idrizmiftari
Helping a computer-illiterate friend recover his PC from viruses. At first it wouldn't load Windows, but I ran a battery of removers and now the only issue is that all search engines cannot be accessed. What is strange is that if I physically disconnect the line and reconnect, I can access them; however, resetting through ipconfig doesn't work.
I ran Malwarebytes, Spybot, Ad-Aware, NOD32, AVG, HijackThis and ComboFix. I also scanned with RKUnhooker but got too afraid to touch anything. Unfortunately time is not with me: I have logs of HijackThis and ComboFix, but I forgot to take logs of the others. ComboFix stated that the AVG scanner is present even though I uninstalled it and used AppRemover; it still shows the alert, however it seemed like it ran fine. I will be heading off to work but will be back in 9 hours. Thank you tremendously in advance for your time and patience.
[HJT log removed by Broni]
**************************
COMBOFIX***********
**************************
ComboFix 11-09-15.05 - LT BABY 09/16/2011 11:15:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1635 [GMT -4:00]
Running from: c:\documents and settings\LT BABY\Desktop\lobster.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
.
.
2011-09-16 05:09 . 2011-09-16 05:09 388096 ----a-r- c:\documents and settings\LT BABY\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-16 05:09 . 2011-09-16 05:09 -------- d-----w- c:\program files\Trend Micro
2011-09-15 15:16 . 2011-07-19 09:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-15 05:44 . 2011-09-15 05:44 -------- d-----r- c:\program files\Skype
2011-09-15 05:15 . 2011-09-15 05:15 -------- d-----w- c:\program files\iPod
2011-09-15 05:12 . 2011-09-15 05:12 -------- d-----w- c:\program files\Bonjour
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-09-15 05:12 . 2011-09-15 05:12 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-09-15 05:11 . 2011-09-15 05:12 -------- d-----w- c:\program files\QuickTime
2011-09-15 05:07 . 2011-09-15 05:07 -------- d-----w- c:\program files\Lavasoft
2011-09-14 14:28 . 2011-09-14 14:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-14 14:26 . 2011-09-15 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-11 22:46 . 2011-09-14 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-09-11 22:06 . 2011-09-14 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\winrm
2011-09-11 21:55 . 2011-09-11 21:55 -------- d-----w- c:\windows\system32\GroupPolicy
2011-09-11 21:55 . 2011-09-11 21:55 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-09-11 17:32 . 2011-09-11 17:32 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-09-11 17:32 . 2011-09-11 17:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\AVG2012
2011-09-11 17:30 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-09-11 17:28 . 2011-09-11 20:40 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-09-11 05:51 . 2011-09-11 05:51 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Sakura
2011-09-11 04:45 . 2011-09-11 04:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 04:10 . 2011-09-11 04:10 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\ESET
2011-09-11 03:59 . 2011-09-11 03:59 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2011-09-11 03:04 . 2011-09-11 03:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-11 01:33 . 2011-09-11 05:55 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Malwarebytes
2011-09-11 01:32 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-11 01:32 . 2011-09-11 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 01:32 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 01:04 . 2011-09-11 01:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-08 21:57 . 2011-09-11 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\mJ21101PpGeC21101
2011-09-05 20:24 . 2011-09-11 00:25 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Conduit
2011-09-05 20:24 . 2011-09-05 20:25 -------- d-----w- c:\documents and settings\LT BABY\Application Data\GetRightToGo
2011-09-05 01:37 . 2011-09-05 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2011-09-03 13:59 . 2011-09-03 13:59 -------- d-----w- c:\documents and settings\LT BABY\Application Data\Unity
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 04:55 . 2011-09-03 04:55 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2011-09-03 04:51 . 2011-09-03 04:51 -------- d-----w- c:\documents and settings\LT BABY\Local Settings\Application Data\Unity
2011-09-03 04:38 . 2011-09-03 04:38 83249512 ----a-w- c:\program files\Common Files\Windows Live\.cache\wlc5AC.tmp
2011-08-26 22:21 . 2011-08-26 22:21 42392 ----a-w- c:\windows\system32\xfcodec.dll
2011-08-18 14:46 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-18 14:46 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-08-11 21:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-19 06:40 . 2008-11-02 04:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-15 13:29 . 2004-08-11 21:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2004-08-11 21:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37 . 2011-07-05 22:37 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37 . 2011-07-05 22:37 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-06-24 14:10 . 2004-08-11 21:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-11 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-11 21:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-11 21:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-03 06:01 . 2011-09-15 13:34 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-16_05.31.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-16 15:08 . 2011-09-16 15:08 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzIyNDAyMDA5LVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1796&mid=5188a9f4d2a647d1a4bad153e62412d6-f43308e76f07837a7ea13e9f5929462580b6ee3d" [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 02:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2004-02-19 09:23 61440 ----a-w- c:\dell\bldbubg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2006-07-21 20:48 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2006-09-11 08:40 218032 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-08-19 05:07 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 21:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 22:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-05-01 12:07 843776 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
IE: &AIM Toolbar Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://www.intranet.farmingdale.edu:8080/av/symantec/xp/webinst.cab
FF - ProfilePath - c:\documents and settings\LT BABY\Application Data\Mozilla\Firefox\Profiles\jgxkomdb.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-16 11:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-16 11:26:37
ComboFix-quarantined-files.txt 2011-09-16 15:26
ComboFix2.txt 2011-09-16 05:34
.
Pre-Run: 29,371,850,752 bytes free
Post-Run: 29,359,345,664 bytes free
.
- - End Of File - - 07ED3CEAB329DFC30CC24B6AC14DB852