TechSpot

Odd Google redirect and Avast shields being disabled

By 1010101
Jul 17, 2010
  1. Hello.

    Tried everything I know but I'm stuck.

    Yesterday, I started noticing odd behavior on Google. Any time that I would try to type anything into the search bar, I would get a few characters typed and then the page would refresh itself. I'd try to type again and get the same result. Hitting spacebar seemed to make the refresh come sooner, but that might just be me seeing something that isn't really there. If I would type quickly and hit the search button, I would be redirected back to Google with some extra stuff appended onto the address. Here are five examples I copied and pasted so you could see what I'm talking about:

    hxxp://www.google.com/webhp?emsg=NCSR&ei=vE9BTIzWLIPcefa_3bMN
    hxxp://www.google.com/webhp?emsg=NCSR&ei=xE9BTIa8B5fCePuRwK0N
    hxxp://www.google.com/webhp?emsg=NCSR&ei=0U9BTN2eNofEeJT25MUN
    hxxp://www.google.com/webhp?emsg=NCSR&ei=309BTJW7KZD0eNCthbsN
    hxxp://www.google.com/webhp?emsg=NCSR&ei=809BTKfYL4eMeLmC9cQN

    While I was assessing what the heck might be going on, I suddenly noticed that two of Avast's "shields" were disabled (the web shield and the mail shield). I reactivated them but one reboot later and they were disabled again. This happened multiple times, though they seem to be staying on now...

    Also about that time, I noticed that my recycle bin icon was not refreshing back to the "empty" icon when I'd empty it unless I hit F5. I'll admit, this might not be related, but I thought I should mention it. Might as well mention, too, that the first time I tried submitting this thread, the system locked up to the point where I had to reset it, which hasn't happened before.

    The logs requested by the eight steps are attached to this message.

    I can't express how grateful I am that there are kind people that so graciously give their time and effort to help out people like me. Thank you in advance!

    NOTE from Bobbye: I have edited the URLs so they are not valid hyperlinks. It's okay to leave examples, but when it isn't known whether they have malware, the URL should not be typed in as a link.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have edited the URLs you left so that they are not valid links.
    I notice you have the program UnHackMe. This is an Anti Rootkit Software program. It is not advisable to run this type of program without the guidance or recommendation of your helper.

    I also notice Combofix running, installed on the same date, 7/17, which is also the date of the log. Please disable UnHackMe and any other similar programs while I am helping you.

    Since you already have Combofix:
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    2. Close any open browsers.
    3. Double click combofix.exe & follow the prompts to run.
    4. NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
    7. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    8. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.
    =================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I may have you uninstall Combofix, then reinstall it depending on what I see.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. 1010101

    1010101 TS Rookie Topic Starter

    I had already uninstalled UnHackMe prior to making the 8 step logs. Do current logs show it is still active in some way? I saw remnants of it during these next two scans, though I suppose those were just files left over? The requested logs are attached. Thank you.
     

    Attached Files:

  4. Bobbye

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by 1010101 at 3:08:56.42 on Sat 07/17/2010
    Section: Created Last 30
    2010-07-17 04:55:32 0 d-----w- c:\program files\UnHackMe201
    -------------------------------------
    ComboFix 10-07-16.01 - 1010101 07/17/2010 14:16:04.2.2 - x86
    Files Created from 2010-06-17 to 2010-07-17
    2010-07-17 04:55 . 2010-07-17 06:25 -------- d-----w- c:\program files\UnHackMe

    Don't shoot me! Can only go by what I see. I can remove this entry in the script I write for you.

    You can go ahead and run this for the entries found in Eset:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files 
      C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Inbox	
      C:\Documents and Settings\1010101\Application Data\Thunderbird\Profiles\fq234dqj.default\Mail\Local Folders\Sent		
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    It looks like you may have opened an attachment that came in your email. It was infected by the HTML/TrojanClicker.IFrame.NAG trojan.
    Then your Sent box has multiple threats in it.

    I advise you to look into how you can delete both your Inbox and Sent box. I know it can be done in OE, but am not familiar with how in Thunderbird. Check the support site. If it's like OE, all of the mail in the box will be removed when you delete a store box. So be sure you deal with any incoming mail first. Stay away from any attachments and limit your sending until the mail boxes are clean.

    The other entries, in System Volume, are in the restore points, which I will have you drop at the end of cleaning. They are not active in the system. Do not attempt to do a system restore, however, until I have had you remove them.

    Will review Combofix in a bit.
     
  5. Bobbye

    I'd like you to run HijackThis and paste the log in your next reply:

    Choose v2.0.4

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    I note that you did some serious game downloading especially on 7/8 and 7/11/2010. Can you relate any of the current problems to shortly after that? Games themselves can be legitimate, but sometimes either the sites where you play or where you got the downloads can have malicious content.

    It's very important that you paste the HJT log in your post. That way, I can search directly from my browser and not have to do copy and paste which is taking me too long.

    It is also important that you don't add anything new as it will change the logs.
     
  6. 1010101

    OTMoveIt log:

    HijackThis log:

    Regarding the 7/08 and 7/11 stuff, I don't think I had any issues back then. Now, the one installed on 7/8 was done by my brother while he was here visiting, so I can't say for certain that it was clean, but the 7/11 one is an MMO I resubscribed to (Age of Conan) and came directly from the company's servers (they let you download it to encourage you to come back and it was far easier than digging through the garage for the discs :p). I know that I'd been doing Google searches for the MMO, though, after I started playing again, and that would be after the 7/08 one, and I didn't have any problems. The first time I noticed a problem was the day before my first post. I can't promise no problem existed before then, of course.

    As far as email goes, I don't tend to open attachments at all in emails. Don't think that I've opened an attachment in over a year, honestly.

    Thanks so much for your help so far. Top notch and I greatly appreciate it.

    Again, thank you. Means the world to me.

    Oh, and might as well mention that the redirect is still happening, but I would suppose we haven't gotten that far yet :)
     
  7. 1010101

    I apologize if consecutive posts is frowned upon here, but I wanted to let you know that the OTMoveIt stuff did get my Thunderbird inbox and sent folders. I know you had mentioned you weren't sure about how to do it in Thunderbird.
     
  8. Bobbye

    If the program had been in Outlook Express, I would have removed entries in OTMoveIt and then recommended that both the Inbox and the Sent box be deleted. OE then builds a new store box. I did tell you that I don't know the procedure for Thunderbird and advised you to check their support.
     
  9. 1010101

    That's all I was doing was letting you know. It just wiped the contents of both boxes. That's what you wanted, or as I understood it. Was just confirming that the OTMoveIt script did empty both (it did not delete the folders themselves, or rather I suppose Thunderbird just recreated empty versions of both upon starting and not finding them). No problem with that, I hope?

    Thank you again.
     
  10. 1010101

    An interesting turn of events, at least from my perspective. I rebooted again a few moments ago (well, actually shut down and restarted a few minutes later... had a fan making noise in the tower I wanted to check out) and now the redirect isn't happening.

    OTMoveIt had me reboot, though, so I find it odd. Rebooted again just to see if the problem came back, and it didn't. Is it possible it was something hiding in the Firefox cache, perhaps, and OTMoveIt took care of it? Doesn't explain how it survived one reboot, though, but not a second. Then again, what do I know?

    I won't consider the system clean until you declare it so, so no worries about me running off and going crazy.

    Thanks so much for the help so far.
     
  11. Bobbye

    Good to know the store boxes for the email were handled. Saves you having to do it. About the reboots: I won't attempt to second guess that, but if you want to see if they had any significance, use the Event Viewer. You'll have to guess the time:

    If you haven't used this feature before, know that the OS logs everything that happens. You'll see a lot of Information Events and that's all they are: telling you what the OS was doing at that time. You'll see Warnings, which usually resolve, and if they don't, you will see Errors. Since the Events are time-coded, it's a great diagnostic function:

    Start> Run> type in eventvwr

    Do this on each of the System and the Applications logs:

    [1]. Click to open the log>
    [2]. Look for the Error>
    [3]. Double click on the Error: you will see Event ID#, Source and Description.
    [4]. Click on Copy button, top right, if you want.
    [5]. Paste in Wordpad or Notepad (Ctrl V)

    This is an FYI for you so you don't need to paste the Errors here.
    Understand that OTM had you reboot because it was part of the removal process. It was a 'restart' or 'warm boot.' The CPU and peripherals are already powered up. When you rebooted again, since you shut down first, that was a 'cold boot' or 'hard boot'. This clears memory and many internal settings.

    The HijackThis log is fine. Just a few moves in Combofix:

    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\program files\UnHackMe
    c:\windows\iun507.exe
    
    FileLook::
    c:\windows\winstart.bat
    
    Folder::
    
    Registry::
    Driver::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image not captured: screenshot of dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please include this log; there is one file I want to check.
    ====================
    If this is clear and if the original problems have been resolved, I'll have you remove the cleaning tools and their logs.
     
  12. 1010101

    Thanks so much! Here is the ComboFix log (ComboFix did ask to update, which I allowed it to do; hope that was okay).

    Ugh. Log is too long to paste into the body; will break this into two posts:

     
  13. 1010101

     
  14. Bobbye

    Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    
    Folder::
    c:\program files\UnHackMe
    Registry::
    Driver::
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image not captured: screenshot of dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. No log needed.
    ====================
    Are there any malware related problems remaining?
     
  15. 1010101

    Ran ComboFix with the script as instructed. It wanted to update again, so I let it. It sat on the screen where it says it is producing the log for a VERY long time compared to the other times I ran it. I see a new section in the log:

    I'm seeing no problems with the system at all (thank you!), but should I be at all concerned about the UNKNOWN thing in the new ComboFix log?

    I'm very happy that everything seems to be working so well and just want to be sure :)

    Thank you!
     
  16. Bobbye

    You don't need to copy anything from the logs. I see it all when I open it. You also don't need to put the logs in a quote; that cuts down on the space.

    I need the log please.
     
  17. 1010101

    Log follows in the next two posts. Thank you.

    ComboFix 10-07-21.01 - 1010101 07/21/2010 19:55:05.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1536.1104 [GMT -4:00]
    Running from: c:\documents and settings\1010101\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\1010101\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\UnHackMe
    c:\program files\UnHackMe\appdata.exe
    c:\program files\UnHackMe\appdata.ini
    c:\program files\UnHackMe\database.rdb
    c:\program files\UnHackMe\insdata.exe
    c:\program files\UnHackMe\readmea.txt
    c:\program files\UnHackMe\reanimator.ini
    c:\program files\UnHackMe\reanimator.zip
    c:\program files\UnHackMe\ReanimatorStart.exe
    c:\program files\UnHackMe\unhackme.ini
    c:\program files\UnHackMe\unhackme.log
    c:\program files\UnHackMe\unins001.dat
    c:\program files\UnHackMe\unins001.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
    .

    2010-07-21 13:21 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
    2010-07-21 13:21 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\program files\Trend Micro
    2010-07-19 23:47 . 2010-07-19 23:47 -------- d-----w- C:\_OTM
    2010-07-19 11:47 . 2010-07-19 11:47 115120 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-07-18 05:04 . 2010-07-18 05:04 -------- d-----w- C:\Temp
    2010-07-18 05:03 . 2010-07-18 05:06 -------- d-----w- c:\program files\Winnydows
    2010-07-17 18:30 . 2010-07-17 18:30 -------- d-----w- c:\program files\ESET
    2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\1010101\Application Data\Malwarebytes
    2010-07-17 06:33 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-17 06:33 . 2010-07-17 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-17 06:33 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-17 05:05 . 2010-07-17 05:05 2 --shatr- c:\windows\winstart.bat
    2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-07-17 04:21 . 2010-07-17 06:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-17 04:16 . 2010-07-17 04:16 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Sunbelt Software
    2010-07-17 00:55 . 2010-07-17 00:55 -------- d-----w- c:\documents and settings\1010101\Application Data\TightVNC
    2010-07-16 17:47 . 2010-07-16 17:47 -------- d-----w- c:\documents and settings\1010101\Application Data\Smith Micro
    2010-07-16 17:46 . 2007-02-28 04:57 61440 ----a-w- c:\windows\system32\pthswmcp.dll
    2010-07-16 17:46 . 2010-07-16 17:46 -------- d-----w- c:\program files\PANTECH
    2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\VerizonWireless
    2010-07-16 17:45 . 2007-02-26 10:46 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
    2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\Common Files\DGSETUP
    2010-07-16 17:45 . 2010-07-16 17:45 -------- d-----w- c:\program files\LG Electronics
    2010-07-16 17:44 . 2010-07-16 17:44 -------- d-----w- c:\program files\Samsung
    2010-07-16 17:44 . 2009-01-09 20:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
    2010-07-16 17:39 . 2010-07-16 17:39 -------- d-----w- c:\program files\Motorola
    2010-07-16 17:38 . 2009-07-10 17:01 25856 ----a-w- c:\windows\system32\drivers\motoandroid.sys
    2010-07-16 17:38 . 2010-04-01 18:31 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys
    2010-07-16 17:38 . 2010-01-25 23:56 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys
    2010-07-16 17:38 . 2009-01-29 21:11 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys
    2010-07-16 17:38 . 2009-10-27 16:02 23936 ----a-w- c:\windows\system32\drivers\motmodem.sys
    2010-07-16 17:38 . 2009-06-19 20:59 19712 ----a-w- c:\windows\system32\drivers\motccgp.sys
    2010-07-16 17:38 . 2009-01-29 21:18 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys
    2010-07-16 17:38 . 2007-11-02 19:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys
    2010-07-16 17:38 . 2010-07-16 17:38 -------- d-----w- c:\program files\Common Files\Motorola Shared
    2010-07-16 16:07 . 2010-07-16 16:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\TightVNC
    2010-07-16 16:07 . 2010-07-17 04:00 -------- d-----w- c:\program files\TightVNC
    2010-07-16 16:01 . 2010-07-16 16:01 -------- d-----w- c:\program files\Common Files\Java
    2010-07-14 05:46 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-13 02:14 . 2010-07-13 02:14 -------- d-----w- c:\program files\QuickTime
    2010-07-13 02:05 . 2010-07-13 02:05 -------- d-----w- c:\program files\Apple Software Update
    2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\program files\AoCQS
    2010-07-11 21:46 . 2010-07-11 21:46 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Vikingworks
    2010-07-11 21:42 . 2010-07-11 21:42 -------- d-----w- c:\program files\VikingWorks
    2010-07-11 07:07 . 2010-07-11 07:11 -------- d-----w- c:\documents and settings\1010101\Application Data\WallpaperSSPro
    2010-07-11 07:07 . 2010-07-11 07:07 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-11 03:15 . 2010-07-11 03:15 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\Funcom
    2010-07-11 03:12 . 2010-07-11 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\media center programs
    2010-07-11 02:00 . 2010-07-11 02:00 -------- d-----w- c:\program files\Funcom
    2010-07-11 01:59 . 2010-07-11 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Funcom
    2010-07-10 06:03 . 2010-07-10 06:03 -------- d-----w- c:\program files\Bluetack
    2010-07-08 04:21 . 2010-07-08 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
    2010-07-08 04:08 . 2010-07-08 04:08 -------- d-----w- c:\program files\2K Games
    2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\DIFX
    2010-07-08 04:06 . 2010-07-08 04:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-07-07 04:33 . 2010-07-07 04:39 -------- d-----w- c:\documents and settings\1010101\Local Settings\Application Data\pcsx2
    2010-07-07 04:33 . 2010-07-07 04:59 -------- d-----w- c:\program files\PCSX2 0.9.7
    2010-07-04 06:38 . 2010-07-04 06:42 -------- d-----w- c:\program files\MMSSTV
    2010-07-01 12:46 . 2009-12-21 23:20 112056 ----a-w- c:\windows\system32\acaptuser32.dll
    2010-07-01 01:14 . 2010-07-01 01:18 -------- d-----w- c:\program files\VitalDesktop
    2010-06-30 21:15 . 2007-01-24 02:14 69632 ----a-w- c:\windows\system32\RemoveFocusRect.dll
    2010-06-30 20:09 . 2010-06-30 20:19 -------- d-----w- c:\documents and settings\1010101\Application Data\Dream Aquarium
    2010-06-30 20:08 . 2010-06-30 20:09 -------- d-----w- c:\program files\Dream Aquarium
    2010-06-29 03:30 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-21 23:50 . 2010-03-27 07:37 -------- d-----w- c:\documents and settings\1010101\Application Data\uTorrent
    2010-07-21 15:38 . 2010-03-27 08:01 -------- d-----w- c:\program files\Mozilla Thunderbird
    2010-07-21 13:21 . 2010-07-21 13:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
    2010-07-18 11:51 . 2010-05-02 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-07-18 05:14 . 2010-04-28 06:10 -------- d-----w- c:\documents and settings\1010101\Application Data\avidemux
    2010-07-17 06:25 . 2010-05-04 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-16 17:47 . 2010-03-27 06:46 47240 ----a-w- c:\documents and settings\1010101\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-16 17:45 . 2010-03-27 06:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-16 17:44 . 2010-03-27 06:08 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Motousbnet_01007.Wdf
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motfilt_01007.Wdf
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01007.Wdf
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgpfl_01007.Wdf
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motccgp_01007.Wdf
    2010-07-16 17:39 . 2010-07-16 17:39 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motusbdevice_01007.Wdf
    2010-07-16 15:58 . 2010-04-25 03:53 -------- d-----w- c:\program files\Java
    2010-07-13 02:15 . 2010-05-03 03:21 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-13 02:14 . 2010-05-03 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-07-11 01:58 . 2010-05-20 03:01 -------- d-----w- c:\documents and settings\1010101\Application Data\FileZilla
    2010-07-11 01:48 . 2010-05-20 03:01 -------- d-----w- c:\program files\FileZilla FTP Client
    2010-07-09 07:20 . 2010-03-27 08:02 -------- d-----w- c:\program files\IconTweaker
    2010-07-08 04:06 . 2010-05-09 01:47 -------- d-----w- c:\program files\AGEIA Technologies
    2010-06-30 02:37 . 2010-05-31 07:47 -------- d-----w- c:\program files\Valve
    2010-06-28 20:57 . 2010-03-27 08:17 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-03-27 08:17 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-03-27 08:17 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-03-27 08:17 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-03-27 08:17 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-03-27 08:17 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-03-27 08:17 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-03-27 08:17 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-24 05:50 . 2010-06-02 03:51 -------- d-----w- c:\program files\Half-Life 2 Ultimate Edition 7
    2010-06-22 08:36 . 2010-04-25 03:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-20 04:25 . 2010-06-20 04:25 -------- d-----w- c:\program files\Virtual Earth 3D
    2010-06-14 14:31 . 2010-03-27 06:57 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
    2010-06-11 05:29 . 2010-06-11 05:29 -------- d-----w- c:\program files\BreakPoint Software
    2010-06-10 07:50 . 2010-05-06 02:33 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-03 05:26 . 2010-06-03 05:26 -------- d-----w- c:\program files\Majesco Entertainment
    2010-06-02 08:55 . 2010-07-07 04:51 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2010-06-02 08:55 . 2010-07-07 04:51 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2010-06-02 08:55 . 2010-07-07 04:51 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2010-06-01 01:09 . 2010-06-01 01:09 -------- d-----w- c:\program files\Nem's Tools
    2010-05-31 22:41 . 2010-05-31 22:41 -------- d-----w- c:\program files\CFToolbox
    2010-05-27 03:04 . 2010-05-03 03:23 -------- d-----w- c:\program files\iTunes
    2010-05-26 15:41 . 2010-07-07 04:51 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2010-05-26 15:41 . 2010-07-07 04:51 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2010-05-26 15:41 . 2010-07-07 04:51 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2010-05-26 15:41 . 2010-07-07 04:51 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2010-05-26 15:41 . 2010-07-07 04:51 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2010-05-23 06:59 . 2010-05-20 08:17 -------- d-----w- c:\program files\RogueSynapse
    2010-05-23 06:55 . 2010-05-23 06:55 -------- d-----w- c:\documents and settings\1010101\Application Data\Wenovo
    2010-05-21 02:24 . 2010-05-21 02:25 873472 ----a-w- c:\windows\WATERYDS.SCR
    2010-05-09 15:41 . 2010-05-09 15:41 4096 ----a-w- c:\windows\d3dx.dat
    2010-05-06 10:41 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 04:42 . 2010-05-04 04:42 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-05-02 05:22 . 2001-08-23 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-04-28 06:35 . 2010-04-28 06:35 47360 ----a-w- c:\documents and settings\1010101\Application Data\pcouffin.sys
    .
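    The "Files Created" section above lists every file and folder that appeared in the last 30 days, and the helper's job is to pick out the handful worth a closer look (the `--shatr-` winstart.bat she put under FileLook:: is the kind of entry meant). The Python below is an added example written for this edit, not code from the thread, from ComboFix or from TechSpot: it parses lines in that format and flags files created in the incident window that carry the hidden or system attribute or sit loose in a Windows system directory. The attribute-letter meanings (first column d = directory, h = hidden, s = system), the incident window and the list of watched directories are assumptions; the six sample lines are copied from the log posted above.

```python
import re
from datetime import datetime

# Constructed sample input: six lines copied from the "Files Created" section of the
# ComboFix log posted in this thread (section banners and "." separators dropped).
SAMPLE_LOG = r"""
2010-07-21 13:21 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-19 23:56 . 2010-07-19 23:56 -------- d-----w- c:\program files\Trend Micro
2010-07-17 05:05 . 2010-07-17 05:05 2 --shatr- c:\windows\winstart.bat
2010-07-08 04:21 . 2010-07-08 04:21 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM
2010-07-21 13:21 . 2010-07-21 13:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motoandroid_01007.Wdf
2010-06-29 03:30 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
"""

# One log line: "<created> . <modified> <size or --------> <attrs> <path>".
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Incident window taken from the log header "Files Created from 2010-06-22 to 2010-07-22".
INCIDENT_WINDOW = (datetime(2010, 6, 22), datetime(2010, 7, 22, 23, 59))

# Directories where a freshly created loose file deserves a second look. Assumption:
# the two locations the helper in this thread looked at; extend the tuple as needed.
WATCHED_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def parse_entries(text):
    """Turn 'Files Created' / 'Find3M' lines of a ComboFix log into dicts.

    Attribute letters are read by membership rather than position. The first
    column 'd' marks a directory; 'h' and 's' are taken to mean the hidden and
    system attributes (assumed interpretation of ComboFix's flag string).
    Lines that are not entries (banners, lone '.' separators) are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        is_dir = attrs[0] == "d"
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": None if is_dir or m["size"].startswith("-") else int(m["size"]),
            "is_dir": is_dir,
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": m["path"].lower(),
        })
    return entries


def triage(entries, window=INCIDENT_WINDOW):
    """Return (path, reasons) for files created inside the window that hit a heuristic.

    These are review prompts, not verdicts: a legitimate screensaver dropped in
    c:\\windows is listed next to the suspicious winstart.bat. The point is to
    hand a human the short list instead of the whole log.
    """
    start, end = window
    findings = []
    for e in entries:
        if e["is_dir"] or not (start <= e["created"] <= end):
            continue
        reasons = []
        if e["hidden"] or e["system"]:
            reasons.append("hidden/system attribute set on a file")
        parent = e["path"].rsplit("\\", 1)[0] + "\\"
        if parent in WATCHED_DIRS:
            reasons.append("loose file directly under a Windows system directory")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)):
        print(path, "->", "; ".join(reasons))
```

    Run against the sample, the script surfaces three of the six lines: winstart.bat (both heuristics), the zero-byte hidden .Wdf marker under drivers, and avastSS.scr in the Windows root. The last two are benign on this machine, which is exactly why the output is a list to read rather than a list to delete; the directory entries and anything created outside the window never reach the reviewer.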
     
  18. 1010101

    ((((((((((((((((((((((((((((( SnapShot@2010-07-17_05.43.38 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-22 00:05 . 2010-07-22 00:05 16384 c:\windows\temp\Perflib_Perfdata_7b8.dat
    + 2010-07-19 23:56 . 2010-07-19 23:56 1094656 c:\windows\Installer\5945b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2008-05-03 13529088]
    "nwiz"="nwiz.exe" [2008-05-03 1630208]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2008-05-03 86016]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^1010101^Start Menu^Programs^Startup^V CAST Media Monitor.lnk]
    path=c:\documents and settings\1010101\Start Menu\Programs\Startup\V CAST Media Monitor.lnk
    backup=c:\windows\pss\V CAST Media Monitor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2010-06-19 16:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2010-06-19 23:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 03:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    2004-08-04 03:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2004-08-04 03:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\xampp\\apache\\bin\\httpd.exe"=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
    "c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\ucs.exe"=
    "c:\\Documents and Settings\\1010101\\Desktop\\Utilities\\eMule0.50a\\emule.exe"=
    "c:\\Program Files\\Valve\\garrysmod\\hl2.exe"=
    "c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine3\\hl2.exe"=
    "c:\\Program Files\\Half-Life 2 Ultimate Edition 7\\Engine2\\hl2.exe"=
    "c:\\Program Files\\2K Games\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
    "c:\\Program Files\\TightVNC\\tvnserver.exe"=
    "c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\EQEmuLoginServer.exe"=
    "c:\\xampp\\mysql\\bin\\mysqld.exe"=
    "c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\World.exe"=
    "c:\\Documents and Settings\\1010101\\Desktop\\Games\\EQEmu\\build\\Zone.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5900:TCP"= 5900:TCP:vnc port
    "8080:TCP"= 8080:TCP:uTorrent Web GUI

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/13/2010 11:36 PM 691696]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/27/2010 4:17 AM 165456]
    R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [3/27/2010 9:45 PM 112835]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/27/2010 4:17 AM 17744]
    R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/16/2010 1:39 PM 91456]
    R3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [3/27/2010 9:45 PM 5325]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/11/2010 11:30 AM 136176]
    S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [7/16/2010 1:38 PM 25856]
    S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [7/16/2010 1:38 PM 6016]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [7/16/2010 1:38 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [7/16/2010 1:38 PM 8320]
    S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [7/16/2010 1:38 PM 23424]
    S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [7/16/2010 1:38 PM 9472]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]

    2010-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-11 15:30]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\1010101\Application Data\Mozilla\Firefox\Profiles\q1a9n599.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
    FF - plugin: c:\documents and settings\1010101\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
    FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-21 20:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spig.sys >>UNKNOWN [0x8A286938]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf764bf28
    \Driver\ACPI -> ACPI.sys @ 0xf74a3cb8
    \Driver\atapi -> atapi.sys @ 0xf7978b40
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
    ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
    ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
    NDIS: SiS 900-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7b3cb0a
    PacketIndicateHandler -> NDIS.sys @ 0xf7b47a21
    SendHandler -> NDIS.sys @ 0xf7b3c949
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-682003330-573735546-1801674531-1003\Software\SecuROM\License information*]
    "datasecu"=hex:0e,57,66,6a,95,67,b2,c0,d5,d4,7f,33,79,f4,46,2b,d0,b7,a0,c5,2b,
    ad,84,62,c5,8f,81,1e,ad,83,56,09,a7,d6,71,16,d7,a9,72,34,e6,0f,21,82,ba,e6,\
    "rkeysecu"=hex:d1,75,00,ed,a9,5c,42,7e,2f,60,b3,f5,b0,6a,27,23
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1980)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\program files\TortoiseSVN\bin\TortoiseStub.dll
    c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\System32\nvsvc32.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Motorola\MotoConnectService\MotoConnect.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-21 20:13:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-22 00:13
    ComboFix2.txt 2010-07-21 04:19
    ComboFix3.txt 2010-07-17 05:46

    Pre-Run: 20,004,106,240 bytes free
    Post-Run: 20,032,823,296 bytes free

    - - End Of File - - BB21A959B86EB6328E7026E91A0D36D2
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have a question if you don't mind helping me out. I've seen the numerous entries for the Tortoise Overlays. I did some searching but it has only produced that the program is for icon overlays in Windows 7.

    But there are so many entries, from shelliconoverlayidentifiers\1TortoiseNormal numbered up to #8, and files for TortoiseModified, Conflict, Locked, ReadOnly, etc. What is this program and how does it work?
    ====================================
    I would like you to run the following though because of that 'unknown' section in Combofix:

    Download Bootkit Remover and save to your Desktop
    1. You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    2. After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    3. You will see a Black screen with some data on it.
    4. Right click on the screen and click Select All.
    5. Press CTRL+C to Copy
    6. Open a Notepad and press CTRL+V to Paste.
    7. Include the report in your next post.
    Credits to Broni
     
  20. 1010101

    1010101 TS Rookie Topic Starter

    The Tortoise stuff is for icon overlays used by TortoiseSVN. I use it to update some database files for an EverQuest server emulator every now and then. You can read more about it at http://tortoisesvn.net/about. Open source and works well.

    No issues at all to report with the system. Everything seems to be working well. Thanks so much for your time. That you do this for others is just amazing, really, and you guys all deserve tremendous thanks for your time and effort.

    The contents of the Bootkit Remover screen follow. Ctrl-C doesn't work on that window, by the way, but right-clicking and choosing "Select All" followed by another right-click does copy the contents of the window into the clipboard.

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    279 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
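Bobbye's question above (why the log shows so many shelliconoverlayidentifiers entries) can be answered from the ComboFix output itself by joining each overlay name to the CLSID it registers and to the DLL that CLSID resolves to. This is an added Python example, not ComboFix's or TortoiseSVN's code; the sample log text is a constructed excerpt in the format printed above, plus one made-up overlay whose CLSID has no resolving key, to show how an unresolvable handler is reported.

```python
"""Triage of ComboFix 'Reg Loading Points' icon-overlay entries.

Added example: parses the shelliconoverlayidentifiers blocks in the format
ComboFix prints, joins each overlay name to its CLSID and to the module that
CLSID resolves to, and groups the result by module so a reviewer can see
whether many entries are one known product or many different DLLs.
"""
import re

# Constructed sample in ComboFix's format: two of the Tortoise entries from the
# log above, plus a made-up overlay whose CLSID never gets a CLSID key.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-01-18 23:12 86280 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9ConstructedOverlay]
@="{00000000-1111-2222-3333-444444444444}"
"""

# Key line naming an overlay handler; group 1 is the overlay name.
OVERLAY_KEY = re.compile(r"^\[.*\\shelliconoverlayidentifiers\\([^\]]+)\]$", re.I)
# The handler's default value: the CLSID it registers.
DEFAULT_CLSID = re.compile(r'^@="(\{[0-9A-F-]{36}\})"$', re.I)
# The CLSID key ComboFix prints right after, followed by the module line.
CLSID_KEY = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})\]$", re.I)
# "YYYY-MM-DD HH:MM size attrs path" as ComboFix prints file details.
MODULE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (\S{8}) (.+)$")


def parse_overlay_handlers(log_text):
    """Return one dict per overlay entry: name, clsid, module, timestamp, size.

    module, timestamp and size are None when no CLSID key for that CLSID
    follows in the log, i.e. the handler cannot be resolved to a file.
    """
    lines = [ln.strip() for ln in log_text.splitlines()]
    lines.append("")  # sentinel so the last real line has a 'next'
    overlays, clsid_modules = [], {}
    for cur, nxt in zip(lines, lines[1:]):
        key = OVERLAY_KEY.match(cur)
        if key:
            val = DEFAULT_CLSID.match(nxt)
            overlays.append((key.group(1), val.group(1).upper() if val else None))
            continue
        key = CLSID_KEY.match(cur)
        if key:
            mod = MODULE_LINE.match(nxt)
            if mod:
                clsid_modules[key.group(1).upper()] = {
                    "timestamp": mod.group(1),
                    "size": int(mod.group(2)),
                    "module": mod.group(4).lower(),
                }
    unresolved = {"timestamp": None, "size": None, "module": None}
    return [{"name": name, "clsid": clsid, **clsid_modules.get(clsid, unresolved)}
            for name, clsid in overlays]


def group_by_module(handlers):
    """Map each resolved module path to the overlay names loading it; the key
    None collects entries whose CLSID could not be resolved to a file."""
    groups = {}
    for h in handlers:
        groups.setdefault(h["module"], []).append(h["name"])
    return groups


def report(handlers):
    """One line per module: how many overlays point at it and which ones."""
    out = []
    for module, names in group_by_module(handlers).items():
        label = module or "UNRESOLVED (no CLSID key in log)"
        out.append(f"{len(names):2d} overlay(s) -> {label}: {', '.join(names)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_overlay_handlers(SAMPLE_LOG)))
```

Run against the full log above, all nine Tortoise entries collapse to the single TortoiseOverlays.dll line, which is the point worth checking before chasing each entry separately.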
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for the info. I did see a lot of sites with references, but just couldn't get a handle on it! I appreciate your patience and was glad to help.

    The system looks good now so you can Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      [o]Choose Disc Cleanup
      [o]Click "OK" to select the partition or drive you want.
      [o]Click the "More Options" Tab.
      [o]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    ===========================================
    Please follow these simple steps to keep your computer clean and secure:


    Stay current on updates:
    • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    Do regular Maintenance
    • Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
    • Disable and Enable System Restore:
      [o]See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.

    Have layered Security:
    • Antivirus Software (only one): Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o] Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      [o]MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    Let me know if you need any more help.
     
  22. 1010101

    1010101 TS Rookie Topic Starter

    Thanks for all your help, Bobbye. Everything is working fantastically. Thanks, too, to Broni, who, based on one of your posts, lent an assist.

    I appreciate the effort you put in. Thanks a million!
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome. Glad to help.
     
Topic Status:
Not open for further replies.
