-12 08:55 64288 c:\windows\System32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys
    - 2009-12-17 01:14 . 2010-07-17 12:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 01:14 . 2010-07-22 21:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 01:14 . 2010-07-22 21:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 01:14 . 2010-07-17 12:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:41 . 2010-07-22 21:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:41 . 2010-07-17 12:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:34 . 2010-07-22 21:15 85688 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-12-16 22:50 . 2010-07-17 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 23:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:57 . 2010-07-22 21:58 7106 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2735080834-11081467-332214384-1001_UserData.bin
    - 2010-06-23 07:16 . 2010-06-23 07:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-07-22 21:57 . 2010-07-22 21:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-07-22 21:57 . 2010-07-22 21:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2010-06-23 07:16 . 2010-06-23 07:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-07-14 02:05 . 2010-07-22 22:01 618264 c:\windows\System32\perfh009.dat
    - 2009-07-14 02:05 . 2010-07-16 23:20 618264 c:\windows\System32\perfh009.dat
    + 2009-07-14 02:05 . 2010-07-22 22:01 104546 c:\windows\System32\perfc009.dat
    - 2009-07-14 02:05 . 2010-07-16 23:20 104546 c:\windows\System32\perfc009.dat
    - 2010-06-06 23:29 . 2010-06-06 23:29 153376 c:\windows\System32\javaws.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 153376 c:\windows\System32\javaws.exe
    - 2010-06-06 23:29 . 2010-06-06 23:29 145184 c:\windows\System32\javaw.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 145184 c:\windows\System32\javaw.exe
    - 2010-06-06 23:29 . 2010-06-06 23:29 145184 c:\windows\System32\java.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 145184 c:\windows\System32\java.exe
    + 2010-07-21 00:32 . 2010-07-21 00:32 183808 c:\windows\Installer\ffa125e.msi
    + 2010-07-21 00:31 . 2010-07-21 00:31 681984 c:\windows\Installer\ffa1257.msi
    + 2009-07-14 02:03 . 2010-07-22 22:10 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:03 . 2010-07-17 05:16 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    + 2010-07-17 21:39 . 2010-07-17 21:39 1869312 c:\windows\Installer\7eaf728e.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-22 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
    "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^MIKE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\MIKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
    2010-07-16 12:40 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-06-06 18:52 1832232 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-03-06 16:52 13605408 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-03-06 16:52 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
    2006-01-30 16:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
    2007-02-27 21:29 315392 ----a-w- c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-03-28 07:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
     
  2. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
    R2 MSWU-56c79e92;MSWU-56c79e92;c:\windows\system32\56c79e92.exe [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-16 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2006-12-15 13824]
    S3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2006-12-15 35840]
    S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2008-11-19 16640]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-07-22 19:13:39
    ComboFix-quarantined-files.txt 2010-07-22 23:13
    ComboFix2.txt 2010-07-17 15:05

    Pre-Run: 73,448,296,448 bytes free
    Post-Run: 73,404,821,504 bytes free

    - - End Of File - - 5845FA688C3789BDEDB9B7A7D4B1B6BC
     
  3. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Never run Combofix on your own.
    I can see, you ran Combofix before already.
    I'd like to see ComboFix2.txt log.

    Is Firefox the only browser affected?

    Please, download DDS from one of the 2 mirrors and save it to your desktop.

    Mirror 1
    Mirror 2

    * Disable any script blocking protection (if present)
    * Double click the dds icon to run the tool.
    * When done, DDS will open two logs:
    1. DDS.txt
    2. Attach.txt
    * Save both reports to your desktop by clicking File>Save As in each log.

    Include the contents of both logs in your new topic. The scan will instruct you to post Attach.txt as an attachment. No need for that though... just post its contents as you would any other log.

    ======================================================================

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log.
    Warning! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  4. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by MIKE at 20:47:10.64 on Thu 07/22/2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3263.1970 [GMT -4:00]

    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k HsfXAudioService
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe
    C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\DllHost.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\WindowsMobile\WmdHost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\MIKE\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"
    mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    AppInit_DLLs: c:\windows\system32\avgrsstx.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\mike\appdata\roaming\mozilla\firefox\profiles\5h6vm4il.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\users\mike\appdata\roaming\mozilla\firefox\profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-16 243024]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
    R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2009-12-17 13824]
    R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2009-12-17 35840]
    R3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2010-5-8 16640]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
    S2 MSWU-56c79e92;MSWU-56c79e92;c:\windows\system32\56c79e92.exe --> c:\windows\system32\56c79e92.exe [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]

    =============== Created Last 30 ================

    2010-07-23 00:12:10 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
    2010-07-23 00:10:47 0 d-----w- c:\windows\WindowsMobile
    2010-07-22 23:12:46 0 d-sh--w- C:\$RECYCLE.BIN
    2010-07-22 21:16:04 3162 ----a-w- C:\rollback.ini
    2010-07-22 21:09:07 0 d-----w- c:\programdata\ParetoLogic
    2010-07-22 21:09:07 0 d-----w- c:\program files\common files\ParetoLogic
    2010-07-21 00:47:19 0 d-----w- c:\users\mike\appdata\roaming\SUPERAntiSpyware.com
    2010-07-21 00:47:19 0 d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-07-21 00:47:12 0 d-----w- c:\program files\SUPERAntiSpyware
    2010-07-18 00:48:24 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-18 00:47:37 0 d-----w- c:\programdata\Hitman Pro
    2010-07-18 00:47:35 0 d-----w- c:\program files\Hitman Pro 3.5
    2010-07-17 21:39:49 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-17 14:55:35 98816 ----a-w- c:\windows\sed.exe
    2010-07-17 14:55:35 77312 ----a-w- c:\windows\MBR.exe
    2010-07-17 14:55:35 256512 ----a-w- c:\windows\PEV.exe
    2010-07-17 14:55:35 161792 ----a-w- c:\windows\SWREG.exe
    2010-07-16 12:40:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-28 21:19:51 0 d-----w- c:\users\mike\appdata\roaming\Enplase
    2010-06-23 07:00:33 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 07:00:33 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 07:00:33 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 07:00:33 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 07:00:33 1130824 ----a-w- c:\windows\system32\dfshim.dll

    ==================== Find3M ====================

    2010-07-21 00:31:58 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 12:40:51 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 12:40:14 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-12 08:55:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-05-28 16:58:26 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2010-01-23 08:18:40 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 20:47:29.22 ===============
     
  5. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4339

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    7/22/2010 8:56:13 PM
    mbam-log-2010-07-22 (20-56-13).txt

    Scan type: Quick scan
    Objects scanned: 136137
    Time elapsed: 5 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-22 21:11:53
    Windows 6.1.7600
    Running: bk5tnhgz.exe; Driver: C:\Users\MIKE\AppData\Local\Temp\kwlyipow.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1CAF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C3F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A052D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A04898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C1DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1C6F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1CF2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1D1A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A7C599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA0F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x9283F340, 0x3EE217, 0xE8000020]
    .text peauth.sys 9F81FC9D 28 Bytes [8F, B5, 53, B8, 30, 62, 2A, ...]
    .text peauth.sys 9F81FCC1 28 Bytes [8F, B5, 53, B8, 30, 62, 2A, ...]
    PAGE peauth.sys 9F825B9B 72 Bytes [A0, 73, EC, 75, B6, AF, AF, ...]
    PAGE peauth.sys 9F825BEC 111 Bytes [2E, 22, F4, 18, 31, EC, 2A, ...]
    PAGE peauth.sys 9F825E20 101 Bytes [64, A5, CD, 6C, 78, 17, AA, ...]
    PAGE ...
    ? C:\Users\MIKE\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
    ? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
    ? C:\Users\MIKE\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!LdrLoadDll 77C0F585 5 Bytes JMP 013213F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\rundll32.exe[1220] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1220] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1220] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\system32\rundll32.exe[1220] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2924] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2924] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2924] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[2924] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3288] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3288] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3288] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\System32\rundll32.exe[3288] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75C55E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  7. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    I still need Attach.txt part of DDS log and ComboFix2.txt
     
  8. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    ComboFix is what I got; if I need to run it again to find the log, I will. What part of DDS do you need to see?
     
  9. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    DDS (Ver_10-03-17.01)

    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/16/2009 5:19:34 PM
    System Uptime: 7/22/2010 5:56:36 PM (4 hours ago)

    Motherboard: Quanta | | 30EA
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-57 | Socket S1 | 1900/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 100 GiB total, 67.983 GiB free.
    D: is FIXED (NTFS) - 12 GiB total, 1.724 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is FIXED (NTFS) - 298 GiB total, 279.397 GiB free.
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30EA103C&REV_12\4&2A4C3A5&0&2A40
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_30EA103C&REV_12\4&2A4C3A5&0&2A40
    Service:

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: FCR-HS219/1
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&3#
    Manufacturer: Kingston
    Name: K:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&3#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: WALKMAN NWZ-E345
    Device ID: USB\VID_054C&PID_03FC\0E497423108382
    Manufacturer: Sony Corporation
    Name: WALKMAN
    PNP Device ID: USB\VID_054C&PID_03FC\0E497423108382
    Service: WUDFRd

    Class GUID:
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30EA103C&REV_12\4&2A4C3A5&0&2940
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_30EA103C&REV_12\4&2A4C3A5&0&2940
    Service:

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: FCR-HS219/1
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&0#
    Manufacturer: Kingston
    Name: I:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&0#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: FCR-HS219/1
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&1#
    Manufacturer: Kingston
    Name: H:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&1#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: FCR-HS219/1
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&2#
    Manufacturer: Kingston
    Name: J:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_FCR-HS219#1&REV_9738#094603005580&2#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: WPD FileSystem Volume Driver
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_SD#VID_17&OID_5457&PID_&REV_1.0#5&267FDEAA&0&0#
    Manufacturer: Microsoft
    Name: F:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_SD#VID_17&OID_5457&PID_&REV_1.0#5&267FDEAA&0&0#
    Service: WUDFRd

    ==== System Restore Points ===================

    RP107: 6/28/2010 5:48:24 PM - Removed Ask Toolbar.
    RP108: 7/6/2010 12:27:33 AM - Scheduled Checkpoint
    RP109: 7/14/2010 1:45:35 AM - Scheduled Checkpoint
    RP110: 7/15/2010 3:00:20 AM - Windows Update
    RP113: 7/16/2010 8:40:54 AM - Avg Update
    RP114: 7/20/2010 8:29:26 PM - Removed Java(TM) 6 Update 20
    RP115: 7/20/2010 8:31:42 PM - Installed Java(TM) 6 Update 21
    RP117: 7/22/2010 5:08:39 PM - Installed ParetoLogic Anti-Virus PLUS.
    RP118: 7/22/2010 5:28:09 PM - Removed ParetoLogic Anti-Virus PLUS.
    RP119: 7/22/2010 5:28:45 PM - Removed ParetoLogic Anti-Virus PLUS.
    RP120: 7/22/2010 8:11:10 PM - Installed Windows Mobile Device Center

    ==== Installed Programs ======================

    µTorrent
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe Flash Player 10 Plugin
    Adobe Photoshop Elements 7.0
    Adobe Reader 9.3.3
    Adobe® Flash® Player 10 ActiveX
    Apple Application Support
    Apple Software Update
    AVG Free 9.0
    Belarc Advisor 8.1
    CCleaner
    Conexant HD Audio
    Content Transfer
    CopperHeadEFI
    EPSON Printer Software
    EPSON Scan
    Google Earth
    HDAUDIO Soft Data Fax Modem with SmartCP
    HP OrderReminder
    Java Auto Updater
    Java(TM) 6 Update 21
    LaserJet 1018
    Linksys Wireless-G Print Server
    Malwarebytes' Anti-Malware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Easy Assist v2
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Add-in 1.4
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.7)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero 8 Essentials
    neroxml
    NVIDIA Drivers
    NVIDIA PhysX
    NWZ-E340 WALKMAN Guide
    QuickTime
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB969613)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Sothink Logo Maker
    Spelling Dictionaries Support For Adobe Reader 9
    SUPERAntiSpyware
    Synaptics Pointing Device Driver
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (kb2202131)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Messenger
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    Windows Mobile Device Center
    Wondershare Streaming Audio Recorder(Build 1.0.10.1)

    ==== Event Viewer Messages From Past Week ========

    7/22/2010 8:11:03 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR1.
    7/22/2010 7:22:56 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer TIM-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{594F5156-0126-46CD-A862-30D07FF5B7B. The master browser is stopping or an election is being forced.
    7/22/2010 7:11:15 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    7/22/2010 5:57:12 PM, Error: Microsoft-Windows-WHEA-Logger [18] - A fatal hardware error has occurred. Reported by component: Processor Core Error Source: Machine Check Exception Error Type: Unknown Error Processor ID: 1 The details view of this entry contains further information.
    7/22/2010 5:28:41 PM, Error: Service Control Manager [7034] - The plasservice service terminated unexpectedly. It has done this 1 time(s).
    7/21/2010 9:16:26 PM, Error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    7/17/2010 8:57:42 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer HOLLY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{594F5156-0126-46CD-A862-30D07FF5B. The master browser is stopping or an election is being forced.
    7/17/2010 6:01:59 PM, Error: Service Control Manager [7000] - The Lbd service failed to start due to the following error: The system cannot find the file specified.
    7/17/2010 5:51:18 PM, Error: Service Control Manager [7030] - The Lavasoft Ad-Aware Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

    ==== End Of File ===========================
     
  10. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Thank you :)

    Are you still being redirected?

    Please, navigate to:
    C:\Qoobox
    Open ComboFix-quarantined-files.txt in Notepad, copy everything, and paste it into your next reply.
     
  11. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    Yes, still getting redirected, quite annoying.

    ComboFix 10-07-22.01 - MIKE 07/22/2010 19:04:33.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3263.2285 [GMT -4:00]
    Running from: c:\users\MIKE\Downloads\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
    .

    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-22 23:11 . 2010-07-22 23:11 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-07-22 23:02 . 2010-07-22 23:03 -------- d-----w- C:\32788R22FWJFW
    2010-07-22 21:16 . 2010-07-22 21:16 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\programdata\ParetoLogic
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-21 12:35 . 2010-07-21 12:35 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
    2010-07-21 12:35 . 2010-07-21 12:35 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
    2010-07-21 12:35 . 2010-07-21 12:35 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
    2010-07-21 00:47 . 2010-07-22 17:16 63488 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-21 00:47 . 2010-07-21 00:47 52224 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-21 00:47 . 2010-07-22 17:16 117760 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-22 01:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-21 00:32 . 2010-07-21 00:32 -------- d-----w- c:\program files\Common Files\Java
    2010-07-18 00:48 . 2010-07-22 20:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-18 00:47 . 2010-07-18 00:52 -------- d-----w- c:\programdata\Hitman Pro
    2010-07-18 00:47 . 2010-07-18 00:47 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-17 21:51 . 2010-07-17 21:51 -------- d-----w- c:\users\MIKE\AppData\Local\Sunbelt Software
    2010-07-17 21:39 . 2010-07-17 21:39 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-17 21:39 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-07-16 12:41 . 2010-07-16 12:41 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-07-16 12:41 . 2010-07-16 12:41 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-07-16 12:40 . 2010-07-16 12:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-16 12:39 . 2010-07-16 12:39 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
    2010-07-16 12:39 . 2010-07-16 12:39 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
    2010-07-16 12:39 . 2010-07-16 12:39 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-07-16 12:39 . 2010-07-16 12:39 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-07-05 22:10 . 2010-07-05 22:10 -------- d-----w- c:\users\MIKE\AppData\Local\Cooliris
    2010-07-05 22:10 . 2010-06-14 16:08 4687872 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-07-05 22:10 . 2010-06-14 16:08 545280 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-07-05 22:10 . 2010-06-14 16:08 4687360 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-07-05 22:10 . 2010-06-14 16:08 103424 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-07-05 22:10 . 2010-06-14 16:08 425984 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-07-05 22:10 . 2010-06-14 16:08 152064 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-07-05 22:10 . 2010-06-14 16:08 57856 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-06-28 21:19 . 2010-06-28 21:19 -------- d-----w- c:\users\MIKE\AppData\Roaming\Enplase
    2010-06-23 07:00 . 2009-11-25 16:47 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 07:00 . 2009-11-25 16:47 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-23 07:00 . 2009-11-25 16:47 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-23 07:00 . 2009-11-25 16:47 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-23 07:00 . 2009-11-25 16:47 1130824 ----a-w- c:\windows\system32\dfshim.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-21 00:31 . 2010-06-06 23:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 12:40 . 2009-12-16 22:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 12:40 . 2009-12-16 22:32 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-15 07:01 . 2009-12-19 15:43 -------- d-----w- c:\programdata\Microsoft Help
    2010-07-12 08:55 . 2010-06-05 22:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-12 08:55 . 2010-01-04 14:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-08 01:12 . 2009-12-23 01:58 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-02 13:36 . 2009-12-16 22:32 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-28 16:58 . 2009-12-16 22:48 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2010-05-27 07:24 . 2010-06-09 08:13 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-09 08:13 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-26 22:00 . 2009-12-16 22:32 -------- d-----w- c:\programdata\avg9
    2010-05-26 00:15 . 2010-05-26 00:15 -------- d-----w- c:\program files\Wondershare
    2010-05-21 05:18 . 2010-06-09 08:13 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-01 14:49 . 2010-06-09 08:13 2326528 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 19:39 . 2010-01-25 13:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-01-25 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-17_15.03.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-12-17 01:05 . 2010-07-22 21:58 29122 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2010-07-22 21:58 36528 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2010-06-05 22:57 . 2010-06-05 22:56 64288 c:\windows\System32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys
    + 2010-06-05 22:57 . 2010-07-12 08:55 64288 c:\windows\System32\DRVSTORE\lbd_9C578CA880A99903668A8694DEFB21244E9C4C62\Lbd.sys
    - 2009-12-17 01:14 . 2010-07-17 12:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 01:14 . 2010-07-22 21:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 01:14 . 2010-07-22 21:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 01:14 . 2010-07-17 12:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:41 . 2010-07-22 21:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:41 . 2010-07-17 12:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:34 . 2010-07-22 21:15 85688 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-22 23:10 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-12-17 00:02 . 2010-07-17 15:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-12-16 22:50 . 2010-07-17 15:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 23:10 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-06-23 07:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:50 . 2010-07-22 21:57 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-12-16 22:57 . 2010-07-22 21:58 7106 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2735080834-11081467-332214384-1001_UserData.bin
    - 2010-06-23 07:16 . 2010-06-23 07:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-07-22 21:57 . 2010-07-22 21:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-07-22 21:57 . 2010-07-22 21:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2010-06-23 07:16 . 2010-06-23 07:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-07-14 02:05 . 2010-07-22 22:01 618264 c:\windows\System32\perfh009.dat
    - 2009-07-14 02:05 . 2010-07-16 23:20 618264 c:\windows\System32\perfh009.dat
    + 2009-07-14 02:05 . 2010-07-22 22:01 104546 c:\windows\System32\perfc009.dat
    - 2009-07-14 02:05 . 2010-07-16 23:20 104546 c:\windows\System32\perfc009.dat
    - 2010-06-06 23:29 . 2010-06-06 23:29 153376 c:\windows\System32\javaws.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 153376 c:\windows\System32\javaws.exe
    - 2010-06-06 23:29 . 2010-06-06 23:29 145184 c:\windows\System32\javaw.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 145184 c:\windows\System32\javaw.exe
    - 2010-06-06 23:29 . 2010-06-06 23:29 145184 c:\windows\System32\java.exe
    + 2010-07-21 00:32 . 2010-07-21 00:31 145184 c:\windows\System32\java.exe
    + 2010-07-21 00:32 . 2010-07-21 00:32 183808 c:\windows\Installer\ffa125e.msi
    + 2010-07-21 00:31 . 2010-07-21 00:31 681984 c:\windows\Installer\ffa1257.msi
    + 2009-07-14 02:03 . 2010-07-22 22:10 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    - 2009-07-14 02:03 . 2010-07-17 05:16 7077888 c:\windows\System32\SMI\Store\Machine\schema.dat
    + 2010-07-17 21:39 . 2010-07-17 21:39 1869312 c:\windows\Installer\7eaf728e.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     
  12. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-22 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
    "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^MIKE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\MIKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
    2010-07-16 12:40 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-06-06 18:52 1832232 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-03-06 16:52 13605408 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-03-06 16:52 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
    2006-01-30 16:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
    2007-02-27 21:29 315392 ----a-w- c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-03-28 07:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
    R2 MSWU-56c79e92;MSWU-56c79e92;c:\windows\system32\56c79e92.exe [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-16 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2006-12-15 13824]
    S3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2006-12-15 35840]
    S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2008-11-19 16640]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-07-22 19:13:39
    ComboFix-quarantined-files.txt 2010-07-22 23:13
    ComboFix2.txt 2010-07-17 15:05

    Pre-Run: 73,448,296,448 bytes free
    Post-Run: 73,404,821,504 bytes free

    - - End Of File - - 5845FA688C3789BDEDB9B7A7D4B1B6BC
     
  13. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    The redirects happen like this: say I go to Bing and type "overstock" in the search bar. The result page comes up and shows the link for Overstock, but when I hover I can see it's not going to go well; I can see the BS down at the bottom of the page, where what should be the link to Overstock is not that at all. If I click the link to Overstock, it takes me to the ad site, Car and Driver, tons of crap sites that just irritate me to no end because I cannot get rid of it, and it happens if I use IE also.

    EDIT: Well, I am on East Coast time here, and the alarm clock goes off in 7 hours. I thank you for your help so far, but I need to get some sleep. Cya tomorrow.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    No problem :)
    Don't worry, we'll fix your issue.

    You posted another Combofix log.
    What I asked was:

    Please, navigate to:
    C:\Qoobox
    Open ComboFix-quarantined-files.txt in a Notepad, copy everything, and paste into your next reply.
     
  15. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    here ya go.......

    2010-07-17 15:04:33 . 2010-07-17 15:04:33 928 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-SunJavaUpdateSched.reg.dat
    2010-07-17 15:04:22 . 2010-07-17 15:04:22 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
    2010-07-17 15:00:34 . 2010-07-22 23:08:29 4,991 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
    2010-07-17 14:55:30 . 2010-07-22 23:04:33 175 ----a-w- C:\Qoobox\Quarantine\catchme.log
     
  16. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Which browser is getting redirected?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\56c79e92.exe
    
    
    Driver::
    MSWU-56c79e92
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  17. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    I am dying here. I tried starting ComboFix like you said; it stopped running 2 minutes into it. Does that CFScript text make the program run a different scan, or can I just launch the program normally by clicking the icon? I can find the ComboFix quarantined files and the log which you said I posted twice already, but I do not see it; the computer has no combofix.txt file that it can find.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Restart computer in safe mode and run my steps from there.
     
  19. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    Tried your way in safe mode; I end up with the same log. Maybe it's the new version of ComboFix that is saving the file in a different way/format?
     
  20. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.com BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now, drag CFScript.txt to broni.com
     
  21. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    OK, ran Rkill then broni.com... here is the result, posted in two parts due to the 2k character limit.

    ComboFix 10-07-23.01 - MIKE 07/23/2010 18:08:27.7.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3263.2212 [GMT -4:00]
    Running from: c:\users\MIKE\Desktop\broni.com.exe
    Command switches used :: c:\qoobox\CFScript_used_2010-07-23_16.19.29.txt
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
    .

    2010-07-23 22:14 . 2010-07-23 22:14 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-07-23 22:14 . 2010-07-23 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-23 22:14 . 2010-07-23 22:14 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-07-23 22:05 . 2010-07-23 22:05 -------- d-----w- C:\32788R22FWJFW
    2010-07-23 00:10 . 2010-07-23 00:11 -------- d-----w- c:\windows\WindowsMobile
    2010-07-22 21:16 . 2010-07-22 21:16 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\programdata\ParetoLogic
    2010-07-22 21:09 . 2010-07-22 21:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-07-21 00:47 . 2010-07-23 20:22 63488 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-21 00:47 . 2010-07-21 00:47 52224 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-21 00:47 . 2010-07-23 20:22 117760 ----a-w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\users\MIKE\AppData\Roaming\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-21 00:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-07-21 00:47 . 2010-07-22 01:16 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-21 00:32 . 2010-07-21 00:32 -------- d-----w- c:\program files\Common Files\Java
    2010-07-18 00:48 . 2010-07-22 20:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-07-18 00:47 . 2010-07-18 00:52 -------- d-----w- c:\programdata\Hitman Pro
    2010-07-18 00:47 . 2010-07-18 00:47 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-07-17 21:51 . 2010-07-17 21:51 -------- d-----w- c:\users\MIKE\AppData\Local\Sunbelt Software
    2010-07-17 21:39 . 2010-07-17 21:39 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-17 21:39 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
    2010-07-16 12:40 . 2010-07-16 12:40 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-05 22:10 . 2010-07-05 22:10 -------- d-----w- c:\users\MIKE\AppData\Local\Cooliris
    2010-07-05 22:10 . 2010-06-14 16:08 4687872 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
    2010-07-05 22:10 . 2010-06-14 16:08 545280 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
    2010-07-05 22:10 . 2010-06-14 16:08 4687360 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
    2010-07-05 22:10 . 2010-06-14 16:08 103424 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
    2010-07-05 22:10 . 2010-06-14 16:08 425984 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
    2010-07-05 22:10 . 2010-06-14 16:08 152064 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
    2010-07-05 22:10 . 2010-06-14 16:08 57856 ----a-w- c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    2010-06-28 21:19 . 2010-06-28 21:19 -------- d-----w- c:\users\MIKE\AppData\Roaming\Enplase

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-23 00:12 . 2010-07-23 00:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
    2010-07-21 00:31 . 2010-06-06 23:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 12:40 . 2009-12-16 22:32 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 12:40 . 2009-12-16 22:32 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-15 07:01 . 2009-12-19 15:43 -------- d-----w- c:\programdata\Microsoft Help
    2010-07-12 08:55 . 2010-06-05 22:57 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-12 08:55 . 2010-01-04 14:44 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-08 01:12 . 2009-12-23 01:58 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-02 13:36 . 2009-12-16 22:32 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-28 16:58 . 2009-12-16 22:48 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2010-05-27 07:24 . 2010-06-09 08:13 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-09 08:13 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-26 22:00 . 2009-12-16 22:32 -------- d-----w- c:\programdata\avg9
    2010-05-26 00:15 . 2010-05-26 00:15 -------- d-----w- c:\program files\Wondershare
    2010-05-21 05:18 . 2010-06-09 08:13 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-01 14:49 . 2010-06-09 08:13 2326528 ----a-w- c:\windows\system32\win32k.sys
    2010-04-29 19:39 . 2010-01-25 13:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2010-01-25 13:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-23_21.58.10 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-12-17 00:02 . 2010-07-23 21:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-23 22:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-17 00:02 . 2010-07-23 22:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-23 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2009-12-17 00:02 . 2010-07-23 21:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2009-12-17 00:02 . 2010-07-23 22:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    + 2009-12-16 22:50 . 2010-07-23 22:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-16 22:50 . 2010-07-23 21:14 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-22 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-06 92704]
    "PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKLM\~\startupfolder\C:^Users^MIKE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\MIKE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
    2010-07-16 12:40 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2008-06-06 18:52 1832232 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-03-06 16:52 13605408 ----a-w- c:\windows\System32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-03-06 16:52 92704 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
    2006-01-30 16:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSDiagnosticM]
    2007-02-27 21:29 315392 ----a-w- c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2008-03-28 07:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
     
  22. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-13 1343400]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-16 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2006-12-15 13824]
    S3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2006-12-15 35840]
    S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2008-11-19 16640]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\users\MIKE\AppData\Roaming\Mozilla\Firefox\Profiles\5h6vm4il.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-07-23 18:17:10
    ComboFix-quarantined-files.txt 2010-07-23 22:17
    ComboFix2.txt 2010-07-23 22:00

    Pre-Run: 72,180,559,872 bytes free
    Post-Run: 72,126,263,296 bytes free

    - - End Of File - - 161DA0AF7A123E57699C1B1439518A1B
     
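The Reg Loading Points section of the log above lists the autostart entries, the UAC policy values under policies\system, and the AppInit_DLLs value, which is exactly what a helper scans by eye when triaging a redirect complaint. The script below is an added example, not ComboFix's code and not anything posted in this thread: it parses that section's line format from a constructed sample modelled on the log (the "Updater" entry pointing into a Temp folder is invented for illustration) and returns the findings an analyst would want to review, such as UAC being switched off or a DLL injected via AppInit_DLLs. A "review" finding is not a verdict; the avgrsstx.dll entry in the real log belongs to AVG.

```python
"""Triage the "Reg Loading Points" section of a ComboFix-style log.

Added example: a parser plus a small rule set, not ComboFix's own tooling.
SAMPLE_LOG is constructed and modelled on the thread's log; the "Updater"
entry is invented to show how a Temp-folder autostart is flagged.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
((((((((( Reg Loading Points )))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-06 13605408]
"Updater"="c:\users\MIKE\AppData\Local\Temp\upd.exe" [2010-07-20 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
POLICY_RE = re.compile(r'^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$')
# ComboFix prints Run values as "path" [date size]; the bracket part is optional here.
RUN_RE = re.compile(r'^"(?P<path>[^"]*)"(?:\s*\[(?P<date>\S+)\s+(?P<size>\d+)\])?$')

# Policy values that mean "UAC protection off" when they are 0.
UAC_CHECKS = {
    "EnableLUA": ("high", "UAC is disabled; admin processes run fully elevated with no prompt"),
    "ConsentPromptBehaviorAdmin": ("medium", "administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": ("medium", "elevation prompts are not shown on the secure desktop"),
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    key: str
    name: str
    detail: str


def parse_loading_points(text: str) -> dict:
    """Return {registry key (lower-cased): {value name: raw value}}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            sections.setdefault(current, {})
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            sections[current][entry.group("name")] = entry.group("value").strip()
    return sections


def analyze(sections: dict) -> list:
    """Apply the triage rules to parsed sections and return Findings."""
    findings = []
    for key, entries in sections.items():
        if key.endswith(r"\policies\system"):
            for name, (severity, why) in UAC_CHECKS.items():
                value = entries.get(name)
                match = POLICY_RE.match(value) if value else None
                if match and int(match.group("dec")) == 0:
                    findings.append(Finding(severity, key, name, why))
        elif key.endswith(r"\windows nt\currentversion\windows"):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            for dll in re.split(r"[,\s]+", entries.get("AppInit_DLLs", "")):
                if dll:
                    findings.append(Finding("review", key, "AppInit_DLLs",
                                            f"{dll} is injected into GUI processes; confirm it belongs to installed software"))
        elif key.endswith(r"\currentversion\run"):
            for name, value in entries.items():
                run = RUN_RE.match(value)
                path = (run.group("path") if run else value).lower()
                if "\\temp\\" in path:
                    findings.append(Finding("high", key, name,
                                            f"autostart runs from a temp folder: {path}"))
    return findings


if __name__ == "__main__":
    for f in analyze(parse_loading_points(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

Run against the constructed sample the script reports two high findings (the Temp autostart and EnableLUA=0), two medium UAC findings and one AppInit_DLLs entry to review. To use it on a real log, pass the text between the "Reg Loading Points" header and the next section to `parse_loading_points`; the rule set is deliberately small so that each finding is explainable to the person whose machine it is.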
  23. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    Whatever you are asking me to do still generates the same log file in combofix.txt. I right-clicked and selected Properties of the file, and it is indeed labeled combofix.txt.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,884   +344

    Looks good now.
    How is redirection?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.
     
  25. mikmaze

    mikmaze TS Rookie Topic Starter Posts: 36

    Restarted and yeah, big surprise... still redirecting to the same damn sites. I give up.
     
Topic Status:
Not open for further replies.
