Camolot Posted July 22, 2011 Author ID:457259
I just went to open the Start menu as the browser was doing what I described, and the Start menu would not open up and stay open; it would immediately close. I am assuming this is part of the same thing. I got MBAM running. I'll post the log as soon as I get home from work. It'll be in about 6 hrs.
LDTate Posted July 22, 2011 ID:457329
We'll see what MBAM finds, but you might be having a Windows OS issue.
Camolot Posted July 23, 2011 Author ID:457365
ComboFix 11-07-20.02 - Owner 07/21/2011 14:48:57.5.1 - x86
Camolot Posted July 23, 2011 Author ID:457367
Sorry, didn't realize it didn't copy right. Here is the MBAM:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7232

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/22/2011 6:01:02 PM
mbam-log-2011-07-22 (18-01-01).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 354319
Time elapsed: 2 hour(s), 56 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Camolot Posted July 23, 2011 Author ID:457386
Looking through my processes, I got one I'm wondering about. As far as I can tell it only showed up on my first ComboFix run. It is running 5 times, and almost all the time the number in the CPU column equals 100. My CPU is staying at 100.

2011-07-17 01:32:01 113152 ----a-w- c:\documents and settings\all users\application data\6QEoebUl.exe
LDTate Posted July 23, 2011 ID:457443
Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

c:\documents and settings\all users\application data\6QEoebUl.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If VirusTotal is too busy you can try these:
http://virusscan.jotti.org
http://www.kaspersky.com/scanforvirus.html
Camolot Posted July 23, 2011 Author ID:457541
virusscan.jotti.org
Filename: 6QEoebUl.exe
Status: Scan finished. 9 out of 20 scanners reported malware.
Scan taken on: Sat 23 Jul 2011 15:47:23 (CET)

Scanners
[ArcaVir] 2011-07-23 Found nothing
[F-Secure Anti-Virus] 2011-07-23 Gen:Variant.Kazy.25302
[Avast! antivirus] 2011-07-23 Found nothing
[G DATA] 2011-07-23 Gen:Variant.Kazy.25302
[Grisoft AVG Anti-Virus] 2011-07-23 Found nothing
[ikarus] 2011-07-23 Gen.Variant.Kates
[Avira AntiVir] 2011-07-22 TR/Dropper.Gen
[Kaspersky Anti-Virus] 2011-07-23 Found nothing
[softwin BitDefender] 2011-07-23 Gen:Variant.Kazy.25302
[ESET NOD32] 2011-07-23 Win32/Kryptik.QLX
[ClamAV] 2011-07-23 Found nothing
[Panda Antivirus] 2011-07-23 Found nothing
[CPsecure] 2011-07-23 Found nothing
[Quick Heal] 2011-07-22 Found nothing
[Dr.Web] 2011-07-23 Found nothing
[sophos] 2011-07-23 Sus/UnkPack-C
[Emsisoft Anti-Malware] 2011-07-23 Gen.Variant.Kates!IK
[VirusBlokAda VBA32] 2011-07-22 Malware-Cryptor.Limpopo
[Frisk F-Prot Antivirus] 2011-07-22 Found nothing
[VirusBuster] 2011-07-22 Found nothing
LDTate Posted July 24, 2011 ID:457802
First:
You need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 26 and save it to your desktop.
Scroll down to where it says JDK 6 Update 26 (JDK or JRE).
Click the Download JRE button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue.
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon (looks like a coffee cup).
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button.
There are two options in the window to clear the cache - leave BOTH checked:
Applications and Applets
Trace and Log Files
Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files window.
Click OK to leave the Java Control Panel.

Next:
Copy/paste the text in the Codebox below into Notepad.
Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty Notepad file. Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.
KillAll::

File::
c:\documents and settings\all users\application data\6QEoebUl.exe

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AOL 9.1\AOL .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\AOL\1123289240\EE\AOLSoftware .exe
c:\program files\Common Files\AOL\1123289240\EE\SSCRun .exe
c:\program files\Common Files\AOL\ACS\AOLDial .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140 .exe
c:\program files\CyberLink\PowerDVD\PDVDServ .exe
c:\program files\Digital Media Reader\shwiconem .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\windows\ehome\ehtray .exe
c:\windows\SMINST\RECGUARD .exe

Save this file to your desktop. Save this as "CFScript". Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save...

Drag CFScript.txt into ComboFix.exe.
Then post the results log using Copy / Paste.
Also please describe how your computer behaves at the moment.
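The RenV:: list in the post above renames autostart programs that were left as "AOL .exe", "RECGUARD .exe" and so on (a space inserted before the extension) back to their proper names. No installer produces names like that, so such files are worth finding on any machine. The following is an added example, not code from this thread, from ComboFix or from Malwarebytes: it scans a file listing for spaced-extension names, flags the case where a file already sits under the original name (assumed here to mean the legitimate program was shadowed), and can emit the paths in the RenV:: form shown above. The sample listing is constructed.

```python
"""Added example, not code from this thread, ComboFix or Malwarebytes.

Finds files whose basename looks like "<name> .exe" (a space before the
extension), as in the RenV:: list above. For each one it also checks whether
a file already exists under the original name, which is treated here as a
sign that the legitimate program has been shadowed by something else.
"""

import os
import re
from typing import Dict, Iterable, List

# Basename ending in one or more spaces, then a dot and an executable extension.
SPACED_EXT_RE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|com|scr|dll)$",
                           re.IGNORECASE)

# Constructed sample listing modelled on the renamed entries in the RenV:: list.
SAMPLE_LISTING = [
    r"c:\program files\AOL 9.1\AOL .exe",
    r"c:\program files\AOL 9.1\AOL.exe",           # original name already taken
    r"c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe",
    r"c:\windows\SMINST\RECGUARD .exe",
    r"c:\windows\system32\notepad.exe",            # ordinary name, must not match
    r"c:\program files\Some Vendor\My App.exe",    # space in name, not before ".exe"
]


def _split(path: str):
    """Split a Windows path (backslash separators) into (directory, basename)."""
    if "\\" in path:
        directory, base = path.rsplit("\\", 1)
        return directory, base
    return "", path


def find_spaced_renames(paths: Iterable[str]) -> List[Dict[str, object]]:
    """Report every path whose basename matches "<name> .exe" and similar.

    Each finding holds the renamed path, the name it should have, and whether
    that original name is already present in the same listing ("shadowed").
    Comparison is case-insensitive, as NTFS names are."""
    normalised = [p.replace("/", "\\") for p in paths]
    present = {p.lower() for p in normalised}
    findings = []
    for path in normalised:
        directory, base = _split(path)
        m = SPACED_EXT_RE.match(base)
        if m is None:
            continue
        original = f"{m.group('stem')}.{m.group('ext')}"
        expected = f"{directory}\\{original}" if directory else original
        findings.append({
            "renamed": path,
            "expected": expected,
            "shadowed": expected.lower() in present,
        })
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a real directory (e.g. C:\\Program Files) and report findings."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        listing.extend(os.path.join(dirpath, name) for name in files)
    return find_spaced_renames(listing)


def renv_script(findings: Iterable[Dict[str, object]]) -> str:
    """Emit the renamed paths in the RenV:: form used by the CFScript above."""
    lines = ["RenV::"] + [str(f["renamed"]) for f in findings]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = find_spaced_renames(SAMPLE_LISTING)
    for f in results:
        note = "  <-- original name already occupied" if f["shadowed"] else ""
        print(f"{f['renamed']}  ->  {f['expected']}{note}")
    print(renv_script(results))
```

Run `scan_tree(r"C:\Program Files")` on a live machine to get the same findings for the real tree; the RenV:: output is meant to be reviewed by hand before it is used.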
Camolot (Author) Posted July 25, 2011 ID:458010
When I was rebooting from deleting the Java stuff, the hello4 showed up as nonresponsive again during the shutdown.

ComboFix 11-07-20.02 - Owner 07/24/2011 20:36:17.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.406 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\CFScript.txt
.
FILE ::
"c:\documents and settings\all users\application data\6QEoebUl.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\all users\application data\6QEoebUl.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At2.job
.
.
((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
.
.
2011-07-25 00:06 . 2011-07-25 00:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-24 09:01 . 2011-07-24 09:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2011-07-24 02:14 . 2011-07-24 02:14 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-07-23 07:25 . 2011-07-23 07:25 -------- d-----w- c:\windows\system32\%APPDATA%
2011-07-18 15:36 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-07-18 06:36 . 2011-07-18 06:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-07-18 01:54 . 2011-07-18 01:54 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-07-18 01:53 . 2011-07-18 01:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-07-18 01:50 . 2011-07-18 01:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-07-18 01:12 . 2011-07-18 01:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2011-07-18 01:12 . 2011-07-18 01:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-07-18 01:11 . 2011-07-18 01:11 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-07-17 02:08 . 2011-07-17 02:08 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-07-16 22:46 . 2011-07-16 22:46 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-07-16 18:05 . 2011-07-16 18:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Skinux
2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2011-07-11 19:08 . 2011-07-11 19:08 -------- d-----w- c:\documents and settings\NetworkService\Application Data\FCTB000061649
2011-07-11 19:07 . 2011-07-25 00:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\HPAppData
2011-07-11 19:06 . 2011-07-17 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-07-08 17:21 . 2011-07-08 17:21 -------- d-----w- c:\program files\Apple Software Update
2011-07-08 17:18 . 2011-07-08 17:18 -------- d-----w- c:\program files\iPod
2011-07-08 17:18 . 2011-07-25 00:36 -------- d-----w- c:\program files\iTunes
2011-07-01 17:05 . 2011-07-01 17:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-25 00:05 . 2010-08-05 02:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-18 00:24 . 2005-04-13 18:50 45312 ----a-w- c:\windows\system32\drivers\ql12160.sys
2011-07-06 23:52 . 2009-04-01 01:10 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2009-04-01 01:10 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-02 14:02 . 2005-04-13 16:56 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-26 10:44 . 2009-02-10 03:36 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-05-26 10:44 . 2009-02-10 03:36 88 --sh--r- c:\documents and settings\All Users\Application Data\0170302121.sys
2011-05-02 15:31 . 2005-04-13 17:16 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2005-04-13 16:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-04-13 16:55 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 22:35 . 2011-04-26 22:35 1752543 ----a-w- C:\rgo_installer.exe
2011-04-26 11:07 . 2005-04-13 16:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-26 11:07 . 2005-04-13 16:55 33280 ----a-w- c:\windows\system32\csrsrv.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-20_18.21.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-25 00:51 . 2011-07-25 00:51 16384 c:\windows\temp\Perflib_Perfdata_850.dat
+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
+ 2005-04-13 16:56 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2005-08-06 00:43 . 2011-07-21 07:04 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\mfc40u.dll
+ 2005-04-13 16:55 . 2010-09-18 06:53 954368 c:\windows\system32\mfc40.dll
+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\kerberos.dll
- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\kerberos.dll
- 2011-04-04 11:06 . 2011-02-03 01:40 157472 c:\windows\system32\javaws.exe
+ 2011-07-25 00:06 . 2011-07-25 00:05 157472 c:\windows\system32\javaws.exe
+ 2011-07-25 00:06 . 2011-07-25 00:05 145184 c:\windows\system32\javaw.exe
- 2011-04-04 11:06 . 2011-02-03 01:40 145184 c:\windows\system32\javaw.exe
+ 2011-07-25 00:06 . 2011-07-25 00:05 145184 c:\windows\system32\java.exe
- 2011-04-04 11:06 . 2011-02-03 01:40 145184 c:\windows\system32\java.exe
+ 2005-04-13 16:55 . 2010-09-18 06:53 953856 c:\windows\system32\dllcache\mfc40u.dll
- 2005-04-13 16:55 . 2009-06-25 08:25 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2005-04-13 16:55 . 2010-12-22 12:34 301568 c:\windows\system32\dllcache\kerberos.dll
+ 2002-09-14 06:42 . 2002-09-14 06:42 212992 c:\windows\SMINST\RECGUARD.exe
+ 2011-07-25 00:05 . 2011-07-25 00:05 675840 c:\windows\Installer\c1278.msi
+ 2010-09-24 01:02 . 2010-09-24 01:02 798208 c:\windows\Installer\26bb9ed.msp
+ 2005-08-06 00:43 . 2011-07-21 07:04 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-08-06 00:43 . 2011-07-19 19:37 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-08-06 00:43 . 2011-07-21 07:04 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2011-07-21 07:05 . 2011-07-21 07:05 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\4e3dd4d7f9aeda74a2fcefee036e5070\System.Web.Extensions.Design.ni.dll
+ 2011-07-21 07:05 . 2011-07-21 07:05 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\4fb1c0c07f40248b463f2e33444b9477\System.Web.Entity.ni.dll
+ 2011-07-21 07:05 . 2011-07-21 07:05 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\4dfcffc6e6d02bdcdc185d5527a8097e\System.Web.Entity.Design.ni.dll
+ 2011-07-21 07:05 . 2011-07-21 07:05 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b921d1cffcd5e80ea14c51db967edd6\System.Web.DynamicData.ni.dll
+ 2010-08-05 14:57 . 2010-08-05 14:57 4066304 c:\windows\Installer\26bba22.msp
+ 2010-10-22 19:45 . 2010-10-22 19:45 8444928 c:\windows\Installer\26bba01.msp
+ 2011-07-21 07:05 . 2011-07-21 07:05 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\647bfe6da40e8160b967c41424901dc8\System.Web.Extensions.ni.dll
+ 2011-07-21 07:05 . 2011-07-21 07:05 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ead07662976fb7094811461c568643d5\System.ServiceModel.Web.ni.dll
+ 2011-07-21 07:00 . 2011-07-21 07:01 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
- 2009-08-09 07:10 . 2009-08-09 07:10 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8c49a3d1-585b-4eab-985d-6ad480b4f23d}"= "c:\program files\Kentucky Wildcats Toolbar\Helper.dll" [2010-02-06 242688]
.
[HKEY_CLASSES_ROOT\clsid\{8c49a3d1-585b-4eab-985d-6ad480b4f23d}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{763C8C3E-9677-474E-B4BD-6ABC7DDDE090}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A118156-5307-4BFB-9548-B423FDF368A8}]
2010-02-06 22:47 1445888 ----a-w- c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]
.
[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]
[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]
[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7EF32AD9-C8AC-44E3-A39F-913E777ADEEE}"= "c:\program files\Kentucky Wildcats Toolbar\Toolbar.dll" [2010-02-06 1445888]
.
[HKEY_CLASSES_ROOT\clsid\{7ef32ad9-c8ac-44e3-a39f-913e777adeee}]
[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{880EC4BB-9C31-4429-9452-D6F388B0C230}]
[HKEY_CLASSES_ROOT\FCTB000061649.IEToolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\progra~1\AOL9~1.1\AOL.EXE" [2008-11-06 50472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-18 339968]
"CHotkey"="zHotkey.exe" [2005-05-03 543232]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HostManager"="c:\program files\Common Files\AOL\1123289240\ee\AOLSoftware.exe" [2008-06-24 41824]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"NapsterShell"="c:\program files\Napster\napster.exe" [2008-05-09 323216]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-08-06 26112]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2008-03-21 83232]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe" [2010-11-24 233936]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
KEYEXP.lnk - c:\documents and settings\Owner\My Documents\ben\KEYEXP.EXE [2003-11-7 838656]
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2010-1-27 323584]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-6-27 122880]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1123289240\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 8:44 AM 580992]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 5:14 PM 135664]
S3 pelps2m;i8042 Keyboard & PS/2 Mouse Port Driver;c:\windows\system32\drivers\pelps2m.sys [2/24/2006 6:31 PM 19968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-07-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-15 19:09]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 21:14]
.
2011-07-24 c:\windows\Tasks\User_Feed_Synchronization-{D4193A7F-2282-4635-B799-C73E7C516306}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://facebook.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZSzim029YYUS&fl=0&ptb=3cfl_pRGo3kTXXCMNJ9.8g&url=http://www.ask.com/web&q={searchTerms}&l=zs&o=sb
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: pogo.com\www
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.2.1
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://clubgames.pogo.com/online2/pogop/mahjong_escape_ancient/PTGameLauncher.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\pxkpp7yw.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.internet-search-results.com/?sid=10101138100&s=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Aim6 - (no file)
HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe
HKLM-Run-Verizon_McciTrayApp - c:\program files\Verizon\McciTrayApp.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-24 20:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,61,5a,af,58,61,f4,40,97,28,40,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,61,5a,af,58,61,f4,40,97,28,40,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\WININET.dll
c:\documents and settings\Owner\My Documents\ben\KYX95HK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\zHotkey.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\progra~1\AOL9~1.1\waol.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\progra~1\AOL9~1.1\shellmon.exe
.
**************************************************************************
.
Completion time: 2011-07-24 21:01:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-25 01:01
ComboFix2.txt 2011-07-21 19:08
ComboFix3.txt 2011-07-21 17:44
ComboFix4.txt 2011-07-20 20:40
ComboFix5.txt 2011-07-25 00:26
.
Pre-Run: 155,965,509,632 bytes free
Post-Run: 155,972,915,200 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 14691DC6C689A96A48F852EBA91F3365
LDTate Posted July 25, 2011 ID:458144
Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner.
1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
- Close any open programs
- Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database. Please be patient as this can take quite a long time to download.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Camolot (Author) Posted July 25, 2011 ID:458285
I'm still getting this error when going to the website:
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
LDTate Posted July 25, 2011 ID:458289
We shall try a different one.
Please download Dr.Web CureIt. Save it to your desktop:
- Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
- This will scan the files currently running in memory, and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv.
Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
- Please post the Dr.Web.txt report in your next reply.
- Close Dr.Web CureIt.
- Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.
Camolot (Author) Posted July 26, 2011 ID:458717
msmsgs.exe;c:\program files\messenger;Probably Trojan.Packed;Incurable.Deleted.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_1.10.7.1;Probably BACKDOOR.Trojan;Incurable.Deleted.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4028;Probably BACKDOOR.Trojan;Incurable.Deleted.;
ppctl.dll;C:\Program Files\Common Files\AOL\1123289240\EE\services\antispyware\ver2_4_9_1\resources;Probably DLOADER.Trojan;Incurable.Deleted.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Deleted.;
ppctl.dll;C:\Program Files\Common Files\Scanner;Probably DLOADER.Trojan;Incurable.Deleted.;
mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably Trojan.Packed;Incurable.Deleted.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Deleted.;
Launch.exe;C:\Program Files\Oberon Media\Lottso! Deluxe;Trojan.DownLoader1.5776;Incurable.Moved.;
Launch.exe;C:\Program Files\Oberon Media\Tri Peaks 2 Quest For The Ruby Ring;Trojan.DownLoader1.5776;Incurable.Moved.;
6QEoebUl.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Trojan.DownLoad2.31585;Deleted.;
6QEoebUl.exe_.vir;C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data;Probably Trojan.Packed.116;Incurable.Deleted.;
OctoshapeClient .exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Octoshape\Octoshape Streaming Services;Probably Trojan.Packed;Incurable.Deleted.;
OctoshapeClient.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Octoshape\Octoshape Streaming Services;Probably Trojan.Packed;Incurable.Deleted.;
Reader_sl.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader;Probably Trojan.Packed;Incurable.Deleted.;
atiptaxx.exe.vir;C:\Qoobox\Quarantine\C\Program Files\ATI Technologies\ATI Control Panel;Probably Trojan.Packed;Incurable.Deleted.;
BelkinRouterMonitor.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Belkin\Router Setup and Monitor;Probably Trojan.Packed;Incurable.Deleted.;
AdobeARM.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Adobe\ARM\1.0;Probably Trojan.Packed;Incurable.Deleted.;
AOLSoftware.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE;Probably Trojan.Packed;Incurable.Deleted.;
SSCRun.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE;Probably Trojan.Packed;Incurable.Deleted.;
AOLSP Scheduler.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\1123289240\EE\services\safetyCore\ver210_5_2_1;Probably Trojan.Packed;Incurable.Deleted.;
AOLDial.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\AOL\ACS;Probably Trojan.Packed;Incurable.Deleted.;
AppleSyncNotifier.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support;Probably Trojan.Packed;Incurable.Deleted.;
ACDaemon.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\ArcSoft\Connection Service\Bin;Probably Trojan.Packed;Incurable.Deleted.;
jusched.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update;Probably Trojan.Packed;Incurable.Deleted.;
QFSCHD140.EXE.vir;C:\Qoobox\Quarantine\C\Program Files\Corel\WordPerfect Office X4\Programs;Probably Trojan.Packed;Incurable.Deleted.;
PDVDServ.exe.vir;C:\Qoobox\Quarantine\C\Program Files\CyberLink\PowerDVD;Probably Trojan.Packed;Incurable.Deleted.;
shwiconem.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Digital Media Reader;Probably Trojan.Packed;Incurable.Deleted.;
HPWuSchd2.exe.vir;C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update;Probably Trojan.Packed;Incurable.Deleted.;
iTunesHelper.exe.vir;C:\Qoobox\Quarantine\C\Program Files\iTunes;Probably Trojan.Packed;Incurable.Deleted.;
mcvsescn.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\antivirus;Probably Trojan.Packed;Incurable.Deleted.;
oasclnt.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\antivirus;Probably Trojan.Packed;Incurable.Deleted.;
MPfTray.exe.vir;C:\Qoobox\Quarantine\C\Program Files\McAfee.com\personal firewall;Probably Trojan.Packed;Incurable.Deleted.;
QTTask .exe.vir;C:\Qoobox\Quarantine\C\Program Files\QuickTime;Probably Trojan.Packed;Incurable.Deleted.;
QTTask.exe.vir;C:\Qoobox\Quarantine\C\Program Files\QuickTime;Probably Trojan.Packed;Incurable.Deleted.;
McciTrayApp.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Verizon;Probably Trojan.Packed;Incurable.Deleted.;
WMPNSCFG.exe.vir;C:\Qoobox\Quarantine\C\Program Files\Windows Media Player;Probably Trojan.Packed;Incurable.Deleted.;
AOL.EXE.vir;C:\Qoobox\Quarantine\C\PROGRA~1\AOL9~1.1;Probably Trojan.Packed;Incurable.Deleted.;
dwtrig20.exe.vir;C:\Qoobox\Quarantine\C\PROGRA~1\COMMON~1\MICROS~1\DW;Probably Trojan.Packed;Incurable.Deleted.;
ICO.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed;Incurable.Deleted.;
nAQATYM6.exe_.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Probably Trojan.Packed.116;Incurable.Deleted.;
A0020854.EXE;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP15;Probably Trojan.Packed;Incurable.Deleted.;
A0020861.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP15;Trojan.DownLoad2.31585;Deleted.;
A0020992.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP18;Probably Trojan.Packed;Incurable.Deleted.;
A0020993.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP19;Trojan.DownLoader1.5776;Incurable.Moved.;
A0020994.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP19;Trojan.DownLoader1.5776;Incurable.Moved.;
A0012092.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP2;Probably Trojan.Packed;Incurable.Deleted.;
A0012093.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP2;Probably Trojan.Packed;Incurable.Deleted.;
A0012131.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed;Incurable.Deleted.;
A0012132.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed;Incurable.Deleted.;
A0013139.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP3;Probably Trojan.Packed.116;Incurable.Deleted.;
A0019334.exe;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP8;Probably BACKDOOR.Trojan;Incurable.Deleted.;
A0019802.EXE;C:\System Volume Information\_restore{4653E8F8-6519-4964-B7BD-828D96FBCC0E}\RP9;Probably Trojan.Packed;Incurable.Deleted.;
CouponPrinter.ocx;C:\WINDOWS;Adware.Coupons.34;Incurable.Deleted.;
AOLicon.EXE;C:\WINDOWS\OPTIONS;Trojan.MulDrop2.17815;Incurable.Moved.;
recovery_guide_em_eng_9532288.exe;D:\i386\Apps\App00398;Trojan.MulDrop2.14884;Incurable.Moved.;
LDTate Posted July 26, 2011 ID:458720
How's it running?
Camolot Posted July 26, 2011 Author ID:458763
It seems like everything is running right except the system idle thingie that pops up when you press Alt+Ctrl+Delete. The only thing that pops up is a window with the processes running. I don't have the tabs that let me switch to programs anymore. It doesn't tell me the CPU usage at the bottom like it did, and I have no menu bar at the top of it anymore either. It started doing this Saturday night.
LDTate Posted July 26, 2011 ID:458765
1. Download Process Explorer.
2. Extract it into a "known stable" location. I suggest "c:\program files\processexplorer".
3. Run procexp.exe.
4. On the Options menu, select Restore Task Manager.
Now try running taskmgr.exe - it should be restored!
Camolot Posted July 26, 2011 Author ID:458767
I see a Replace Task Manager option but not Restore.
LDTate Posted July 26, 2011 ID:458768
Try Replace then.
Camolot Posted July 26, 2011 Author ID:458773
Replace makes Process Explorer come up when you hit Alt+Ctrl+Del.
LDTate Posted July 26, 2011 ID:458775
Isn't that what it's supposed to do?
Camolot Posted July 26, 2011 Author ID:458776
Fine by me. I thought it was going to repair that file, but that's fine. I'll get to where I understand the info it's trying to tell me. I think everything is running right. Thanks for all the help.
LDTate Posted July 26, 2011 ID:458777
Good job.

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:
Click START, then Run.
Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7:
Click START, then Search.
Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger:
To re-enable your Emulation drivers, double click DeFogger to run the tool.
- The application window will appear.
- Click the Re-enable button to re-enable your CD Emulation drivers.
- Click Yes to continue.
- A 'Finished!' message will appear.
- Click OK.
- DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.

Here's my usual all clean post.

To be on the safe side, I would also change all my passwords. This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good.

- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab.
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
  5. Change the Download signed ActiveX controls to Prompt.
  6. Change the Download unsigned ActiveX controls to Disable.
  7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
  8. Change the Installation of desktop items to Prompt.
  9. Change the Launching programs and files in an IFRAME to Prompt.
  10. Change the Navigate sub-frames across different domains to Prompt.
  11. When all these settings have been made, click on the OK button.
  12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  13. Next press the Apply button and then the OK to exit the Internet Properties page.
- Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Using a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
  • Free browser plug-in for Internet Explorer and Firefox
  • Real-time safety ratings
  • Ideal for Facebook, Twitter and LinkedIn
- JAVA - Click this link and click on the Free JAVA Download.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read: PC Safety and Security--What Do I Need?

How to Prevent Malware:
The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat. We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Save yourself the hassle and get protected.
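The six Internet Explorer zone changes in the post above, expressed as a registry audit (an added example, not LDTate's or the forum's code): it reads the per-user Internet zone key and compares each listed action with the value the post recommends. The key path, the action IDs and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are assumptions taken from IE's zone-settings layout; a value that is absent means the zone template default applies, not that the setting is insecure.

```powershell
# Added example: audit the Internet zone (Zone 3) settings named in the post.
# Assumption: per-user IE zone settings live under this key (HKLM applies
# instead when the Security_HKLM_only policy is set).
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> description and recommended value (assumed ID mapping).
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneAudit {
    param([string]$Path = $ZonePath)
    # Missing key or missing values are reported, not treated as errors.
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $current = if ($key -and $null -ne $key.$id) { [int]$key.$id } else { $null }
        [pscustomobject]@{
            ActionId    = $id
            Setting     = $Recommended[$id].Name
            Current     = if ($null -eq $current) { 'not set (template default)' } else { $Label[$current] }
            Recommended = $Label[$Recommended[$id].Want]
            Compliant   = ($current -eq $Recommended[$id].Want)
        }
    }
}

# Optional remediation for the current user only; same effect as the
# Custom Level clicks in the post, one DWORD per action.
function Set-IeZoneRecommended {
    param([string]$Path = $ZonePath)
    foreach ($id in $Recommended.Keys) {
        Set-ItemProperty -Path $Path -Name $id -Value $Recommended[$id].Want -Type DWord
    }
}

Get-IeZoneAudit | Format-Table -AutoSize
```

Run the audit before and after applying the settings; any row still showing Compliant = False after Set-IeZoneRecommended points to a machine-level policy overriding the user key.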
LDTate Posted July 26, 2011 ID:458792
Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.