
Author Topic: Generic12 Clicker Advertisement Service Backdoor Trojan  (Read 18493 times)


jsranchmn22

    Topic Starter



    Generic12 Clicker Advertisement Service Backdoor Trojan
    « on: May 03, 2010, 10:40:43 PM »
    I accepted a gift on an application on facebook and boy would I like to return it!

    I meticulously followed the forum's directions "Read this before requesting Malware Help". I do understand that this is a critical step. That wasn't working. The SUPERAntiSpyware page would not load and I tried to get there independently. No luck.

    AVG identified a Trojan virus and kicked in, and Firefox went on the blitz. Microsoft reporting popped up for all my executable programs because none of them can be executed, MS stating they were going to upload the name of a different txt file associated with each program. These are located in my temp folder in the local settings. (Deleted them before I found your site but they are back.) My browser redirects to junk sites. I keep doing workarounds. Internet Explorer is letting some stuff through but not SUPERAntiSpyware. Fortunately, you have posted alternative links that may work. That is how I got Malwarebytes. I downloaded Malwarebytes and glanced at 28 infected files but it closed down as soon as it stated it was done and I clicked okay. Tried that twice.

    There was a new program added: Advertisement Service. It had the Internet Explorer icon in front of it, and I use Firefox. I just removed that because nothing else was working.


    AVG did say it vaulted some stuff; a couple:

    Trojan horse backdoor.Generic12.BIES and Clicker.AFJE

    If I can't get these malware downloads and when I do download them they can't do anything, what can I do?

    jsranchmn22

      Topic Starter



      Re: browser redirects, programs won't execute, trojan, Malwarebytes
      « Reply #1 on: May 04, 2010, 11:05:34 AM »
      Running XP Service Pack 3

      I ran Malwarebytes again and clicked rapidly, and here is the log:

      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4063

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 7.0.5730.13

      5/4/2010 11:08:13 AM
      mbam-log-2010-05-04 (11-08-13).txt

      Scan type: Quick scan
      Objects scanned: 115629
      Time elapsed: 9 minute(s), 26 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 11
      Registry Values Infected: 2
      Registry Data Items Infected: 5
      Folders Infected: 1
      Files Infected: 9

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmadcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbjdleuq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbjdleuq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98b00566-12f1-445c-a83d-399bf19a8306}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.

      Folders Infected:
      C:\WINDOWS\PRAGMAdcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.

      Files Infected:
      C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
      C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
      C:\WINDOWS\PRAGMAdcdivnyrbc\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
      C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
      C:\WINDOWS\TEMP\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
      C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
      C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\vvxhxatin\yrgxabwtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
      C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
      C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

      Each time I start my computer, I get error messages on all executable programs including utility, AVG, hpcmpmgr. My browser continues to redirect; Firefox and now IE. I downloaded Google Chrome and that won't load pages. I can get to Facebook and Yahoo with Firefox and IE. The trojan seems happy there. I am on another computer.
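      Reading the Malwarebytes log above as a responder, the useful split is not the threat-family label but what each entry does: the NameServer data items point the machine at attacker-controlled DNS resolvers (consistent with the redirects described), the Security Center DisableNotify values silence the alerts, and the Run key and service entries are the persistence. Below is an added Python triage script, not part of the thread and not Malwarebytes' own code, that parses this log layout, groups entries that way, pulls out the rogue resolver addresses and cross-checks the section totals so a truncated paste is noticed; the sample log is constructed from lines in the post above.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (added example).

Parses the per-section detection lines, groups them by what they mean to a
responder, and checks the detail lines against the summary counts.
"""
import re
from collections import Counter

# Constructed sample in the MBAM 1.46 log layout; entries and the rogue
# NameServer addresses are copied from the log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmadcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jbjdleuq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.163,93.188.161.179 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMAdcdivnyrbc (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\TEMP\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
# "<item> (<family>) -> [<detail> -> ...]<action>."
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_mbam_log(text):
    """Return (summary_counts, detections) from the body of an MBAM log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section and (m := DETECT_RE.match(line)):
            parts = [p.strip() for p in m["rest"].split(" -> ")]
            detections.append({"section": section, "item": m["item"],
                               "family": m["family"], "details": parts[:-1],
                               "action": parts[-1].rstrip(".")})
    return summary, detections


def triage(det):
    """Map one detection onto what it means for the responder."""
    item, family = det["item"].upper(), det["family"]
    if family == "Trojan.DNSChanger" and item.endswith("\\NAMESERVER"):
        return "dns-hijack"              # resolver pointed at attacker DNS
    if family == "Disabled.SecurityCenter":
        return "security-center-tamper"  # Security Center alerts silenced
    if "\\CURRENTVERSION\\RUN\\" in item:
        return "run-key-persistence"
    if det["section"] == "Registry Keys Infected" and "\\SERVICES\\" in item:
        return "service-persistence"
    return family.split(".")[0].lower()  # trojan, rootkit, rogue, ...


def summarize(text):
    """Group detections, extract rogue DNS servers and check the totals."""
    summary, detections = parse_mbam_log(text)
    rogue_dns, tampered = set(), []
    for det in detections:
        cat = triage(det)
        if cat == "dns-hijack":
            for detail in det["details"]:
                rogue_dns.update(IPV4_RE.findall(detail))
        elif cat == "security-center-tamper":
            tampered.append(det["item"].rsplit("\\", 1)[-1])
    # A section whose parsed line count differs from its "<Section>: N"
    # header usually means the paste was cut short.
    seen = Counter(det["section"] for det in detections)
    mismatches = {s: (n, seen.get(s, 0)) for s, n in summary.items()
                  if seen.get(s, 0) != n}
    return {"total": len(detections),
            "by_category": dict(Counter(triage(d) for d in detections)),
            "rogue_dns": sorted(rogue_dns),
            "tampered_notify": tampered,
            "count_mismatches": mismatches}
```

Run `summarize(open("mbam-log.txt").read())` on a real log to get the same breakdown; the script only reads text and changes nothing on the system.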

      harry 48




      Re: Generic12 Clicker Advertisement Service Backdoor Trojan
      « Reply #2 on: May 04, 2010, 01:27:39 PM »
      Rename HijackThis to snipper.exe and run it; also post the log.

      jsranchmn22

        Topic Starter



        Re: Generic12 Clicker Advertisement Service Backdoor Trojan
        « Reply #3 on: May 04, 2010, 02:34:28 PM »
        I did manage to make it through Step 3, SUPERAntiSpyware.

        Here is the log:

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 05/04/2010 at 02:15 PM

        Application Version : 4.36.1006

        Core Rules Database Version : 4888
        Trace Rules Database Version: 2700

        Scan type       : Complete Scan
        Total Scan Time : 01:38:34

        Memory items scanned      : 409
        Memory threats detected   : 0
        Registry items scanned    : 6001
        Registry threats detected : 16
        File items scanned        : 60837
        File threats detected     : 32

        Trojan.Agent/Gen
           [BisonMnt] C:\WINDOWS\BISONC07\BISONM07.EXE
           C:\WINDOWS\BISONC07\BISONM07.EXE
           [EnergyUtility] C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\UTILITY.EXE
           C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\UTILITY.EXE
           [Energy Management] C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\ENERGY MANAGEMENT.EXE
           C:\PROGRAM FILES\LENOVO\ENERGY MANAGEMENT\ENERGY MANAGEMENT.EXE
           [HP Component Manager] C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
           C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
           [HP Software Update] C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
           C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
           [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB09.EXE
           C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB09.EXE
           [iTunesHelper] C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
           C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
           [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\AVGTRAY.EXE
           C:\PROGRA~1\AVG\AVG9\AVGTRAY.EXE
           [QuickTime Task] C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
           C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
           [DivXUpdate] C:\PROGRAM FILES\DIVX\DIVX UPDATE\DIVXUPDATE.EXE
           C:\PROGRAM FILES\DIVX\DIVX UPDATE\DIVXUPDATE.EXE
           [swg] C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
           C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBARNOTIFIER\GOOGLETOOLBARNOTIFIER.EXE
           [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
           C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
           [H/PC Connection Agent] C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
           C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
           HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\WCESCOMM.EXE
           C:\PROGRAM FILES\AVG\AVG9\AVGTRAY.EXE
           C:\WINDOWS\Prefetch\AVGTRAY.EXE-0F97EFEF.pf
           C:\WINDOWS\Prefetch\AVGTRAY.EXE-3209AA20.pf
           C:\WINDOWS\Prefetch\BISONM07.EXE-0190AC3B.pf
           C:\WINDOWS\Prefetch\DIVXUPDATE.EXE-24EAF9C6.pf
           C:\WINDOWS\Prefetch\ENERGY MANAGEMENT.EXE-35BAAFC9.pf
           C:\WINDOWS\Prefetch\GOOGLETOOLBARNOTIFIER.EXE-3629C61D.pf
           C:\WINDOWS\Prefetch\HPCMPMGR.EXE-0D8BF169.pf
           C:\WINDOWS\Prefetch\HPWUSCHD.EXE-1AC4276F.pf
           C:\WINDOWS\Prefetch\HPZTSB09.EXE-17B97A12.pf
           C:\WINDOWS\Prefetch\ITUNESHELPER.EXE-15823303.pf
           C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf
           C:\WINDOWS\Prefetch\TEATIMER.EXE-1F57E47A.pf
           C:\WINDOWS\Prefetch\UTILITY.EXE-1B84E6D5.pf
           C:\WINDOWS\Prefetch\WCESCOMM.EXE-062FDF7F.pf

        Adware.Tracking Cookie
           C:\Documents and Settings\SUSAN TXX\Cookies\susan_tXX@serving-sys[2].txt
           C:\Documents and Settings\SUSAN TXX\Cookies\[email protected][2].txt

        Rootkit.Agent/Gen-TDS[Pragma]
           HKU\.DEFAULT\Software\Pragma
           HKU\S-1-5-18\Software\Pragma

        Trojan.RootKit/Gen
           C:\DOCUMENTS AND SETTINGS\SUSAN TORK\DESKTOP\TEMP\PRAGMA4E70.TMP

        Adware.Vundo/Variant-LockDown
           C:\WINDOWS\SYSTEM32\PRAGMASERF.DLL

        Now off to fulfill next request; running Hijack and posting log. Thank you very much!

        jsranchmn22

          Topic Starter



          Re: Generic12 Clicker Advertisement Service Backdoor Trojan
          « Reply #4 on: May 04, 2010, 02:56:25 PM »
          I first did step 5 and updated my Java, then downloaded HijackThis per your instructions. Just an FYI: I googled Java add-ons to tweak the add-ons. When I went into the Java website, I was still being redirected.

          I did this on Firefox. I switched back from IE on this request because I thought it might be safe now ~ guess not.

          HijackThis log:

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 3:49:54 PM, on 5/4/2010
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.17023)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
          C:\Program Files\DDNI\DIBS\DDNIService.exe
          C:\QSTART.SYS\config\DVMExportService.exe
          C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\system32\ctfmon.exe
          C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
          C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
          C:\WINDOWS\system32\msiexec.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://lenovo.live.com/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: GuardId.MSIEBrowser.BHO - {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll (file missing)
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
          O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
          O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\SUSAN TXX\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
          O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
          O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
          O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
          O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
          O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
          O9 - Extra button: LENOVO - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com (file missing)
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
          O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
          O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
          O20 - Winlogon Notify: PicNotify - C:\WINDOWS\SYSTEM32\PicNotify.dll
          O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: DDNIMSGService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
          O23 - Service: DDNIService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\DIBS\DDNIService.exe
          O23 - Service: DeviceVM Meta Data Export Service (DvmMDES) - DeviceVM - C:\QSTART.SYS\config\DVMExportService.exe
          O23 - Service: Google Update Service (gupdate1ca1a13d4570dfa) (gupdate1ca1a13d4570dfa) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
          O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SUSANT~1\LOCALS~1\Temp\hpdj.exe (file missing)
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: System Repair Windows Update Monitor (System_Repair_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe

          --
          End of file - 7581 bytes

          jsranchmn22

            Topic Starter



            Re: Generic12 Clicker Advertisement Service Backdoor Trojan
            « Reply #5 on: May 04, 2010, 03:58:10 PM »
            Oh, I thought I should report this. Not sure if it would have affected the outcome of the antimalware scans.

            Another trick (stupid?) I tried was relocating the temp folder from local settings. I did this because none of my programs would execute and Microsoft reporting was asking me to upload problems for their general reporting.

            When I looked closer at what they were asking for, it was a bunch of txt files in the temp folder. There was a different one associated with each executable program. Even though I deleted them (which was probably also wrong, but I couldn't connect to the internet to ask for help) they would reappear when I rebooted.

            I relocated the temp folder to the desktop and created a new blank one. May or may not make a difference to report this.

            harry 48




            Re: Generic12 Clicker Advertisement Service Backdoor Trojan
            « Reply #6 on: May 04, 2010, 04:04:29 PM »
            OK, you will have to wait for a malware expert to help you.

            evilfantasy

            • Malware Removal Specialist


            Re: Generic12 Clicker Advertisement Service Backdoor Trojan
            « Reply #7 on: May 04, 2010, 07:12:32 PM »
            Hello jsranchmn22.

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            • O2 - BHO: GuardId.MSIEBrowser.BHO - {5b0a01d2-b8a0-4e56-9e6b-cba0ef4b4eb5} - mscoree.dll (file missing)
            • O20 - Winlogon Notify: PicNotify - C:\WINDOWS\SYSTEM32\PicNotify.dll
            • O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\SUSANT~1\LOCALS~1\Temp\hpdj.exe (file missing)
            Important: Close all open windows except for HijackThis and then click Fix checked.

            Do not restart the computer if HijackThis asks you to.

            Next in HijackThis select Main Menu

            Click on the Open the MISC tools section button.

            Copy this text -> hpdj

            • In HijackThis select Delete an NT Service
            • Paste the text  into the box that opens and then click OK
            • If you receive any error messages just ignore them and continue.
            Now exit HijackThis and reboot when it tells you it needs to.

            ----------

            Clearing Temp Folder
            • Click on Start and then Run.
            • In the text box in the Run window, type %Temp% and click OK. A folder full of files and other folders will appear.
            • To remove everything inside the Temp folder, choose Edit and then Select All from the menu.
              • Note: If you're prompted that there are hidden files in this folder, just click on OK to bypass the message.
            • Now that all of the files and folders are selected, hit your Delete key or choose File and then Delete from the menu.
            • Confirm that you want to delete the files by clicking Yes on the Confirm Multiple File Delete window that opens.
            • After all of the files have been deleted close the window and empty your Recycle Bin.
            ----------

            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            ----------

            If you already have ComboFix be sure to delete it and download a new copy.

            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

            Link #1
            Link #2

            **Note:  It is important that it is saved directly to your Desktop

            Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

            Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
             
            Double click combofix.exe & follow the prompts.
            Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
            When finished ComboFix will produce a log for you.
            Post the ComboFix log in your next reply.

            Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

            Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

            If you have problems with ComboFix usage, see How to use ComboFix
            « Last Edit: May 05, 2010, 06:52:46 PM by evilfantasy »

            jsranchmn22

              Topic Starter



              Re: Generic12 Clicker Advertisement Service Backdoor Trojan
              « Reply #8 on: May 04, 2010, 09:02:06 PM »
              Thank you, Mr Evilfantasy.

              Instructions followed verbatim (I assume they are in order and specific for a reason).

              ComboFix stopped and rebooted in the middle, citing the presence of rootkit activity, and resumed. I didn't expect it to log off and reboot just before "Preparing Log Report" but maybe that is normal.

              AVG was removed from the tray and other things moved around through this ordeal.

              ComboFix log:

              ComboFix 10-05-04.04 - SUSAN TORK 05/04/2010  21:36:56.1.2 - x86
              Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.601 [GMT -5:00]
              Running from: c:\documents and settings\SUSAN TORK\My Documents\Downloads\ComboFix.exe
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
              c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
              c:\program files\WindowsUpdate
              c:\recycler\S-1-5-21-522090433-925392414-3357670280-1003
              c:\windows\system32\avgrsstx.dll
              c:\windows\system32\ctfmon .exe
              c:\windows\system32\drivers\xakcj.sys
              c:\windows\system32\pragmabbr.dll
              c:\windows\system32\PRAGMAsrcr.dat
              c:\windows\system32\sqlite3.dll

              ----- BITS: Possible infected sites -----

              hxxp://dibs.ddni.net
              Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
              Restored copy from - Kitty had a snack :p
              .
              (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              -------\Legacy_ocskb
              -------\Service_ocskb


              (((((((((((((((((((((((((   Files Created from 2010-04-05 to 2010-05-05  )))))))))))))))))))))))))))))))
              .

              2010-05-04 20:46 . 2010-05-04 20:46   --------   d-----w-   c:\program files\Trend Micro
              2010-05-04 20:43 . 2010-05-04 20:43   --------   d-----w-   c:\program files\Common Files\Java
              2010-05-04 20:42 . 2010-05-04 20:42   503808   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcp71.dll
              2010-05-04 20:42 . 2010-05-04 20:42   499712   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\jmc.dll
              2010-05-04 20:42 . 2010-05-04 20:42   348160   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcr71.dll
              2010-05-04 20:42 . 2010-05-04 20:42   12800   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-d3d.dll
              2010-05-04 20:42 . 2010-05-04 20:42   61440   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-sse.dll
              2010-05-04 20:42 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
              2010-05-04 17:25 . 2010-05-04 17:25   63488   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
              2010-05-04 17:25 . 2010-05-04 17:25   52224   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
              2010-05-04 17:25 . 2010-05-04 17:25   117760   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com
              2010-05-04 17:22 . 2010-05-04 17:22   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
              2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Malwarebytes
              2010-05-04 03:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
              2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-05-04 03:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-05-03 17:46 . 2010-05-04 16:08   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
              2010-05-03 17:45 . 2010-05-03 17:46   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF
              2010-05-03 17:45 . 2010-05-03 17:45   107008   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll
              2010-04-24 15:49 . 2010-04-24 15:49   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\MSNInstaller
              2010-04-24 03:50 . 2010-04-24 03:50   360584   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
              2010-04-24 03:50 . 2010-04-24 03:50   333192   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
              2010-04-24 03:50 . 2010-04-24 03:50   28424   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
              2010-04-21 23:29 . 2010-04-21 23:29   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\DivX
              2010-04-21 23:17 . 2010-04-21 23:17   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
              2010-04-21 23:14 . 2010-04-21 23:10   754984   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
              2010-04-21 23:14 . 2010-04-21 23:09   1180952   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
              2010-04-21 23:10 . 2010-04-21 23:10   144696   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
              2010-04-21 23:10 . 2010-04-21 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
              2010-04-15 00:07 . 2010-04-15 00:07   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\WMTools Downloaded Files
              2010-04-10 15:35 . 2010-04-10 15:35   --------   d--h--w-   c:\documents and settings\All Users\Application Data\CanonBJ
              2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
              2010-04-10 15:18 . 2007-04-02 10:00   27136   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8U.DLL
              2010-04-10 15:18 . 2008-02-06 10:00   216064   ----a-w-   c:\windows\system32\CNMLM8U.DLL
              2010-04-10 15:18 . 2010-04-10 15:18   --------   d--h--w-   c:\windows\system32\CanonIJ Uninstaller Information
              2010-04-10 15:18 . 2007-03-15 19:12   188416   ----a-w-   c:\windows\system32\CNC470O.DLL
              2010-04-10 15:18 . 2007-03-23 21:30   1400832   ----a-w-   c:\windows\system32\CNC470C.DLL
              2010-04-10 15:18 . 2007-03-23 21:29   98304   ----a-w-   c:\windows\system32\CNC470I.DLL
              2010-04-10 15:18 . 2007-03-19 15:21   200704   ----a-w-   c:\windows\system32\CNC470L.DLL
              2010-04-10 15:17 . 2010-04-10 15:17   --------   d--h--w-   c:\program files\CanonBJ
              2010-04-09 16:40 . 2010-05-04 20:14   --------   d-----w-   c:\program files\QuickTime

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-05-04 22:50 . 2010-03-13 05:50   0   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\prvlcl.dat
              2010-05-04 20:41 . 2009-08-27 00:07   --------   d-----w-   c:\program files\Java
              2010-05-04 20:14 . 2010-03-12 07:02   --------   d-----w-   c:\program files\Microsoft ActiveSync
              2010-05-04 20:14 . 2010-02-07 19:00   --------   d-----w-   c:\program files\iTunes
              2010-05-04 20:14 . 2009-09-26 05:34   --------   d-----w-   c:\program files\Spybot - Search & Destroy
              2010-05-04 05:56 . 2009-06-18 20:32   664   ----a-w-   c:\windows\system32\d3d9caps.dat
              2010-05-04 02:21 . 2009-12-08 04:44   --------   d-----w-   c:\program files\CCleaner
              2010-04-24 03:50 . 2010-03-06 23:11   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
              2010-04-24 03:50 . 2009-09-01 14:57   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
              2010-04-24 03:48 . 2009-09-01 14:57   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
              2010-04-24 03:02 . 2010-04-24 03:23   244142   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
              2010-04-21 23:14 . 2010-04-21 23:14   56766   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:12   --------   d-----w-   c:\program files\DivX
              2010-04-21 23:14 . 2010-04-21 23:14   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
              2010-04-21 23:14 . 2010-04-21 23:14   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
              2010-04-21 23:13 . 2010-04-21 23:13   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
              2010-04-21 23:13 . 2010-04-21 23:13   --------   d-----w-   c:\program files\Common Files\DivX Shared
              2010-04-21 23:13 . 2010-04-21 23:13   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
              2010-04-21 23:00 . 2010-02-07 19:01   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Apple Computer
              2010-04-17 20:29 . 2009-08-10 23:36   --------   d-----w-   c:\program files\Google
              2010-04-15 00:45 . 2009-05-04 11:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
              2010-04-10 05:13 . 2010-04-03 00:13   165312   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
              2010-04-02 23:09 . 2009-06-18 20:31   72040   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
              2010-03-11 12:38 . 2004-08-04 20:00   832512   ----a-w-   c:\windows\system32\wininet.dll
              2010-03-11 12:38 . 2004-08-04 20:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
              2010-03-11 12:38 . 2004-08-04 20:00   17408   ----a-w-   c:\windows\system32\corpol.dll
              2010-03-09 11:09 . 2004-08-04 20:00   430080   ------w-   c:\windows\system32\vbscript.dll
              2010-03-08 17:59 . 2010-03-08 17:59   94208   ----a-w-   c:\windows\system32\dpl100.dll
              2010-03-06 23:11 . 2010-03-06 23:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
              2010-03-06 23:11 . 2009-09-01 14:57   --------   d-----w-   c:\program files\AVG
              2010-02-24 13:11 . 2004-08-04 20:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
              2010-02-19 19:27 . 2010-02-19 19:27   720384   ----a-w-   c:\windows\system32\DivX.dll
              2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
              2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
              2010-02-19 19:27 . 2010-02-19 19:27   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
              2010-02-19 19:27 . 2010-02-19 19:27   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
              2010-02-19 19:27 . 2010-02-19 19:27   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
              2010-02-16 14:08 . 2004-08-04 20:00   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
              2010-02-16 13:25 . 2004-08-04 06:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
              2010-02-12 04:33 . 2004-08-04 20:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
              2010-02-11 12:02 . 2004-08-04 20:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
              .
              Code:
              c:\program files\AVG\AVG9\avgtray .exe
              c:\program files\DivX\DivX Update\divxupdate .exe
              c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
              c:\program files\Hewlett-Packard\HP Software Update\hpwuschd .exe
              c:\program files\HP\hpcoretech\hpcmpmgr .exe
              c:\program files\iTunes\ituneshelper .exe
              c:\program files\Lenovo\Energy Management\energy management .exe
              c:\program files\Lenovo\Energy Management\utility .exe
              c:\program files\Microsoft ActiveSync\wcescomm .exe
              c:\program files\QuickTime\qttask .exe
              c:\program files\Spybot - Search & Destroy\teatimer .exe
              c:\windows\BisonC07\bisonm07 .exe
              c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
              @="{771C7324-DA80-49D3-8017-753B0AF60951}"
              [HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
              2009-06-06 14:52   241752   ----a-w-   c:\windows\system32\IcnOvrly.dll

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
              "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
              @="Driver"

              [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ID Vault.lnk]
              path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ID Vault.lnk
              backup=c:\windows\pss\ID Vault.lnkCommon Startup

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
              2008-12-02 18:34   35184   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
              2008-02-28 07:00   166424   ----a-w-   c:\windows\system32\hkcmd.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdeaNotesUser]
              2009-08-24 14:15   221872   ----a-w-   c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
              2008-02-28 07:00   141848   ----a-w-   c:\windows\system32\igfxtray.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
              c:\program files\Messenger\msmsgs.exe [N/A]

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
              2008-02-28 07:00   137752   ----a-w-   c:\windows\system32\igfxpers.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
              2009-03-24 11:10   17567744   ----a-w-   c:\windows\RTHDCPL.EXE

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
              2009-04-09 13:13   1512744   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe

              [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager]
              2009-06-06 14:52   323584   ----a-w-   c:\program files\Lenovo\VeriFaceIII\PManage.exe

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=
              "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
              "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
              "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
              "c:\\Program Files\\iTunes\\iTunes.exe"=
              "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
              "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
              "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
              "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
              "c:\\WINDOWS\\system32\\spoolsv.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

              R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2009 9:57 AM 216200]
              R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/6/2010 6:11 PM 242896]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
              R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 10:50 PM 308064]
              R2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [1/17/2009 1:59 AM 172720]
              R2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [5/4/2009 6:52 AM 160432]
              R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [3/25/2009 9:20 PM 315392]
              R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [5/4/2009 6:17 AM 430080]
              R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/4/2009 6:17 AM 48192]
              R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [6/6/2009 9:56 AM 9472]
              S2 gupdate1ca1a13d4570dfa;Google Update Service (gupdate1ca1a13d4570dfa);c:\program files\Google\Update\GoogleUpdate.exe [8/10/2009 6:39 PM 133104]
              S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/4/2009 6:10 AM 1684736]
              S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
              S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
              S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [5/4/2009 6:17 AM 81192]
              .
              Contents of the 'Scheduled Tasks' folder

              2010-05-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
              - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 07:54]

              2010-05-05 c:\windows\Tasks\Google Software Updater.job
              - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-10 23:36]

              2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

              2010-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
              - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

              2010-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-409764278-1039016446-177758585-1008Core.job
              - c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 15:08]

              2010-05-05 c:\windows\Tasks\User_Feed_Synchronization-{E0937533-BB98-490D-955D-A0280C0E943C}.job
              - c:\windows\system32\msfeedssync.exe [2009-05-04 10:36]
              .
              .
              ------- Supplementary Scan -------
              .
              uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
              uInternet Settings,ProxyOverride = *.local
              IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
              IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
              FF - ProfilePath - c:\documents and settings\SUSAN TORK\Application Data\Mozilla\Firefox\Profiles\s3wyq629.default\
              FF - prefs.js: browser.search.selectedEngine - Google (Language: EN)
              FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
              FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
              FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
              FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
              FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
              FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
              FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
              FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
              FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
              FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

              ---- FIREFOX POLICIES ----
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
              c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
              c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
              c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
              c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
              c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
              .
              - - - - ORPHANS REMOVED - - - -

              Notify-AutorunsDisabled - avgrsstx.dll
              Notify-avgrsstarter - avgrsstx.dll
              AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-05-04 21:49
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
              @DACL=(02 0000)
              "AVG8_TRAY"="c:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
              @DACL=(02 0000)
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
              @DACL=(02 0000)
              "NoChange"="1"
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
              @DACL=(02 0000)
              "Installed"="1"
              @=""
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(688)
              c:\program files\SUPERAntiSpyware\SASWINLO.dll
              c:\windows\system32\WININET.dll

              - - - - - - - > 'explorer.exe'(3324)
              c:\windows\system32\WININET.dll
              c:\windows\system32\IcnOvrly.dll
              c:\windows\system32\IEFRAME.dll
              c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
              c:\windows\system32\mshtml.dll
              c:\windows\system32\WPDShServiceObj.dll
              c:\windows\system32\PortableDeviceTypes.dll
              c:\windows\system32\PortableDeviceApi.dll
              .
              ------------------------ Other Running Processes ------------------------
              .
              c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
              c:\program files\Bonjour\mDNSResponder.exe
              c:\program files\Java\jre6\bin\jqs.exe
              c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
              c:\program files\AVG\AVG9\avgnsx.exe
              c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
              c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
              c:\program files\AVG\AVG9\avgrsx.exe
              c:\program files\AVG\AVG9\avgchsvx.exe
              c:\program files\AVG\AVG9\avgcsrvx.exe
              c:\windows\system32\wscntfy.exe
              c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
              .
              **************************************************************************
              .
              Completion time: 2010-05-04  21:51:07 - machine was rebooted
              ComboFix-quarantined-files.txt  2010-05-05 02:51

              Pre-Run: 78,300,327,936 bytes free
              Post-Run: 78,216,916,992 bytes free

              WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

              - - End Of File - - 285D74C3179E177ACF42BB9D282EADC5

              evilfantasy

              • Malware Removal Specialist


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: Generic12 Clicker Advertisement Service Backdoor Trojan
              « Reply #9 on: May 04, 2010, 09:41:14 PM »
              Quote
              AVG was removed from tray and other things moved around through this ordeal

              Let me know how the computer is running and if AVG comes back after this next set of instructions.

              Quote
              c:\documents and settings\SUSAN TORK\My Documents\Downloads\ComboFix.exe

              ComboFix needs to be on the desktop. Go to your Downloads folder and right click on ComboFix then choose Cut. Go to the desktop and right click then choose Paste.

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Folder::
              c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
              c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF

              File::
              c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

              RenV::
              c:\program files\AVG\AVG9\avgtray .exe
              c:\program files\DivX\DivX Update\divxupdate .exe
              c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
              c:\program files\Hewlett-Packard\HP Software Update\hpwuschd .exe
              c:\program files\HP\hpcoretech\hpcmpmgr .exe
              c:\program files\iTunes\ituneshelper .exe
              c:\program files\Lenovo\Energy Management\energy management .exe
              c:\program files\Lenovo\Energy Management\utility .exe
              c:\program files\Microsoft ActiveSync\wcescomm .exe
              c:\program files\QuickTime\qttask .exe
              c:\program files\Spybot - Search & Destroy\teatimer .exe
              c:\windows\BisonC07\bisonm07 .exe
              c:\windows\system32\spool\drivers\w32x86\3\hpztsb09 .exe

              Registry::
              [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]


              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

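A triage script for ComboFix log entries like the ones posted above, added here as an example (it is not part of this thread and not ComboFix's own tooling). It parses both the timestamped "created . modified size attrs path" entries and bare path lines, flags the four kinds of artifacts the CFScript in this reply removes (an executable renamed with a space before ".exe", a random lowercase folder under Local Settings\Application Data, a 32-hex-character folder under Application Data, and a freshly written DLL in the print-processor directory), and reports how tightly the flagged items' creation times cluster. The flag names, the folder-name thresholds and the created-equals-modified rule are assumptions of this example; the sample lines are copied from the log earlier in the thread.

```python
"""Heuristic triage of ComboFix log entries (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One "Find3M" / new-files entry: "<created> . <modified>   <size|-----> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]+)\s+(?P<path>.+?)\s*$"
)
BARE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")          # lines such as "c:\...\avgtray .exe"

# Heuristics (assumed thresholds, tuned to what this thread's log shows).
SPACE_EXT_RE = re.compile(r"\s\.(exe|dll|sys|scr|com)$", re.IGNORECASE)
RANDOM_DIR_RE = re.compile(r"^[a-z]{8,12}$")        # e.g. "vvxhxatin"
HEX_DIR_RE = re.compile(r"^[0-9A-Fa-f]{32}$")       # e.g. "0E6F0469...3747AF"
PRTPROCS = "\\spool\\prtprocs\\"


@dataclass
class Entry:
    created: str     # "" for bare path lines
    modified: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for a log entry or bare path; None for headers/separators."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        size = None if m["size"].startswith("-") else int(m["size"])
        return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])
    if BARE_PATH_RE.match(line):
        return Entry("", "", None, "", line)
    return None


def flags_for(e: Entry) -> List[str]:
    """Apply the four heuristics and return the names of those that fire."""
    flags: List[str] = []
    if SPACE_EXT_RE.search(e.name):
        flags.append("renamed-executable")
    if e.is_dir and RANDOM_DIR_RE.match(e.name) and \
            e.parent.endswith("local settings\\application data"):
        flags.append("random-name-dir")
    if e.is_dir and HEX_DIR_RE.match(e.name) and e.parent.endswith("\\application data"):
        flags.append("hex-name-dir")
    # Vendor-installed print processors keep an older modified time (copied file);
    # a DLL whose modified time equals its created time was written in place.
    if e.name.lower().endswith(".dll") and PRTPROCS in e.parent and \
            e.created and e.created == e.modified:
        flags.append("new-print-processor-dll")
    return flags


def triage(lines) -> List[Tuple[Entry, List[str]]]:
    """Parse every line and keep only entries that trigger at least one heuristic."""
    results = []
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            f = flags_for(e)
            if f:
                results.append((e, f))
    return results


def infection_window(results) -> Optional[Tuple[str, str]]:
    """Earliest and latest creation time among flagged, timestamped entries."""
    stamps = [e.created for e, _ in results if e.created]
    return (min(stamps), max(stamps)) if stamps else None


# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2010-05-04 03:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-03 17:46 . 2010-05-04 16:08   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
2010-05-03 17:45 . 2010-05-03 17:46   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF
2010-05-03 17:45 . 2010-05-03 17:45   107008   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll
2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
2010-04-15 00:07 . 2010-04-15 00:07   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\WMTools Downloaded Files
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\QuickTime\qttask .exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for entry, flags in hits:
        print(", ".join(flags).ljust(28), entry.path)
    print("creation window of flagged items:", infection_window(hits))
```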
              jsranchmn22

                Topic Starter


                Rookie

                Re: Generic12 Clicker Advertisement Service Backdoor Trojan
                « Reply #10 on: May 04, 2010, 09:59:39 PM »
                Caught me on that one. So much for verbatim :-[ I wasn't given an option on saving. That doesn't normally happen. Will do

                jsranchmn22


                  Re: Generic12 Clicker Advertisement Service Backdoor Trojan
                  « Reply #11 on: May 05, 2010, 10:59:38 AM »

Followed your instructions on Reply #9.

Cut and pasted ComboFix to the desktop.
Executed Notepad through Run.
Cut and pasted the code you posted.
Saved the txt file to the desktop and named it CFScript.txt.
Dragged the text file into ComboFix.

ComboFix ran and went through the stages but hung all night on preparing the log report, and the screen froze.

Turned off the computer this morning. Started back up. ComboFix did not resume.

Note: After the 1st ComboFix run (the one not saved on the desktop), icons on the desktop are all highlighted.

AVG not in tray. Internet slow. Not sure on redirecting.

                  jsranchmn22


                    Re: Generic12 Clicker Advertisement Service Backdoor Trojan
                    « Reply #12 on: May 05, 2010, 11:07:43 AM »
Found the log (meant to check before the last post):

                    ComboFix 10-05-04.04 - SUSAN TORK 05/05/2010   0:04:44.2.2 - x86
                    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.546 [GMT -5:00]
                    Running from: C:\Documents and Settings\SUSAN TORK\Desktop\ComboFix.exe
                    Command switches used :: C:\Documents and Settings\SUSAN TORK\Desktop\CFScript.txt
                    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

                    FILE ::
                    "c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll"
                    .

                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                    .

                    c:\documents and settings\SUSAN TORK\Application Data\0E6F04692F7986568160CFC22A3747AF
                    c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin
                    c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin\yrgxabwtssd .exe
                    c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

                    .
                    (((((((((((((((((((((((((   Files Created from 2010-04-05 to 2010-05-05  )))))))))))))))))))))))))))))))
                    .
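Added example, not ComboFix's code and not something posted in this thread: a small Python triage script that applies the checks a responder would run over the CFScript file list in Reply #9 and the ComboFix log in Reply #12 before and after a cleanup. The indicators it looks for are the ones visible on this page: executables named with a space before ".exe" sitting next to the real program (the pattern of every File:: entry in the script and of the deleted yrgxabwtssd .exe), a print-processor DLL under spool\prtprocs with a name made only of hex digits (b00001b44.dll; print processors are loaded by the Print Spooler service, which runs as SYSTEM, so a later log in this thread listing spoolsv.exe among the firewall's authorized applications is worth a look for the same reason), an executable dropped under Local Settings\Application Data in a directory that is not a known vendor, and the AV header reporting on-access scanning disabled. The vendor allow-list, the rule names and the SAMPLE_LOG lines are constructed for this example; the allow-list in particular is an assumption and should be adjusted per host.

```python
r"""Added triage helper for ComboFix-style log lines (example code).

Rules, in the order they are applied to each line:
  * av-on-access-disabled: the "AV:" header shows on-access scanning off;
  * companion-exe-space-before-ext: "name .exe" beside the real "name.exe";
  * print-processor-hex-name: a DLL under spool\prtprocs whose stem is only
    hex digits, i.e. a randomised name the spooler will load as SYSTEM;
  * exe-in-unknown-local-appdata-dir: an .exe under Local Settings\Application
    Data in a directory that is not on the vendor allow-list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for the example: vendors that legitimately keep executables
# under Local Settings\Application Data on this machine. Extend per host.
KNOWN_LOCAL_APPDATA_VENDORS = {"google", "yahoo!", "apple computer", "microsoft", "mozilla"}

WIN_PATH = re.compile(r'[a-z]:\\[^"]*', re.IGNORECASE)       # first drive-letter path on a line
SPACED_EXE = re.compile(r"\S \.exe$", re.IGNORECASE)         # "name .exe"
PRTPROC_DLL = re.compile(r"\\spool\\prtprocs\\[^\\]+\\([^\\]+)\.dll$", re.IGNORECASE)
LOCAL_APPDATA_EXE = re.compile(
    r"\\local settings\\application data\\([^\\]+)\\.+\.exe$", re.IGNORECASE)
HEX_STEM = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
AV_DISABLED = re.compile(r"^AV:.*\*On-access scanning disabled\*")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def extract_path(line: str) -> str | None:
    """Return the first drive-letter path on a log line, skipping the date,
    size and attribute columns ComboFix prints before it and any quoting."""
    m = WIN_PATH.search(line)
    return m.group(0).rstrip() if m else None


def triage_line(line: str) -> list[Finding]:
    line = line.strip()
    if AV_DISABLED.search(line):
        return [Finding("av-on-access-disabled", line)]
    path = extract_path(line)
    if path is None:
        return []
    findings: list[Finding] = []
    if SPACED_EXE.search(path):
        findings.append(Finding("companion-exe-space-before-ext", path))
    m = PRTPROC_DLL.search(path)
    if m and HEX_STEM.match(m.group(1)):
        findings.append(Finding("print-processor-hex-name", path))
    m = LOCAL_APPDATA_EXE.search(path)
    if m and m.group(1).lower() not in KNOWN_LOCAL_APPDATA_VENDORS:
        findings.append(Finding("exe-in-unknown-local-appdata-dir", path))
    return findings


def triage_log(text: str) -> list[Finding]:
    return [f for line in text.splitlines() for f in triage_line(line)]


# Constructed sample: lines in the shape of the CFScript and the ComboFix log
# posted in this thread, plus two benign control lines at the end.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll"
.
c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin\yrgxabwtssd .exe
c:\program files\iTunes\ituneshelper .exe
c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll
2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
"Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]
c:\program files\iTunes\ituneshelper.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

Run it against a saved ComboFix.txt by passing the file's contents to triage_log; the two control lines (Canon's CNMPP8U.DLL print processor and the real ituneshelper.exe) produce no findings, which is the point of the hex-stem and space-before-extension tests rather than a blanket match on the directory.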

                    evilfantasy

• Malware Removal Specialist
                    Re: Generic12 Clicker Advertisement Service Backdoor Trojan
                    « Reply #13 on: May 05, 2010, 04:06:32 PM »
                    That didn't work right.

                    Try it again please. Restart the computer just before dragging the CFScript into the CF icon.

                    jsranchmn22


                      Re: Generic12 Clicker Advertisement Service Backdoor Trojan
                      « Reply #14 on: May 05, 2010, 09:26:51 PM »
                      Log results:

                      ComboFix 10-05-05.04 - SUSAN TORK 05/05/2010  22:09:57.3.2 - x86
                      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.592 [GMT -5:00]
                      Running from: c:\documents and settings\SUSAN TORK\Desktop\ComboFix.exe
                      Command switches used :: c:\documents and settings\SUSAN TORK\Desktop\CFScript.txt
                      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

                      FILE ::
                      "c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll"
                      .

                      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      ---- Previous Run -------
                      .
                      c:\documents and settings\SUSAN TORK\Local Settings\Application Data\vvxhxatin\yrgxabwtssd .exe
                      c:\windows\system32\Spool\prtprocs\w32x86\b00001b44.dll

                      .
                      (((((((((((((((((((((((((   Files Created from 2010-04-06 to 2010-05-06  )))))))))))))))))))))))))))))))
                      .

                      2010-05-04 20:46 . 2010-05-04 20:46   --------   d-----w-   c:\program files\Trend Micro
                      2010-05-04 20:43 . 2010-05-04 20:43   --------   d-----w-   c:\program files\Common Files\Java
                      2010-05-04 20:42 . 2010-05-04 20:42   503808   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcp71.dll
                      2010-05-04 20:42 . 2010-05-04 20:42   499712   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\jmc.dll
                      2010-05-04 20:42 . 2010-05-04 20:42   348160   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5e3fe64e-n\msvcr71.dll
                      2010-05-04 20:42 . 2010-05-04 20:42   12800   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-d3d.dll
                      2010-05-04 20:42 . 2010-05-04 20:42   61440   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-529f682a-n\decora-sse.dll
                      2010-05-04 20:42 . 2010-04-12 22:29   411368   ----a-w-   c:\windows\system32\deployJava1.dll
                      2010-05-04 17:25 . 2010-05-04 17:25   63488   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                      2010-05-04 17:25 . 2010-05-04 17:25   52224   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                      2010-05-04 17:25 . 2010-05-04 17:25   117760   ----a-w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                      2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                      2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
                      2010-05-04 17:24 . 2010-05-04 17:24   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\SUPERAntiSpyware.com
                      2010-05-04 17:22 . 2010-05-04 17:22   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                      2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Malwarebytes
                      2010-05-04 03:45 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                      2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                      2010-05-04 03:45 . 2010-05-04 03:45   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                      2010-05-04 03:45 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                      2010-04-24 15:49 . 2010-04-24 15:49   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\MSNInstaller
                      2010-04-24 03:50 . 2010-04-24 03:50   360584   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
                      2010-04-24 03:50 . 2010-04-24 03:50   333192   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
                      2010-04-24 03:50 . 2010-04-24 03:50   28424   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
                      2010-04-21 23:29 . 2010-04-21 23:29   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\DivX
                      2010-04-21 23:17 . 2010-04-21 23:17   57344   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
                      2010-04-21 23:14 . 2010-04-21 23:10   754984   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
                      2010-04-21 23:14 . 2010-04-21 23:09   1180952   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
                      2010-04-21 23:10 . 2010-04-21 23:10   144696   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
                      2010-04-21 23:10 . 2010-04-21 23:14   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
                      2010-04-15 00:07 . 2010-04-15 00:07   --------   d-----w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\WMTools Downloaded Files
                      2010-04-10 15:35 . 2010-04-10 15:35   --------   d--h--w-   c:\documents and settings\All Users\Application Data\CanonBJ
                      2010-04-10 15:18 . 2007-04-02 10:00   69632   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPP8U.DLL
                      2010-04-10 15:18 . 2007-04-02 10:00   27136   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\CNMPD8U.DLL
                      2010-04-10 15:18 . 2008-02-06 10:00   216064   ----a-w-   c:\windows\system32\CNMLM8U.DLL
                      2010-04-10 15:18 . 2010-04-10 15:18   --------   d--h--w-   c:\windows\system32\CanonIJ Uninstaller Information
                      2010-04-10 15:18 . 2007-03-15 19:12   188416   ----a-w-   c:\windows\system32\CNC470O.DLL
                      2010-04-10 15:18 . 2007-03-23 21:30   1400832   ----a-w-   c:\windows\system32\CNC470C.DLL
                      2010-04-10 15:18 . 2007-03-23 21:29   98304   ----a-w-   c:\windows\system32\CNC470I.DLL
                      2010-04-10 15:18 . 2007-03-19 15:21   200704   ----a-w-   c:\windows\system32\CNC470L.DLL
                      2010-04-10 15:17 . 2010-04-10 15:17   --------   d--h--w-   c:\program files\CanonBJ
                      2010-04-09 16:40 . 2010-05-05 05:12   --------   d-----w-   c:\program files\QuickTime

                      .
                      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      2010-05-05 21:50 . 2010-03-13 05:50   0   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\prvlcl.dat
                      2010-05-05 05:12 . 2010-03-12 07:02   --------   d-----w-   c:\program files\Microsoft ActiveSync
                      2010-05-05 05:12 . 2010-02-07 19:00   --------   d-----w-   c:\program files\iTunes
                      2010-05-05 05:12 . 2009-09-26 05:34   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                      2010-05-04 20:41 . 2009-08-27 00:07   --------   d-----w-   c:\program files\Java
                      2010-05-04 05:56 . 2009-06-18 20:32   664   ----a-w-   c:\windows\system32\d3d9caps.dat
                      2010-05-04 02:21 . 2009-12-08 04:44   --------   d-----w-   c:\program files\CCleaner
                      2010-04-24 03:50 . 2010-03-06 23:11   242896   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                      2010-04-24 03:50 . 2009-09-01 14:57   29512   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                      2010-04-24 03:48 . 2009-09-01 14:57   216200   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                      2010-04-24 03:02 . 2010-04-24 03:23   244142   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
                      2010-04-21 23:14 . 2010-04-21 23:14   56766   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   57054   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   53600   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:12   --------   d-----w-   c:\program files\DivX
                      2010-04-21 23:14 . 2010-04-21 23:14   54166   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   57532   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   56458   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   54174   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   57409   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
                      2010-04-21 23:14 . 2010-04-21 23:14   52963   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
                      2010-04-21 23:13 . 2010-04-21 23:13   54073   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
                      2010-04-21 23:13 . 2010-04-21 23:13   --------   d-----w-   c:\program files\Common Files\DivX Shared
                      2010-04-21 23:13 . 2010-04-21 23:13   56969   ----a-w-   c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
                      2010-04-21 23:00 . 2010-02-07 19:01   --------   d-----w-   c:\documents and settings\SUSAN TORK\Application Data\Apple Computer
                      2010-04-17 20:29 . 2009-08-10 23:36   --------   d-----w-   c:\program files\Google
                      2010-04-15 00:45 . 2009-05-04 11:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
                      2010-04-10 05:13 . 2010-04-03 00:13   165312   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                      2010-04-02 23:09 . 2009-06-18 20:31   72040   ----a-w-   c:\documents and settings\SUSAN TORK\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                      2010-03-11 12:38 . 2004-08-04 20:00   832512   ----a-w-   c:\windows\system32\wininet.dll
                      2010-03-11 12:38 . 2004-08-04 20:00   78336   ----a-w-   c:\windows\system32\ieencode.dll
                      2010-03-11 12:38 . 2004-08-04 20:00   17408   ----a-w-   c:\windows\system32\corpol.dll
                      2010-03-09 11:09 . 2004-08-04 20:00   430080   ------w-   c:\windows\system32\vbscript.dll
                      2010-03-08 17:59 . 2010-03-08 17:59   94208   ----a-w-   c:\windows\system32\dpl100.dll
                      2010-02-24 13:11 . 2004-08-04 20:00   455680   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
                      2010-02-19 19:27 . 2010-02-19 19:27   720384   ----a-w-   c:\windows\system32\DivX.dll
                      2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
                      2010-02-19 19:27 . 2010-02-19 19:27   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
                      2010-02-19 19:27 . 2010-02-19 19:27   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
                      2010-02-19 19:27 . 2010-02-19 19:27   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
                      2010-02-19 19:27 . 2010-02-19 19:27   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
                      2010-02-16 14:08 . 2004-08-04 20:00   2146304   ----a-w-   c:\windows\system32\ntoskrnl.exe
                      2010-02-16 13:25 . 2004-08-04 06:59   2024448   ----a-w-   c:\windows\system32\ntkrnlpa.exe
                      2010-02-12 04:33 . 2004-08-04 20:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
                      2010-02-11 12:02 . 2004-08-04 20:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
                      .

                      (((((((((((((((((((((((((((((   SnapShot@2010-05-05_02.46.20   )))))))))))))))))))))))))))))))))))))))))
                      .
                      + 2010-05-06 03:17 . 2010-05-06 03:17   16384              c:\windows\temp\Perflib_Perfdata_6f8.dat
                      .
                      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                      .
                      .
                      *Note* empty entries & legit default entries are not shown
                      REGEDIT4

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
                      @="{771C7324-DA80-49D3-8017-753B0AF60951}"
                      [HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
                      2009-06-06 14:52   241752   ----a-w-   c:\windows\system32\IcnOvrly.dll

                      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "Google Update"="c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-18 136176]

                      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                      "Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
                      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

                      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                      2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
                      @="Driver"

                      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ID Vault.lnk]
                      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ID Vault.lnk
                      backup=c:\windows\pss\ID Vault.lnkCommon Startup

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
                      2008-12-02 18:34   35184   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
                      2008-02-28 07:00   166424   ----a-w-   c:\windows\system32\hkcmd.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IdeaNotesUser]
                      2009-08-24 14:15   221872   ----a-w-   c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGUser.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
                      2008-02-28 07:00   141848   ----a-w-   c:\windows\system32\igfxtray.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
                      2008-02-28 07:00   137752   ----a-w-   c:\windows\system32\igfxpers.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
                      2009-03-24 11:10   17567744   ----a-w-   c:\windows\RTHDCPL.EXE

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
                      2009-04-09 13:13   1512744   ----a-w-   c:\program files\Synaptics\SynTP\SynTPEnh.exe

                      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager]
                      2009-06-06 14:52   323584   ----a-w-   c:\program files\Lenovo\VeriFaceIII\PManage.exe

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                      "%windir%\\system32\\sessmgr.exe"=
                      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                      "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                      "c:\\Program Files\\iTunes\\iTunes.exe"=
                      "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                      "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
                      "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
                      "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
                      "c:\\WINDOWS\\system32\\spoolsv.exe"=

                      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                      "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

                      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/1/2009 9:57 AM 216200]
                      R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/6/2010 6:11 PM 242896]
                      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
                      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
                      R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 10:50 PM 308064]
                      R2 DDNIMSGService;DDNIMSGService;c:\program files\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [1/17/2009 1:59 AM 172720]
                      R2 DDNIService;DDNIService;c:\program files\DDNI\DIBS\DDNIService.exe [5/4/2009 6:52 AM 160432]
                      R2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [3/25/2009 9:20 PM 315392]
                      R2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe [5/4/2009 6:17 AM 430080]
                      R2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/4/2009 6:17 AM 48192]
                      R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [6/6/2009 9:56 AM 9472]
                      S2 gupdate1ca1a13d4570dfa;Google Update Service (gupdate1ca1a13d4570dfa);c:\program files\Google\Update\GoogleUpdate.exe [8/10/2009 6:39 PM 133104]
                      S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/4/2009 6:10 AM 1684736]
                      S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys --> c:\windows\system32\Drivers\RtsUStor.sys [?]
                      S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
                      S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [5/4/2009 6:17 AM 81192]
                      .
                      Contents of the 'Scheduled Tasks' folder

                      2010-05-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
                      - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 07:54]

                      2010-05-06 c:\windows\Tasks\Google Software Updater.job
                      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-10 23:36]

                      2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                      - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                      2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                      - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-10 23:39]

                      2010-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-409764278-1039016446-177758585-1008Core.job
                      - c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-04 15:08]

                      2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{E0937533-BB98-490D-955D-A0280C0E943C}.job
                      - c:\windows\system32\msfeedssync.exe [2009-05-04 10:36]
                      .
                      .
                      ------- Supplementary Scan -------
                      .
                      uInternet Connection Wizard,ShellNext = hxxp://lenovo.live.com/
                      uInternet Settings,ProxyOverride = *.local
                      IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
                      IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
                      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                      FF - ProfilePath - c:\documents and settings\SUSAN TORK\Application Data\Mozilla\Firefox\Profiles\s3wyq629.default\
                      FF - prefs.js: browser.search.selectedEngine - Google (Language: EN)
                      FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
                      FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
                      FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
                      FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                      FF - plugin: c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
                      FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
                      FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
                      FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
                      FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                      ---- FIREFOX POLICIES ----
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
                      c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
                      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
                      c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
                      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
                      .

                      **************************************************************************

                      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                      Rootkit scan 2010-05-05 22:21
                      Windows 5.1.2600 Service Pack 3 NTFS

                      scanning hidden processes ... 

                      scanning hidden autostart entries ...

                      scanning hidden files ... 

                      scan completed successfully
                      hidden files: 0

                      **************************************************************************
                      .
                      --------------------- LOCKED REGISTRY KEYS ---------------------

                      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
                      @DACL=(02 0000)
                      "AVG8_TRAY"="c:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"

                      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
                      @DACL=(02 0000)
                      "Installed"="1"
                      @=""

                      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
                      @DACL=(02 0000)
                      "NoChange"="1"
                      "Installed"="1"
                      @=""

                      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
                      @DACL=(02 0000)
                      "Installed"="1"
                      @=""
                      .
                      --------------------- DLLs Loaded Under Running Processes ---------------------

                      - - - - - - - > 'winlogon.exe'(688)
                      c:\program files\SUPERAntiSpyware\SASWINLO.dll
                      c:\windows\system32\WININET.dll

                      - - - - - - - > 'explorer.exe'(3704)
                      c:\windows\system32\WININET.dll
                      c:\windows\system32\IcnOvrly.dll
                      c:\windows\system32\ieframe.dll
                      c:\windows\system32\WPDShServiceObj.dll
                      c:\windows\system32\PortableDeviceTypes.dll
                      c:\windows\system32\PortableDeviceApi.dll
                      .
                      ------------------------ Other Running Processes ------------------------
                      .
                      c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                      c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
                      c:\program files\Bonjour\mDNSResponder.exe
                      c:\program files\Java\jre6\bin\jqs.exe
                      c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
                      c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
                      c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
                      c:\program files\AVG\AVG9\avgnsx.exe
                      c:\program files\AVG\AVG9\avgrsx.exe
                      c:\program files\AVG\AVG9\avgchsvx.exe
                      c:\program files\AVG\AVG9\avgcsrvx.exe
                      c:\windows\system32\wscntfy.exe
                      c:\documents and settings\SUSAN TORK\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
                      .
                      **************************************************************************
                      .
                      Completion time: 2010-05-05  22:23:33 - machine was rebooted
                      ComboFix-quarantined-files.txt  2010-05-06 03:23
                      ComboFix2.txt  2010-05-05 02:51

                      Pre-Run: 78,175,629,312 bytes free
                      Post-Run: 78,145,376,256 bytes free

                      - - End Of File - - 45FDEF245E014C74F520869ACADD4897