My computer is/was infected by System Tool 2011 and the Disk Defragmenter virus. I have run Malwarebytes and TFC, but now my computer will not boot in normal mode. I am able to boot in safe mode. Also, when using Google I am sent to random websites.
Below are the logs from Malwarebytes and DDS. The second DDS log and the GMER log are in the next post.
Thanks for the help.
Mark
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5347
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
12/18/2010 12:41:52 AM
mbam-log-2010-12-18 (00-41-52).txt
Scan type: Full scan (C:\|)
Objects scanned: 264066
Time elapsed: 38 minute(s), 35 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 35
Memory Processes Infected:
c:\documents and settings\Owner\application data\ctvrwsk2fcmlnibgef3orkosiozqvql2\csrss.exe (Spyware.Passwords) -> 1132 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Value: bk -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssend (Spyware.Passwords) -> Value: mssend -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\Documents and Settings\Owner\Application Data\ctvrwsk2fcmlnibgef3orkosiozqvql2\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Owner\application data\ctvrwsk2fcmlnibgef3orkosiozqvql2\csrss.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0006025.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\xssend2\svcnost.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007143.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\nndib06101\nndib06101.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Desktop\update.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\19792079 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\RY1NB2BT\e4jejwe4jj3[1].exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004016.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004020.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004021.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004022.dll (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004025.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP1\A0004026.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007336.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007138.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007343.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007214.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007227.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007240.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007242.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007243.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP2\A0007251.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007306.exe (Trojan.FakeAV.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007321.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007322.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007331.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007374.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007337.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007383.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007373.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\program files\HPZUCI12.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\system volume information\_restore{0a438c3b-a487-4c6d-850c-c76cc3327fd0}\RP3\A0007376.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\Adobe\plugs\kb34876640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Owner at 17:04:51.14 on Sat 12/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.480.185 [GMT -5:00]
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = hxxp://srch-us4.hpwis.com/
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [S3TRAY2] S3tray2.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\sony handheld\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {17A27031-71FC-11d4-815C-005004D0F1FA} - c:\program files\marketbrowser\lmt\MarketBrowser_Launch.xpy
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: doi.gov\doilearn
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.8.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131427983998
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://gscascrm02.wr.usgs.gov/dwa8W.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/media/5.1.3.1429-3.0.0.7207/MILive.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
S2 gupdate1c9cd19c71c231a;Google Update Service (gupdate1c9cd19c71c231a);c:\program files\google\update\GoogleUpdate.exe [2009-5-4 133104]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2008-9-14 87416]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\naveng.sys [2010-12-10 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\navex15.sys [2010-12-10 1360248]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2001-11-16 164864]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2001-7-31 130332]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
=============== Created Last 30 ================
2010-12-18 04:56:24 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-12-18 04:56:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 04:56:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-18 04:56:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 04:56:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-18 04:43:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-18 04:43:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-18 04:42:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\nNdIb06101
2010-12-18 04:39:55 -------- d-----w- c:\program files\Coupons
2010-12-18 04:39:55 -------- d-----w- c:\docume~1\owner\applic~1\Catalina Marketing Corp
2010-12-17 20:10:01 29996 ---h--w- c:\docume~1\owner\applic~1\ntuser.dat
2010-12-16 21:57:15 -------- d-----w- c:\docume~1\owner\applic~1\xssend2
2010-12-16 21:56:07 -------- d-----w- c:\docume~1\owner\applic~1\ctvrwsk2fcmlnibgef3orkosiozqvql2
2010-12-15 13:55:39 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-15 13:55:10 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-01 22:48:32 -------- d-----w- c:\program files\Picaboo X
==================== Find3M ====================
2010-12-18 16:10:45 90112 ----a-w- c:\windows\DUMP9eb1.tmp
2010-12-16 21:57:18 9728 ---h--w- c:\docume~1\owner\applic~1\desktop.ini
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2003-04-22 14:46:52 2719744 ------w- c:\program files\aiodrv.msi
2003-04-22 14:42:04 2588672 ------w- c:\program files\aiosw.msi
2003-04-09 17:13:50 577536 ----a-w- c:\program files\Setup.exe
2003-03-10 01:30:44 184320 ----a-w- c:\program files\hpzscr07.dll
2003-03-10 01:30:42 274432 ----a-w- c:\program files\hpzglu07.exe
2003-03-10 01:30:42 237568 ----a-w- c:\program files\hpzc3212.dll
2002-09-09 22:48:20 22608 ----a-w- c:\program files\usbprint.sys
2002-09-09 22:48:12 12288 ----a-w- c:\program files\usbmon.dll
2002-09-09 22:47:52 254005 ----a-w- c:\program files\msvcrt.dll
2002-09-09 22:47:44 70656 ----a-w- c:\program files\msvcirt.dll
2002-09-09 22:47:00 212992 ----a-w- c:\program files\hpzpnp07.dll
2002-09-09 22:46:50 49212 ----a-w- c:\program files\hpzjvp01.dll
2002-09-09 22:46:42 249913 ----a-w- c:\program files\hpzjut01.dll
2002-09-09 22:46:32 417849 ----a-w- c:\program files\hpzjpp01.dll
2002-09-09 22:46:24 28722 ----a-w- c:\program files\hpzjlog.dll
2002-09-06 14:54:56 995383 ----a-w- c:\program files\MFC42.DLL
============= FINISH: 17:05:42.90 ===============
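The two things worth pulling out of the Malwarebytes log above are the Winlogon\Shell value, which had a second program (a csrss.exe living under the user's Application Data, not system32) appended after explorer.exe so it started with every logon, and the svcnost.exe under xssend2, a one-letter lookalike of svchost.exe. The script below is an added example for this thread, not part of the original post and not code from Malwarebytes or DDS: it parses MBAM's "Bad: (...) Good: (...)" form for the Shell hijack and flags executables that carry a Windows system-binary name, or a lookalike of one, outside the Windows directory. The SYSTEM_BINARIES and LEGIT_DIRS lists are this example's own assumptions, and the sample lines are copied from the logs in this post.

```python
"""Triage helper for Malwarebytes / DDS-style log lines.

Added example (not from the original post, Malwarebytes or DDS). It pulls two
things out of log lines: the extra program appended to the Winlogon\\Shell
value that MBAM reports as "Bad: (...) Good: (...)", and executables that use
a Windows system-binary name (csrss.exe) or a one-character lookalike of one
(svcnost.exe) while living somewhere other than the Windows directory.
"""
import ntpath
import re

# Names Windows itself only runs from the Windows directory or system32.
# Short, hand-picked list (an assumption of this example); extend for real use.
SYSTEM_BINARIES = {
    "csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "wininit.exe",
}
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows")

# MBAM writes a hijacked registry value as "Bad: (<seen>) Good: (<expected>)".
SHELL_RE = re.compile(r"Bad:\s*\((?P<bad>.*?)\)\s*Good:\s*\((?P<good>.*?)\)")
# First Windows path on a line that ends in an executable-style extension.
PATH_RE = re.compile(r'[a-z]:\\[^"()\[\]]+?\.(?:exe|dll|scr|sys)\b', re.I)


def parse_shell_hijack(line):
    """Return programs in the 'Bad' Shell value other than explorer.exe, or []."""
    m = SHELL_RE.search(line)
    if not m:
        return []
    # Shell is a list of programs; a clean value is just explorer.exe.
    tokens = re.findall(r'"[^"]+"|\S+', m.group("bad"))
    return [t.strip('"') for t in tokens if t.lower() != "explorer.exe"]


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_path(path):
    """Return a reason string if the path is suspicious, else None."""
    p = path.lower()
    name, directory = ntpath.basename(p), ntpath.dirname(p)
    if name in SYSTEM_BINARIES and directory not in LEGIT_DIRS:
        return f"system binary name {name} outside {LEGIT_DIRS[0]}"
    for real in sorted(SYSTEM_BINARIES):
        if name != real and edit_distance(name, real) == 1:
            return f"lookalike of {real}"
    return None


def triage(lines):
    """Run both checks over log lines; returns [(line_no, reason, detail), ...]."""
    findings = []
    for n, line in enumerate(lines, 1):
        extras = parse_shell_hijack(line)
        if extras:
            findings.extend((n, "winlogon shell hijack", e) for e in extras)
            continue
        m = PATH_RE.search(line)
        if m:
            reason = classify_path(m.group(0))
            if reason:
                findings.append((n, reason, m.group(0)))
    return findings


# Sample lines copied from the MBAM and DDS logs in this thread.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\Documents and Settings\Owner\Application Data\ctvrwsk2fcmlnibgef3orkosiozqvql2\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\ctvrwsk2fcmlnibgef3orkosiozqvql2\csrss.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\xssend2\svcnost.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, reason, detail in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {detail}")
```

Run against the sample it reports three findings (the Shell hijack, csrss.exe under Application Data, and svcnost.exe as a lookalike of svchost.exe) and stays quiet on the legitimate ctfmon.exe and Explorer.EXE lines. The lookalike check also fires on a misspelled name inside system32, which is the point of not restricting it to user directories.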
DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.0.8.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131427983998
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://gscascrm02.wr.usgs.gov/dwa8W.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_5.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/Entriq_3_4_0_15_Silent.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://online.invokesolutions.com/events/bin/media/5.1.3.1429-3.0.0.7207/MILive.cab
DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/NBCUniversal_1_0_0_3.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://juniper.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2} - c:\program files\pixiepack codec pack\InstallerHelper.exe
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
S2 gupdate1c9cd19c71c231a;Google Update Service (gupdate1c9cd19c71c231a);c:\program files\google\update\GoogleUpdate.exe [2009-5-4 133104]
S2 JuniperAccessService;Juniper Unified Network Service;c:\program files\common files\juniper networks\juns\dsAccessService.exe [2008-9-14 87416]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-28 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\naveng.sys [2010-12-10 86136]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101210.002\navex15.sys [2010-12-10 1360248]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2001-11-16 164864]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2001-7-31 130332]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
=============== Created Last 30 ================
2010-12-18 04:56:24 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-12-18 04:56:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-18 04:56:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-18 04:56:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-18 04:56:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-18 04:43:16 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-12-18 04:43:16 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-18 04:42:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\nNdIb06101
2010-12-18 04:39:55 -------- d-----w- c:\program files\Coupons
2010-12-18 04:39:55 -------- d-----w- c:\docume~1\owner\applic~1\Catalina Marketing Corp
2010-12-17 20:10:01 29996 ---h--w- c:\docume~1\owner\applic~1\ntuser.dat
2010-12-16 21:57:15 -------- d-----w- c:\docume~1\owner\applic~1\xssend2
2010-12-16 21:56:07 -------- d-----w- c:\docume~1\owner\applic~1\ctvrwsk2fcmlnibgef3orkosiozqvql2
2010-12-15 13:55:39 45568 ------w- c:\windows\system32\dllcache\wab.exe
2010-12-15 13:55:10 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-01 22:48:32 -------- d-----w- c:\program files\Picaboo X
==================== Find3M ====================
2010-12-18 16:10:45 90112 ----a-w- c:\windows\DUMP9eb1.tmp
2010-12-16 21:57:18 9728 ---h--w- c:\docume~1\owner\applic~1\desktop.ini
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2003-04-22 14:46:52 2719744 ------w- c:\program files\aiodrv.msi
2003-04-22 14:42:04 2588672 ------w- c:\program files\aiosw.msi
2003-04-09 17:13:50 577536 ----a-w- c:\program files\Setup.exe
2003-03-10 01:30:44 184320 ----a-w- c:\program files\hpzscr07.dll
2003-03-10 01:30:42 274432 ----a-w- c:\program files\hpzglu07.exe
2003-03-10 01:30:42 237568 ----a-w- c:\program files\hpzc3212.dll
2002-09-09 22:48:20 22608 ----a-w- c:\program files\usbprint.sys
2002-09-09 22:48:12 12288 ----a-w- c:\program files\usbmon.dll
2002-09-09 22:47:52 254005 ----a-w- c:\program files\msvcrt.dll
2002-09-09 22:47:44 70656 ----a-w- c:\program files\msvcirt.dll
2002-09-09 22:47:00 212992 ----a-w- c:\program files\hpzpnp07.dll
2002-09-09 22:46:50 49212 ----a-w- c:\program files\hpzjvp01.dll
2002-09-09 22:46:42 249913 ----a-w- c:\program files\hpzjut01.dll
2002-09-09 22:46:32 417849 ----a-w- c:\program files\hpzjpp01.dll
2002-09-09 22:46:24 28722 ----a-w- c:\program files\hpzjlog.dll
2002-09-06 14:54:56 995383 ----a-w- c:\program files\MFC42.DLL
============= FINISH: 17:05:42.90 ===============