Boogie Daddie
Posts: 20 +0
A month or so ago I got infected with some sort of malware that caused constant pop-ups of "Your computer is infected, click here to fix it". Most of these pop-ups seemed to mimic the built-in Windows Internet Security, but clicking on them would take you to a site to purchase some program. I also get a pop-up at start-up every time that says Microsoft Windows Malicious Software Removal Tool needs my permission to continue. At the same time most of my internet-based programs stopped working. IE wouldn't connect at all; Windows Mail would download my mail, but wouldn't get any of the pictures embedded in the messages. When ripping CDs, Media Player couldn't connect to get album information. Firefox worked, but only after clicking "Run as administrator". A few weeks ago, the pop-ups stopped without my having done anything to affect them. I came across your site and downloaded all of the programs listed, and the logs will follow. The programs found several things, and after running them my IE and mail appear to be working and Media Player is gathering album information again. I am concerned, however, that something is still lurking in my computer. Any help is much appreciated,
Boogie Daddie
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6304
Windows 6.0.6000
Internet Explorer 7.0.6000.17037
4/7/2011 6:51:44 PM
mbam-log-2011-04-07 (18-51-44).txt
Scan type: Quick scan
Objects scanned: 162162
Time elapsed: 4 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\mdnkso81qq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Lilheath\AppData\Local\evf.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\windows\system32\drivers\orpokalx.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\Users\Lilheath\local settings\application data\evf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-04-07 19:29:31
Windows 6.0.6000
Running: gmer.exe; Driver: C:\Users\Lilheath\AppData\Local\Temp\uwlcrkow.sys
---- Services - GMER 1.0.15 ----
Service (*** hidden *** ) [BOOT] orpokalx <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet012\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet013\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet014\Services\orpokalx@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Type 1
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Start 0
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet015\Services\orpokalx@Group Boot Bus Extender
---- EOF - GMER 1.0.15 ----
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 9/6/2007 9:00:29 AM
System Uptime: 4/7/2011 6:53:06 PM (1 hours ago)
.
Motherboard: ASUSTek Computer INC. | | Acacia
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 364 GiB total, 233.037 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.196 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
3ivx D4 4.5.1 Decoder (remove only)
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Ask Toolbar
AVS DVDMenu Editor 1.2.1.19
AVS Video Tools 5.6
CyberLink PowerDirector
Digital Photo Navigator 1.5
EA Download Manager
EA Download Manager UI
eMusic Download Manager 4.1.4
Enhanced Multimedia Keyboard Solution
Everio MediaBrowser
Facebook Plug-In
Final Media Player 2010
GameTap
Greeting Card Factory Deluxe 7.0
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Advisor
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Picasso Media Center Add-In
HP Update
Java(TM) SE Runtime Environment 6 Update 1
Lexmark 2300 Series
Lexmark Z700-P700 Series
LG USB Modem driver
LightScribe 1.6.45.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft FrontPage 2000
Microsoft Office 2000 Professional
Microsoft Office Home and Student 60 day trial
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.5.17)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
Napster Download Manager
NVIDIA Drivers
Opera 10.61
Oracle JInitiator 1.3.1.28
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Encoder (KB954156)
SimCity™ Societies
SmartSound Quicktracks Plugin
Snapfish Picture Mover
Spelling Dictionaries Support For Adobe Reader 9
SPORE™
System Requirements Lab
Ulead GIF Animator 5 TBYB
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VideoToolkit01
WeatherBug Gadget
Windows Media Encoder 9 Series
World of Warcraft
Yahoo! Search Protection
Yahoo! Toolbar
.
==== End Of File ===========================
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Lilheath at 19:30:11.60 on Thu 04/07/2011
Internet Explorer: 7.0.6000.17037
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1918.1096 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxblcoms.exe
C:\Windows\system32\lxcgcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lilheath\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [mwptuym] rundll32.exe "c:\users\lilheath\appdata\roaming\chuygia.dll",pmcfiz
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mbcame~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Trusted Zone: mercerhrs.com\ibenefitcenter
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lilheath\appdata\roaming\mozilla\firefox\profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\lilheath\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
R3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-4-7 94848]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
.
=============== Created Last 30 ================
.
2011-04-07 22:56:57 94848 ----a-w- C:\uwlcrkow.sys
2011-04-07 22:44:33 -------- d-----w- c:\users\lilheath\appdata\roaming\Malwarebytes
2011-04-07 22:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26:33 -------- d-----w- c:\program files\AVAST Software
2011-04-07 02:26:33 -------- d-----w- c:\progra~2\AVAST Software
2011-04-06 17:09:01 -------- d-----w- c:\users\lilheath\appdata\roaming\Unity
2011-03-29 20:45:17 -------- d-----w- c:\users\lilheath\appdata\roaming\Inspiration Software
2011-03-29 20:44:43 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40:40 -------- d-----w- c:\users\lilheath\appdata\roaming\Softland
2011-03-29 20:40:31 -------- d-----w- c:\program files\Softland
2011-03-29 20:40:13 -------- d-----w- c:\progra~2\Inspiration 9
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:30:28.08 ===============
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Nova Development\Greeting Card Factory Deluxe 7.0\ReminderApp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k wdisvc
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lilheath\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [mwptuym] rundll32.exe "c:\users\lilheath\appdata\roaming\chuygia.dll",pmcfiz
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [<NO NAME>]
mRun: [ReminderApp] c:\program files\nova development\greeting card factory deluxe 7.0\ReminderApp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [EzPrint] "c:\program files\lexmark 2300 series\ezprint.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mbcame~1.lnk - c:\program files\pixela\everio mediabrowser\MBCameraMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
Trusted Zone: mercerhrs.com\ibenefitcenter
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lilheath\appdata\roaming\mozilla\firefox\profiles\9q5nude7.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPJinit13128.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\users\lilheath\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 lxbl_device;lxbl_device;c:\windows\system32\lxblcoms.exe -service --> c:\windows\system32\lxblcoms.exe -service [?]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2007-8-31 464384]
R3 uwlcrkow;uwlcrkow;C:\uwlcrkow.sys [2011-4-7 94848]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-9-7 156928]
.
=============== Created Last 30 ================
.
2011-04-07 22:56:57 94848 ----a-w- C:\uwlcrkow.sys
2011-04-07 22:44:33 -------- d-----w- c:\users\lilheath\appdata\roaming\Malwarebytes
2011-04-07 22:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 22:44:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-07 02:26:33 -------- d-----w- c:\program files\AVAST Software
2011-04-07 02:26:33 -------- d-----w- c:\progra~2\AVAST Software
2011-04-06 17:09:01 -------- d-----w- c:\users\lilheath\appdata\roaming\Unity
2011-03-29 20:45:17 -------- d-----w- c:\users\lilheath\appdata\roaming\Inspiration Software
2011-03-29 20:44:43 -------- d-----w- c:\program files\Inspiration 9
2011-03-29 20:40:40 -------- d-----w- c:\users\lilheath\appdata\roaming\Softland
2011-03-29 20:40:31 -------- d-----w- c:\program files\Softland
2011-03-29 20:40:13 -------- d-----w- c:\progra~2\Inspiration 9
.
==================== Find3M ====================
.
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 19:30:28.08 ===============