Welcome. Thank you for using Dell Community Forums.
I am reviewing your log. In the meantime, you can help me by addressing the following:
* Have you have posted this issue on another forum? If so, please provide a link to the topic.
* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.
* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
When you get to the Startup tab, UNcheck the entry for (Spybot)TeaTimer until this is over... 1. Open Spybot 2. Click Mode -> Advanced Mode 3. Click Yes 4. Click Tools (located in the bottom left corner) -> Resident 5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active' 6. Then close Spybot. Reboot. Verify that Teatimer is not running. After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer
I look forward to your reply so we can begin cleaning.
No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.
I have cannot find the Teatimer in Spybot to deactivate it.
Did you click on
Advanced Mode in Spybot? If you cannot deactivate Teatimer per instructions above, please uninstall Spybot. From Safe Mode, try removing Spybot from Add/Remove Programs in Control Panel... One way or the other we need to get TeaTimer turned off or we will not be able to permanently fix this thing... DO NOT try to just delete Spybot as that can make things worse....
Once you get Spybot deactivated, or removed, please do the following:
Download DDS by sUBs from one of the following links. Save it to your desktop.
A small box will open, with an explanation about the tool.
Click Yes at the prompt for Optional Scan.
When done, DDS will open two (2) logs
1. DDS.txt 2. Attach.txt
Save both reports to your desktop.
Copy/paste both logs to your reply on the forum. Do not attach them.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.
Download Security Check by screen317 and save it to your Desktop: here or here
Run Security Check
Follow the onscreen instructions inside of the command window.
A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
DDS (Ver_10-03-17.01) - NTFSx86 Run by James at 9:35:41.31 on Sun 07/25/2010 Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20 Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.115 [GMT -5:00]
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Basic Boot Device: \Device\HarddiskVolume3 Install Date: 11/21/2009 9:32:23 PM System Uptime: 7/25/2010 9:19:14 AM (0 hours ago)
Motherboard: Dell Inc. | | 0UW744 Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 |
1800/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 64 GiB total, 1.642 GiB free. D: is FIXED (NTFS) - 8 GiB total, 2.735 GiB free. E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: Description: Base System Device Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01\4&B216F0A&0&09A4 Manufacturer: Name: Base System Device PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01
\4&B216F0A&0&09A4 Service:
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f} Description: Officejet J6400 series Device ID: ROOT\IMAGE\0000 Manufacturer: HP Name: Officejet J6400 series PNP Device ID: ROOT\IMAGE\0000 Service: StillCam
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318} Description: Deskjet 6980 series Device ID: ROOT\MULTIFUNCTION\0000 Manufacturer: HP Name: Deskjet 6980 series PNP Device ID: ROOT\MULTIFUNCTION\0000 Service:
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318} Description: Officejet J6400 series Device ID: ROOT\MULTIFUNCTION\0001 Manufacturer: HP Name: Officejet J6400 series PNP Device ID: ROOT\MULTIFUNCTION\0001 Service:
Class GUID: {4d36e979-e325-11ce-bfc1-08002be10318} Description: Officejet J6400 series Device ID: ROOT\PRINTER\0000 Manufacturer: HP Name: Officejet J6400 series PNP Device ID: ROOT\PRINTER\0000 Service:
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
µTorrent 32 Bit HP CIO Components Installer 6400_Help ABBYY FineReader 5.0 Sprint Ad-Aware Ad-Aware Email Scanner for Outlook Adobe Acrobat 9 Pro Extended - English, Français, Deutsch Adobe Acrobat 9.3.1 - CPSID_50570 Adobe AIR Adobe Anchor Service CS4 Adobe Bridge CS4 Adobe CMaps CS4 Adobe Color - Photoshop Specific CS4 Adobe Color EU Extra Settings CS4 Adobe Color JA Extra Settings CS4 Adobe Color NA Recommended Settings CS4 Adobe Color Video Profiles CS CS4 Adobe CSI CS4 Adobe Default Language CS4 Adobe Device Central CS4 Adobe Dreamweaver CS4 Adobe Drive CS4 Adobe ExtendScript Toolkit CS4 Adobe Extension Manager CS4 Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Fonts All Adobe Linguistics CS4 Adobe Media Player Adobe Output Module Adobe PDF Library Files CS4 Adobe Photoshop CS4 Adobe Photoshop CS4 Support Adobe Search for Help Adobe Service Manager Extension Adobe Setup Adobe Type Support CS4 Adobe Update Manager CS4 Adobe WinSoft Linguistics Plugin Adobe XMP Panels CS4 AdobeColorCommonSetCMYK AdobeColorCommonSetRGB Adventure Tools AIM 7 AIM Toolbar Apple Application Support Apple Mobile Device Support Apple Software Update avast! Antivirus Avatar - Path of Zuko Bonjour bpd_scan BPDSoftware BPDSoftware_Ini BufferChm Card Vault V1.5a CDisplay 1.8 Character Builder Connect CustomerResearchQFolder Dell Resource CD Destination Component DeviceDiscovery DeviceManagementQFolder DFOLauncher DocProc DocProcQFolder Download Updater (AOL LLC) Dundjinni Supplimental Objects Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.10.00.805 DVD Shrink 3.2 DVDFab 6.2.0.5 (11/11/2009) eSupportQFolder Fax GameSpy Arcade GetDiz 4.5 Google Chrome Google Toolbar for Internet Explorer Google Update Helper GPBaseService GPBaseService2 HiJackThis Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) HP Customer Participation Program 10.0 HP Imaging Device Functions 10.0 HP Officejet J6400 Series HP Photosmart Essential 2.5 HP Smart Web Printing 4.60 HP Solution Center 13.0 HP Update HPProductAssistant HPSSupply iTunes J6400 Java 2 Runtime Environment, SE v1.4.2_02 Java Auto Updater Java(TM) 6 Update 20 kuler LEGO® Harry Potter™: Years 1-4 Lexmark 1200 Series MagicDisc 2.7.106 Malwarebytes' Anti-Malware MarketResearch Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Security Update (KB953297) Microsoft .NET Framework 3.5 SP1 Microsoft Application Error Reporting Microsoft Choice Guard Microsoft Games for Windows - LIVE Microsoft Games for Windows - LIVE Redistributable Microsoft Office Access MUI (English) 2010 Microsoft Office Access Setup Metadata MUI (English) 2010 Microsoft Office Excel MUI (English) 2010 Microsoft Office Groove MUI (English) 2010 Microsoft Office InfoPath MUI (English) 2010 Microsoft Office OneNote MUI (English) 2010 Microsoft Office Outlook MUI (English) 2010 Microsoft Office PowerPoint MUI (English) 2010 Microsoft Office Professional Plus 2010 Microsoft Office Proof (English) 2010 Microsoft Office Proof (French) 2010 Microsoft Office Proof (Spanish) 2010 Microsoft Office Proofing (English) 2010 Microsoft Office Publisher MUI (English) 2010 Microsoft Office Shared MUI (English) 2010 Microsoft Office Shared Setup Metadata MUI (English) 2010 Microsoft Office Word MUI (English) 2010 Microsoft Reader Microsoft Silverlight Microsoft VC9 runtime libraries Microsoft Virtual PC 2007 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Mozilla Firefox (3.6.8) MSVCRT MSVCSetup MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Nero 8 neroxml NetDeviceManager NVIDIA PhysX OCR Software by I.R.I.S. 10.0 OGA Notifier 2.0.0048.0 Open R-Community Tools 3.9.1 Pando Media Booster PDF Settings CS4 Photoshop Camera Raw PowerDVD PowerISO ProductContext PSSWCORE Quicken 2010 QuickSet QuickTime Real Alternative 2.0.1 Scan Shop for HP Supplies SigmaTel Audio Skype™ 4.2 SmartWebPrinting SolutionCenter Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM) Status Suite Shared Configuration CS4 Synaptics Pointing Device Driver Toolbox Total Video Converter 3.20 090104 TrayApp Ultra Video Converter 4.4.0328 UnloadSupport Update for Microsoft .NET Framework 3.5 SP1 (KB963707) VASSAL (3.1.13) VCDEasy VCRedistSetup VideoToolkit01 Visual C++ 2008 x86 Runtime - (v9.0.30729) Visual C++ 2008 x86 Runtime - v9.0.30729.01 VLC media player 1.0.5 WebReg Winamp WinAVI Video Converter Windows Live Call Windows Live Communications Platform Windows Live Essentials Windows Live Messenger Windows Live Sign-in Assistant Windows Live Upload Tool WinRAR archiver Wizards Event Reporter World Mosaics 3 - Fairy Tales Yahoo! BrowserPlus 2.9.2 Yahoo! Messenger Yahoo! Software Update Yahoo! Toolbar Zeus & Poseidon
==== Event Viewer Messages From Past Week ========
7/25/2010 9:36:28 AM, Error: Service Control Manager [7011] - A timeout
(30000 milliseconds) was reached while waiting for a transaction response
from the avast! Antivirus service. 7/25/2010 9:24:51 AM, Error: Service Control Manager [7000] - The HP
Network Devices Support service failed to start due to the following error:
The service did not respond to the start or control request in a timely
DCOM got error "1053" attempting to start the service HPSLPSVC with
arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-
58330754E882} 7/25/2010 9:24:46 AM, Error: Service Control Manager [7009] - A timeout
was reached (30000 milliseconds) while waiting for the HP Network Devices
Support service to connect. 7/25/2010 9:24:15 AM, Error: Service Control Manager [7009] - A timeout
was reached (30000 milliseconds) while waiting for the avast! Web Scanner
service to connect. 7/25/2010 9:24:15 AM, Error: Service Control Manager [7000] - The avast!
Web Scanner service failed to start due to the following error: The
service did not respond to the start or control request in a timely
fashion. 7/25/2010 9:23:38 AM, Error: Service Control Manager [7022] - The HP CUE
DeviceDiscovery Service service hung on starting. 7/25/2010 9:23:37 AM, Error: Microsoft-Windows-DistributedCOM [10016] -
The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {C97FCC79-E628-407D-
AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from
address LocalHost (Using LRPC). This security permission can be modified
using the Component Services administrative tool.
==== End Of File ===========================
Security Check Checkup
Results of screen317's Security Check version 0.99.4 Windows Vista Service Pack 2 (UAC is enabled) Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! avast! Antivirus Antivirus up to date! ``````````````````````````````` Anti-malware/Other Utilities Check: Ad-Aware Malwarebytes' Anti-Malware Java(TM) 6 Update 20 Java 2 Runtime Environment, SE v1.4.2_02 Adobe Flash Player 10.1.53.64 Mozilla Firefox (3.6.8) ```````````````````````````````` Process Check: objlist.exe by Laurent Windows Defender MSASCui.exe Ad-Aware AAWService.exe Ad-Aware AAWTray.exe Alwil Software Avast4 aswUpdSv.exe Alwil Software Avast4 ashServ.exe Alwil Software Avast4 ashDisp.exe Alwil Software Avast4 ashMaiSv.exe Alwil Software Avast4 ashWebSv.exe Windows Defender MSASCui.exe Alwil Software Avast4 ashSimpl.exe ```````````````````````````````` DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
Please remove DVD Shrink 3.2, DVDFab 6.2.0.5, and uTorrent. If you want to be responsible for legalities involved in the use of the software, you can install them on your own after we are finished.
Please visit this webpage for download links, and instructions for running ComboFix (If you have a prior copy of Combofix, delete it now!) :
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Vista systems usually have this included. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If not already installed, follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected Restored copy from - Kitty had a snack :p . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) .
-------\Service_osppsvc
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 ))))))))))))))))))))))))))))))) .
- - End Of File - - AB3982E0AC40B0C9E4BF58CED61EEFE9
HiJack This Log
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 2:46:23 PM, on 7/25/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18928) Boot mode: Normal
Please disable Avast before running this next procedure with ComboFix:
Right-click "Avast Antivirus" icon on the task bar. The task bar is located on the bottom of your screen. Click "Access Protection Control." Enter the same password that you used when you first installed the program. Click "OK." This will bring you to the scanner window. Click "Terminate" to disable Avast Anti-virus protection and email scanning. Click "OK" to confirm and save changes.
Disconnect from the internet....pull the plug!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.
Otherwise, they may interfere with running ComboFix.
Open Notepad and copy/paste the following text between the lines below.
Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once.Do not try to edit extra spaces.
It will copy correctly to Notepad if you highlight and copy as is.
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again.
Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
Following that, please run an online virus scan by Kaspersky from HERE.
1. At the main page. Press on " Accept". After reading the contents. 2. At the next window Select Update. Allow the Database to update. Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run. 3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete. 4. Select Scan Report. 5. If any threats were found they will appear in the report 6. Select "Save error report as" Then in the file name just type in kaspersky Under "save as type" select text .txt Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan, along with your ComboFix log. If no threats were found then report that as well. Let me know how things are running.
- - End Of File - - 813C5C4A25AD36C797FB6759094F0A89
Kaspersky Scan Log
-------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Monday, July 26, 2010 Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Monday, July 26, 2010 08:16:21 Records in database: 4201914 --------------------------------------------------------------------------------
Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes
- - End Of File - - 538E3DD0936E235BC8707AC46FAED4C8
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 9:16:12 AM, on 7/27/2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18928) Boot mode: Normal
It appears that ComboFix was able to delete what it was trying to do the first time, but I see that Avast was still enabled. If you have a problem with your Adobe Reader or any of the programs that had corrupt files that CF fixed, you may have to reinstall them.
Let me know how things are running now. If everything is back to normal we'll clean up Java, and remove our tools.
I disabled Avast to run the ComboFix but ComboFix didn't recognize that Avast was disabled. So far everything seems to be running correctly, my search engines are no longer being redirected to other sites and no windows are opening mysteriously without me clicking anything. Windows Update has the following error codes when attempting to install 3 new important updates: 643 and 646.
** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.
** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up. In the Windows Tab:
Clean all entries in the "Internet Explorer" section.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose. In the Applications Tab:
Clean all in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done. REBOOT.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.
Scroll down to where it says JDK 6 Update 21 (JDK or JRE) .
Click the "Download JRE" button to the right.
Use the dropdown menu to select your platform.
Check the box to: "Accept License Agreement".
NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each of the Java versions. Close Add/Remove.
* In Windows Explorer, navigate to C:\Program Files\Java =this folder. Delete any subfolders.
* Do NOT delete C:\Program Files\
JavaVM =this folder, if found!
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
* Go to Start-->Control Panel-->Java-->Advanced-->Miscellaneous and uncheck the box for Java Quick Starter.
Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.
The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:
1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system, Office, and IE. The first defense against infection is a properly patched OS from Microsoft Update at update.microsoft.com. More info HERE.
2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.. Run a complete system scan with your anti-virus at least once a week...preferably in Safe mode. If your anti-virus program is a paid/licensed version that is about to expire, you can consider using a free one such as: Microsoft Security Essentials AntiVir Personal Edition Classic Avast! 4 Home Edition
If you prefer not to use the Windows Firewall, there are several of the freeware Firewalls available on the public domain.
3. Using an alternate browser can reduce your chance of certain infections installing themselves. You might consider installing Mozilla / Firefox. http://www.mozilla.com/en-US/
4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.
5. Keep your software updated...make it easier on yourself and install the free security tool Secunia PSI .
6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.
7. Web Of Trust , uses colored alerts to warn about risky websites warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Red for Warning = STOP
Yellow for Use Caution
Green for Safe
Grey for Unknown
There is a Web Of Trust version for Firefox as well.
8. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html It will: Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox. Restrict the actions of potentially unwanted sites in Internet Explorer. Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html Periodically check for updates.
9. You might want to install Winpatrol. Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can download a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems.
10. Many of us in the online security community have tried and tested programs to determine their abilities. Please remember that there is no guarantee regarding computer security. However, the available software, combined with the rest of these recommendations will contribute to helping your system running safely.
Here are some helpful articles: How did I get infected? HERE
I'm not pulling your leg, honest? by Sandi Hardmeier HERE
Let us know if we have not resolved your problem. Otherwise, you are good to go. Happy and Safe Surfing!
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 24th, 2010 11:00
Welcome. Thank you for using Dell Community Forums.
I am reviewing your log. In the meantime, you can help me by addressing the following:
* Have you have posted this issue on another forum? If so, please provide a link to the topic.
* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.
* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
Please disable Spybot's Teatimer via MSCONFIG:
http://www.netsquirrel.com/msconfig/msconfig_vista.html
When you get to the Startup tab, UNcheck the entry for (Spybot)TeaTimer until this is over...
1. Open Spybot
2. Click Mode -> Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) -> Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot.
Reboot.
Verify that Teatimer is not running.
After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer
I look forward to your reply so we can begin cleaning.
No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.
JamesRJ3
8 Posts
0
July 24th, 2010 20:00
I have not posted this problem in any other forums.
As far as I know my System Restore is Active.
There is no Cracked software on my computer and I do not use any P2P software.
This computer belongs to me and I am the only person that uses it.
I have cannot find the Teatimer in SPybot to deactivate it.
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 25th, 2010 05:00
Once you get Spybot deactivated, or removed, please do the following:
1. DDS.txt
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.
Download Security Check by screen317 and save it to your Desktop: here or here
JamesRJ3
8 Posts
0
July 25th, 2010 09:00
DDS Report
DDS (Ver_10-03-17.01) - NTFSx86
Run by James at 9:35:41.31 on Sun 07/25/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.115 [GMT -5:00]
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\sttray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\lxczcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\notepad.exe
C:\Users\James\Desktop\dds.scr
C:\Windows\system32\taskeng.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [wlcomp] c:\users\james\wlcomp.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ ]
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [hpqSRMon]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
StartupFolder: c:\users\james\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}
\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: acaptuser32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\users\james\appdata\roaming\mozilla\firefox\profiles\eh65ncc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\james\appdata\roaming\mozilla\firefox\profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}
\components\FFExternalAlert.dll
FF - component: c:\users\james\appdata\roaming\mozilla\firefox\profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}
\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\james\appdata\local\yahoo!\browserplus\2.9.2\plugins\npybrowserplus_2.9.2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows
presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-
handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",
"chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",
"chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-6 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-21 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-21 53328]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-11-22 16896]
=============== Created Last 30 ================
2010-07-20 06:26:55 0 d-----w- c:\windows\system32\catroot2
2010-07-16 17:48:49 0 d-----w- c:\program files\Trend Micro
2010-07-13 15:02:04 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-07-13 15:00:35 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-13 14:20:37 0 d-----w- c:\program files\Microsoft Analysis Services
2010-07-11 06:07:30 0 d-----w- c:\users\james\appdata\roaming\NeopleLauncherDFO
2010-07-09 11:51:17 0 d-----w- C:\Nexon
2010-07-09 11:47:55 0 d-----w- c:\programdata\NexonUS
2010-07-09 02:51:33 1189757472 ----a-w- c:\program files\DFOSetup22.exe
2010-07-05 14:25:53 0 d-----w- c:\users\james\appdata\roaming\Malwarebytes
2010-07-05 14:23:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 14:22:55 0 d-----w- c:\programdata\Malwarebytes
2010-07-05 14:22:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 14:22:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 15:56:02 0 d-----w- c:\program files\ABBYY FineReader 6.0
2010-07-04 15:56:01 0 d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-06-29 21:53:58 112 ----a-w- c:\programdata\7Bk038Cv.dat
2010-06-29 01:46:27 0 d-----w- c:\users\james\appdata\roaming\WB Games
2010-06-29 01:24:27 0 d-----w- c:\program files\WB Games
==================== Find3M ====================
2010-06-19 14:53:13 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-19 14:53:13 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-19 14:53:13 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-17 03:20:45 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-06 08:19:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-30 19:01:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 12:05:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 19:45:56 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 19:45:56 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2009-12-07 09:25:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-23 14:19:28 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-09 14:00:20 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-11-25 03:15:15 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2006-11-22 14:55:54 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 9:40:19.97 ===============
DDS Attach
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-03-17.01)
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 11/21/2009 9:32:23 PM
System Uptime: 7/25/2010 9:19:14 AM (0 hours ago)
Motherboard: Dell Inc. | | 0UW744
Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 |
1800/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 64 GiB total, 1.642 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 2.735 GiB free.
E: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01\4&B216F0A&0&09A4
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01F51028&REV_01
\4&B216F0A&0&09A4
Service:
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Officejet J6400 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Deskjet 6980 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet 6980 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet J6400 series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
Class GUID: {4d36e979-e325-11ce-bfc1-08002be10318}
Description: Officejet J6400 series
Device ID: ROOT\PRINTER\0000
Manufacturer: HP
Name: Officejet J6400 series
PNP Device ID: ROOT\PRINTER\0000
Service:
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
µTorrent
32 Bit HP CIO Components Installer
6400_Help
ABBYY FineReader 5.0 Sprint
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.3.1 - CPSID_50570
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Adventure Tools
AIM 7
AIM Toolbar
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Antivirus
Avatar - Path of Zuko
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
BufferChm
Card Vault V1.5a
CDisplay 1.8
Character Builder
Connect
CustomerResearchQFolder
Dell Resource CD
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DFOLauncher
DocProc
DocProcQFolder
Download Updater (AOL LLC)
Dundjinni Supplimental Objects
Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.10.00.805
DVD Shrink 3.2
DVDFab 6.2.0.5 (11/11/2009)
eSupportQFolder
Fax
GameSpy Arcade
GetDiz 4.5
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPBaseService
GPBaseService2
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Officejet J6400 Series
HP Photosmart Essential 2.5
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPProductAssistant
HPSSupply
iTunes
J6400
Java 2 Runtime Environment, SE v1.4.2_02
Java Auto Updater
Java(TM) 6 Update 20
kuler
LEGO® Harry Potter™: Years 1-4
Lexmark 1200 Series
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Reader
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.8)
MSVCRT
MSVCSetup
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 8
neroxml
NetDeviceManager
NVIDIA PhysX
OCR Software by I.R.I.S. 10.0
OGA Notifier 2.0.0048.0
Open R-Community Tools 3.9.1
Pando Media Booster
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
PowerISO
ProductContext
PSSWCORE
Quicken 2010
QuickSet
QuickTime
Real Alternative 2.0.1
Scan
Shop for HP Supplies
SigmaTel Audio
Skype™ 4.2
SmartWebPrinting
SolutionCenter
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Status
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
Toolbox
Total Video Converter 3.20 090104
TrayApp
Ultra Video Converter 4.4.0328
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VASSAL (3.1.13)
VCDEasy
VCRedistSetup
VideoToolkit01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.5
WebReg
Winamp
WinAVI Video Converter
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinRAR archiver
Wizards Event Reporter
World Mosaics 3 - Fairy Tales
Yahoo! BrowserPlus 2.9.2
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
Zeus & Poseidon
==== Event Viewer Messages From Past Week ========
7/25/2010 9:36:28 AM, Error: Service Control Manager [7011] - A timeout
(30000 milliseconds) was reached while waiting for a transaction response
from the avast! Antivirus service.
7/25/2010 9:24:51 AM, Error: Service Control Manager [7000] - The HP
Network Devices Support service failed to start due to the following error:
The service did not respond to the start or control request in a timely
fashion.
7/25/2010 9:24:51 AM, Error: Microsoft-Windows-DistributedCOM [10005] -
DCOM got error "1053" attempting to start the service HPSLPSVC with
arguments "" in order to run the server: {10DA4F3C-CC99-4190-BE4D-
58330754E882}
7/25/2010 9:24:46 AM, Error: Service Control Manager [7009] - A timeout
was reached (30000 milliseconds) while waiting for the HP Network Devices
Support service to connect.
7/25/2010 9:24:15 AM, Error: Service Control Manager [7009] - A timeout
was reached (30000 milliseconds) while waiting for the avast! Web Scanner
service to connect.
7/25/2010 9:24:15 AM, Error: Service Control Manager [7000] - The avast!
Web Scanner service failed to start due to the following error: The
service did not respond to the start or control request in a timely
fashion.
7/25/2010 9:23:38 AM, Error: Service Control Manager [7022] - The HP CUE
DeviceDiscovery Service service hung on starting.
7/25/2010 9:23:37 AM, Error: Microsoft-Windows-DistributedCOM [10016] -
The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {C97FCC79-E628-407D-
AE68-A06AD6D8B4D1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from
address LocalHost (Using LRPC). This security permission can be modified
using the Component Services administrative tool.
==== End Of File ===========================
Security Check Checkup
Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Java 2 Runtime Environment, SE v1.4.2_02
Adobe Flash Player 10.1.53.64
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
Windows Defender MSASCui.exe
Alwil Software Avast4 ashSimpl.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 25th, 2010 11:00
Please remove DVD Shrink 3.2, DVDFab 6.2.0.5, and uTorrent. If you want to be responsible for legalities involved in the use of the software, you can install them on your own after we are finished.
Please visit this webpage for download links, and instructions for running ComboFix (If you have a prior copy of Combofix, delete it now!) :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Double click on ComboFix.exe & follow the prompts.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.
JamesRJ3
8 Posts
0
July 25th, 2010 13:00
Combofix Log
ComboFix 10-07-24.03 - James 07/25/2010 13:53:51.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.306 [GMT -5:00]
Running from: c:\users\James\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\James\AppData\Roaming\inst.exe
c:\windows\system32\%appdata%
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_osppsvc
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-25 19:19 . 2010-07-25 19:27 -------- d-----w- c:\users\James\AppData\Local\temp
2010-07-25 19:19 . 2010-07-25 19:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-20 06:26 . 2010-07-20 06:29 -------- d-----w- c:\windows\system32\catroot2
2010-07-19 00:49 . 2010-07-23 00:30 -------- d-----w- c:\users\James\AppData\Roaming\vlc
2010-07-16 17:48 . 2010-07-16 17:48 -------- d-----w- c:\program files\Trend Micro
2010-07-13 15:02 . 2010-07-13 15:02 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft.NET
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-13 14:20 . 2010-07-13 14:20 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-11 06:07 . 2010-07-25 16:20 -------- d-----w- c:\users\James\AppData\Roaming\NeopleLauncherDFO
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- C:\Nexon
2010-07-09 11:47 . 2010-07-09 11:47 -------- d-----w- c:\programdata\NexonUS
2010-07-09 02:51 . 2010-07-09 03:13 1189757472 ----a-w- c:\program files\DFOSetup22.exe
2010-07-05 14:25 . 2010-07-05 14:25 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2010-07-05 14:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 14:22 . 2010-07-05 14:22 -------- d-----w- c:\programdata\Malwarebytes
2010-07-05 14:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 14:22 . 2010-07-05 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 15:56 . 2010-07-04 15:56 -------- d-----w- c:\program files\ABBYY FineReader 6.0
2010-07-04 15:56 . 2010-07-04 15:57 -------- d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-06-29 21:52 . 2010-06-29 21:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\PowerDVD DX
2010-06-29 01:46 . 2010-06-29 01:46 -------- d-----w- c:\users\James\AppData\Roaming\WB Games
2010-06-29 01:24 . 2010-06-29 01:24 -------- d-----w- c:\program files\WB Games
2010-06-27 03:20 . 2010-06-27 03:20 -------- d-----w- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 18:24 . 2009-11-22 04:31 -------- d-----w- c:\users\James\AppData\Roaming\uTorrent
2010-07-25 18:20 . 2009-11-28 15:53 -------- d-----w- c:\users\James\AppData\Roaming\Vso
2010-07-25 18:20 . 2009-11-28 15:53 47360 ----a-w- c:\users\James\AppData\Roaming\pcouffin.sys
2010-07-25 18:20 . 2009-11-28 15:57 -------- d-----w- c:\program files\DVD Shrink
2010-07-25 14:19 . 2009-11-26 04:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-25 14:16 . 2009-11-26 04:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-23 14:18 . 2009-11-28 20:58 -------- d-----w- c:\programdata\FLEXnet
2010-07-13 20:22 . 2009-11-22 01:40 820488 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-13 15:38 . 2009-11-22 17:22 -------- d-----w- c:\programdata\Microsoft Help
2010-07-13 15:03 . 2006-11-02 12:35 -------- d-----w- c:\program files\MSBuild
2010-07-13 14:03 . 2010-02-06 15:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SoftGrid Client
2010-07-13 14:02 . 2010-02-06 15:27 -------- d-----w- c:\users\James\AppData\Roaming\SoftGrid Client
2010-07-12 14:50 . 2009-11-22 16:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 14:37 . 2010-01-27 17:16 -------- d-----w- c:\program files\DivX
2010-07-09 20:31 . 2010-06-19 15:18 -------- d-----w- c:\program files\iTunes
2010-07-09 02:51 . 2009-11-22 04:24 -------- d-----w- c:\programdata\PMB Files
2010-07-05 18:29 . 2010-05-09 13:35 -------- d-----w- c:\users\James\AppData\Roaming\dvdcss
2010-07-03 04:21 . 2010-04-03 15:07 -------- d-----w- c:\program files\QuickTime
2010-07-03 04:21 . 2009-11-30 21:12 -------- d-----w- c:\program files\Winamp
2010-07-03 04:20 . 2009-11-26 15:17 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-07-03 04:20 . 2009-11-23 05:37 -------- d-----w- c:\program files\PowerISO
2010-06-29 21:53 . 2010-06-29 21:53 112 ----a-w- c:\programdata\7Bk038Cv.dat
2010-06-25 21:25 . 2010-01-11 04:59 680 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2010-06-23 20:17 . 2010-06-23 20:17 -------- d-----w- c:\program files\Real
2010-06-23 19:45 . 2010-06-23 19:45 -------- d-----w- c:\users\James\AppData\Roaming\Fugazo
2010-06-23 19:41 . 2010-06-23 19:41 -------- d-----w- c:\program files\LeeGTs Games
2010-06-19 15:18 . 2010-06-19 15:18 -------- d-----w- c:\program files\iPod
2010-06-19 15:18 . 2009-11-22 04:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-19 15:18 . 2009-11-22 04:34 -------- d-----w- c:\programdata\Apple Computer
2010-06-19 14:48 . 2010-06-19 14:48 -------- d-----w- c:\program files\Bonjour
2010-06-17 03:20 . 2009-11-28 19:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-11 08:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-06 15:54 . 2009-11-22 14:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 08:19 . 2010-06-06 08:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 13:42 . 2009-11-23 22:41 -------- d-----w- c:\users\James\AppData\Roaming\Skype
2010-06-03 13:25 . 2009-11-23 22:43 -------- d-----w- c:\users\James\AppData\Roaming\skypePM
2010-05-30 19:01 . 2010-05-30 19:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-26 17:06 . 2010-06-10 18:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 18:24 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2009-11-22 05:17 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 12:05 . 2010-05-21 12:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59 . 2010-06-10 18:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 18:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-10 18:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-10 18:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 18:22 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 19:45 . 2010-04-27 19:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 19:45 . 2010-04-27 19:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2006-11-22 14:55 . 2006-11-22 14:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-01-16 13:59 561552 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"wlcomp"="c:\users\James\wlcomp.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"hpqSRMon"="" [N/A]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-11-21 576000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2009-11-22 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):04,8f,fc,67,c1,75,ca,01
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]
S1 aswSP;avast! Self Protection;
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-03 1352832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:20]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFExternalAlert.dll
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\James\AppData\Local\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 14:26
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3108)
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-07-25 14:43:04 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 19:42
Pre-Run: 1,667,170,304 bytes free
Post-Run: 11,493,408,768 bytes free
- - End Of File - - AB3982E0AC40B0C9E4BF58CED61EEFE9
HiJack This Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:46:23 PM, on 7/25/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [wlcomp] C:\Users\James\wlcomp.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 10002 bytes
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 25th, 2010 14:00
Avast should have been disabled per instructions.
QUOTE:
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled*
Please disable Avast before running this next procedure with ComboFix:
Right-click "Avast Antivirus" icon on the task bar. The task bar is located on the bottom of your screen.
Click "Access Protection Control." Enter the same password that you used when you first installed the program. Click "OK." This will bring you to the scanner window.
Click "Terminate" to disable Avast Anti-virus protection and email scanning.
Click "OK" to confirm and save changes.
Disconnect from the internet....pull the plug!
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.
Otherwise, they may interfere with running ComboFix.
Open Notepad and copy/paste the following text between the lines below.
Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.
It will copy correctly to Notepad if you highlight and copy as is.
-----------------------------------------------------------------------------------
RenV::
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl .exe
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Common Files\Nero\Lib\NeroCheck .exe
c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Lexmark 1200 Series\lxczbmgr .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan .exe
c:\program files\PowerISO\PWRISOVM .exe
c:\program files\QuickTime\QTTask .exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe
c:\program files\Winamp\winampa .exe
----------------------------------------------------------------------------
Save this as CFScript.txt
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again.
Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
Following that, please run an online virus scan by Kaspersky from HERE.
2. At the next window Select Update. Allow the Database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the Database has finished, under the Scan icon Select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found they will appear in the report
6. Select "Save error report as"
Then in the file name just type in kaspersky
Under "save as type" select text .txt
Save it to your Desktop.
Copy and post the results of the Kaspersky Online scan, along with your ComboFix log. If no threats were found then report that as well.
Let me know how things are running.
JamesRJ3
8 Posts
0
July 26th, 2010 13:00
Combofix Log
ComboFix 10-07-24.03 - James 07/25/2010 17:07:56.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.280 [GMT -5:00]
Running from: c:\users\James\Desktop\ComboFix.exe
Command switches used :: c:\users\James\Documents\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
F:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-06-25 to 2010-07-25 )))))))))))))))))))))))))))))))
.
2010-07-25 22:27 . 2010-07-25 22:36 -------- d-----w- c:\users\James\AppData\Local\temp
2010-07-25 22:27 . 2010-07-25 22:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-25 22:27 . 2010-07-25 22:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-25 22:27 . 2010-07-25 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-20 06:26 . 2010-07-20 06:29 -------- d-----w- c:\windows\system32\catroot2
2010-07-19 00:49 . 2010-07-23 00:30 -------- d-----w- c:\users\James\AppData\Roaming\vlc
2010-07-16 17:48 . 2010-07-16 17:48 -------- d-----w- c:\program files\Trend Micro
2010-07-13 15:02 . 2010-07-13 15:02 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft.NET
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-13 14:20 . 2010-07-13 14:20 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-11 06:07 . 2010-07-25 20:46 -------- d-----w- c:\users\James\AppData\Roaming\NeopleLauncherDFO
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- C:\Nexon
2010-07-09 11:47 . 2010-07-09 11:47 -------- d-----w- c:\programdata\NexonUS
2010-07-09 02:51 . 2010-07-09 03:13 1189757472 ----a-w- c:\program files\DFOSetup22.exe
2010-07-05 14:25 . 2010-07-05 14:25 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2010-07-05 14:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 14:22 . 2010-07-05 14:22 -------- d-----w- c:\programdata\Malwarebytes
2010-07-05 14:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 14:22 . 2010-07-05 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 15:56 . 2010-07-04 15:56 -------- d-----w- c:\program files\ABBYY FineReader 6.0
2010-07-04 15:56 . 2010-07-04 15:57 -------- d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-06-29 21:52 . 2010-06-29 21:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\PowerDVD DX
2010-06-29 01:46 . 2010-06-29 01:46 -------- d-----w- c:\users\James\AppData\Roaming\WB Games
2010-06-29 01:24 . 2010-06-29 01:24 -------- d-----w- c:\program files\WB Games
2010-06-27 03:20 . 2010-06-27 03:20 -------- d-----w- c:\windows\Sun
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 22:07 . 2009-11-30 21:12 -------- d-----w- c:\program files\Winamp
2010-07-25 22:07 . 2010-04-03 15:07 -------- d-----w- c:\program files\QuickTime
2010-07-25 22:07 . 2009-11-26 15:17 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-07-25 22:07 . 2009-11-23 05:37 -------- d-----w- c:\program files\PowerISO
2010-07-25 18:24 . 2009-11-22 04:31 -------- d-----w- c:\users\James\AppData\Roaming\uTorrent
2010-07-25 18:20 . 2009-11-28 15:53 -------- d-----w- c:\users\James\AppData\Roaming\Vso
2010-07-25 18:20 . 2009-11-28 15:53 47360 ----a-w- c:\users\James\AppData\Roaming\pcouffin.sys
2010-07-25 18:20 . 2009-11-28 15:57 -------- d-----w- c:\program files\DVD Shrink
2010-07-25 14:19 . 2009-11-26 04:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-25 14:16 . 2009-11-26 04:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-23 14:18 . 2009-11-28 20:58 -------- d-----w- c:\programdata\FLEXnet
2010-07-13 20:22 . 2009-11-22 01:40 820488 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-13 15:38 . 2009-11-22 17:22 -------- d-----w- c:\programdata\Microsoft Help
2010-07-13 15:03 . 2006-11-02 12:35 -------- d-----w- c:\program files\MSBuild
2010-07-13 14:03 . 2010-02-06 15:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SoftGrid Client
2010-07-13 14:02 . 2010-02-06 15:27 -------- d-----w- c:\users\James\AppData\Roaming\SoftGrid Client
2010-07-12 14:50 . 2009-11-22 16:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 14:37 . 2010-01-27 17:16 -------- d-----w- c:\program files\DivX
2010-07-09 20:31 . 2010-06-19 15:18 -------- d-----w- c:\program files\iTunes
2010-07-09 02:51 . 2009-11-22 04:24 -------- d-----w- c:\programdata\PMB Files
2010-07-05 18:29 . 2010-05-09 13:35 -------- d-----w- c:\users\James\AppData\Roaming\dvdcss
2010-06-29 21:53 . 2010-06-29 21:53 112 ----a-w- c:\programdata\7Bk038Cv.dat
2010-06-25 21:25 . 2010-01-11 04:59 680 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2010-06-23 20:17 . 2010-06-23 20:17 -------- d-----w- c:\program files\Real
2010-06-23 19:45 . 2010-06-23 19:45 -------- d-----w- c:\users\James\AppData\Roaming\Fugazo
2010-06-23 19:41 . 2010-06-23 19:41 -------- d-----w- c:\program files\LeeGTs Games
2010-06-19 15:18 . 2010-06-19 15:18 -------- d-----w- c:\program files\iPod
2010-06-19 15:18 . 2009-11-22 04:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-19 15:18 . 2009-11-22 04:34 -------- d-----w- c:\programdata\Apple Computer
2010-06-19 14:48 . 2010-06-19 14:48 -------- d-----w- c:\program files\Bonjour
2010-06-17 03:20 . 2009-11-28 19:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-11 08:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-06 15:54 . 2009-11-22 14:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 08:19 . 2010-06-06 08:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 13:42 . 2009-11-23 22:41 -------- d-----w- c:\users\James\AppData\Roaming\Skype
2010-06-03 13:25 . 2009-11-23 22:43 -------- d-----w- c:\users\James\AppData\Roaming\skypePM
2010-05-30 19:01 . 2010-05-30 19:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-26 17:06 . 2010-06-10 18:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 18:24 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2009-11-22 05:17 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 12:05 . 2010-05-21 12:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59 . 2010-06-10 18:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 18:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-10 18:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-10 18:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 18:22 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-27 19:45 . 2010-04-27 19:45 72856 ----a-w- c:\windows\system32\xliveinstallhost.exe
2010-04-27 19:45 . 2010-04-27 19:45 187544 ----a-w- c:\windows\system32\xliveinstall.dll
2006-11-22 14:55 . 2006-11-22 14:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-01-16 13:59 561552 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"wlcomp"="c:\users\James\wlcomp.exe" [N/A]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"hpqSRMon"="" [N/A]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-11-21 576000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2009-11-22 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):04,8f,fc,67,c1,75,ca,01
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]
S1 aswSP;avast! Self Protection;
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-03 1352832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2010-07-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:20]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
2010-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFExternalAlert.dll
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\users\James\AppData\Local\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-25 17:35
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\Mystify.scr
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-25 17:50:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-25 22:50
ComboFix2.txt 2010-07-25 19:43
Pre-Run: 11,173,924,864 bytes free
Post-Run: 11,080,609,792 bytes free
- - End Of File - - 813C5C4A25AD36C797FB6759094F0A89
Kaspersky Scan Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, July 26, 2010
Operating system: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, July 26, 2010 08:16:21
Records in database: 4201914
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Objects scanned: 239191
Threats found: 8
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 06:44:36
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\afd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\2121b370-64a0864f Infected: Trojan-Downloader.Java.Agent.fl 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\2121b370-64a0864f Infected: Trojan-Downloader.Java.Agent.fk 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\2121b370-64a0864f Infected: Trojan-Downloader.Java.Agent.fj 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\d5b9dc1-274a6650 Infected: Trojan-Downloader.Java.Agent.ff 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\73bbfa48-4cee6378 Infected: Trojan-Downloader.Java.Agent.ft 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\73bbfa48-4cee6378 Infected: Trojan-Downloader.Java.Agent.fu 1
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\73bbfa48-4cee6378 Infected: Trojan-Downloader.Java.Agent.fv 1
C:\Windows\winsxs\x86_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_d9d3bb9e5b8eea9c\afd.sys Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 26th, 2010 14:00
We're getting there, but Avast has not been disabled so that ComboFix can run correctly.
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled*
We need to repeat the procedure with ComboFix.
Disconnect from the internet.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.
Otherwise, they may interfere with running ComboFix.
Open Notepad and copy/paste the following text between the lines below.
Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.
It will copy correctly to Notepad if you highlight and copy as is.
-----------------------------------------------------------------------------------
File::
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\iTunes\iTunesHelper .exe
----------------------------------------------------------------------------
Save this as CFScript.txt
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again.
Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
In your next reply, please post that log along with a new HijackThis log.
JamesRJ3
8 Posts
0
July 27th, 2010 08:00
ComboFix Log
ComboFix 10-07-24.03 - James 07/27/2010 8:24.3.1 - x86
Running from: c:\users\James\Desktop\ComboFix.exe
Command switches used :: c:\users\James\Documents\CFScript1.txt
AV: avast! antivirus 4.8.1356 [VPS 091123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091123-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
FILE ::
"c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe"
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
"c:\program files\iTunes\iTunesHelper .exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\iTunes\iTunesHelper .exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_osppsvc
((((((((((((((((((((((((( Files Created from 2010-06-27 to 2010-07-27 )))))))))))))))))))))))))))))))
.
2010-07-27 13:44 . 2010-07-27 13:53 -------- d-----w- c:\users\James\AppData\Local\temp
2010-07-27 13:44 . 2010-07-27 13:44 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-27 13:44 . 2010-07-27 13:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-27 13:44 . 2010-07-27 13:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-20 06:26 . 2010-07-20 06:29 -------- d-----w- c:\windows\system32\catroot2
2010-07-19 00:49 . 2010-07-26 02:11 -------- d-----w- c:\users\James\AppData\Roaming\vlc
2010-07-16 17:48 . 2010-07-16 17:48 -------- d-----w- c:\program files\Trend Micro
2010-07-13 15:02 . 2010-07-13 15:02 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft.NET
2010-07-13 15:00 . 2010-07-13 15:00 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-13 14:20 . 2010-07-13 14:20 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-07-11 06:07 . 2010-07-27 01:52 -------- d-----w- c:\users\James\AppData\Roaming\NeopleLauncherDFO
2010-07-09 11:51 . 2010-07-09 11:51 -------- d-----w- C:\Nexon
2010-07-09 11:47 . 2010-07-09 11:47 -------- d-----w- c:\programdata\NexonUS
2010-07-09 02:51 . 2010-07-09 03:13 1189757472 ----a-w- c:\program files\DFOSetup22.exe
2010-07-05 14:25 . 2010-07-05 14:25 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2010-07-05 14:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 14:22 . 2010-07-05 14:22 -------- d-----w- c:\programdata\Malwarebytes
2010-07-05 14:22 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 14:22 . 2010-07-05 14:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 15:56 . 2010-07-04 15:56 -------- d-----w- c:\program files\ABBYY FineReader 6.0
2010-07-04 15:56 . 2010-07-04 15:57 -------- d-----w- c:\program files\ABBYY FineReader 5.0 Sprint
2010-06-29 21:52 . 2010-06-29 21:52 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\PowerDVD DX
2010-06-29 01:46 . 2010-06-29 01:46 -------- d-----w- c:\users\James\AppData\Roaming\WB Games
2010-06-29 01:24 . 2010-06-29 01:24 -------- d-----w- c:\program files\WB Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-27 13:43 . 2010-06-19 15:18 -------- d-----w- c:\program files\iTunes
2010-07-26 19:42 . 2009-11-22 17:22 -------- d-----w- c:\programdata\Microsoft Help
2010-07-26 08:21 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-25 23:36 . 2010-01-28 02:22 -------- d-----w- c:\program files\Common Files\Java
2010-07-25 23:34 . 2010-01-14 13:28 -------- d-----w- c:\program files\Java
2010-07-25 22:07 . 2009-11-30 21:12 -------- d-----w- c:\program files\Winamp
2010-07-25 22:07 . 2010-04-03 15:07 -------- d-----w- c:\program files\QuickTime
2010-07-25 22:07 . 2009-11-26 15:17 -------- d-----w- c:\program files\Lexmark 1200 Series
2010-07-25 22:07 . 2009-11-23 05:37 -------- d-----w- c:\program files\PowerISO
2010-07-25 18:24 . 2009-11-22 04:31 -------- d-----w- c:\users\James\AppData\Roaming\uTorrent
2010-07-25 18:20 . 2009-11-28 15:53 -------- d-----w- c:\users\James\AppData\Roaming\Vso
2010-07-25 18:20 . 2009-11-28 15:53 47360 ----a-w- c:\users\James\AppData\Roaming\pcouffin.sys
2010-07-25 18:20 . 2009-11-28 15:57 -------- d-----w- c:\program files\DVD Shrink
2010-07-25 14:19 . 2009-11-26 04:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-25 14:16 . 2009-11-26 04:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-23 14:18 . 2009-11-28 20:58 -------- d-----w- c:\programdata\FLEXnet
2010-07-13 20:22 . 2009-11-22 01:40 820488 ----a-w- c:\users\James\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-13 15:03 . 2006-11-02 12:35 -------- d-----w- c:\program files\MSBuild
2010-07-13 14:03 . 2010-02-06 15:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\SoftGrid Client
2010-07-13 14:02 . 2010-02-06 15:27 -------- d-----w- c:\users\James\AppData\Roaming\SoftGrid Client
2010-07-12 14:50 . 2009-11-22 16:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 14:37 . 2010-01-27 17:16 -------- d-----w- c:\program files\DivX
2010-07-09 02:51 . 2009-11-22 04:24 -------- d-----w- c:\programdata\PMB Files
2010-07-05 18:29 . 2010-05-09 13:35 -------- d-----w- c:\users\James\AppData\Roaming\dvdcss
2010-06-29 21:53 . 2010-06-29 21:53 112 ----a-w- c:\programdata\7Bk038Cv.dat
2010-06-25 21:25 . 2010-01-11 04:59 680 ----a-w- c:\users\James\AppData\Local\d3d9caps.dat
2010-06-23 20:17 . 2010-06-23 20:17 -------- d-----w- c:\program files\Real
2010-06-23 19:45 . 2010-06-23 19:45 -------- d-----w- c:\users\James\AppData\Roaming\Fugazo
2010-06-23 19:41 . 2010-06-23 19:41 -------- d-----w- c:\program files\LeeGTs Games
2010-06-22 09:36 . 2010-05-21 12:06 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-19 15:18 . 2010-06-19 15:18 -------- d-----w- c:\program files\iPod
2010-06-19 15:18 . 2009-11-22 04:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-19 15:18 . 2009-11-22 04:34 -------- d-----w- c:\programdata\Apple Computer
2010-06-19 14:48 . 2010-06-19 14:48 -------- d-----w- c:\program files\Bonjour
2010-06-17 03:20 . 2009-11-28 19:42 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-06 15:54 . 2009-11-22 14:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-06 08:19 . 2010-06-06 08:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-03 13:42 . 2009-11-23 22:41 -------- d-----w- c:\users\James\AppData\Roaming\Skype
2010-06-03 13:25 . 2009-11-23 22:43 -------- d-----w- c:\users\James\AppData\Roaming\skypePM
2010-05-30 19:01 . 2010-05-30 19:01 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-05-26 17:06 . 2010-06-10 18:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 18:24 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 19:14 . 2009-11-22 05:17 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59 . 2010-06-10 18:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 18:22 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-10 18:22 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-10 18:22 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-10 18:22 2037248 ----a-w- c:\windows\system32\win32k.sys
2006-11-22 14:55 . 2006-11-22 14:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}]
2010-01-16 13:59 561552 ----a-w- c:\progra~1\MICROS~4\Office14\URLREDIR.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SigmatelSysTrayApp"="sttray.exe" [2007-01-12 303104]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-12-22 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-12-21 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
c:\users\James\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-11-21 576000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2009-11-22 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):04,8f,fc,67,c1,75,ca,01
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-19 16896]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-06-06 64288]
S1 aswSP;avast! Self Protection;
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-03 1352832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
2010-07-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:20]
2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
2010-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-19 13:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\FFExternalAlert.dll
FF - component: c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\eh65ncc4.default\extensions\{35b675b9-7f34-40df-8f49-5fab6b7e4aef}\components\RadioWMPCore.dll
FF - plugin: c:\progra~1\MICROS~4\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-wlcomp - c:\users\James\wlcomp.exe
HKLM-Run-hpqSRMon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-27 08:52
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(3476)
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\lxczcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-07-27 09:06:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-27 14:06
ComboFix2.txt 2010-07-25 22:50
ComboFix3.txt 2010-07-25 19:43
Pre-Run: 10,989,236,224 bytes free
Post-Run: 10,942,910,464 bytes free
- - End Of File - - 538E3DD0936E235BC8707AC46FAED4C8
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:16:12 AM, on 7/27/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\sttray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} (DellSystemLite.Scanner) - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 10285 bytes
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 27th, 2010 08:00
It appears that ComboFix was able to delete what it was trying to do the first time, but I see that Avast was still enabled. If you have a problem with your Adobe Reader or any of the programs that had corrupt files that CF fixed, you may have to reinstall them.
Let me know how things are running now. If everything is back to normal we'll clean up Java, and remove our tools.
JamesRJ3
8 Posts
0
July 27th, 2010 10:00
I disabled Avast to run the ComboFix but ComboFix didn't recognize that Avast was disabled. So far everything seems to be running correctly, my search engines are no longer being redirected to other sites and no windows are opening mysteriously without me clicking anything. Windows Update has the following error codes when attempting to install 3 new important updates: 643 and 646.
Bugbatter
3 Apprentice
•
20.5K Posts
0
July 27th, 2010 14:00
You probably have an Avast file running someplace that ComboFix is seeing. Sometimes we have to totally uninstall a program to stop all of it.
Please delete SecurityCheck, DDS, and their logs from your desktop if you have not done so.
Download and scan each user profile with CCleaner (a good utility to keep and use regularly.):
http://www.piriform.com/ccleaner/builds
** Select to download the SLIM version.
** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.
** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up. In the Windows Tab:
3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done. REBOOT.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.
- Download the latest version of Java Runtime Environment (JRE) 6.
- Scroll down to where it says JDK 6 Update 21 (JDK or JRE) .
- Click the "Download JRE" button to the right.
- Use the dropdown menu to select your platform.
- Check the box to: "Accept License Agreement".
NOTE: As always during installations, beware of any pre-checked option to install a toolbar. If you do not want it, UNcheck it.Close Add/Remove.
* In Windows Explorer, navigate to C:\Program Files\Java =this folder. Delete any subfolders.
* Do NOT delete C:\Program Files\ JavaVM =this folder, if found!
Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
* Go to Start-->Control Panel-->Java-->Advanced-->Miscellaneous and uncheck the box for Java Quick Starter.
* Click Ok and reboot your computer.
Additional details if you have problems with the uninstall: http://www.java.com/en/download/help/uninstall_java.xml
* Click Start then Run
Copy and paste next command in the field:
ComboFix /Uninstall
Make sure there's a space between Combofix and / Then hit enter.
This will remove ComboFix, run some cleanup procedures, and flush System Restore, thus creating a clean Restore Point.
REBOOT. Open System Restore and make sure there is a new restore point. If not, let me know.
It appears that your windows update problem is no longer due to suppression by active malware. Most likely you will need to reset Windows Update components. Try this suggestion: http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/a0428bfd-820b-4dea-9bdb-70103dace426
If that does not work check the kb articles at Microsoft Support: http://support.microsoft.com/ or post over at Microsoft Answers Forums: http://social.answers.microsoft.com/Forums/en-US/vistawu/threads
Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
If you have used Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.
The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:
1. Visit Microsoft Update: Make sure that you have all the Critical Updates recommended for your operating system, Office, and IE. The first defense against infection is a properly patched OS from Microsoft Update at update.microsoft.com. More info HERE.
2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.. Run a complete system scan with your anti-virus at least once a week...preferably in Safe mode.
If your anti-virus program is a paid/licensed version that is about to expire, you can consider using a free one such as:
Microsoft Security Essentials
AntiVir Personal Edition Classic
Avast! 4 Home Edition
If you prefer not to use the Windows Firewall, there are several of the freeware Firewalls available on the public domain.
Please see this list for anti-virus, firewalls, and other FREE SECURITY SOFTWARE.
3. Using an alternate browser can reduce your chance of certain infections installing themselves. You might consider installing Mozilla / Firefox.
http://www.mozilla.com/en-US/
4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.
5. Keep your software updated...make it easier on yourself and install the free security tool Secunia PSI .
6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/ ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.
7. Web Of Trust , uses colored alerts to warn about risky websites warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
There is a Web Of Trust version for Firefox as well.
8. If you still wish to use Internet Explorer, please make sure you install SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here:http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.
9. You might want to install Winpatrol. Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can download a free copy of Winpatrol or use the Plus version for more features.
You can read Winpatrol's FAQ if you run into problems.
10. Many of us in the online security community have tried and tested programs to determine their abilities. Please remember that there is no guarantee regarding computer security. However, the available software, combined with the rest of these recommendations will contribute to helping your system running safely.
Here are some helpful articles:
How did I get infected? HERE
I'm not pulling your leg, honest?
by Sandi Hardmeier HERE
Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!