mwalimu

Regular Member
Content count: 53
  1. I was afraid you were going to say that. The domain in question (not the original one the application tries to access, but the one it now gets redirected to) is areasnap(dot)com. Consider this a feature request - the ability to suppress notification of attempts to access a website (either at the site or the app level) while keeping the block in place.
  2. I am running the paid version of MBAM. I have one particular application that keeps triggering a site-block popup. The application is trying to access its home website, "phone home" if you will, except that it's orphan software and the website no longer exists. Recently that domain was cybersquatted by someone MBAM blocks, and now whenever I use that application I am constantly seeing the popups from MBAM warning me about the site. Is there a way to suppress the warning popups to that particular site? Mind you, I have no reason to access the site and still want to block it, so I don't want to exclude it. I just want to get rid of the popups. Is there a way to have MBAM block a site quietly?
  3. If I want to install MalwareBytes Anti-Malware PRO on two computers (and possibly a third that I may be purchasing in a few months), do I have to buy a separate copy for each? I've seen other software products that permit the buyer to install the paid version of their program on up to four computers in a single household.
  4. Yes, still checking in here from time to time. No new issues or any other evidence of malware. (I have to wonder if there's any known malware that does things like look in the trash folder of your e-mail client and runs executable e-mail attachments it finds there.)
  5. I returned the computer to him yesterday. I'll send him a link to this thread so he can review your final list of suggestions (as well as everything else we did). Would it be okay to keep this thread unlocked for a week or two, in case he has any questions or encounters any problems? (There were after all a number of key applications that I never once opened or tested (Outlook, for instance), and if any of them are now not working...) He may even register and post here himself. Until the memory in the computer gets upgraded, any additional applications that are memory resident represent a trade-off of security vs. performance. Where SpywareBlaster lands in this regard may depend on how big its "memory footprint" is. I added the HOSTS file from MVPS to his computer (also added it to my own) before I returned it. That, like other anti-malware measures, appears to need to be updated periodically. I have WOT on my computer and am quick to concur with the recommendation. The computer was current with Windows updates when I returned it. I personally don't recommend having automatic updates set to the "Automatic (recommended)" setting; I don't trust MS 100% and I don't like anything that reboots my computer when it's running unattended, but I absolutely do recommend getting most updates installed in a timely fashion. Have a happy Easter!
  6. It looks like it found quite a bit, but all of it is in mail folders. Would I be correct in thinking I should empty trash, compact folders, and rerun the scan? (The ones with Eudora in the path, all of which are marked merely 'Suspicious', are essentially archived mail. But I do want to make certain that all of the 'Infected:' entries have been cleared once I empty trash/compact (and I should do that more often).)
     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Thursday, April 1, 2010
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Thursday, April 01, 2010 12:47:01
     Records in database: 3912635
     --------------------------------------------------------------------------------
     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes
     Scan area - My Computer: C:\ D:\ E:\ F:\ G:\
     Scan statistics:
     Objects scanned: 409884
     Threats found: 52
     Infected objects found: 94
     Suspicious objects found: 13
     Scan duration: 05:34:31
     Selected area has been scanned.
  7. More followup... Something kept knocking out Winsock resulting in 10107 errors. I kept resetting it. Eventually I figured out that the culprit was CyberSitter. At some point while installing Avast or SuperAntiSpyware and running checks it removed a file used by CyberSitter, which it interpreted as tampering, and locked down all internet access; its method of locking down caused other applications to get the 10107 errors. Once I realized what was going on I updated its files (which apparently restored the one it was missing), changed a couple of other settings, and it hasn't gotten in the way since. Upon subsequently rerunning the SuperAntiSpyware scan, it again flagged the same 29 files as having Rogue.Agent/Gen-Nullo[DLL]. I surmised that these were the ones CyberSitter had complained about being missing and had restored (the filenames more or less corresponded to a list of exclusions I found within CA) so I marked them as trusted. I'll be saying something to my brother about these.
  8. As far as I can tell, everything seems to be running okay at the moment. Since some of the problems I reported earlier were intermittent, I'll be sure to mention any problems I notice in a follow-up post.
     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 3939
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702
     3/31/2010 7:23:37 PM
     mbam-log-2010-03-31 (19-23-37).txt
     Scan type: Quick scan
     Objects scanned: 124680
     Time elapsed: 5 minute(s), 16 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  9. A couple of Google searches, a couple of netsh commands later, and the computer is recovered from the 10107 errors, and MBAM and Firefox now work as before. Unless you have any last minute dire warnings about the infections that SuperAntiSpyware found and fixed, I'll be returning the computer to my brother shortly (tomorrow at the earliest).
  10. Just a few comments off the top of my head... STEP 01 - Those were files (not directories), and the date/time stamps closely match when the XP Security Tool 2010 infection occurred. I believe they are likely to be random-named counterparts corresponding to the files identified as QJyrk5wvCU1 in this post. I could just delete them, unless you think it would be safer to drop them into a CFScript.txt and run ComboFix. STEP 05 - That's the same primary DNS I have under my TCP settings, and appears to be valid (Comcast is my ISP). STEP 06 - Already!? Didn't they just release update 18 less than two weeks ago? (Of course I'll go ahead and update it.) I shall follow those steps when I get home from work in a couple of hours.
  11. Okay, maybe I'm not quite done yet after all. After uninstalling AVG and installing Avast and SuperAntiSpyware, now all of a sudden I'm getting "MBAM_ERROR_UPDATING (10107, 0, WinHttpResponse) A system call that should never fail has failed." Additionally I am now unable to access the web in Firefox. SASW found and quarantined some things no previous scan had detected. Among them are two registry keys that it flagged under Trojan.Agent/Gen-Alureon, and 29 .DLL files from c:\windows\system32 that it flagged as Rogue.Agent/Gen-Nullo[DLL]. I'm tempted to Restore the files, and see if it resolves the MBAM error and the web access problem, but neither do I want to ignore the possibility that it found a previously undetected infection of some sort.
  12. The computer is back running again. Apparently it was a problem with the memory modules. After a bit of finagling with them I've got it running again with 2G (vs. 4G it had before) and I'm going to see if I can get if not all 4G at least 3G of it working again. But it does not appear there was any problem with ComboFix or my c: drive.
  13. Arrgh! My computer was suddenly getting very laggy performance doing certain things, so I decided to close everything and reboot. And now all of a sudden it won't boot up. When I power it on, it just keeps beeping at me five times, over and over. I can't get it to safe mode or even a setup screen. I have no idea whether it's something that happened as a result of running ComboFix, or is a hardware or HD problem that happened to choose this moment to rear its head. I do, however, have a backup computer and have the ability to pull the boot drive from the main computer and plug it into that one.
  14. Done... That ran faster than I expected (and it didn't even reboot). Three files that are not mentioned anywhere in the log that I had somewhat expected are these:
     C:\Documents and Settings\All Users\Application Data\VH56DJI7u87yo
     C:\Documents and Settings\Joe\Local Settings\Application Data\VH56DJI7u87yo
     C:\Documents and Settings\Joe\Templates\VH56DJI7u87yo
     A fourth file that was present a couple of days ago was no longer present. I'm guessing ComboFix removed it, but it's possible I did and didn't realize it:
     C:\Documents and Settings\Joe\Local Settings\temp\VH56DJI7u87yo
     A few other files in these directories that look suspicious to me:
     C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     C:\Documents and Settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat
     C:\Documents and Settings\Joe\Local Settings\temp\c98e020c-aebc-46d7-a491-7d91bd2b7e60.mht
     One other symptom I hadn't mentioned previously - my default browser was changed to MSIE a few days ago (this was well after I had cleaned up the initial infection and changed it back to Firefox). Just now after running ComboFix I noticed it had been changed to MSIE again. This time I know it had been Firefox as recently as a couple of hours ago and I don't think I did anything to change it. Would ComboFix do that? Without further ado, here is the log...
     ComboFix.txt:
     ComboFix 10-03-29.04 - Joe 03/30/2010 22:04:02.2.2 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3584.2770 [GMT -5:00]
     Running from: c:\documents and settings\Joe\Desktop\ComboFix.exe
     AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\CPQDIAG.EXE
     c:\windows\system32\CMMGR32.EXE
     c:\windows\YOURAPP.EXE
     .
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 ))))))))))))))))))))))))))))))) . 2010-03-30 13:57 . 2010-03-30 13:57 516480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerAddin.dll 2010-03-26 04:19 . 2010-01-22 18:11 62800 ----a-w- c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\ls0u18xg.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll 2010-03-26 04:19 . 2010-03-26 04:19 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\AVG Security Toolbar 2010-03-26 04:15 . 2010-03-26 04:15 -------- d-sh--w- c:\documents and settings\Me\IETldCache 2010-03-25 05:23 . 2010-03-25 05:23 -------- d-----w- c:\documents and settings\Joe\Application Data\Auslogics 2010-03-25 05:23 . 2010-03-25 05:23 -------- d-----w- c:\program files\Auslogics 2010-03-25 05:17 . 2010-03-25 05:17 503808 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\msvcp71.dll 2010-03-25 05:17 . 2010-03-25 05:17 499712 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\jmc.dll 2010-03-25 05:17 . 2010-03-25 05:17 348160 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2de80eef-n\msvcr71.dll 2010-03-25 05:17 . 2010-03-25 05:17 61440 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64a700e1-n\decora-sse.dll 2010-03-25 05:17 . 2010-03-25 05:17 12800 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-64a700e1-n\decora-d3d.dll 2010-03-24 23:36 . 2010-03-24 23:36 -------- d-----w- c:\documents and settings\Joe\Application Data\AVG9 2010-03-24 17:05 . 
2010-03-24 17:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp 2010-03-22 05:32 . 2010-03-22 05:32 152576 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2010-03-22 05:30 . 2010-03-22 05:31 79488 ----a-w- c:\documents and settings\Joe\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2010-03-21 21:37 . 2010-03-21 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2010-03-21 20:16 . 2010-03-21 20:26 -------- d-----w- c:\documents and settings\Joe\dwhelper 2010-03-15 05:09 . 2010-03-15 05:09 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll 2010-03-15 05:09 . 2010-03-15 05:09 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll 2010-03-15 05:06 . 2010-03-15 05:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} 2010-03-15 05:06 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe 2010-03-14 13:44 . 2010-03-14 13:44 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys 2010-03-14 13:44 . 2010-03-14 13:44 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys 2010-03-14 13:44 . 2010-03-14 13:44 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys 2010-03-14 13:44 . 2010-03-14 13:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2010-03-14 07:12 . 2010-03-14 07:12 766 ----a-r- c:\documents and settings\Joe\Application Data\Microsoft\Installer\{9362ED08-0D76-4C8B-B039-614D45B0C786}\_4ae13d6c.exe 2010-03-14 07:12 . 2010-03-14 07:12 -------- d-----w- c:\program files\Ruud 2010-03-12 02:33 . 
2010-03-12 02:33 -------- d-----w- c:\program files\FFmpeg for Audacity 2010-03-12 00:17 . 2010-03-31 02:56 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\ApexDC++ 2010-03-12 00:17 . 2010-03-31 02:56 -------- d-----w- c:\documents and settings\Joe\Application Data\ApexDC++ 2010-03-11 01:48 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-31 03:00 . 2009-01-25 08:21 -------- d-----w- c:\program files\Trillian 2010-03-30 23:25 . 2009-01-25 06:38 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-03-30 05:50 . 2009-02-01 04:20 -------- d-----w- c:\documents and settings\Joe\Application Data\Simple Sudoku 2010-03-30 03:14 . 2009-01-25 20:52 -------- d-----w- c:\documents and settings\Joe\Application Data\Winamp 2010-03-30 03:13 . 2009-01-28 05:43 -------- d-----w- c:\program files\AQScript 2010-03-30 03:13 . 2009-01-30 00:45 -------- d-----w- c:\documents and settings\Joe\Application Data\foobar2000 2010-03-30 00:54 . 2010-01-09 07:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-03-30 00:54 . 2010-01-09 18:55 5918720 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-03-29 20:24 . 2010-01-09 11:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-29 20:24 . 2010-01-09 11:10 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-25 05:22 . 2010-01-11 14:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-03-25 05:17 . 2009-02-15 20:36 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-03-22 05:33 . 2009-01-19 05:56 -------- d-----w- c:\program files\Java 2010-03-21 20:32 . 2009-05-26 02:17 -------- d-----w- c:\program files\Mp3tag 2010-03-21 04:42 . 
2010-01-09 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-03-20 04:10 . 2010-02-23 00:03 -------- d-----w- c:\program files\Links 2003 2010-03-15 05:09 . 2009-11-26 18:15 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-03-15 05:09 . 2009-11-26 18:14 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys 2010-03-15 05:09 . 2009-11-26 18:14 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll 2010-03-15 05:09 . 2009-05-31 06:50 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2010-03-15 05:09 . 2009-01-25 08:05 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-15 05:09 . 2009-11-26 18:14 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll 2010-03-15 05:09 . 2009-11-26 18:14 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll 2010-03-15 05:09 . 2009-06-21 06:50 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2010-03-15 05:06 . 2009-01-25 07:49 -------- d-----w- c:\program files\Lavasoft 2010-03-14 13:44 . 2009-01-19 06:07 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2010-03-14 13:44 . 2009-01-19 06:07 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2010-03-14 13:44 . 2009-01-19 06:07 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2010-03-14 09:19 . 2009-01-25 04:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat 2010-03-12 02:36 . 2009-06-07 06:34 -------- d-----w- c:\documents and settings\Joe\Application Data\Audacity 2010-03-12 00:30 . 2009-12-05 02:16 -------- d-----w- c:\program files\ApexDC++ 2010-03-11 14:59 . 
2009-11-26 18:15 482288 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2010-03-11 14:57 . 2009-01-19 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-03-01 12:15 . 2009-09-27 06:50 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2010-02-26 00:48 . 2010-02-26 00:47 -------- d-----w- c:\program files\VS60 2010-02-23 00:08 . 2010-02-23 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Links 2003 2010-02-08 14:52 . 2010-01-19 05:42 -------- d-----w- c:\program files\SpywareGuard 2010-02-08 14:51 . 2010-01-19 05:37 -------- d-----w- c:\program files\SpywareBlaster 2010-02-06 06:57 . 2009-07-22 02:31 -------- d-----w- c:\program files\Google 2010-02-04 16:01 . 2010-02-18 02:13 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll 2010-02-04 16:01 . 2010-02-18 02:13 528216 ----a-w- c:\windows\system32\XAudio2_6.dll 2010-02-04 16:01 . 2010-02-18 02:13 238936 ----a-w- c:\windows\system32\xactengine3_6.dll 2010-02-04 16:01 . 2010-02-18 02:13 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll 2010-02-04 15:53 . 2009-01-25 07:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-01-30 22:38 . 2009-02-04 03:35 -------- d-----w- c:\program files\Paint Shop Pro 7 2010-01-27 12:15 . 2009-06-21 06:50 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll 2010-01-09 11:14 . 2009-02-01 00:50 91840 ----a-w- c:\documents and settings\Joe\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2009-05-13 21:38 679936 ----a-w- c:\program files\Perforce\p4exp.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-30 818256]
"P17Helper"="P17.dll" [2005-05-04 64512]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ISUSScheduler"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [2004-07-27 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-03 49152]
"DefaultP17"="P17Def.Exe" [2005-05-03 20480]

c:\documents and settings\Joe\Start Menu\Programs\Startup\
Webshots.lnk - c:\program files\Webshots\Launcher.exe [2009-1-27 63064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-14 13:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"eabconfg.cpl"=c:\program files\HPQ\Quick Launch Buttons\EabServr.exe /Start
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"SynTPLpr"=c:\program files\Synaptics\SynTP\SynTPLpr.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Smapp"=c:\program files\Analog Devices\SoundMAX\SMTray.exe
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe"
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
"DrvLsnr"=c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe
"ChkAdmin"=c:\progra~1\Compaq\COMPAQ~1\CHKADMIN.EXE
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"CPQDFWAG"=c:\windows\Cpqdiag\CpqDfwAg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.1.8125-to-2.4.2.8278-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
"c:\\Program Files\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Trebuchet Tk\\tclkit\\tcl-kit.exe"=
"c:\\Program Files\\LeechFTP\\Leechftp.exe"=
"c:\\Program Files\\