
Author Topic: Lost access to router  (Read 17595 times)


ronymaxwell

    Topic Starter


    Beginner

    Thanked: 1
    Lost access to router
    « on: September 03, 2010, 02:31:50 PM »
    I can usually access details and settings for my Netgear router by entering the IP address.  When I try it now, I get a heading 'Settings' but otherwise a blank page.  I've also found that a mysterious extra subscription to my McAfee security software has been taken out; I know nothing of it.  It appears to be registered to an IP address similar to my router, but ending .0.2 instead of .0.1 which I cannot access.  Have I got a problem here?

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Lost access to router
    « Reply #1 on: September 05, 2010, 07:01:02 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    The first thing I will need you to do is to go to this link and follow the directions precisely. If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. If you can't run any step, just jump to the next one. Please let me know how you are doing or have any questions. Initially, I will need the SuperAntiSpyware, MBAM and HJT logs. Please post any logs that you can generate.
    Windows 8 and Windows 10 dual boot with two SSD's

    ronymaxwell

      Topic Starter


      Beginner

      Thanked: 1
      Re: Lost access to router
      « Reply #2 on: September 17, 2010, 05:46:34 AM »
      Sorry I've been so long - work commitments kept me busy.  I've now started following your instructions and will post when it's done.

      ronymaxwell

        Topic Starter


        Beginner

        Thanked: 1
        Re: Lost access to router
        « Reply #3 on: September 17, 2010, 03:23:37 PM »
        I used CCleaner as instructed.  Now the resulting log of SUPERAntiSpyware.
        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 09/17/2010 at 07:28 PM

        Application Version : 4.43.1000

        Core Rules Database Version : 5523
        Trace Rules Database Version: 3335

        Scan type       : Complete Scan
        Total Scan Time : 08:37:21

        Memory items scanned      : 607
        Memory threats detected   : 0
        Registry items scanned    : 9182
        Registry threats detected : 0
        File items scanned        : 734460
        File threats detected     : 11

        Adware.Tracking Cookie
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][1].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\ronald_maxwell@imrworldwide[2].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][2].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][1].txt
           C:\My Backup -- 06-12-30 0837PM\Documents and Settings\Ronald Maxwell\Cookies\[email protected][2].txt
           C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt

        Browser Hijacker.Favorites
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC32.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC33.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC34.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC35.URL
           C:\MY BACKUP -- 07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\DC36.URL
        I will continue the next stage tomorrow.

        ronymaxwell

          Topic Starter


          Beginner

          Thanked: 1
          Re: Lost access to router
          « Reply #4 on: September 17, 2010, 03:41:11 PM »
          result of MBAM
          Malwarebytes' Anti-Malware 1.46
          www.malwarebytes.org

          Database version: 4640

          Windows 6.0.6002 Service Pack 2
          Internet Explorer 8.0.6001.18943

          17/09/2010 23:03:50
          mbam-log-2010-09-17 (23-03-50).txt

          Scan type: Quick scan
          Objects scanned: 141834
          Time elapsed: 9 minute(s), 4 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          ronymaxwell

            Topic Starter


            Beginner

            Thanked: 1
            Re: Lost access to router
            « Reply #5 on: September 17, 2010, 03:45:10 PM »
            Congratulations!
            You have the recommended Java installed (Version 6 Update 21).


            ronymaxwell

              Topic Starter


              Beginner

              Thanked: 1
              Re: Lost access to router
              « Reply #6 on: September 17, 2010, 03:55:38 PM »
              Logfile of Trend Micro HijackThis v2.0.4
              Scan saved at 23:20:54, on 17/09/2010
              Platform: Windows Vista SP2 (WinNT 6.00.1906)
              MSIE: Internet Explorer v8.00 (8.00.6001.18943)
              Boot mode: Normal

              Running processes:
              C:\Windows\system32\Dwm.exe
              C:\Windows\Explorer.EXE
              C:\Windows\system32\taskeng.exe
              C:\Windows\System32\mobsync.exe
              C:\Windows\sttray.exe
              C:\Program Files\Common Files\aol\1247602731\ee\aolsoftware.exe
              C:\Program Files\Windows Media Player\wmpnscfg.exe
              C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
              C:\Program Files\Microsoft Security Essentials\msseces.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\Program Files\Common Files\Java\Java Update\jusched.exe
              C:\Program Files\Windows Sidebar\sidebar.exe
              C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
              C:\Windows\ehome\ehtray.exe
              C:\Windows\ehome\ehmsas.exe
              C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
              C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
              C:\Windows\system32\wuauclt.exe
              C:\Windows\system32\NOTEPAD.EXE
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
              C:\Program Files\Internet Explorer\iexplore.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
              C:\Windows\system32\DllHost.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
              R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
              R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
              O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
              O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
              O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
              O2 - BHO: MFS BHO - {3CD63CF3-CE57-44FC-92A1-96E928676C37} - C:\Program Files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll
              O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
              O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
              O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
              O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
              O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
              O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
              O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O3 - Toolbar: MFS Toolbar - {FEE0CAF5-403B-480D-B7DF-71EE63E4F166} - C:\Program Files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll
              O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
              O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
              O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
              O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
              O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
              O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
              O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
              O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1247602731\ee\AOLSoftware.exe
              O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
              O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
              O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
              O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
              O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
              O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
              O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
              O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
              O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
              O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
              O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
              O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
              O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
              O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
              O15 - Trusted Zone: http://*.mcafee.com
              O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
              O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
              O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
              O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
              O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
              O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
              O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
              O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
              O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
              O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
              O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
              O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
              O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
              O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

              --
              End of file - 10659 bytes

              ronymaxwell

                Topic Starter


                Beginner

                Thanked: 1
                Re: Lost access to router
                « Reply #7 on: September 18, 2010, 04:19:22 AM »
                Should I use the HJT process tool?

                The HJT log suggests I have no active firewall, yet my McAfee security centre shows the firewall as working.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Lost access to router
                « Reply #8 on: September 18, 2010, 01:27:52 PM »
                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
                O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
                O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

                Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
                O15 - Trusted Zone: http://*.mcafee.com

                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.
                ************************************

                Please download ComboFix from BleepingComputer.com

                Alternate link: GeeksToGo.com

                Rename ComboFix.exe to commy.exe before you save it to your Desktop
                Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
                Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
                As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
                When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

                If you have problems with ComboFix usage, see How to use ComboFix
                *******************************
                Download Security Check by screen317 from one of the following links and save it to your desktop.

                Link 1
                Link 2

                * Unzip SecurityCheck.zip and a folder named Security Check should appear.
                * Open the Security Check folder and double-click Security Check.bat
                * Follow the on-screen instructions inside of the black box.
                * A Notepad document should open automatically called checkup.txt
                * Post the contents of that document in your next reply.

                Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                Windows 8 and Windows 10 dual boot with two SSD's
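Added example, not part of the original posts or of HijackThis itself: a small triage script that parses HijackThis log lines and lists the two kinds of entry Reply #8 deals with, registrations whose target is marked "(file missing)" or "(no file)", and O15 Trusted Zone sites. The sample lines are copied from the log in Reply #6; the function names and flag labels are hypothetical, and the output is a review list that is broader than the entries the helper actually asked to fix.

```python
import re
from collections import namedtuple

# One parsed HijackThis entry: section code (R0, O2, O15, ...), the entry
# kind (BHO, Service, Trusted Zone, ...), the remaining text, and review flags.
Entry = namedtuple("Entry", "section kind detail flags")

# Sample input: lines copied from the HijackThis log posted in Reply #6,
# plus header lines that the parser is expected to skip.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AppRanger IE Sandbox - {1ec7abb1-e555-404b-901c-6d24af4ce44d} - C:\Program Files\AppRanger\TSBoxIE.dll (file missing)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Entry lines start with a section code, then " - ".
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends one of these markers when the registered file is absent.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")


def parse_hjt(text):
    """Return an Entry for every section line; skip headers and process paths."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        kind, sep, rest = body.partition(": ")
        if not sep:  # R0/R1 style lines carry no "Kind: " prefix
            kind, rest = "", body
        flags = []
        if ORPHAN_RE.search(rest):
            # Registry still references a component that is not on disk.
            flags.append("orphaned")
        if section == "O15" and kind == "Trusted Zone":
            flags.append("trusted-zone")
            host = rest.split("://", 1)[-1]
            if host.startswith("*."):
                flags.append("wildcard")    # covers every subdomain
            if rest.lower().startswith("http://"):
                flags.append("plain-http")  # trust granted over unencrypted HTTP
        entries.append(Entry(section, kind, rest.strip(), tuple(flags)))
    return entries


def review_list(entries):
    """Entries a helper would want to look at before deciding what to fix."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review_list(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section:<4} {','.join(e.flags):<34} {e.kind}: {e.detail}")
```

An "orphaned" flag only means the registration points at nothing; whether to remove it is still a judgement call, which is why the reply above selects some of these entries and leaves others.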

                ronymaxwell

                  Topic Starter


                  Beginner

                  Thanked: 1
                  Re: Lost access to router
                  « Reply #9 on: September 19, 2010, 03:00:55 PM »
                  System scan completed.
                  ComboFix log:-
                  ComboFix 10-09-17.04 - Ron 19/09/2010  21:39:32.2.2 - x86
                  Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3069.1931 [GMT 1:00]
                  Running from: c:\users\Ron\Desktop\commy.exe
                  Command switches used :: /stepdel
                  SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                  SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                  .

                  (((((((((((((((((((((((((   Files Created from 2010-08-19 to 2010-09-19  )))))))))))))))))))))))))))))))
                  .

                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Ron\AppData\Local\temp
                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Public\AppData\Local\temp
                  2010-09-19 20:49 . 2010-09-19 20:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Malwarebytes
                  2010-09-17 21:53 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\programdata\Malwarebytes
                  2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-09-17 21:53 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com
                  2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                  2010-09-17 09:43 . 2010-09-17 21:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\users\Ron\AppData\Roaming\Yahoo!
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\programdata\Yahoo! Companion
                  2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\program files\Yahoo!
                  2010-09-17 09:29 . 2010-09-17 09:30   --------   d-----w-   c:\program files\CCleaner
                  2010-09-17 07:47 . 2010-04-16 16:46   502272   ----a-w-   c:\windows\system32\usp10.dll
                  2010-09-17 07:47 . 2010-08-17 14:11   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                  2010-09-17 07:47 . 2010-04-05 17:02   317952   ----a-w-   c:\windows\system32\MP4SDECD.DLL
                  2010-09-17 07:47 . 2010-05-27 20:08   739328   ----a-w-   c:\windows\system32\inetcomm.dll
                  2010-09-09 21:00 . 2010-09-09 21:00   --------   d-sh--w-   c:\windows\system32\%APPDATA%
                  2010-09-06 11:17 . 2010-09-06 11:17   --------   d-----w-   c:\program files\Common Files\Java
                  2010-09-04 09:48 . 2010-09-04 09:48   --------   d-----w-   c:\program files\iPod
                  2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                  2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\program files\iTunes
                  2010-09-04 09:46 . 2010-09-04 09:46   --------   d-----w-   c:\program files\QuickTime
                  2010-09-04 09:42 . 2010-09-04 09:42   --------   d-----w-   c:\program files\Bonjour
                  2010-08-27 14:15 . 2010-08-27 14:15   --------   d-----w-   c:\program files\Microsoft Security Essentials
                  2010-08-27 14:11 . 2010-06-01 17:37   221568   ------w-   c:\windows\system32\MpSigStub.exe

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-09-19 20:18 . 2010-06-24 06:29   34709   ----a-w-   c:\programdata\nvModes.dat
                  2010-09-18 08:50 . 2009-07-15 13:51   12   ----a-w-   c:\windows\bthservsdp.dat
                  2010-09-17 22:32 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                  2010-09-17 22:15 . 2010-09-17 22:15   388096   ----a-r-   c:\users\Ron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                  2010-09-17 21:42 . 2010-09-17 09:43   63488   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                  2010-09-17 21:42 . 2010-09-17 09:43   117760   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2010-09-17 09:43 . 2010-09-17 09:43   52224   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                  2010-09-13 09:42 . 2009-05-17 18:30   --------   d-----w-   c:\program files\Microsoft Silverlight
                  2010-09-09 19:36 . 2009-11-06 11:28   1   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
                  2010-09-06 11:17 . 2009-07-06 10:58   --------   d-----w-   c:\program files\Java
                  2010-09-06 11:16 . 2010-09-06 11:14   10787840   ----a-w-   c:\users\Ron\AppData\Roaming\Adobe\Acrobat\7.0\Updater\AcroProUpd710_all_cum.exe
                  2010-09-04 09:48 . 2009-11-13 18:45   --------   d-----w-   c:\program files\Common Files\Apple
                  2010-09-04 09:39 . 2010-09-04 09:39   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
                  2010-08-14 21:06 . 2009-07-19 15:39   300384   ----a-w-   c:\users\Ron\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
                  2010-08-13 14:06 . 2010-08-13 06:10   --------   d-----w-   c:\program files\Common Files\ParetoLogic
                  2010-08-13 12:16 . 2009-05-03 04:20   176200   ----a-w-   c:\users\Ron\AppData\Local\GDIPFONTCACHEV1.DAT
                  2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\users\Ron\AppData\Roaming\AdobeUM
                  2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\program files\Common Files\Java(0)
                  2010-08-13 06:30 . 2009-05-05 21:40   --------   d-----w-   c:\program files\Common Files\Adobe
                  2010-08-13 06:17 . 2009-05-05 21:42   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                  2010-08-13 06:17 . 2009-09-27 21:39   38784   ----a-w-   c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                  2010-08-13 06:17 . 2009-09-27 20:41   38784   ----a-w-   c:\users\Ron\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                  2010-08-13 06:10 . 2010-08-13 06:10   --------   d-----w-   c:\programdata\FileCure
                  2010-08-08 18:48 . 2010-08-08 18:48   568832   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcp90.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   686080   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   655872   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcr90.dll
                  2010-08-08 18:48 . 2010-08-08 18:48   583168   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\xpdfimport.exe
                  2010-08-08 18:48 . 2010-08-08 18:48   224768   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcm90.dll
                  2010-08-08 18:42 . 2009-11-06 11:24   --------   d-----w-   c:\program files\OpenOffice.org 3
                  2010-07-27 17:44 . 2010-07-27 17:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   197920   ----a-w-   c:\windows\system32\dnssdX.dll
                  2010-07-27 17:44 . 2010-07-27 17:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                  2010-07-17 04:00 . 2010-05-17 12:09   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                  2010-06-26 06:05 . 2010-08-11 12:06   916480   ----a-w-   c:\windows\system32\wininet.dll
                  2010-06-26 06:02 . 2010-08-11 12:06   71680   ----a-w-   c:\windows\system32\iesetup.dll
                  2010-06-26 06:02 . 2010-08-11 12:06   109056   ----a-w-   c:\windows\system32\iesysprep.dll
                  2010-06-26 04:25 . 2010-08-11 12:06   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
                  .

                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CD63CF3-CE57-44FC-92A1-96E928676C37}]
                  2008-08-19 16:19   110592   ----a-w-   c:\program files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                  "{FEE0CAF5-403B-480D-B7DF-71EE63E4F166}"= "c:\program files\MyFaveShop\MyFaveShop Toolbar\ToolBar.dll" [2008-08-19 110592]

                  [HKEY_CLASSES_ROOT\clsid\{fee0caf5-403b-480d-b7df-71ee63e4f166}]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                  "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
                  "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
                  "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
                  "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
                  "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2004-11-22 307200]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                  "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
                  "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
                  "SigmatelSysTrayApp"="sttray.exe" [2007-03-29 303104]
                  "HostManager"="c:\program files\Common Files\AOL\1247602731\ee\AOLSoftware.exe" [2006-11-14 50736]
                  "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
                  "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
                  "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
                  "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

                  c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                  Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2010-8-13 25214]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                  "EnableUIADesktopToggle"= 0 (0x0)

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                  @=""

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                  @="Service"

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                  @="Service"

                  R1 apprngr;AppRanger Scan Driver;c:\windows\system32\Drivers\apprngr.sys

                  R2 apprngr_svc;AppRanger Service;c:\program files\AppRanger\SWSvc.exe

                  R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                  R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
                  R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
                  R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                  S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
                  S0 npf;npf Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
                  S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                  S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                  S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]


                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                  bthsvcs   REG_MULTI_SZ      BthServ
                  LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                  2010-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                  2010-09-17 c:\windows\Tasks\ParetoLogic Registration3.job
                  - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

                  2010-08-13 c:\windows\Tasks\ParetoLogic Update Version3.job
                  - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

                  2010-09-19 c:\windows\Tasks\User_Feed_Synchronization-{AAD29C0A-613E-42B8-9812-D1A798192E3F}.job
                  - c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://www.google.co.uk/
                  mStart Page = hxxp://www.voover.com/
                  uInternet Settings,ProxyOverride = *.local
                  uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                  IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                  IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                  IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                  IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                  Trusted Zone: internet
                  Trusted Zone: mcafee.com
                  .
                  - - - - ORPHANS REMOVED - - - -

                  AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-09-19 21:49
                  Windows 6.0.6002 Service Pack 2 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                  @Denied: (A 2) (Everyone)
                  @="FlashBroker"
                  "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                  "Enabled"=dword:00000001

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                  @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                  @Denied: (A 2) (Everyone)
                  @="IFlashBroker4"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                  @="{00020424-0000-0000-C000-000000000046}"

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                  @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                  "Version"="1.0"

                  [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                  @Denied: (A) (Users)
                  @Denied: (A) (Everyone)
                  @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                  "BlindDial"=dword:00000000
                  .
                  Completion time: 2010-09-19  21:56:25
                  ComboFix-quarantined-files.txt  2010-09-19 20:56
                  ComboFix2.txt  2010-08-27 13:47

                  Pre-Run: 61,592,264,704 bytes free
                  Post-Run: 61,036,335,104 bytes free

                  - - End Of File - - 8DB0100A34BAFFC4334C448BA95E1272

                  ronymaxwell

                    Re: Lost access to router
                    « Reply #10 on: September 19, 2010, 03:05:02 PM »
                    checkup.txt:-
                     Results of screen317's Security Check version 0.99.5 
                     Windows Vista Service Pack 2 (UAC is enabled)
                     Internet Explorer 8 
                    ``````````````````````````````
                    Antivirus/Firewall Check:

                     Windows Firewall Enabled! 
                     Microsoft Security Essentials   
                     WMI entry may not exist for antivirus; attempting automatic update.
                     Microsoft Security Essentials successfully updated!
                    ```````````````````````````````
                    Anti-malware/Other Utilities Check:

                     Malwarebytes' Anti-Malware   
                     CCleaner     
                     Java(TM) 6 Update 21 
                     Adobe Flash Player 10.0.22.87 
                    Adobe Reader 9.1.1
                    Out of date Adobe Reader installed!
                    ````````````````````````````````
                    Process Check: 
                    objlist.exe by Laurent

                     Windows Defender MSMpEng.exe
                     Microsoft Security Essentials msseces.exe
                    ````````````````````````````````
                    DNS Vulnerability Check:

                     GREAT! (Not vulnerable to DNS cache poisoning)

                    ``````````End of Log````````````

                    SuperDave

                    Re: Lost access to router
                    « Reply #11 on: September 19, 2010, 05:35:02 PM »
                    Have you tried resetting your router?

                    Please download the newest version of Adobe Acrobat Reader from Adobe.com

                    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
                    Go to the Control Panel and enter Add or Remove Programs.
                    Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

                    Once old versions are gone, please install the newest version.
                    **************************************
                    Re-running ComboFix to remove infections:

                    • Close any open browsers.
                    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                    • Open notepad and copy/paste the text in the quotebox below into it:
                      Quote
                      KillAll::

                      DDS::
                      Trusted Zone: internet
                      Trusted Zone: mcafee.com

                    • Save this as CFScript.txt, in the same location as ComboFix.exe



                    • Referring to the picture above, drag CFScript into ComboFix.exe
                    • When finished, it shall produce a log for you at C:\ComboFix.txt
                    • I don't need to see the log from this script.
                    ********************************
                    I'd like to scan your machine with ESET OnlineScan

                    •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                    ESET OnlineScan
                    •Click the button.
                    •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                    • Click on to download the ESET Smart Installer. Save it to your desktop.
                    • Double click on the icon on your desktop.
                    •Check
                    •Click the button.
                    •Accept any security warnings from your browser.
                    •Check
                    •Push the Start button.
                    •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                    •When the scan completes, push
                    •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                    •Push the button.
                    •Push
                    A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                    Windows 8 and Windows 10 dual boot with two SSD's

                    ronymaxwell

                      Re: Lost access to router
                      « Reply #12 on: September 22, 2010, 06:54:52 AM »
                      I was able to reset my router, but when I had re-entered the username and password to connect to my ISP, the router info and settings became inaccessible again.

                      ronymaxwell

                        Re: Lost access to router
                        « Reply #13 on: September 22, 2010, 07:17:35 AM »
                        Adobe Acrobat Reader downloaded, other versions removed.

                        ronymaxwell

                          Re: Lost access to router
                          « Reply #14 on: September 22, 2010, 08:00:05 AM »
                          ComboFix run as instructed.

                          ronymaxwell

                            Re: Lost access to router
                            « Reply #15 on: September 22, 2010, 03:02:09 PM »
                            ESET Log
                            C:\System Volume Information\_restore{C5F4720D-C49C-4992-B306-4B61FC2D2738}\RP13\A0001264.dll   probably a variant of Win32/Adware.Agent.HKHEDNL application   cleaned by deleting - quarantined
                            C:\Users\Ron\Downloads\install_7z903.exe   VBS/StartPage.NCM.Gen trojan   deleted - quarantined

                            SuperDave

                            Re: Lost access to router
                            « Reply #16 on: September 22, 2010, 04:23:20 PM »
                            How's your computer running now?
                            Windows 8 and Windows 10 dual boot with two SSD's

                            ronymaxwell

                              Re: Lost access to router
                              « Reply #17 on: September 23, 2010, 05:42:57 AM »
                              It seems to be running well now, and noticeably quicker.  I can now access my router page.  I'm still slightly concerned about the other IP address though.  I've copied this from the router info.
                              Attached Devices
                               
                              # 1
                              IP Address 192.168.0.2
                              Device Name UNKNOWN
                              MAC Address 00:16:76:AE:78:37

                              # 2
                              IP Address 192.168.0.3
                              Device Name RON-PC
                              MAC Address 00:22:FB:8F:8C:BC


                              ronymaxwell

                                Re: Lost access to router
                                « Reply #18 on: September 23, 2010, 06:08:12 AM »
                                I've looked through the info on the router pages and it seems this may just be the IP addresses of my own computer and the laptop I have recently connected wirelessly while I have been going through this process.  I've used the laptop to keep your instructions in view while I've followed them.  It seems all is okay now, and I thank you SuperDave for your help.  It is very much appreciated.
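The check made informally in the two posts above, matching each entry in the router's Attached Devices list to a machine you own, can be done mechanically. This is an added example, not part of the original thread: the inventory dictionaries and their labels are assumptions, and the laptop's MAC is entered as matching only for illustration, since the thread never states it.

```python
import re

# Router "Attached Devices" listing exactly as pasted in reply #17 above.
ROUTER_PAGE = """\
Attached Devices

# 1
IP Address 192.168.0.2
Device Name UNKNOWN
MAC Address 00:16:76:AE:78:37

# 2
IP Address 192.168.0.3
Device Name RON-PC
MAC Address 00:22:FB:8F:8C:BC
"""

FIELDS = ("IP Address", "Device Name", "MAC Address")


def normalize_mac(mac):
    """Reduce any common MAC notation (colons, hyphens, dots) to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, i.e. the address was
    assigned in software and its vendor prefix says nothing about the device."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_attached_devices(text):
    """Parse '# n' blocks of 'Field value' lines; drop blocks without a MAC."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"#\s*\d+", line):
            current = {}
            devices.append(current)
            continue
        if current is None:
            continue  # page heading or text before the first entry
        for field in FIELDS:
            if line.startswith(field + " "):
                current[field] = line[len(field):].strip()
    return [d for d in devices if "MAC Address" in d]


def reconcile(devices, inventory):
    """Attach the inventory label to each device, or None when no MAC matches."""
    by_mac = {normalize_mac(mac): label for label, mac in inventory.items()}
    report = []
    for dev in devices:
        mac = normalize_mac(dev["MAC Address"])
        report.append({
            "ip": dev.get("IP Address", "?"),
            "router_name": dev.get("Device Name", "?"),
            "mac": mac,
            "owner": by_mac.get(mac),
            "software_assigned": is_locally_administered(mac),
        })
    return report


def unrecognised(report):
    """IP addresses of attached devices that match nothing in the inventory."""
    return [entry["ip"] for entry in report if entry["owner"] is None]


if __name__ == "__main__":
    # Hypothetical inventory: MACs read off each machine you own (for example
    # from `ipconfig /all` or `getmac`, which print the hyphenated form).
    inventory = {"RON-PC": "00-22-FB-8F-8C-BC"}
    devices = parse_attached_devices(ROUTER_PAGE)
    print("before adding the laptop:", unrecognised(reconcile(devices, inventory)))

    # Assumption for illustration only: the laptop's own adapter reports this MAC.
    inventory["laptop"] = "0016.76ae.7837"
    for entry in reconcile(devices, inventory):
        print(entry["ip"], entry["router_name"], "->", entry["owner"] or "UNRECOGNISED")
```

Any address still listed as unrecognised after every owned machine has been entered is the one to investigate, and a router name of UNKNOWN alone proves nothing either way.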

                                SuperDave

                                Re: Lost access to router
                                « Reply #19 on: September 23, 2010, 01:01:18 PM »
                                Let's do some clean-up.

                                * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                                * Now type commy /uninstall in the runbox
                                * Make sure there's a space between commy and /Uninstall
                                * Then hit Enter

                                * The above procedure will:
                                * Delete the following:
                                * ComboFix and its associated files and folders.
                                * Reset the clock settings.
                                * Hide file extensions, if required.
                                * Hide System/Hidden files, if required.
                                * Set a new, clean Restore Point.

                                **********************************

                                Clean out your temporary internet files and temp files.

                                Download TFC by OldTimer to your desktop.

                                Double-click TFC.exe to run it.

                                Note: If you are running on Vista, right-click on the file and choose Run As Administrator

                                TFC will close all programs when run, so make sure you have saved all your work before you begin.

                                * Click the Start button to begin the cleaning process.
                                * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
                                * Please let TFC run uninterrupted until it is finished.

                                Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

                                ***************************************
                                Looking over your log it seems you don't have any evidence of a third party firewall.

                                Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

                                Remember only install ONE firewall

                                1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
                                2) Online Armor
                                3) Agnitum Outpost
                                4) PC Tools Firewall Plus

                                If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
                                *******************************************
                                Use the Secunia Software Inspector to check for out of date software.

                                •Click Start Now

                                •Check the box next to Enable thorough system inspection.

                                •Click Start

                                •Allow the scan to finish and scroll down to see if any updates are needed.
                                •Update anything listed.
                                .
                                ----------

                                Go to Microsoft Windows Update and get all critical updates.

                                ----------

                                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                * Using SpywareBlaster to protect your computer from Spyware and Malware
                                * If you don't know what ActiveX controls are, see here

                                Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

                                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
                                Safe Surfing!
                                Windows 8 and Windows 10 dual boot with two SSD's

                                ronymaxwell

                                  Re: Lost access to router
                                  « Reply #20 on: September 26, 2010, 08:48:53 AM »
                                  I have another problem here.  When I enter 'commy /uninstall' in the Run box and press Enter, it treats the whole thing as a filename.  The search screen comes up with File Not Found.  Just putting 'commy' in the box brings up the correct file. 

                                  ronymaxwell

                                    Re: Lost access to router
                                    « Reply #21 on: September 26, 2010, 01:41:03 PM »
                                    I don't know if it is due to an error I have made myself, but installing Comodo has left me with no internet access.  Also sniper and superantispyware will not run.  I get an error message: the pipe state is invalid.

                                    SuperDave

                                    Re: Lost access to router
                                    « Reply #22 on: September 26, 2010, 06:35:42 PM »
                                    Quote
                                    but installing Comodo has left me with no internet access
                                    You ran the ESET scan so it must have stopped working after that.

                                    Ok. Please try this. If it doesn't work, go to Plan B

                                    * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                                    * Now type Combofix /uninstall in the runbox
                                    * Make sure there's a space between Combofix and /Uninstall
                                    * Then hit Enter

                                    * The above procedure will:
                                    * Delete the following:
                                    * ComboFix and its associated files and folders.
                                    * Reset the clock settings.
                                    * Hide file extensions, if required.
                                    * Hide System/Hidden files, if required.
                                    * Set a new, clean Restore Point.

                                    Plan B

                                    Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt

                                    To set a new Restore Point.

                                    Click the Start button, click Control Panel, click System and Maintenance, and then click System. In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
                                    Click the Start button, click Control Panel, click System and Maintenance, and then click System.
                                    In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
                                    To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.

                                    *****************************************
                                    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

                                    Code: [Select]
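                                    @echo off
                                    rem Collect network diagnostics into Log1.txt in the current folder.
                                    >Log1.txt (
                                    rem Adapter, gateway and DNS server configuration
                                    ipconfig /all
                                    rem Name resolution tests
                                    nslookup google.com
                                    nslookup yahoo.com
                                    rem Reachability tests, two echo requests each
                                    ping -n 2 google.com
                                    ping -n 2 yahoo.com
                                    rem Routing table
                                    route print
                                    )
                                    rem Open the log, then delete this batch file.
                                    start Log1.txt
                                    del %0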

                                    •Go to the File menu at the top of the Notepad and select Save as.

                                    •Select save in: desktop

                                    •Fill in File name: test.bat

                                    •Save as type: All file types (*.*)

                                    •Click save.

                                    •Close the Notepad.

                                    •Locate and double-click test.bat on the desktop.

                                    •A Notepad window opens; copy and paste its content (log1.txt) into your reply.
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    ronymaxwell

                                      Topic Starter


                                      Beginner

                                      Thanked: 1
                                      Re: Lost access to router
                                      « Reply #23 on: September 27, 2010, 07:47:54 AM »
                                      I managed to solve the problem by using safe mode and using system restore.  Thankfully, even though I couldn't uninstall commy, I made a manual restore point then.  I downloaded Online Armor instead of Comodo, and have had no further problems.  I am currently in the (long!) process of updating or uninstalling programs identified by Secunia PSI.

                                      ronymaxwell

                                        Topic Starter


                                        Beginner

                                        Thanked: 1
                                        Re: Lost access to router
                                        « Reply #24 on: September 27, 2010, 09:47:18 AM »
                                        I have successfully concluded the Secunia PSI search except for one program.  It lists 'mcagent.exe' as Insecure, but the link to open the folder doesn't work.  When I looked for the folder myself I couldn't find it.  It is listed as 'C:\My Backup--07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\Dc10.COM\Agent\mcagent.exe' - is this something to do with the Internet?  I did a search and it seems it may be related to McAfee security updates.  I uninstalled McAfee from my computer as it was after an update that things started behaving strangely.  I hadn't made the connection until I saw this listing, but in retrospect, I think it was then that I lost access to my router.  It seems strange that a well-known security application might be compromised, but is it possible?
                                        You may be interested in the events that persuaded me to uninstall McAfee.  After an automatic update, a message prompted me to reboot my computer.  I chose not to at that time as I was busy doing something.  The prompt kept reappearing, along with warnings that my computer was unsafe.  I didn't like the way it was behaving, so I used system restore and took it to a point before the installation.  After rebooting, within a minute or so, the update installed again and the same warnings continued.  I tried to access the uninstaller from the McAfee website but had no Internet access.  I used my laptop to download the tool, transferred it to a USB flash drive, connected that drive to my PC and ran the program.  The McAfee security centre then uninstalled.
                                        The update acted like a virus, even if it wasn't.


                                        SuperDave

                                        • Malware Removal Specialist
                                        • Moderator


                                        • Genius
                                        • Thanked: 1020
                                        • Certifications: List
                                        • Experience: Expert
                                        • OS: Windows 10
                                        Re: Lost access to router
                                        « Reply #25 on: September 27, 2010, 01:18:57 PM »
                                        This mcagent.exe file is called the McAfee agent. It is part of your McAfee virus protection and McAfee security suite of software. Its purpose is to connect to the McAfee server and update and verify that your virus definitions are up to date. This file is considered safe and is not considered spyware.

                                        Since you've uninstalled McAfee it shouldn't be a concern for you.

                                        ronymaxwell

                                          Topic Starter


                                          Beginner

                                          Thanked: 1
                                          Re: Lost access to router
                                          « Reply #26 on: September 27, 2010, 03:19:22 PM »
                                          It is only a concern because Secunia PSI highlights it as 'insecure' but I cannot find it.  Sorry if the previous was a bit fanciful.

                                          SuperDave

                                          • Malware Removal Specialist
                                          • Moderator


                                          • Genius
                                          • Thanked: 1020
                                          • Certifications: List
                                          • Experience: Expert
                                          • OS: Windows 10
                                          Re: Lost access to router
                                          « Reply #27 on: September 27, 2010, 05:21:03 PM »
                                          Try running Secunia again to see if it shows up again.

                                          ronymaxwell

                                            Topic Starter


                                            Beginner

                                            Thanked: 1
                                            Re: Lost access to router
                                            « Reply #28 on: September 28, 2010, 05:16:26 AM »
                                            I ran Secunia again.  System score was 99%.  Programs found: 1 Insecure; 0 End-Of-Life; 161 Patched. 
                                            Under 'Detected Programs': McAfee SecurityCenter 6.x, detected version 6.0.0.16, flagged Insecure.
                                            Double clicked listing.  Path shown as C:\My Backup--07-06-15 0746PM\RECYCLER\S-1-5-21-1644647770-490980070-3551582110-1007\Dc10.com\Agent\mcagent.exe
                                            Right clicked and selected Open folder.  No folder opens.
                                            Checked path via 'Computer'.  RECYCLER folder is not shown.
                                            (Have checked Dc10.com - it is a list of links to websites under various headings, 'Dating', etc.  I don't see why updates from the McAfee server should come from here.)
                                            « Last Edit: September 28, 2010, 05:50:13 AM by ronymaxwell »

                                            ronymaxwell

                                              Topic Starter


                                              Beginner

                                              Thanked: 1
                                              Re: Lost access to router
                                              « Reply #29 on: September 28, 2010, 08:04:47 AM »
                                              Just one other bit of information which may be relevant.  I searched the Internet for help when I first had problems, before I posted on here and before I uninstalled McAfee.  I found ComboFix and did a scan, but as I did not know how to use it, just left it at that.  I still have the log.  It includes the line "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-30 1193848]
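The path Secunia PSI reported in Reply #28 can be decoded offline. The following is an added example, not part of the thread or of any tool mentioned in it: it parses the legacy Windows 2000/XP Recycle Bin layout (`RECYCLER\<SID>\D<drive><index>.<ext>`) and checks the result against the ComboFix line quoted in Reply #29 and the account SID that appears in the ComboFix log in Reply #34. All function and class names are hypothetical.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Legacy (Windows 2000/XP, NTFS) Recycle Bin layout:
#   <volume>\RECYCLER\<owner SID>\D<drive letter><index>[.<original extension>]
# Vista and later use <volume>\$Recycle.Bin\<SID>\$R... instead, so those do not match.
LEGACY_BIN = re.compile(
    r"^(?P<container>.*?)\\RECYCLER\\(?P<sid>S-1-5-21(?:-\d+){4})"
    r"\\D(?P<drive>[A-Za-z])(?P<index>\d+)(?P<ext>\.[^\\.]+)?"
    r"(?P<inner>(?:\\[^\\]+)*)$",
    re.IGNORECASE,
)

# Values copied from the thread (Reply #28, Reply #29, ComboFix log in Reply #34).
REPORTED = (r"C:\My Backup--07-06-15 0746PM\RECYCLER"
            r"\S-1-5-21-1644647770-490980070-3551582110-1007"
            r"\Dc10.com\Agent\mcagent.exe")
KNOWN_INSTALL = r"c:\program files\McAfee.com\Agent\mcagent.exe"
LOCAL_SID = "S-1-5-21-3891294070-290603237-754910137-1000"


@dataclass(frozen=True)
class RecycledItem:
    container: str  # everything before \RECYCLER
    sid: str        # SID of the account that deleted the item
    drive: str      # drive letter the item was deleted from
    index: int      # sequence number assigned by the Recycle Bin
    ext: str        # original extension, "" if there was none
    inner: str      # path below the renamed item ("" when the item is a file)

    @property
    def rid(self) -> int:
        return int(self.sid.rsplit("-", 1)[1])

    @property
    def machine_id(self) -> str:
        # SID without the trailing RID identifies the Windows installation.
        return self.sid.rsplit("-", 1)[0]

    @property
    def is_live_bin(self) -> bool:
        # A bin Windows still manages sits at a volume root, e.g. C:\RECYCLER.
        return re.fullmatch(r"[A-Za-z]:", self.container) is not None


def parse_legacy_recycler_path(path: str) -> Optional[RecycledItem]:
    m = LEGACY_BIN.match(path.strip())
    if m is None:
        return None
    return RecycledItem(
        container=m["container"], sid=m["sid"].upper(), drive=m["drive"].upper(),
        index=int(m["index"]), ext=(m["ext"] or "").lower(), inner=m["inner"],
    )


def same_installation(item: RecycledItem, local_sid: str) -> bool:
    return item.machine_id == local_sid.upper().rsplit("-", 1)[0]


def candidate_origins(item: RecycledItem, known_paths: List[str]) -> List[str]:
    """Known paths whose drive, extension and tail fit the renamed item."""
    hits = []
    for known in known_paths:
        if not known.lower().endswith(item.inner.lower()):
            continue
        root = known[: len(known) - len(item.inner)]  # the deleted item itself
        drive, _ = ntpath.splitdrive(root)
        _, ext = ntpath.splitext(root)
        if drive[:1].upper() == item.drive and ext.lower() == item.ext:
            hits.append(root)
    return hits


def describe(path: str, known_paths: List[str], local_sid: str) -> dict:
    item = parse_legacy_recycler_path(path)
    if item is None:
        return {"legacy_recycler": False}
    return {
        "legacy_recycler": True,
        "live_bin": item.is_live_bin,
        "deleted_from_drive": item.drive,
        "deletion_index": item.index,
        "original_extension": item.ext,
        "owner_rid": item.rid,
        "owner_is_local_install": same_installation(item, local_sid),
        "candidate_origins": candidate_origins(item, known_paths),
    }


if __name__ == "__main__":
    for key, value in describe(REPORTED, [KNOWN_INSTALL], LOCAL_SID).items():
        print(f"{key}: {value}")
```

On these inputs the item decodes as deletion number 10 from drive C with an original name ending in `.com`, owned by an account from a different Windows installation and stored inside a backup folder rather than a live bin. That is consistent with a deleted `c:\program files\McAfee.com` folder preserved in an old backup.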

                                              ronymaxwell

                                                Topic Starter


                                                Beginner

                                                Thanked: 1
                                                Re: Lost access to router
                                                « Reply #30 on: September 28, 2010, 08:41:26 AM »
                                                From your reply to 'Rootkit.Agent found in System32 Drivers' on this forum:

                                                Please read here for more information about WildTangent. Your choice if you want to remove it or not.

                                                From the link:-

                                                Fourth: There are also claims in the forums and by anti-spyware tool makers that the uninstaller does not remove everything
                                                that was installed by WildTangent and that you still need to run the free remover tools to get everything.  Also a classic
                                                spyware tactic.

                                                and...

                                                There is also the increased chance that another piece of malware/spyware could be designed and injected into your machine
                                                that will leverage or redirect the information gathered by their technology for more sinister purposes.  Why would a
                                                malicious code writer go to the trouble of writing their own relay software if they know that a large portion of home
                                                systems may already contain the code he needs?

                                                I may be getting paranoid here or have gotten completely the wrong impression from this article, but McAfee supplies a
                                                removal tool which I had to download.  This mysterious file or link or whatever it is, coupled with this information,
                                                has me concerned.

                                                SuperDave

                                                • Malware Removal Specialist
                                                • Moderator


                                                • Genius
                                                • Thanked: 1020
                                                • Certifications: List
                                                • Experience: Expert
                                                • OS: Windows 10
                                                Re: Lost access to router
                                                « Reply #31 on: September 28, 2010, 01:35:03 PM »
                                                Did you run the McAfee Removal tool?

                                                ronymaxwell

                                                  Topic Starter


                                                  Beginner

                                                  Thanked: 1
                                                  Re: Lost access to router
                                                  « Reply #32 on: September 28, 2010, 03:28:01 PM »
                                                  Yes. 

                                                  SuperDave

                                                  • Malware Removal Specialist
                                                  • Moderator


                                                  • Genius
                                                  • Thanked: 1020
                                                  • Certifications: List
                                                  • Experience: Expert
                                                  • OS: Windows 10
                                                  Re: Lost access to router
                                                  « Reply #33 on: September 28, 2010, 04:55:00 PM »
                                                  Let's try another scan. 

                                                  Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

                                                  link # 1
                                                  link #2

                                                  Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

                                                  Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

                                                  Vista users: right-click combofix.exe, select Run as Administrator, and follow the prompts. (You will receive a UAC prompt; please allow it.)

                                                  Double-click combofix.exe and follow the prompts.
                                                  When finished, ComboFix will produce a log for you.
                                                  Post the ComboFix log and a new HijackThis log in your next reply.

                                                  NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                                                  Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

                                                  If you have problems with ComboFix usage, see How to use ComboFix

                                                  ronymaxwell

                                                    Topic Starter


                                                    Beginner

                                                    Thanked: 1
                                                    Re: Lost access to router
                                                    « Reply #34 on: September 28, 2010, 05:52:53 PM »
                                                    ComboFix 10-09-27.05 - Ron 29/09/2010   0:30.4.2 - x86
                                                    Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3069.1691 [GMT 1:00]
                                                    Running from: c:\users\Ron\Desktop\ComboFix.exe
                                                    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                                                    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                                                    .

                                                    (((((((((((((((((((((((((   Files Created from 2010-08-28 to 2010-09-28  )))))))))))))))))))))))))))))))
                                                    .

                                                    2010-09-28 23:42 . 2010-09-28 23:42   --------   d-----w-   c:\users\Ron\AppData\Local\temp
                                                    2010-09-28 23:42 . 2010-09-28 23:42   --------   d-----w-   c:\users\Public\AppData\Local\temp
                                                    2010-09-28 23:42 . 2010-09-28 23:42   --------   d-----w-   c:\users\Default\AppData\Local\temp
                                                    2010-09-28 22:17 . 2010-09-28 22:20   --------   d-----w-   c:\program files\SpywareBlaster
                                                    2010-09-28 22:11 . 2010-09-28 22:11   --------   d-----w-   c:\program files\WOT
                                                    2010-09-27 13:39 . 2010-09-27 13:39   --------   d-----w-   c:\program files\iPod
                                                    2010-09-27 13:39 . 2010-09-27 13:40   --------   d-----w-   c:\program files\iTunes
                                                    2010-09-27 13:37 . 2010-09-27 13:37   --------   d-----w-   c:\program files\QuickTime
                                                    2010-09-27 13:35 . 2010-09-27 13:35   --------   d-----w-   c:\program files\Apple Software Update
                                                    2010-09-27 13:02 . 2010-09-27 13:02   --------   d-----w-   c:\users\Ron\AppData\Local\Secunia PSI
                                                    2010-09-27 13:02 . 2010-09-27 13:02   --------   d-----w-   c:\program files\Secunia
                                                    2010-09-27 12:34 . 2010-09-28 22:13   --------   d-----w-   c:\users\Ron\AppData\Roaming\OnlineArmor
                                                    2010-09-27 12:34 . 2010-09-27 12:53   --------   d-----w-   c:\programdata\OnlineArmor
                                                    2010-09-27 12:33 . 2010-07-05 07:44   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                                                    2010-09-27 12:33 . 2010-07-05 07:44   29256   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                                                    2010-09-27 12:33 . 2010-07-05 07:43   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                                                    2010-09-27 12:33 . 2010-09-27 12:33   --------   d-----w-   c:\program files\Emsisoft
                                                    2010-09-26 19:23 . 2010-09-26 19:23   --------   d-----w-   c:\programdata\WindowsSearch
                                                    2010-09-26 19:08 . 2010-09-27 11:46   --------   d-----w-   c:\programdata\Comodo
                                                    2010-09-26 14:59 . 2010-09-26 14:59   --------   d-----w-   c:\programdata\NVIDIA Corporation
                                                    2010-09-24 01:51 . 2010-09-24 01:51   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
                                                    2010-09-22 14:02 . 2010-09-22 14:02   --------   d-----w-   c:\program files\ESET
                                                    2010-09-17 22:15 . 2010-09-17 22:15   388096   ----a-r-   c:\users\Ron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                                                    2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Malwarebytes
                                                    2010-09-17 21:53 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                                    2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\programdata\Malwarebytes
                                                    2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                    2010-09-17 21:53 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                    2010-09-17 09:43 . 2010-09-17 21:42   63488   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                                                    2010-09-17 09:43 . 2010-09-17 09:43   52224   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                                                    2010-09-17 09:43 . 2010-09-17 21:42   117760   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                                                    2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com
                                                    2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                                                    2010-09-17 09:43 . 2010-09-17 21:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
                                                    2010-09-17 09:30 . 2010-09-27 15:02   --------   d-----w-   c:\programdata\Yahoo! Companion
                                                    2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\users\Ron\AppData\Roaming\Yahoo!
                                                    2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\program files\Yahoo!
                                                    2010-09-17 09:29 . 2010-09-17 09:30   --------   d-----w-   c:\program files\CCleaner
                                                    2010-09-17 07:47 . 2010-04-16 16:46   502272   ----a-w-   c:\windows\system32\usp10.dll
                                                    2010-09-17 07:47 . 2010-08-17 14:11   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                                                    2010-09-17 07:47 . 2010-04-05 17:02   317952   ----a-w-   c:\windows\system32\MP4SDECD.DLL
                                                    2010-09-17 07:47 . 2010-05-27 20:08   739328   ----a-w-   c:\windows\system32\inetcomm.dll
                                                    2010-09-09 21:00 . 2010-09-09 21:00   --------   d-sh--w-   c:\windows\system32\%APPDATA%
                                                    2010-09-06 11:17 . 2010-09-06 11:17   --------   d-----w-   c:\program files\Common Files\Java
                                                    2010-09-06 11:14 . 2010-09-06 11:16   10787840   ----a-w-   c:\users\Ron\AppData\Roaming\Adobe\Acrobat\7.0\Updater\AcroProUpd710_all_cum.exe
                                                    2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                                                    2010-09-04 09:42 . 2010-09-04 09:42   --------   d-----w-   c:\program files\Bonjour
                                                    2010-09-01 08:30 . 2010-09-01 08:30   15544   ----a-w-   c:\windows\system32\drivers\psi_mf.sys

                                                    .
                                                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                    .
                                                    2010-09-28 23:23 . 2009-07-12 09:53   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                                                    2010-09-28 23:23 . 2009-07-12 09:53   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
                                                    2010-09-28 23:00 . 2009-11-06 11:28   1   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
                                                    2010-09-28 21:53 . 2010-06-24 06:29   36725   ----a-w-   c:\programdata\nvModes.dat
                                                    2010-09-28 21:50 . 2009-07-15 13:51   12   ----a-w-   c:\windows\bthservsdp.dat
                                                    2010-09-27 13:42 . 2009-11-13 18:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Apple Computer
                                                    2010-09-27 13:39 . 2009-11-13 18:45   --------   d-----w-   c:\program files\Common Files\Apple
                                                    2010-09-27 13:15 . 2009-07-06 10:58   --------   d-----w-   c:\program files\Java
                                                    2010-09-26 15:24 . 2009-05-31 18:09   --------   d-----w-   c:\programdata\NVIDIA
                                                    2010-09-26 15:00 . 2010-06-24 04:42   --------   d-----w-   c:\program files\NVIDIA Corporation
                                                    2010-09-22 13:10 . 2009-05-03 04:20   175808   ----a-w-   c:\users\Ron\AppData\Local\GDIPFONTCACHEV1.DAT
                                                    2010-09-22 13:10 . 2009-05-05 21:40   --------   d-----w-   c:\program files\Common Files\Adobe
                                                    2010-09-17 22:32 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                                                    2010-09-13 09:42 . 2009-05-17 18:30   --------   d-----w-   c:\program files\Microsoft Silverlight
                                                    2010-08-27 14:15 . 2010-08-27 14:15   --------   d-----w-   c:\program files\Microsoft Security Essentials
                                                    2010-08-14 21:06 . 2009-07-19 15:39   300384   ----a-w-   c:\users\Ron\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
                                                    2010-08-13 14:06 . 2010-08-13 06:10   --------   d-----w-   c:\program files\Common Files\ParetoLogic
                                                    2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\users\Ron\AppData\Roaming\AdobeUM
                                                    2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\program files\Common Files\Java(0)
                                                    2010-08-13 06:10 . 2010-08-13 06:10   --------   d-----w-   c:\programdata\FileCure
                                                    2010-08-08 18:48 . 2010-08-08 18:48   568832   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcp90.dll
                                                    2010-08-08 18:48 . 2010-08-08 18:48   686080   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
                                                    2010-08-08 18:48 . 2010-08-08 18:48   655872   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcr90.dll
                                                    2010-08-08 18:48 . 2010-08-08 18:48   583168   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\xpdfimport.exe
                                                    2010-08-08 18:48 . 2010-08-08 18:48   224768   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcm90.dll
                                                    2010-08-08 18:42 . 2009-11-06 11:24   --------   d-----w-   c:\program files\OpenOffice.org 3
                                                    2010-07-27 17:44 . 2010-07-27 17:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                                                    2010-07-27 17:44 . 2010-07-27 17:44   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
                                                    2010-07-27 17:44 . 2010-07-27 17:44   197920   ----a-w-   c:\windows\system32\dnssdX.dll
                                                    2010-07-27 17:44 . 2010-07-27 17:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                                                    2010-07-17 04:00 . 2010-05-17 12:09   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                                                    2010-07-09 15:37 . 2010-07-09 15:37   1469544   ----a-w-   c:\windows\system32\nvsvc.dll
                                                    2010-07-09 15:37 . 2010-07-09 15:37   13939816   ----a-w-   c:\windows\system32\nvcpl.dll
                                                    2010-07-09 15:37 . 2010-07-09 15:37   129640   ----a-w-   c:\windows\system32\nvvsvc.exe
                                                    2010-07-09 15:37 . 2010-07-09 15:37   110696   ----a-w-   c:\windows\system32\nvmctray.dll
                                                    .

                                                    (((((((((((((((((((((((((((((   SnapShot@2010-09-19_20.49.29   )))))))))))))))))))))))))))))))))))))))))
                                                    .
                                                    + 2010-09-22 09:00 . 2010-09-22 09:25   65536              c:\windows\tracing\RASPPTP.BIN
                                                    + 2010-09-22 09:00 . 2010-09-22 09:25   65536              c:\windows\tracing\RASL2TP.BIN
                                                    + 2010-09-22 09:00 . 2010-09-22 09:25   65536              c:\windows\tracing\IPSEC.BIN
                                                    + 2009-05-03 14:56 . 2010-09-28 21:54   68536              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
                                                    + 2006-11-02 13:05 . 2010-09-28 21:54   60142              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
                                                    + 2009-05-03 14:40 . 2010-09-28 21:54   18796              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3891294070-290603237-754910137-1000_UserData.bin
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   56936              c:\windows\System32\OpenCL.dll
                                                    + 2010-09-27 12:33 . 2010-07-05 07:44   29256              c:\windows\System32\DriverStore\FileRepository\oanet.inf_536b0972\OAnet.sys
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   56936              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\OpenCL.dll
                                                    + 2006-11-02 13:02 . 2010-09-28 21:52   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    - 2006-11-02 13:02 . 2010-09-19 20:17   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    + 2010-09-27 13:15 . 2010-09-27 13:15   79488              c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\gtapi.dll
                                                    + 2010-09-28 22:17 . 2010-09-28 21:52   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                    + 2006-11-02 13:02 . 2010-09-28 21:52   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    - 2006-11-02 13:02 . 2010-09-19 20:17   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    - 2010-09-09 21:00 . 2010-09-09 21:00   16384              c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
                                                    + 2010-09-09 21:00 . 2010-09-27 13:16   16384              c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
                                                    + 2009-05-18 19:46 . 2010-09-28 21:53   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    - 2009-05-18 19:46 . 2010-09-19 20:18   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    - 2009-05-18 19:46 . 2010-09-19 20:18   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                    + 2009-05-18 19:46 . 2010-09-28 21:53   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                    + 2009-05-18 19:46 . 2010-09-28 21:53   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    - 2009-05-18 19:46 . 2010-09-19 20:18   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    - 2009-05-18 19:40 . 2010-09-19 20:17   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    + 2009-05-18 19:40 . 2010-09-28 21:52   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                    + 2009-12-14 10:04 . 2010-09-26 14:14   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
                                                    - 2009-12-14 10:04 . 2010-09-17 17:06   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
                                                    + 2009-12-14 10:04 . 2010-09-26 14:14   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
                                                    - 2009-12-14 10:04 . 2010-09-17 17:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
                                                    + 2009-12-14 10:04 . 2010-09-26 14:14   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
                                                    - 2009-12-14 10:04 . 2010-09-17 17:06   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
                                                    + 2009-05-18 19:40 . 2010-09-28 21:52   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                    - 2009-05-18 19:40 . 2010-09-19 20:17   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                    - 2009-05-18 19:40 . 2010-09-19 20:17   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    + 2009-05-18 19:40 . 2010-09-28 21:52   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                    + 2010-09-27 13:35 . 2010-09-27 13:35   27136              c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
                                                    + 2009-12-21 19:09 . 2009-12-21 19:09   16832              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\ViewerPS.dll
                                                    + 2009-12-22 00:57 . 2009-12-22 00:57   35760              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\reader_sl.exe
                                                    + 2009-12-21 19:02 . 2009-12-21 19:02   79280              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\PDFPrevHndlr.dll
                                                    + 2009-12-21 22:21 . 2009-12-21 22:21   99776              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\eula.exe
                                                    + 2009-12-11 14:57 . 2009-12-11 14:57   70584              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobeextractfiles.dll
                                                    + 2009-12-21 22:37 . 2009-12-21 22:37   27048              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrotextextractor.exe
                                                    + 2009-12-21 17:39 . 2009-12-21 17:39   15288              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32Info.exe
                                                    + 2009-12-21 17:27 . 2009-12-21 17:27   75200              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acroiehelpershim.dll
                                                    + 2009-12-21 17:27 . 2009-12-21 17:27   61888              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroIEHelper.dll
                                                    - 2006-11-02 10:25 . 2010-09-04 09:44   86016              c:\windows\inf\infstor.dat
                                                    + 2006-11-02 10:25 . 2010-09-27 12:34   86016              c:\windows\inf\infstor.dat
                                                    + 2006-11-02 10:25 . 2010-09-27 12:34   51200              c:\windows\inf\infpub.dat
                                                    - 2006-11-02 10:25 . 2010-09-04 09:44   51200              c:\windows\inf\infpub.dat
                                                    + 2010-09-28 21:52 . 2010-09-28 21:52   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                                                    - 2010-09-19 20:17 . 2010-09-19 20:17   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                                                    + 2010-09-28 21:52 . 2010-09-28 21:52   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                                                    - 2010-09-19 20:17 . 2010-09-19 20:17   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                                                    + 2010-09-22 09:00 . 2010-09-22 09:25   131072              c:\windows\tracing\RASSSTP.BIN
                                                    + 2006-11-02 10:33 . 2010-09-28 21:58   608760              c:\windows\System32\perfh009.dat
                                                    - 2006-11-02 10:33 . 2010-09-19 20:23   608760              c:\windows\System32\perfh009.dat
                                                    - 2006-11-02 10:33 . 2010-09-19 20:23   108268              c:\windows\System32\perfc009.dat
                                                    + 2006-11-02 10:33 . 2010-09-28 21:58   108268              c:\windows\System32\perfc009.dat
                                                    + 2009-05-31 17:14 . 2010-07-10 04:37   604776              c:\windows\System32\nvuninst.exe
                                                    + 2008-09-17 22:55 . 2010-07-10 04:37   604776              c:\windows\System32\nvudisp.exe
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   236136              c:\windows\System32\nvcod1922.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   236136              c:\windows\System32\nvcod.dll
                                                    + 2010-09-27 13:12 . 2010-09-27 13:12   232912              c:\windows\System32\Macromed\Flash\FlashUtil10k_Plugin.exe
                                                    + 2010-09-27 13:18 . 2010-09-27 13:18   232912              c:\windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.exe
                                                    + 2010-09-27 13:18 . 2010-09-27 13:18   311760              c:\windows\System32\Macromed\Flash\FlashUtil10k_ActiveX.dll
                                                    - 2010-09-06 11:17 . 2010-07-17 04:00   153376              c:\windows\System32\javaws.exe
                                                    + 2010-09-27 13:15 . 2010-07-17 04:00   153376              c:\windows\System32\javaws.exe
                                                    - 2010-09-06 11:17 . 2010-07-17 04:00   145184              c:\windows\System32\javaw.exe
                                                    + 2010-09-27 13:15 . 2010-07-17 04:00   145184              c:\windows\System32\javaw.exe
                                                    + 2010-09-27 13:15 . 2010-07-17 04:00   145184              c:\windows\System32\java.exe
                                                    - 2010-09-06 11:17 . 2010-07-17 04:00   145184              c:\windows\System32\java.exe
                                                    + 2006-11-02 12:47 . 2010-09-22 13:08   546176              c:\windows\System32\FNTCACHE.DAT
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   604776              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvudisp.exe
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   261268              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvdrsdb.bin
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   236136              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcod.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   795104              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\dpinst.exe
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   156264              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\dbInstaller.exe
                                                    + 2009-05-17 18:41 . 2010-09-28 14:24   294912              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
                                                    - 2009-05-17 18:41 . 2010-09-17 21:47   294912              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
                                                    + 2010-09-27 13:15 . 2010-09-27 13:15   152576              c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\lzma.dll
                                                    + 2010-09-27 13:15 . 2010-09-27 13:15   581120              c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\jre1.6.0_20\jre1.6.0_20.msi
                                                    + 2010-09-27 13:16 . 2010-09-27 13:16   183808              c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\AU\au.msi
                                                    + 2010-09-19 21:26 . 2010-09-19 21:26   802304              c:\windows\Installer\3e650b.msi
                                                    + 2010-09-27 13:15 . 2010-09-27 13:15   577536              c:\windows\Installer\17f3ac.msi
                                                    + 2010-09-28 22:11 . 2010-09-28 22:11   279552              c:\windows\Installer\11c055.msi
                                                    + 2010-09-19 21:26 . 2010-09-19 21:26   295606              c:\windows\Installer\{AC76BA86-7AD7-5464-3428-900000000004}\ARPPRODUCTICON.exe
                                                    + 2010-09-27 13:41 . 2010-09-27 13:41   380928              c:\windows\Installer\{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}\iTunesIco.exe
                                                    + 2008-04-10 08:20 . 2008-04-10 08:20   638976              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA746454382090000000040\9.0.0\AdobeLinguistic.dll
                                                    + 2009-12-11 14:57 . 2009-12-11 14:57   326056              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\readerupdater.exe
                                                    + 2009-12-21 17:35 . 2009-12-21 17:35   378264              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\pdfshell.dll
                                                    + 2009-12-21 17:34 . 2009-12-21 17:34   103864              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\nppdf32.dll
                                                    + 2009-11-09 18:18 . 2009-11-09 18:18   684032              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\JP2KLib.dll
                                                    + 2009-12-21 19:02 . 2009-12-21 19:02   542168              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AdobeCollabSync.exe
                                                    + 2009-12-11 14:57 . 2009-12-11 14:57   948672              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\adobearm.exe
                                                    + 2009-12-21 17:43 . 2009-12-21 17:43   120240              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRdIF.dll
                                                    + 2009-12-22 00:57 . 2009-12-22 00:57   349616              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.exe
                                                    + 2009-12-21 17:15 . 2009-12-21 17:15   660912              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroPDF.dll
                                                    + 2009-12-21 18:32 . 2009-12-21 18:32   280024              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobroker.exe
                                                    + 2009-12-11 14:57 . 2009-12-11 14:57   326056              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\acrobatupdater.exe
                                                    + 2009-12-21 18:15 . 2009-12-21 18:15   251296              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\a3dutility.exe
                                                    + 2006-11-02 10:25 . 2010-09-27 12:34   143360              c:\windows\inf\infstrng.dat
                                                    - 2006-11-02 10:25 . 2010-09-04 09:44   143360              c:\windows\inf\infstrng.dat
                                                    + 2008-09-17 22:55 . 2010-07-10 04:37   9818728              c:\windows\System32\nvd3dum.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   2892904              c:\windows\System32\nvcuvid.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   2506344              c:\windows\System32\nvcuvenc.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   4553832              c:\windows\System32\nvcuda.dll
                                                    + 2008-09-17 22:55 . 2010-07-10 04:37   1625192              c:\windows\System32\nvapi.dll
                                                    + 2009-02-03 02:15 . 2010-09-27 13:12   5969360              c:\windows\System32\Macromed\Flash\NPSWF32.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   9818728              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvd3dum.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   2892904              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuvid.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   2506344              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuvenc.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   4553832              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcuda.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   1625192              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvapi.dll
                                                    + 2010-09-27 13:41 . 2010-09-27 13:41   6333440              c:\windows\Installer\29a52d.msi
                                                    + 2010-09-27 13:37 . 2010-09-27 13:37   9472000              c:\windows\Installer\299c8c.msi
                                                    + 2010-09-27 13:35 . 2010-09-27 13:35   1554944              c:\windows\Installer\2999d8.msi
                                                    + 2010-06-20 08:01 . 2010-06-20 08:01   8040960              c:\windows\Installer\13fca.msp
                                                    + 2010-09-22 08:34 . 2010-09-22 08:34   3940352              c:\windows\Installer\13ed7.msi
                                                    + 2009-12-21 17:29 . 2009-12-21 17:29   2409880              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\rt3d.dll
                                                    + 2009-10-27 19:34 . 2009-10-27 19:34   5009408              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\authplay.dll
                                                    + 2009-12-21 22:31 . 2009-12-21 22:31   5713920              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AGM.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   14092904              c:\windows\System32\nvoglv32.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   10267240              c:\windows\System32\nvcompiler.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   14092904              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvoglv32.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   11008040              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvlddmkm.sys
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   50354424              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\NvCplSetupInt.exe
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   10267240              c:\windows\System32\DriverStore\FileRepository\nv_disp.inf_a648eb91\nvcompiler.dll
                                                    + 2010-07-10 04:37 . 2010-07-10 04:37   11008040              c:\windows\System32\drivers\nvlddmkm.sys
                                                    + 2010-04-04 06:54 . 2010-04-04 06:54   11850240              c:\windows\Installer\13fcb.msp
                                                    + 2010-08-13 18:09 . 2010-08-13 18:09   12263936              c:\windows\Installer\13fc9.msp
                                                    + 2009-12-21 22:21 . 2009-12-21 22:21   20436408              c:\windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0300000010\9.3.0\AcroRd32.dll
                                                    .
                                                    -- Snapshot reset to current date --
                                                    .
                                                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                    .
                                                    .
                                                    *Note* empty entries & legit default entries are not shown
                                                    REGEDIT4

                                                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                                                    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
                                                    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
                                                    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
                                                    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                                                    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
                                                    "SigmatelSysTrayApp"="sttray.exe" [2007-03-29 303104]
                                                    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
                                                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                                                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                                                    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
                                                    "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-05 6854984]
                                                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
                                                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

                                                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                                                    "EnableUIADesktopToggle"= 0 (0x0)

                                                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                                                    "EnableShellExecuteHooks"= 1 (0x1)

                                                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                                    "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-05 924488]

                                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                                                    @=""

                                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                                                    @="Service"

                                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                                                    @="Service"

                                                    R1 apprngr;AppRanger Scan Driver;c:\windows\system32\Drivers\apprngr.sys

                                                    R2 apprngr_svc;AppRanger Service;c:\program files\AppRanger\SWSvc.exe

                                                    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                                                    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
                                                    R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [2010-07-05 3364680]
                                                    R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
                                                    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                                                    S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
                                                    S0 npf;npf Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
                                                    S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-07-05 236104]
                                                    S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-07-05 22600]
                                                    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                                                    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                                                    S2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\OAcat.exe [2010-07-05 1283400]
                                                    S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2010-09-01 318520]
                                                    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
                                                    S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2010-07-05 29256]
                                                    S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]


                                                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                                    bthsvcs   REG_MULTI_SZ      BthServ
                                                    LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                                                    .
                                                    Contents of the 'Scheduled Tasks' folder

                                                    2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                                                    2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                                    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                                                    2010-09-28 c:\windows\Tasks\ParetoLogic Registration3.job
                                                    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

                                                    2010-08-13 c:\windows\Tasks\ParetoLogic Update Version3.job
                                                    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

                                                    2010-09-28 c:\windows\Tasks\User_Feed_Synchronization-{AAD29C0A-613E-42B8-9812-D1A798192E3F}.job
                                                    - c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
                                                    .
                                                    .
                                                    ------- Supplementary Scan -------
                                                    .
                                                    uStart Page = hxxp://www.google.co.uk/
                                                    mStart Page = hxxp://www.voover.com/
                                                    uInternet Settings,ProxyOverride = *.local
                                                    uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                                                    .
                                                    - - - - ORPHANS REMOVED - - - -

                                                    HKLM-Run-HostManager - c:\program files\Common Files\AOL\1247602731\ee\AOLSoftware.exe



                                                    **************************************************************************

                                                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                    Rootkit scan 2010-09-29 00:42
                                                    Windows 6.0.6002 Service Pack 2 NTFS

                                                    scanning hidden processes ... 

                                                    scanning hidden autostart entries ...

                                                    scanning hidden files ... 

                                                    scan completed successfully
                                                    hidden files: 0

                                                    **************************************************************************
                                                    .
                                                    --------------------- LOCKED REGISTRY KEYS ---------------------

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                                                    @Denied: (A 2) (Everyone)
                                                    @="FlashBroker"
                                                    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                                                    "Enabled"=dword:00000001

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                                                    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                                                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                                                    @Denied: (A 2) (Everyone)
                                                    @="IFlashBroker4"

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                                                    @="{00020424-0000-0000-C000-000000000046}"

                                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                                                    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                                                    "Version"="1.0"

                                                    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                                                    @Denied: (A) (Users)
                                                    @Denied: (A) (Everyone)
                                                    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                                                    "BlindDial"=dword:00000000
                                                    .
                                                    Completion time: 2010-09-29  00:50:17
                                                    ComboFix-quarantined-files.txt  2010-09-28 23:50
                                                    ComboFix2.txt  2010-09-26 14:35
                                                    ComboFix3.txt  2010-09-22 13:52
                                                    ComboFix4.txt  2010-09-19 20:56
                                                    ComboFix5.txt  2010-09-28 23:26

                                                    Pre-Run: 58,355,978,240 bytes free
                                                    Post-Run: 58,314,850,304 bytes free

                                                    - - End Of File - - 0F8EC5D396A3C767211116E26047E049

                                                    HJT log to follow.

                                                    ronymaxwell

                                                      Re: Lost access to router
                                                      « Reply #35 on: September 28, 2010, 06:00:31 PM »
                                                      Logfile of Trend Micro HijackThis v2.0.4
                                                      Scan saved at 00:59:45, on 29/09/2010
                                                      Platform: Windows Vista SP2 (WinNT 6.00.1906)
                                                      MSIE: Internet Explorer v8.00 (8.00.6001.18943)
                                                      Boot mode: Normal

                                                      Running processes:
                                                      C:\Windows\system32\Dwm.exe
                                                      C:\Windows\system32\taskeng.exe
                                                      C:\Windows\system32\taskeng.exe
                                                      C:\Program Files\Secunia\PSI\psi.exe
                                                      C:\Windows\System32\mobsync.exe
                                                      C:\Program Files\Windows Media Player\wmpnscfg.exe
                                                      C:\Windows\sttray.exe
                                                      C:\Program Files\Microsoft Security Essentials\msseces.exe
                                                      C:\Program Files\Common Files\Java\Java Update\jusched.exe
                                                      C:\Program Files\iTunes\iTunesHelper.exe
                                                      C:\Program Files\Windows Sidebar\sidebar.exe
                                                      C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
                                                      C:\Windows\ehome\ehtray.exe
                                                      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                                      C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
                                                      C:\Windows\ehome\ehmsas.exe
                                                      C:\Windows\Explorer.exe
                                                      C:\Windows\system32\SearchFilterHost.exe
                                                      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

                                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
                                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
                                                      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
                                                      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
                                                      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
                                                      O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
                                                      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
                                                      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                                                      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                                                      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
                                                      O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
                                                      O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
                                                      O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
                                                      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                                                      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
                                                      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
                                                      O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
                                                      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
                                                      O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                                                      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                      O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
                                                      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
                                                      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
                                                      O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
                                                      O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
                                                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
                                                      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
                                                      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
                                                      O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
                                                      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                                      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                                      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
                                                      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
                                                      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
                                                      O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                                      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
                                                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                                      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
                                                      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                                                      O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
                                                      O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
                                                      O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
                                                      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
                                                      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                                                      O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
                                                      O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
                                                      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                                                      O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
                                                      O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
                                                      O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                                      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
                                                      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
                                                      O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
                                                      O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
                                                      O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
                                                      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
                                                      O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
                                                      O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
                                                      O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe
                                                      O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

                                                      --
                                                      End of file - 8610 bytes

                                                      ronymaxwell

                                                        Re: Lost access to router
                                                        « Reply #36 on: September 29, 2010, 06:34:15 AM »
                                                        Latest Logs

                                                        ComboFix 10-09-28.03 - Ron 29/09/2010  13:06:37.5.2 - x86
                                                        Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3069.1639 [GMT 1:00]
                                                        Running from: c:\users\Ron\Desktop\ComboFix.exe
                                                        SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                                                        SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                                                        .

                                                        (((((((((((((((((((((((((   Files Created from 2010-08-28 to 2010-09-29  )))))))))))))))))))))))))))))))
                                                        .

                                                        2010-09-29 12:17 . 2010-09-29 12:17   --------   d-----w-   c:\users\Ron\AppData\Local\temp
                                                        2010-09-29 12:17 . 2010-09-29 12:17   --------   d-----w-   c:\users\Public\AppData\Local\temp
                                                        2010-09-29 12:17 . 2010-09-29 12:17   --------   d-----w-   c:\users\Default\AppData\Local\temp
                                                        2010-09-29 12:02 . 2010-09-29 12:02   --------   d-----w-   C:\32788R22FWJFW
                                                        2010-09-29 11:57 . 2010-06-22 13:30   2048   ----a-w-   c:\windows\system32\tzres.dll
                                                        2010-09-28 22:17 . 2010-09-28 22:20   --------   d-----w-   c:\program files\SpywareBlaster
                                                        2010-09-28 22:11 . 2010-09-28 22:11   --------   d-----w-   c:\program files\WOT
                                                        2010-09-27 13:39 . 2010-09-27 13:39   --------   d-----w-   c:\program files\iPod
                                                        2010-09-27 13:39 . 2010-09-27 13:40   --------   d-----w-   c:\program files\iTunes
                                                        2010-09-27 13:37 . 2010-09-27 13:37   --------   d-----w-   c:\program files\QuickTime
                                                        2010-09-27 13:35 . 2010-09-27 13:35   --------   d-----w-   c:\program files\Apple Software Update
                                                        2010-09-27 13:02 . 2010-09-27 13:02   --------   d-----w-   c:\users\Ron\AppData\Local\Secunia PSI
                                                        2010-09-27 13:02 . 2010-09-27 13:02   --------   d-----w-   c:\program files\Secunia
                                                        2010-09-27 12:34 . 2010-09-28 22:13   --------   d-----w-   c:\users\Ron\AppData\Roaming\OnlineArmor
                                                        2010-09-27 12:34 . 2010-09-27 12:53   --------   d-----w-   c:\programdata\OnlineArmor
                                                        2010-09-27 12:33 . 2010-07-05 07:44   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
                                                        2010-09-27 12:33 . 2010-07-05 07:44   29256   ----a-w-   c:\windows\system32\drivers\OAnet.sys
                                                        2010-09-27 12:33 . 2010-07-05 07:43   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
                                                        2010-09-27 12:33 . 2010-09-27 12:33   --------   d-----w-   c:\program files\Emsisoft
                                                        2010-09-26 19:23 . 2010-09-26 19:23   --------   d-----w-   c:\programdata\WindowsSearch
                                                        2010-09-26 19:08 . 2010-09-27 11:46   --------   d-----w-   c:\programdata\Comodo
                                                        2010-09-26 14:59 . 2010-09-26 14:59   --------   d-----w-   c:\programdata\NVIDIA Corporation
                                                        2010-09-22 14:02 . 2010-09-22 14:02   --------   d-----w-   c:\program files\ESET
                                                        2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Malwarebytes
                                                        2010-09-17 21:53 . 2010-04-29 14:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                                                        2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\programdata\Malwarebytes
                                                        2010-09-17 21:53 . 2010-09-17 21:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                                                        2010-09-17 21:53 . 2010-04-29 14:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                                                        2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com
                                                        2010-09-17 09:43 . 2010-09-17 09:43   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                                                        2010-09-17 09:43 . 2010-09-17 21:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
                                                        2010-09-17 09:30 . 2010-09-27 15:02   --------   d-----w-   c:\programdata\Yahoo! Companion
                                                        2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\users\Ron\AppData\Roaming\Yahoo!
                                                        2010-09-17 09:30 . 2010-09-17 09:30   --------   d-----w-   c:\program files\Yahoo!
                                                        2010-09-17 09:29 . 2010-09-17 09:30   --------   d-----w-   c:\program files\CCleaner
                                                        2010-09-17 07:47 . 2010-04-16 16:46   502272   ----a-w-   c:\windows\system32\usp10.dll
                                                        2010-09-17 07:47 . 2010-08-17 14:11   128000   ----a-w-   c:\windows\system32\spoolsv.exe
                                                        2010-09-17 07:47 . 2010-04-05 17:02   317952   ----a-w-   c:\windows\system32\MP4SDECD.DLL
                                                        2010-09-17 07:47 . 2010-05-27 20:08   739328   ----a-w-   c:\windows\system32\inetcomm.dll
                                                        2010-09-09 21:00 . 2010-09-09 21:00   --------   d-sh--w-   c:\windows\system32\%APPDATA%
                                                        2010-09-06 11:17 . 2010-09-06 11:17   --------   d-----w-   c:\program files\Common Files\Java
                                                        2010-09-04 09:48 . 2010-09-04 09:49   --------   d-----w-   c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
                                                        2010-09-04 09:42 . 2010-09-04 09:42   --------   d-----w-   c:\program files\Bonjour
                                                        2010-09-01 08:30 . 2010-09-01 08:30   15544   ----a-w-   c:\windows\system32\drivers\psi_mf.sys

                                                        .
                                                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                                        .
                                                        2010-09-29 11:59 . 2009-05-17 18:30   --------   d-----w-   c:\program files\Microsoft Silverlight
                                                        2010-09-29 11:49 . 2010-06-24 06:29   36725   ----a-w-   c:\programdata\nvModes.dat
                                                        2010-09-29 11:47 . 2009-07-12 09:53   --------   d-----w-   c:\program files\Spybot - Search & Destroy
                                                        2010-09-29 00:11 . 2009-07-15 13:51   12   ----a-w-   c:\windows\bthservsdp.dat
                                                        2010-09-28 23:53 . 2010-09-28 23:53   388096   ----a-r-   c:\users\Ron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                                                        2010-09-28 23:23 . 2009-07-12 09:53   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
                                                        2010-09-28 10:30 . 2010-09-28 10:30   2023824   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4E298DB-ECDF-46E5-8671-41B2BE418959}\mpavdlta.vdm
                                                        2010-09-28 10:30 . 2010-09-28 10:30   365968   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4E298DB-ECDF-46E5-8671-41B2BE418959}\mpasdlta.vdm
                                                        2010-09-27 13:42 . 2009-11-13 18:53   --------   d-----w-   c:\users\Ron\AppData\Roaming\Apple Computer
                                                        2010-09-27 13:39 . 2009-11-13 18:45   --------   d-----w-   c:\program files\Common Files\Apple
                                                        2010-09-27 13:15 . 2009-07-06 10:58   --------   d-----w-   c:\program files\Java
                                                        2010-09-27 12:59 . 2010-08-29 15:49   1987984   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpavdlta.vdm
                                                        2010-09-27 12:59 . 2010-08-29 15:49   349584   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpasdlta.vdm
                                                        2010-09-26 15:24 . 2009-05-31 18:09   --------   d-----w-   c:\programdata\NVIDIA
                                                        2010-09-26 15:00 . 2010-06-24 04:42   --------   d-----w-   c:\program files\NVIDIA Corporation
                                                        2010-09-24 01:51 . 2010-09-24 01:51   73000   ----a-w-   c:\programdata\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe
                                                        2010-09-22 13:13 . 2010-09-22 13:13   12575488   ----a-w-   c:\users\Ron\AppData\Roaming\Adobe\AIR\Updater\Background\1.0\updater
                                                        2010-09-22 13:10 . 2009-05-03 04:20   175808   ----a-w-   c:\users\Ron\AppData\Local\GDIPFONTCACHEV1.DAT
                                                        2010-09-22 13:10 . 2009-05-05 21:40   --------   d-----w-   c:\program files\Common Files\Adobe
                                                        2010-09-17 22:32 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                                                        2010-09-17 21:42 . 2010-09-17 09:43   63488   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
                                                        2010-09-17 21:42 . 2010-09-17 09:43   117760   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                                                        2010-09-17 09:43 . 2010-09-17 09:43   52224   ----a-w-   c:\users\Ron\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                                                        2010-09-17 07:50 . 2010-09-28 10:30   41722256   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4E298DB-ECDF-46E5-8671-41B2BE418959}\mpavbase.vdm
                                                        2010-09-17 07:50 . 2010-08-29 15:49   41722256   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpavbase.vdm
                                                        2010-09-17 07:50 . 2010-09-28 10:30   12300688   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4E298DB-ECDF-46E5-8671-41B2BE418959}\mpasbase.vdm
                                                        2010-09-17 07:50 . 2010-08-29 15:49   12300688   ----a-w-   c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpasbase.vdm
                                                        2010-09-10 22:41 . 2010-09-10 22:41   109512   ----a-w-   c:\programdata\Comodo\Installer\cmddns.tmp
                                                        2010-09-06 11:16 . 2010-09-06 11:14   10787840   ----a-w-   c:\users\Ron\AppData\Roaming\Adobe\Acrobat\7.0\Updater\AcroProUpd710_all_cum.exe
                                                        2010-08-28 12:39 . 2010-08-28 12:39   63520   ----a-w-   c:\programdata\Comodo\Installer\crtman.tmp
                                                        2010-08-27 14:15 . 2010-08-27 14:15   --------   d-----w-   c:\program files\Microsoft Security Essentials
                                                        2010-08-26 18:20 . 2010-08-27 14:11   366992   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{8B226FB6-3024-4D43-9F12-F9F3CD893053}\mpasdlta.vdm
                                                        2010-08-19 09:25 . 2010-08-27 14:11   12120464   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{8B226FB6-3024-4D43-9F12-F9F3CD893053}\mpasbase.vdm
                                                        2010-08-14 21:06 . 2009-07-19 15:39   300384   ----a-w-   c:\users\Ron\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
                                                        2010-08-13 14:06 . 2010-08-13 06:10   --------   d-----w-   c:\program files\Common Files\ParetoLogic
                                                        2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\users\Ron\AppData\Roaming\AdobeUM
                                                        2010-08-13 06:33 . 2010-08-13 06:33   --------   d-----w-   c:\program files\Common Files\Java(0)
                                                        2010-08-13 06:10 . 2010-08-13 06:10   --------   d-----w-   c:\programdata\FileCure
                                                        2010-08-08 18:48 . 2010-08-08 18:48   568832   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcp90.dll
                                                        2010-08-08 18:48 . 2010-08-08 18:48   686080   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
                                                        2010-08-08 18:48 . 2010-08-08 18:48   655872   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcr90.dll
                                                        2010-08-08 18:48 . 2010-08-08 18:48   583168   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\xpdfimport.exe
                                                        2010-08-08 18:48 . 2010-08-08 18:48   224768   ----a-w-   c:\users\Ron\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\uno_packages\4FE5.tmp_\sun-pdfimport.oxt\msvcm90.dll
                                                        2010-08-08 18:42 . 2009-11-06 11:24   --------   d-----w-   c:\program files\OpenOffice.org 3
                                                        2010-07-27 17:44 . 2010-07-27 17:44   91424   ----a-w-   c:\windows\system32\dnssd.dll
                                                        2010-07-27 17:44 . 2010-07-27 17:44   75040   ----a-w-   c:\windows\system32\jdns_sd.dll
                                                        2010-07-27 17:44 . 2010-07-27 17:44   197920   ----a-w-   c:\windows\system32\dnssdX.dll
                                                        2010-07-27 17:44 . 2010-07-27 17:44   107808   ----a-w-   c:\windows\system32\dns-sd.exe
                                                        2010-07-17 04:00 . 2010-05-17 12:09   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                                                        2010-07-09 15:37 . 2010-07-09 15:37   1469544   ----a-w-   c:\windows\system32\nvsvc.dll
                                                        2010-07-09 15:37 . 2010-07-09 15:37   13939816   ----a-w-   c:\windows\system32\nvcpl.dll
                                                        2010-07-09 15:37 . 2010-07-09 15:37   129640   ----a-w-   c:\windows\system32\nvvsvc.exe
                                                        2010-07-09 15:37 . 2010-07-09 15:37   110696   ----a-w-   c:\windows\system32\nvmctray.dll
                                                        .

                                                        (((((((((((((((((((((((((((((   SnapShot_2010-09-28_23.42.52   )))))))))))))))))))))))))))))))))))))))))
                                                        .
                                                        + 2010-09-29 11:57 . 2010-08-26 05:15   13312              c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.23061_none_842241d16004f2b8\iecompat.dll
                                                        + 2010-09-29 11:57 . 2010-08-26 04:23   13312              c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18969_none_83a0d11a46dfe78b\iecompat.dll
                                                        + 2010-09-29 11:57 . 2010-06-22 13:26   19456              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.22429_none_17aad34f1fde10ac\tzupd.exe
                                                        + 2010-02-24 17:50 . 2010-01-23 09:26   19456              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.18276_none_16e8242406ebb36b\tzupd.exe
                                                        + 2010-09-29 11:57 . 2010-06-22 13:04   19456              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22717_none_15cd30bf22b16ce9\tzupd.exe
                                                        + 2010-02-24 17:50 . 2010-01-23 09:44   19456              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18497_none_14ed10c809d4b259\tzupd.exe
                                                        + 2009-05-03 14:56 . 2010-09-29 11:50   68664              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
                                                        + 2006-11-02 13:05 . 2010-09-29 11:50   60312              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
                                                        + 2009-05-03 14:40 . 2010-09-29 11:50   18804              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3891294070-290603237-754910137-1000_UserData.bin
                                                        + 2006-11-02 13:02 . 2010-09-29 11:52   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        - 2006-11-02 13:02 . 2010-09-28 21:52   32768              c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        + 2010-09-28 22:17 . 2010-09-29 11:52   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        - 2010-09-28 22:17 . 2010-09-28 21:52   32768              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        + 2006-11-02 13:02 . 2010-09-29 11:52   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        - 2006-11-02 13:02 . 2010-09-28 21:52   16384              c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        + 2010-09-09 21:00 . 2010-09-29 11:59   16384              c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
                                                        - 2010-09-09 21:00 . 2010-09-27 13:16   16384              c:\windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
                                                        - 2009-05-18 19:46 . 2010-09-28 21:53   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        + 2009-05-18 19:46 . 2010-09-29 11:49   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        - 2009-05-18 19:46 . 2010-09-28 21:53   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        + 2009-05-18 19:46 . 2010-09-29 11:49   32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        + 2009-05-18 19:46 . 2010-09-29 11:49   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        - 2009-05-18 19:46 . 2010-09-28 21:53   16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        - 2009-05-18 19:40 . 2010-09-28 21:52   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        + 2009-05-18 19:40 . 2010-09-29 11:48   16384              c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
                                                        + 2009-05-18 19:40 . 2010-09-29 11:48   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        - 2009-05-18 19:40 . 2010-09-28 21:52   32768              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
                                                        - 2009-05-18 19:40 . 2010-09-28 21:52   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        + 2009-05-18 19:40 . 2010-09-29 11:48   16384              c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
                                                        + 2010-06-04 19:35 . 2010-09-29 12:00   49152              c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
                                                        - 2010-06-04 19:35 . 2010-09-09 21:01   49152              c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
                                                        + 2010-09-29 11:57 . 2010-06-22 13:26   2048              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.22429_none_17aad34f1fde10ac\tzres.dll
                                                        + 2010-09-29 11:57 . 2010-06-22 13:30   2048              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.18276_none_16e8242406ebb36b\tzres.dll
                                                        + 2010-09-29 11:57 . 2010-06-22 13:04   2048              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22717_none_15cd30bf22b16ce9\tzres.dll
                                                        + 2010-09-29 11:57 . 2010-06-22 12:57   2048              c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18497_none_14ed10c809d4b259\tzres.dll
                                                        + 2010-09-29 11:48 . 2010-09-29 11:48   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                                                        - 2010-09-28 21:52 . 2010-09-28 21:52   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
                                                        + 2010-09-29 11:48 . 2010-09-29 11:48   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                                                        - 2010-09-28 21:52 . 2010-09-28 21:52   2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
                                                        + 2006-11-02 10:33 . 2010-09-29 11:54   608760              c:\windows\System32\perfh009.dat
                                                        - 2006-11-02 10:33 . 2010-09-28 21:58   608760              c:\windows\System32\perfh009.dat
                                                        - 2006-11-02 10:33 . 2010-09-28 21:58   108268              c:\windows\System32\perfc009.dat
                                                        + 2006-11-02 10:33 . 2010-09-29 11:54   108268              c:\windows\System32\perfc009.dat
                                                        + 2006-11-02 10:22 . 2010-09-29 11:55   6553600              c:\windows\System32\SMI\Store\Machine\schema.dat
                                                        - 2006-11-02 10:22 . 2010-09-18 08:51   6553600              c:\windows\System32\SMI\Store\Machine\schema.dat
                                                        + 2010-09-29 12:03 . 2010-09-29 12:03   6410240              c:\windows\ERDNT\Hiv-backup\schema.dat
                                                        + 2010-09-29 11:58 . 2010-09-29 11:58   20303872              c:\windows\Installer\a26be.msp
                                                        + 2009-05-31 17:07 . 2010-09-29 12:00   186205553              c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
                                                        .
                                                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                                        .
                                                        .
                                                        *Note* empty entries & legit default entries are not shown
                                                        REGEDIT4

                                                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                        "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                                                        "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
                                                        "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
                                                        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-09 39408]
                                                        "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                                        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                                                        "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
                                                        "SigmatelSysTrayApp"="sttray.exe" [2007-03-29 303104]
                                                        "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
                                                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                                                        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
                                                        "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
                                                        "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\oaui.exe" [2010-07-05 6854984]
                                                        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
                                                        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                                                        "EnableUIADesktopToggle"= 0 (0x0)

                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                                                        "EnableShellExecuteHooks"= 1 (0x1)

                                                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                                        "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-05 924488]

                                                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
                                                        @=""

                                                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
                                                        @="Service"

                                                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                                                        @="Service"

                                                        R1 apprngr;AppRanger Scan Driver;c:\windows\system32\Drivers\apprngr.sys

                                                        R2 apprngr_svc;AppRanger Service;c:\program files\AppRanger\SWSvc.exe

                                                        R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                                                        R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 133104]
                                                        R2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [2010-07-05 3364680]
                                                        R3 bepldr;BCL easyPDF SDK 5 Loader;c:\program files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe [2007-02-21 151552]
                                                        R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                                                        S0 amacpi;Microsoft Away Mode System;c:\windows\system32\DRIVERS\null.sys [2008-01-19 4608]
                                                        S0 npf;npf Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
                                                        S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2010-07-05 236104]
                                                        S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2010-07-05 22600]
                                                        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
                                                        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
                                                        S2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\OAcat.exe [2010-07-05 1283400]
                                                        S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2010-09-01 318520]
                                                        S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
                                                        S3 OAnet;OnlineArmor Service;c:\windows\system32\DRIVERS\oanet.sys [2010-07-05 29256]
                                                        S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]


                                                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                                                        bthsvcs   REG_MULTI_SZ      BthServ
                                                        LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                                                        .
                                                        Contents of the 'Scheduled Tasks' folder

                                                        2010-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                                                        - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                                                        2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                                                        - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-11 12:13]

                                                        2010-09-28 c:\windows\Tasks\ParetoLogic Registration3.job
                                                        - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-08-04 18:19]

                                                        2010-08-13 c:\windows\Tasks\ParetoLogic Update Version3.job
                                                        - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-08-04 18:19]

                                                        2010-09-29 c:\windows\Tasks\User_Feed_Synchronization-{AAD29C0A-613E-42B8-9812-D1A798192E3F}.job
                                                        - c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
                                                        .
                                                        .
                                                        ------- Supplementary Scan -------
                                                        .
                                                        uStart Page = hxxp://www.google.co.uk/
                                                        mStart Page = hxxp://www.voover.com/
                                                        uInternet Settings,ProxyOverride = *.local
                                                        uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
                                                        .

                                                        **************************************************************************

                                                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                                        Rootkit scan 2010-09-29 13:17
                                                        Windows 6.0.6002 Service Pack 2 NTFS

                                                        scanning hidden processes ... 

                                                        scanning hidden autostart entries ...

                                                        scanning hidden files ... 

                                                        scan completed successfully
                                                        hidden files: 0

                                                        **************************************************************************
                                                        .
                                                        --------------------- LOCKED REGISTRY KEYS ---------------------

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                                                        @Denied: (A 2) (Everyone)
                                                        @="FlashBroker"
                                                        "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                                                        "Enabled"=dword:00000001

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                                                        @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                                                        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                                                        @Denied: (A 2) (Everyone)
                                                        @="IFlashBroker4"

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                                                        @="{00020424-0000-0000-C000-000000000046}"

                                                        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                                                        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                                                        "Version"="1.0"

                                                        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                                                        @Denied: (A) (Users)
                                                        @Denied: (A) (Everyone)
                                                        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                                                        "BlindDial"=dword:00000000
                                                        .
                                                        Completion time: 2010-09-29  13:25:53
                                                        ComboFix-quarantined-files.txt  2010-09-29 12:25
                                                        ComboFix2.txt  2010-09-28 23:50
                                                        ComboFix3.txt  2010-09-26 14:35
                                                        ComboFix4.txt  2010-09-22 13:52
                                                        ComboFix5.txt  2010-09-29 12:02

                                                        Pre-Run: 59,893,477,376 bytes free
                                                        Post-Run: 59,291,213,824 bytes free

                                                        - - End Of File - - E9C012840EC9B2A6897E8CB2BF14911F


                                                        Logfile of Trend Micro HijackThis v2.0.4
                                                        Scan saved at 13:30:43, on 29/09/2010
                                                        Platform: Windows Vista SP2 (WinNT 6.00.1906)
                                                        MSIE: Internet Explorer v8.00 (8.00.6001.18943)
                                                        Boot mode: Normal

                                                        Running processes:
                                                        C:\Windows\system32\Dwm.exe
                                                        C:\Windows\system32\taskeng.exe
                                                        C:\Windows\system32\taskeng.exe
                                                        C:\Program Files\Secunia\PSI\psi.exe
                                                        C:\Windows\System32\mobsync.exe
                                                        C:\Program Files\Windows Media Player\wmpnscfg.exe
                                                        C:\Windows\sttray.exe
                                                        C:\Program Files\Microsoft Security Essentials\msseces.exe
                                                        C:\Program Files\Common Files\Java\Java Update\jusched.exe
                                                        C:\Program Files\iTunes\iTunesHelper.exe
                                                        C:\Program Files\Windows Sidebar\sidebar.exe
                                                        C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
                                                        C:\Windows\ehome\ehtray.exe
                                                        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                                        C:\Windows\ehome\ehmsas.exe
                                                        C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
                                                        C:\Windows\Explorer.exe
                                                        C:\Windows\system32\SearchFilterHost.exe
                                                        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

                                                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
                                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                                        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                                        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.voover.com/
                                                        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
                                                        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
                                                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
                                                        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                        O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                        O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
                                                        O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
                                                        O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
                                                        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                                                        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                                                        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
                                                        O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
                                                        O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
                                                        O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
                                                        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                                                        O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
                                                        O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
                                                        O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
                                                        O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
                                                        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
                                                        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                        O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
                                                        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
                                                        O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
                                                        O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
                                                        O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
                                                        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
                                                        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
                                                        O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
                                                        O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\oaui.exe"
                                                        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
                                                        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                                        O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
                                                        O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
                                                        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
                                                        O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                                        O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
                                                        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                                        O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
                                                        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                                                        O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
                                                        O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
                                                        O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
                                                        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
                                                        O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
                                                        O23 - Service: AppRanger Service (apprngr_svc) - Unknown owner - C:\Program Files\AppRanger\SWSvc.exe (file missing)
                                                        O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
                                                        O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                                                        O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
                                                        O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
                                                        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                                                        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
                                                        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                        O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
                                                        O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
                                                        O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
                                                        O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
                                                        O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
                                                        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
                                                        O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
                                                        O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
                                                        O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Emsisoft\Online Armor\oasrv.exe
                                                        O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

                                                        --
                                                        End of file - 8610 bytes

                                                        ronymaxwell

                                                          Re: Lost access to router
                                                          « Reply #37 on: September 29, 2010, 12:06:53 PM »
                                                          Just to keep you up to date, SuperDave, I deleted the back up folder that contained the 'RECYCLE' folder I couldn't find.  I had to change a number of permissions and ownerships to do so (temporarily switched UAC off).  During this process a message came up 'Are you sure you want to delete RECYCLE...
                                                          I scanned with Secunia again and obtained 100%.

                                                          SuperDave

                                                          Re: Lost access to router
                                                          « Reply #38 on: September 29, 2010, 01:17:03 PM »
                                                          All the logs look ok. Just run this to get rid of the latest version of ComboFix and to set a new restore date.

                                                          * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
                                                          * Now type Combofix /uninstall in the runbox
                                                          * Make sure there's a space between Combofix and /Uninstall
                                                          * Then hit Enter

                                                          The above procedure will:
                                                          * Delete the following:
                                                            * ComboFix and its associated files and folders.
                                                          * Reset the clock settings.
                                                          * Hide file extensions, if required.
                                                          * Hide System/Hidden files, if required.
                                                          * Set a new, clean Restore Point.

                                                          Windows 8 and Windows 10 dual boot with two SSD's

                                                          ronymaxwell

                                                            Re: Lost access to router
                                                            « Reply #39 on: September 29, 2010, 03:18:50 PM »
                                                            ComboFix uninstalled.  Incidentally, I failed to do that before because I misunderstood your instruction.
                                                            '* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.'
                                                            You might consider changing it to 'Vista users press the Windows Key and the R keys together for the Run box'. 

                                                            Anyway, thanks SuperDave for your considerable help.  I'm impressed with your skill and knowledge.  This is an excellent site.

                                                            SuperDave

                                                            Re: Lost access to router
                                                            « Reply #40 on: September 29, 2010, 07:26:40 PM »
                                                            Thanks for the advice. I'll have to update my canned speeches one day when I'm not so busy. Tell your friends about this site. ;D