[Not Curable Ramnit] Google keeps redirecting me..

Welcome to TechSpot! I'll be glad to help with the malware.

Please review this direction in the preliminary thread: HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==========================================
I couldn't get the dds to ever produce a log...
DDS produces 2 logs when a scan runs. The logs are named DDS.txt and Attach.txt. (Attach is the name of the log, not a direction of what to do with it). Did you do the following and did the scan run?

1. Download the tool.
2. Disconnect from the internet.
3. Disable all antivirus protection.
4. Double click on the DDS icon, allow it to run.
5. When DDS has finished it will launch the two Notepad windows that display the contents of these log files.
[o]DDS.txt
[o]Attach.txt
6. Each of these should then be pasted in a reply.
Please let me know if the scan does not run.
======================================
And a note about the redirect: It is not Google that is redirecting you; it's malware that is causing the search to be directed elsewhere. If Google is the search engine you use, the redirect will happen in a Google search. Sometimes it can happen with all browsers, all search engines, depending on the particular malware.
=======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
  • Please let me know if there is any change in the system.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Please paste the logs from Mbam, GMER and DDS in your next reply.
 
Be sure you are saving the download to the desktop as instructed.

After you double click on the DDS icon on the desktop, does the scan progress? If it does, there will be logs. But I need you to tell me if the scan is actually happening.

Repeat the scan please.
 
I saved the file to the desktop and tried running the scan again this morning... when I double click on dds it goes through the verification process... then a black window flashes for a fraction of a second and that's it... I waited for an hour and still no logs pop up... the internet is disconnected, the firewalls are off and there aren't any other programs running... I'm confused
 
Please paste the Malwarebytes and GMER logs in so I can get some idea of what's running.
 
Edit: Code boxes removed by Bobbye

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8205

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

11/21/2011 6:45:06 PM
mbam-log-2011-11-21 (18-44-38).txt

Scan type: Quick scan
Objects scanned: 170594
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd (Trojan.Agent) -> Value: winupd -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\63C1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\6E3D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\toria&ari\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-21 18:26:13
Windows 6.1.7600
Running: 72to7ev7.exe


---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\ProgramData\Microsoft\RAC\Temp\sqlD54C.tmp 20480 bytes
File C:\ProgramData\Microsoft\RAC\Temp\sqlD5AB.tmp 20480 bytes

---- EOF - GMER 1.0.15 ----
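Added example, not from the thread and not Malwarebytes' own code: a small triage script that parses the Malwarebytes log format shown above (entries of the form "target (Detection) -> action") and sorts each hit by where it lives, so that persistence points such as Run keys and the Startup folder stand out from disposable Temp droppings. The sample log is constructed from the entries in the post above.

```python
"""Triage helper for Malwarebytes-style scan log entries.

Hypothetical example code. It understands the entry format used in the
MBAM log above and classifies each detection by location, because a hit
in a Run key or the Startup folder (an autostart) matters more to the
question "why does it keep coming back?" than a stray file in Temp.
"""
import re
from collections import Counter

# One entry per line: <path or registry key> (<detection>) -> <action>
# Registry values carry an extra "Value: <name> ->" segment before the action.
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^)]+)\) -> (?P<rest>.+)$")
VALUE_RE = re.compile(r"^Value: (?P<value>\S+) -> (?P<action>.+)$")

# Constructed sample, mirroring the MBAM entries posted in the thread.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd (Trojan.Agent) -> Value: winupd -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\Windows\SysWOW64\f3PSSavr.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\63C1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\6E3D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\toria&ari\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\winupd.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Users\toria&ari\AppData\Local\Temp\winupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def classify_location(target: str) -> str:
    """Map a path or registry key to a coarse triage bucket."""
    t = target.lower()
    if "\\currentversion\\run" in t:
        return "persistence:run-key"
    if "\\start menu\\programs\\startup\\" in t:
        return "persistence:startup-folder"
    if "\\appdata\\local\\temp\\" in t:
        return "dropper:temp"
    if "\\windows\\system32\\" in t or "\\windows\\syswow64\\" in t:
        return "system-dir"
    return "other"


def parse_mbam_entries(text: str) -> list:
    """Return one dict per detection line; headers and filler are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section header, blank line or "(No malicious items detected)"
        rest = m.group("rest")
        vm = VALUE_RE.match(rest)
        value = vm.group("value") if vm else None
        action = vm.group("action") if vm else rest
        entries.append({
            "target": m.group("target"),
            "detection": m.group("detection"),
            "value": value,
            "action": action,
            "location": classify_location(m.group("target")),
        })
    return entries


def triage(text: str):
    """Parse the log and return (entries, per-bucket counts, persistence hits)."""
    entries = parse_mbam_entries(text)
    summary = Counter(e["location"] for e in entries)
    persistence = [e for e in entries if e["location"].startswith("persistence:")]
    return entries, summary, persistence


if __name__ == "__main__":
    entries, summary, persistence = triage(SAMPLE_LOG)
    for bucket, n in sorted(summary.items()):
        print(f"{bucket:28} {n}")
    for e in persistence:
        print("AUTOSTART:", e["detection"], "->", e["target"])
```

Running it on the sample prints two autostart hits (the winupd Run value and the Startup-folder winupd.lnk), which is exactly the pair that explains a reinfection on reboot.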
 
Part of the malware found and quarantined in Mbam was Winupd.exe. This is dropped by Bagle.N. It is a mass mailing worm, uses e-mail addresses collected from .wab, .txt, .htm, .html, .wab, .txt, .msg, .htm, .xml, .dbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .adb, .tbb, .sht, .uin, and .cgi files to distribute infected messages. Bagle worm arrives as an e-mail attachment. The infected attachment will be a password protected ZIP file or an executable file with PIF extension.

The email carries a randomly named attachment with a .EXE extension. If the attachment is opened, it will infect the recipient's system, launch the innocuous calc.exe (Calculator) program, and modify the registry to remain active upon reboot.
==================================
Please run the following, then we'll go back to DDS:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
========================================
If you use AVG, you will have to temporarily uninstall it before running Combofix:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please leave the logs in your next reply.
 
ESET LOG

C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL Win32/Adware.FunWeb application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL Win32/Adware.FunWeb application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HKSTUB.DLL Win32/Toolbar.MyWebSearch.G application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL Win32/Toolbar.MyWebSearch.B application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL Win32/Adware.FunWeb application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3PSSAVR.SCR Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REGHK.DLL Win32/Toolbar.MyWebSearch.G application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL Win32/Toolbar.MyWebSearch.D application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE Win32/Adware.FunWeb application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3AUXSTB.DLL Win32/Toolbar.MyWebSearch.H application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3DLGHK.DLL a variant of Win32/Toolbar.MyWebSearch.I application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IMPIPE.EXE Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL Win32/Toolbar.MyWebSearch.J application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL Win32/Toolbar.MyWebSearch.P application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SLSRCH.EXE Win32/Toolbar.MyWebSearch.J application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SRCHMN.EXE Win32/Toolbar.MyWebSearch.I application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3TPINST.DLL a variant of Win32/Toolbar.MyWebSearch.I application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL a variant of Win32/Toolbar.MyWebSearch.K application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSMLBTN.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL Win32/Toolbar.MyWebSearch.J application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSUABTN.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\ProgramData\MicrosoftBackupUpdate.dll Win32/TrojanDownloader.Tracur.I trojan
C:\Users\autorun.inf Win32/Ramnit.A virus
C:\Users\setup1911.fon a variant of Win32/Kryptik.RSR trojan
C:\Users\All Users\MicrosoftBackupUpdate.dll Win32/TrojanDownloader.Tracur.I trojan
C:\Users\Toria&Ari\AppData\Local\ServiceAdmin.dll a variant of Win32/Kryptik.VUP trojan
C:\Users\Toria&Ari\AppData\Local\Diagnostics\DiagnosticsUpdate\Diagnosticsup.dll a variant of Win32/Injector.LGI trojan
C:\Users\Toria&Ari\AppData\Local\Google\Chrome\User Data\Default\Default\lhcjihipgdofaaejpicphmmlbdfiohij\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Toria&Ari\AppData\Local\Microsoft\MicrosoftData\Microsoftdata.dll Win32/BHO.NZK trojan
C:\Users\Toria&Ari\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftupdt32.dll a variant of Win32/Kryptik.WCG trojan
C:\Users\Toria&Ari\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Toria&Ari\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\lhcjihipgdofaaejpicphmmlbdfiohij\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Toria&Ari\AppData\Local\Mozilla\MozillaUpdate\Mozillaup.dll a variant of Win32/Injector.LGI trojan
C:\Users\Toria&Ari\AppData\Local\Temp\2D3B.tmp a variant of Win32/Kryptik.WDL trojan
C:\Users\Toria&Ari\AppData\Local\Temp\33B0.tmp a variant of Win32/Kryptik.WDL trojan
C:\Users\Toria&Ari\AppData\Local\Temp\3585.tmp a variant of Win32/Kryptik.WDL trojan
C:\Users\Toria&Ari\AppData\Local\Temp\3863.tmp a variant of Win32/Kryptik.WDL trojan
C:\Users\Toria&Ari\AppData\Local\Temp\A6E8.tmp probably a variant of Win32/Kryptik.WAW trojan
C:\Users\Toria&Ari\AppData\Local\Temp\Av-test.txt Eicar test file
C:\Users\Toria&Ari\AppData\Local\Temp\jar_cache3463478816270621290.tmp a variant of Java/TrojanDownloader.OpenStream.NBV trojan
C:\Users\Toria&Ari\AppData\Local\Temp\jar_cache6138668907730256114.tmp a variant of Win32/Kryptik.WDN trojan
C:\Users\Toria&Ari\AppData\Local\Temp\jar_cache8778133321666603620.tmp a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Toria&Ari\AppData\Local\Temp\thpm6510565398488815674.tmp multiple threats
C:\Users\Toria&Ari\AppData\Local\Temp\win4036e0.dat a variant of Win32/Kryptik.SJR trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskA16C.tmp\c3xx9x9.0hg a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskA16C.tmp\ck19ccf.4cp a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskA16C.tmp\qhrvmd4.sge a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskA16C.tmp\xuw3oda.4um a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskB90.tmp\c3iy7j9.fxr a variant of Win32/Kryptik.WCG trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskB90.tmp\j1n9c4z.tgi Win32/BHO.NZK trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskB90.tmp\u895aqs.3up Win32/TrojanDownloader.Tracur.I trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nskB90.tmp\v9ax85u.apj a variant of Win32/Kryptik.WCG trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsr5711.tmp\l5drrir.icf a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsr5711.tmp\pjpl51v.yxf a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsr5711.tmp\rqvjfjp.1iu a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsr5711.tmp\v4ivbnn.gk2 a variant of Win32/Kryptik.VSQ trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsuAC0.tmp\omenm78.uqz a variant of Win32/Injector.LGI trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsuAC0.tmp\rkkvtmr.edy a variant of Win32/Kryptik.VUP trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsuAC0.tmp\x0e87j3.mvu a variant of Win32/Kryptik.VUP trojan
C:\Users\Toria&Ari\AppData\Local\Temp\nsuAC0.tmp\zeaup4q.51u a variant of Win32/Kryptik.WAQ trojan
C:\Users\Toria&Ari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5a3a4a92-695c7aac a variant of Java/Agent.DM trojan
C:\Users\Toria&Ari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\25ad1042-2259b447 Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Toria&Ari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\404ca937-3f7804cb a variant of Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Toria&Ari\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\7aa787bb-67f18d2f Java/Agent.DS trojan
C:\Users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\extensions\{75f5cc0c-1a5b-4e1b-ab79-a820f234cf03}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Windows\System32\f3PSSavr.scr Win32/Toolbar.MyWebSearch application
C:\Windows\System32\srrstr.dll a variant of Win32/Kryptik.WCG trojan
C:\Windows\SysWOW64\f3PSSavr.scr Win32/Toolbar.MyWebSearch application
C:\Windows\SysWOW64\srrstr.dll a variant of Win32/Kryptik.WCG trojan
Operating memory multiple threats

COMBO FIX LOG

ComboFix 11-11-29.04 - Toria&Ari 11/29/2011 17:20:56.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4061.2811 [GMT -8:00]
Running from: c:\users\Toria&Ari\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\progra~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
c:\program files (x86)\Blinkx\templates\index.html
c:\program files (x86)\Blinkx\templates\noflash.html
c:\program files (x86)\Blinkx\templates\offline.html
c:\program files (x86)\Blinkx\templates\offline.swf
c:\program files (x86)\DealScout\FireFox\chrome\content\boater.xul
c:\program files (x86)\DealScout\FireFox\chrome\skin\boater_16x16.png
c:\program files (x86)\DealScout\FireFox\chrome\skin\boater_24x24.png
c:\program files (x86)\DealScout\FireFox\chrome\skin\boater_24x24_off.png
c:\program files (x86)\DealScout\FireFox\chrome\skin\toolbar-button.css
c:\program files (x86)\DealScout\FireFox\install.rdf
c:\program files (x86)\DealScout\FireFox\ziplist.txt
c:\program files (x86)\MyWebSearch\bar\1.bin\CHROME.MANIFEST
c:\program files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3HKSTUB.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3HTtpct.dll
c:\program files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files (x86)\MyWebSearch\bar\1.bin\F3REGHK.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3AUXSTB.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3DLGHK.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3HIGHIN.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3HTml.dll
c:\program files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3MEDINT.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3OUtlcn.dll
c:\program files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\M3TPINST.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSMLBTN.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE
c:\program files (x86)\MyWebSearch\bar\1.bin\MWSUABTN.DLL
c:\program files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files (x86)\MyWebSearch\bar\icons\CM.ICO
c:\program files (x86)\MyWebSearch\bar\icons\MFC.ICO
c:\program files (x86)\MyWebSearch\bar\icons\PSS.ICO
c:\program files (x86)\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files (x86)\MyWebSearch\bar\icons\WB.ICO
c:\program files (x86)\MyWebSearch\bar\icons\ZWINKY.ICO
c:\programdata\MicrosoftBackupUpdate.dll
c:\users\Toria&Ari\AppData\Local\Diagnostics\DiagnosticsUpdate\Diagnosticsup.DLL
c:\users\Toria&Ari\AppData\Local\Microsoft\MicrosoftData\Microsoftdata.DLL
c:\users\Toria&Ari\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftupdt32.dll
c:\users\Toria&Ari\AppData\Local\Mozilla\MozillaUpdate\Mozillaup.DLL
c:\users\Toria&Ari\AppData\Local\ServiceAdmin.dll
c:\users\Toria&Ari\AppData\Local\TrayWin32.dll
c:\users\Toria&Ari\AppData\Roaming\2E15.tmp
c:\users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\extensions\{75f5cc0c-1a5b-4e1b-ab79-a820f234cf03}\chrome.manifest
c:\users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\extensions\{75f5cc0c-1a5b-4e1b-ab79-a820f234cf03}\chrome\xulcache.jar
c:\users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\extensions\{75f5cc0c-1a5b-4e1b-ab79-a820f234cf03}\defaults\preferences\xulcache.js
c:\users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\extensions\{75f5cc0c-1a5b-4e1b-ab79-a820f234cf03}\install.rdf
c:\windows\SysWow64\f3PSSavr.scr
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Dhcp32
-------\Service_MyWebSearchService
.
.
((((((((((((((((((((((((( Files Created from 2011-10-28 to 2011-11-30 )))))))))))))))))))))))))))))))
.
.
2011-11-30 01:33 . 2011-11-30 01:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-29 02:10 . 2011-11-29 02:10 -------- d-----w- c:\program files (x86)\ESET
2011-11-26 10:25 . 2011-11-26 10:25 -------- d-----w- c:\program files (x86)\Conduit
2011-11-26 10:25 . 2011-11-26 10:25 -------- d-----w- c:\users\Toria&Ari\AppData\Local\Conduit
2011-11-26 10:25 . 2011-11-26 10:25 -------- d-----w- c:\program files (x86)\BitTorrent
2011-11-26 10:24 . 2011-11-29 07:36 -------- d-----w- c:\users\Toria&Ari\AppData\Roaming\BitTorrent
2011-11-26 10:24 . 2011-11-26 10:24 -------- d-----w- c:\users\Toria&Ari\AppData\Local\BitTorrent
2011-11-26 10:23 . 2011-11-26 10:23 867824 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-26 10:21 . 2009-04-15 19:03 118888 ----a-w- c:\windows\system32\drivers\StarPortLite.sys
2011-11-26 10:21 . 2011-11-26 10:23 -------- d-----w- c:\program files (x86)\BDDecrypter
2011-11-21 07:34 . 2011-11-21 07:34 -------- d-----w- c:\users\Toria&Ari\AppData\Roaming\Avira
2011-11-21 07:22 . 2011-10-20 00:56 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-21 07:22 . 2011-10-20 00:56 97312 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-11-21 07:22 . 2011-10-20 00:56 130760 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-11-21 07:22 . 2011-11-21 07:22 -------- d-----w- c:\programdata\Avira
2011-11-21 07:22 . 2011-11-21 07:22 -------- d-----w- c:\program files (x86)\Avira
2011-11-21 07:21 . 2011-11-21 07:21 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2011-11-20 18:57 . 2011-11-20 18:57 -------- d-----w- c:\programdata\ASUS
2011-11-20 18:57 . 2011-11-23 07:09 -------- d-----w- c:\users\Toria&Ari\AppData\Local\ASUS
2011-11-16 03:28 . 2011-11-25 00:00 103936 ----a-w- c:\windows\SysWow64\srrstr.dll
2011-11-13 17:51 . 2011-09-29 16:24 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-12 19:13 . 2011-10-01 05:28 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-12 19:13 . 2011-10-01 04:43 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-12 19:13 . 2011-09-29 04:09 3141120 ----a-w- c:\windows\system32\win32k.sys
2011-11-12 19:13 . 2011-08-15 05:08 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-11-12 19:13 . 2011-08-15 04:25 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll
2011-11-12 14:59 . 2011-11-05 03:21 2106216 ----a-w- c:\program files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-11-12 14:59 . 2011-11-05 03:21 1998168 ----a-w- c:\program files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-11-03 03:18 . 2011-11-04 01:23 -------- d-----w- c:\users\Toria&Ari\AppData\Roaming\3EA06
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-21 07:19 . 2011-06-04 16:19 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-10-01 03:21 . 2011-10-13 14:12 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-10-01 02:59 . 2011-10-13 14:12 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2009-04-08 17:31 . 2009-04-08 17:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
2008-08-12 04:45 . 2008-08-12 04:45 155648 ----a-w- c:\program files (x86)\Common Files\MSIactionall.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\BitTorrentBar\prxtbBitT.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}"= "c:\program files (x86)\BitTorrentBar\prxtbBitT.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 00:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Desktop Software"="c:\program files (x86)\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"EA Core"="c:\program files (x86)\Electronic Arts\EADM\Core.exe" [2009-04-29 3338240]
"spotimote"="c:\program files (x86)\spotimote\spotimote.exe" [2011-07-22 1305088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-09-17 2245120]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-08-20 170624]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ddoctorv2"="c:\program files (x86)\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-20 258512]
.
c:\users\Toria&Ari\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
thpm7993275172498948577.lnk - \\globalroot\Device\HarddiskVolume2\Users\TORIA&~1\AppData\Local\Temp\thpm7993275172498948577.tmp [N/A]
thpm8549064606048665423.lnk - \\globalroot\Device\HarddiskVolume2\Users\TORIA&~1\AppData\Local\Temp\thpm8549064606048665423.tmp [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
FancyStart daemon.lnk - c:\windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe [2010-5-13 12862]
SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2010-5-13 156952]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-9-21 9216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 136176]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 136176]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
R3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\DRIVERS\nwvmmdm.sys [x]
R3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\DRIVERS\nwvmser.sys [x]
R3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwvmser2.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 X6va001;X6va001;c:\users\TORIA&~1\AppData\Local\Temp\001564.tmp [x]
R3 X6va003;X6va003;c:\users\TORIA&~1\AppData\Local\Temp\0032EA6.tmp [x]
R3 X6va005;X6va005;c:\users\TORIA&~1\AppData\Local\Temp\005E8.tmp [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\DRIVERS\StarPortLite.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-10-20 86224]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
S2 NvtlService;NovaCore SDK Service;c:\program files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [2009-08-25 82432]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 07:31]
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 07:31]
.
2011-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-532817484-2867476177-2734296622-1000Core.job
- c:\users\Toria&Ari\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-17 14:15]
.
2011-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-532817484-2867476177-2734296622-1000UA.job
- c:\users\Toria&Ari\AppData\Local\Google\Update\GoogleUpdate.exe [2011-07-17 14:15]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 23:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-09-30 621440]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-09-01 323584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 660360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://asus.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Toria&Ari\AppData\Roaming\Mozilla\Firefox\Profiles\c6nwftkw.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-thpm7993275172498948577 - \\.\globalroot\Device\HarddiskVolume2\Users\TORIA&~1\AppData\Local\Temp\thpm7993275172498948577.tmp
Wow6432Node-HKCU-Run-Mobpjgmswp Update - (no file)
Wow6432Node-HKCU-Run-Bugsplat Update - (no file)
Wow6432Node-HKCU-Run-NCH Update - (no file)
Wow6432Node-HKCU-Run-Yahoo Update - c:\users\Toria&Ari\AppData\Local\Mozilla\MozillaUpdate\Mozillaup.DLL
Wow6432Node-HKCU-Run-Macromedia Update - c:\users\Toria&Ari\AppData\Local\Diagnostics\DiagnosticsUpdate\Diagnosticsup.DLL
Wow6432Node-HKCU-Run-MicrosoftData - c:\users\Toria&Ari\AppData\Local\Microsoft\MicrosoftData\Microsoftdata.DLL
Wow6432Node-HKCU-Run-Mozilla Update - c:\users\Toria&Ari\AppData\Local\Microsoft\MicrosoftUpdate\Microsoftupdt32.DLL
Wow6432Node-HKCU-Run-MicrosoftBackupUpdate - c:\programdata\MicrosoftBackupUpdate.dll
Toolbar-Locked - (no file)
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd
HKLM-Run-combofix - c:\combofix\CF4215.3XE
AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr
AddRemove-Sideload Wonder Machine1.2 - c:\ac_swm\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va001]
"ImagePath"="\??\c:\users\TORIA&~1\AppData\Local\Temp\001564.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va003]
"ImagePath"="\??\c:\users\TORIA&~1\AppData\Local\Temp\0032EA6.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\TORIA&~1\AppData\Local\Temp\005E8.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
c:\windows\AsScrPro.exe
c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe
c:\program files (x86)\Mozilla Firefox\firefox.exe
c:\program files (x86)\Mozilla Firefox\plugin-container.exe
.
**************************************************************************
.
Completion time: 2011-11-29 18:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-30 02:07
.
Pre-Run: 206,283,067,392 bytes free
Post-Run: 205,915,676,672 bytes free
.
- - End Of File - - C2A4D810323DA13E84FC1EB7FB319A81
 
Your system is badly infected. In addition to other malware, there is an entry for Ramnit:
C:\Users\autorun.inf Win32/Ramnit.A virus

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer.

Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A.

Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. Here's why:

The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively curable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

I realize that this is not good news for you. But when your system has been reformatted and reinstalled, I suggest you avoid the file sharing and downloads from unsafe sites.
========================================
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/support/ind...and-repair-xp-vista-7/page__p__5329#entry5329
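The helper's diagnosis above rests on reading the ComboFix log by hand: startup shortcuts and services that point at .tmp files in the user's Temp folder, paths that go through \\globalroot\Device, and HKCU Run entries that load DLLs from AppData or ProgramData under vendor-sounding names. The script below is an added example for readers of this thread, not code from the helper or from ComboFix, and automates that first-pass triage over log lines in ComboFix's format. The sample input is constructed from entries copied out of the log earlier in this thread plus a few benign ones; the three indicator rules are assumptions of this example, meant to flag lines for a human to look at, not to decide on their own that a machine is infected.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the ComboFix log in this thread,
# mixed with benign entries (Java updater, Google Update, Avira) so the rules
# have something to leave alone.
SAMPLE_LOG = r"""
thpm7993275172498948577.lnk - \\globalroot\Device\HarddiskVolume2\Users\TORIA&~1\AppData\Local\Temp\thpm7993275172498948577.tmp [N/A]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
R3 X6va001;X6va001;c:\users\TORIA&~1\AppData\Local\Temp\001564.tmp [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-06 136176]
Wow6432Node-HKCU-Run-Yahoo Update - c:\users\Toria&Ari\AppData\Local\Mozilla\MozillaUpdate\Mozillaup.DLL
Wow6432Node-HKCU-Run-MicrosoftBackupUpdate - c:\programdata\MicrosoftBackupUpdate.dll
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-10-20 258512]
"ImagePath"="\??\c:\users\TORIA&~1\AppData\Local\Temp\0032EA6.tmp"
"""

# A Windows path in a ComboFix line: either a \\globalroot\... device path or a
# drive-letter path. Paths may contain spaces, so the match runs lazily until a
# closing quote, a trailing "[date size]" bracket, or the end of the line.
PATH_RE = re.compile(
    r'((?:\\\\(?:\.\\)?globalroot|[A-Za-z]:)\\[^"\[\]]*?)(?=\s*\[|"|\s*$)'
)

# Indicator rules (assumptions of this example, not ComboFix's own logic).
TEMP_TMP_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\\]+\.tmp$', re.IGNORECASE)
GLOBALROOT_RE = re.compile(r'^\\\\(?:\.\\)?globalroot\\', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(?:AppData\\Local|ProgramData)\\', re.IGNORECASE)
RUN_ENTRY_RE = re.compile(r'HK(?:CU|LM)-Run-', re.IGNORECASE)


def extract_path(line: str) -> Optional[str]:
    """Return the first Windows path found in a log line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def classify(line: str) -> List[str]:
    """Return the list of indicator tags that apply to one log line (empty if none)."""
    tags: List[str] = []
    path = extract_path(line)
    if path is None:
        return tags
    # Persistence entries normally reference a fixed install path, not an NT
    # device path; \\globalroot\Device\... hides the drive letter.
    if GLOBALROOT_RE.search(path):
        tags.append("globalroot-device-path")
    # A .tmp file in the user's Temp folder being run as a program or driver.
    if TEMP_TMP_RE.search(path):
        tags.append("tmp-file-used-as-program")
    # A Run value whose target is a DLL in a user-writable directory; Run values
    # normally launch an .exe from Program Files.
    if (RUN_ENTRY_RE.search(line)
            and path.lower().endswith(".dll")
            and USER_WRITABLE_RE.search(path)):
        tags.append("run-key-dll-in-user-writable-dir")
    return tags


def triage(log_text: str) -> List[Dict[str, object]]:
    """Scan every non-empty line and return those that triggered at least one rule."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tags = classify(line)
        if tags:
            findings.append({"line": line, "path": extract_path(line), "tags": tags})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(", ".join(finding["tags"]), "->", finding["path"])
```

Run against the sample, five of the eight lines are flagged and the three benign vendor entries are not. The rules are deliberately narrow heuristics: a legitimate installer can briefly run from Temp, so a hit is a lead for review, not a verdict, and a clean triage pass says nothing about file infection of the kind the post describes, which is why the reformat advice above stands regardless of what a log scan shows.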
 