
Topic: Win32 MB Rootkit from XP Antispyware Virus


strangerinchi (Topic Starter, Rookie)

    • Experience: Beginner
    • OS: Unknown
    Re: Win32 MB Rootkit from XP Antispyware Virus
    « Reply #15 on: December 15, 2011, 02:48:03 PM »
    :D Update: Ran ComboFix. And like last time it told me the ZeroAccess rootkit was on the system. And as I watched it I noticed it deleting a file "_ex-68.exe" from the Temp folder, a suspicious file I saw pop up on the Task Manager process list and ended the process a few times before re-running ComboFix. Also wanted to note that prior to re-running ComboFix, downloading it to the desktop and naming it "commy.exe" as you said, I would go back and forth between Safe and Regular mode and every time, when I went back to Regular mode, it was always the way I left it and it never froze upon start-up; it just had the browser hijacking and popups and browser crashes and lagging, and that was about it.
    All seems to be running smoothly, as in the time I was virus-free, at the moment; will continue to monitor. Here is the ComboFix log. =]]



    ComboFix 11-12-15.02 - Compaq_Administrator 12/15/2011  15:18:27.2.1 - x86
    Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1982.1600 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\commy.exe
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Compaq_Administrator\Application Data\Caotd
    c:\documents and settings\Compaq_Administrator\Application Data\Caotd\higy.exe
    c:\documents and settings\Compaq_Administrator\Recent\Thumbs.db
    c:\windows\$NtUninstallKB62280$
    c:\windows\$NtUninstallKB62280$\1434328181
    c:\windows\$NtUninstallKB62280$\485945278\@
    c:\windows\$NtUninstallKB62280$\485945278\bckfg.tmp
    c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
    c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
    c:\windows\$NtUninstallKB62280$\485945278\keywords
    c:\windows\$NtUninstallKB62280$\485945278\kwrd.dll
    c:\windows\$NtUninstallKB62280$\485945278\L\aqaeidou
    c:\windows\$NtUninstallKB62280$\485945278\lsflt7.ver
    c:\windows\$NtUninstallKB62280$\485945278\U\00000001.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000002.@
    c:\windows\$NtUninstallKB62280$\485945278\U\00000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000000.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000004.@
    c:\windows\$NtUninstallKB62280$\485945278\U\80000032.@
    c:\windows\CSC\d6
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\wpcap.dll
    c:\windows\Temp\_ex-68.exe
    .
    Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NPF
    -------\Service_NPF
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-11-15 to 2011-12-15  )))))))))))))))))))))))))))))))
    .
    .
    2011-12-15 21:15 . 2010-02-24 12:31   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
    2011-12-15 16:14 . 2011-12-15 18:07   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\Avdu
    2011-12-14 21:07 . 2004-08-09 21:00   50176   ----a-w-   c:\windows\system32\proquota.exe
    2011-12-14 21:07 . 2004-08-09 21:00   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
    2011-12-14 20:16 . 2011-12-14 20:16   --------   d-----w-   C:\_OTL
    2011-12-13 01:52 . 2009-06-30 16:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
    2011-12-13 01:50 . 2011-12-13 01:50   --------   d-----w-   c:\program files\Panda Security
    2011-12-12 07:08 . 2011-12-12 07:08   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2011-12-11 20:32 . 2011-12-11 20:32   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\AVG2012
    2011-12-11 20:26 . 2011-12-11 20:26   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\AVG Secure Search
    2011-12-11 20:25 . 2011-12-11 20:25   --------   d-----w-   c:\program files\Common Files\AVG Secure Search
    2011-12-11 20:25 . 2011-12-11 20:26   --------   d-----w-   c:\program files\AVG Secure Search
    2011-12-11 20:25 . 2011-12-11 20:25   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
    2011-12-11 20:23 . 2011-12-11 20:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG2012
    2011-12-11 20:23 . 2011-12-11 20:24   --------   d-----w-   c:\windows\system32\drivers\AVG
    2011-12-11 20:22 . 2011-12-11 20:22   --------   d-----w-   c:\program files\AVG
    2011-12-11 20:01 . 2011-12-11 20:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
    2011-12-11 19:32 . 2011-12-11 19:34   --------   d-----w-   C:\a39014efedd8604e4c25e763
    2011-12-11 19:06 . 2011-12-11 20:33   --------   d-----w-   c:\program files\Common Files\PC Tools
    2011-12-11 19:03 . 2011-12-11 19:03   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\TestApp
    2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\program files\Conduit
    2011-12-11 18:19 . 2011-12-15 02:12   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\midicairUSA
    2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Conduit
    2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\program files\midicairUSA
    2011-12-11 17:35 . 2011-12-11 17:42   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\NPE
    2011-12-11 17:35 . 2011-12-11 17:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
    2011-12-11 13:10 . 2001-08-17 20:06   154496   ----a-w-   c:\windows\system32\dllcache\icam4usb.sys
    2011-12-11 12:53 . 2001-08-18 04:36   27648   ----a-w-   c:\windows\system32\dllcache\cyzports.dll
    2011-12-11 12:46 . 2001-08-17 18:13   22044   ----a-w-   c:\windows\system32\dllcache\cem33n5.sys
    2011-12-11 11:44 . 2011-12-14 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
    2011-12-11 11:44 . 2011-12-11 11:44   --------   d-----w-   c:\program files\AVAST Software
    2011-12-11 09:03 . 2011-12-12 03:10   23624   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
    2011-12-11 09:03 . 2011-12-11 09:03   --------   d-----w-   c:\program files\Hitman Pro 3.5
    2011-12-11 09:02 . 2011-12-11 09:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Hitman Pro
    2011-12-11 07:31 . 2011-12-11 11:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
    2011-12-10 06:10 . 2011-12-10 06:10   --------   d-----w-   c:\program files\Common Files\McAfee
    2011-12-04 16:46 . 2011-12-04 16:46   --------   d-----w-   c:\windows\system32\wbem\Repository
    2011-12-04 16:45 . 2011-12-04 16:45   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Solid State Networks
    2011-12-04 14:23 . 2011-12-04 14:23   --------   d-----w-   c:\program files\McAfee
    2011-12-03 06:11 . 2011-12-03 06:11   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
    2011-12-01 06:09 . 2011-12-04 14:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
    2011-12-01 06:09 . 2011-12-01 06:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
    2011-12-01 06:09 . 2011-12-04 18:03   --------   d-----w-   c:\program files\McAfee Security Scan
    2011-11-16 07:36 . 2011-12-11 20:54   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\QuickScan
    2011-11-16 05:36 . 2011-11-16 05:36   --------   d-----w-   c:\program files\ESET
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-07 12:23 . 2011-10-07 12:23   230608   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
    2011-10-04 12:21 . 2011-10-04 12:21   16720   ----a-w-   c:\windows\system32\drivers\AVGIDSShim.sys
    2011-11-27 04:06 . 2011-05-07 00:15   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
    .
    c:\program files\Common Files\Adobe\Updater5\AdobeUpdater .exe
    c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\windows\system32\RunDll32 .exe
    .
    (((((((((((((((((((((((((((((   SnapShot@2011-12-14_21.15.27   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-12-15 21:34 . 2011-12-15 21:34   16384              c:\windows\temp\Perflib_Perfdata_784.dat
    + 2011-12-15 21:34 . 2011-12-15 21:34   16384              c:\windows\temp\Perflib_Perfdata_668.dat
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2011-05-08 357376]
    "{f3902028-4a21-4793-8e05-793e183d51c2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
    [HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
    [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
    .
    [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    2011-12-11 20:25   1451336   ----a-w-   c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
    2011-05-08 19:54   1543168   ----a-w-   c:\program files\Dogpile Bundle Toolbar\Toolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f3902028-4a21-4793-8e05-793e183d51c2}]
    2011-05-09 08:49   176936   ----a-w-   c:\program files\midicairUSA\prxtbmidi.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-05-08 1543168]
    "{f3902028-4a21-4793-8e05-793e183d51c2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
    "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-12-11 1451336]
    .
    [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
    .
    [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
    [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-05-08 1543168]
    "{F3902028-4A21-4793-8E05-793E183D51C2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
    [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
    .
    [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{A830B3A0-7E01-AD7C-8227-6CA295624FB0}"="c:\documents and settings\Compaq_Administrator\Application Data\Caotd\higy.exe" [N/A]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="c:\program files\QuickTime\qttask  .exe -atboottime" [X]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [N/A]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    ifaje.exe [2011-12-15 194560]
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-10 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-10 27136]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    ujqi.exe [2011-12-15 194560]
    .
    c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\AutorunsDisabled
    Antimalware Doctor.lnk - c:\documents and settings\Compaq_Administrator\Application Data\DBF4505D2E0503B99DD8E1D3DBBBD72D\sorttp700.exe [N/A]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgebc]
    khfgebc.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
    backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
    backup=c:\windows\pss\Orbit.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WhiteSmoke Translator.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
    backup=c:\windows\pss\WhiteSmoke Translator.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Free Music Zilla.lnk]
    path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Free Music Zilla.lnk
    backup=c:\windows\pss\Free Music Zilla.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^RCA Detective.lnk]
    path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\RCA Detective.lnk
    backup=c:\windows\pss\RCA Detective.lnkStartup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^ZooskMessenger.lnk]
    path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\ZooskMessenger.lnk
    backup=c:\windows\pss\ZooskMessenger.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2010-03-06 09:44   500208   ------w-   c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
    2010-02-22 10:57   406992   ----a-w-   c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
    2011-05-03 15:43   4321112   ----a-w-   c:\program files\AIM\aim.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Akamai\netsession_win.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirus AntiSpyware 2011]
    c:\documents and settings\Compaq_Administrator\Application Data\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2009-08-13 21:51   177440   -c--a-w-   c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast]
    c:\program files\AVAST Software\Avast\avastUI.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
    c:\progra~1\ALWILS~1\Avast5\avastUI.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    c:\progra~1\Grisoft\AVG7\avgcc.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
    2011-10-25 02:29   2415456   ----a-w-   c:\program files\AVG\AVG2012\avgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNowEZtray]
    2009-09-19 13:04   562944   ----a-w-   c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet]
    c:\program files\BitComet\BitComet.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClickPotatoLiteSA]
    c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2007-10-31 02:57   1095256   ----a-w-   c:\program files\DISC\DISCover.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
    2011-06-08 15:45   822456   ----a-w-   c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Set 2011]
    c:\program files\E-Set 2011\e-set.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-08-05 21:56   64512   ----a-w-   c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\frlhavwk]
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\qdmnov\pklssftav.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fxvjhtup]
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\tpnwfbyar\kxyxqcgtssd.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gamevance]
    c:\program files\Gamevance Games\gamevance32.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-05-18 19:00   136176   ----atw-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
    2011-12-11 09:00   6480192   ----a-w-   c:\program files\Hitman Pro 3.5\HitmanPro35.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    2003-12-22 13:38   241664   -c--a-w-   c:\program files\HP\hpcoretech\hpcmpmgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-05-08 21:24   54840   -c--a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2006-02-15 23:34   249856   -c--a-w-   c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2004-03-04 15:46   172032   -c--a-w-   c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICS5R7Y0OS]
    c:\windows\Fqugac.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jahovosuz]
    c:\windows\system32\gebojele.dll [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    2005-08-24 12:51   442455   -c--a-w-   c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-10-13 16:24   1694208   ----a-w-   c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2010-04-17 04:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor]
    c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    c:\windows\system32\NvCpl.dll [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA driver monitor]
    c:\windows\nvsvc32.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-05-09 15:50   1519616   -c--a-w-   c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCFixSpeed]
    2011-02-11 08:10   312440   ----a-w-   c:\program files\PCFixSpeed\PCFixTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcsafedoctor.exe]
    2011-11-01 22:22   2052608   ----a-w-   c:\program files\PCSafeDoctor\pcsafedoctor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Play Pickle]
    c:\program files\Play Pickle\playpickle32.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qowhgiom]
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ftssqe\oqicsftav.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    c:\program files\QuickTime\qttask.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\R8388QA8U8]
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Fpt.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-22 23:14   237568   -c--a-w-   c:\windows\SMINST\Recguard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-10-13 14:27   17351304   ----a-r-   c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sorttp700.exe]
    c:\documents and settings\Compaq_Administrator\Application Data\DBF4505D2E0503B99DD8E1D3DBBBD72D\sorttp700.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 22:07   2260480   ------w-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-04-26 07:35   148888   -c--a-w-   c:\program files\Java\jre6\bin\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2011-11-07 18:04   4617600   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
    2010-02-19 19:37   517096   -c--a-w-   c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysfbtray]
    c:\windows\freddy67.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system tool]
    c:\windows\sysguard.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vgkjwjqs]
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\nfljrr\habvsftav.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
    2011-12-11 20:25   218464   ----a-w-   c:\program files\AVG Secure Search\vprot.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    2006-07-21 21:19   129536   -c--a-w-   c:\progra~1\Yahoo!\browser\ybrwicon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    c:\program files\Yahoo!\Search Protection\SearchProtection.exe [N/A]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RSVP"=3 (0x3)
    "fioo32"=2 (0x2)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "2155:TCP"= 2155:TCP:Services
    "1044:TCP"= 1044:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface
    "10432:UDP"= 10432:UDP:UDP 10432
    "23624:TCP"= 23624:TCP:TCP 23624
    .
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/12/2011 7:52 PM 28552]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/9/2004 3:00 PM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai   REG_MULTI_SZ      Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-11 c:\windows\Tasks\AdobeAAMUpdater-1.0-BOPEEP-Compaq_Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-12-04 09:44]
    .
    2011-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
    .
    2011-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3122169640-262842125-2451393388-1007Core.job
    - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 19:00]
    .
    2011-12-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3122169640-262842125-2451393388-1007UA.job
    - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 19:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.sweetim.com
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://home.sweetim.com
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Settings,ProxyOverride = <local>;*.local
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: babynamescentral.com\www
    Trusted Zone: trymedia.com
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\uqjfirve.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://aol.com
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3070524&SearchSource=2&q=
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Compaq_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-15 15:35
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
    "ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(724)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\msacm32.drv
    .
    - - - - - - - > 'explorer.exe'(3992)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\ARPWRMSG.EXE
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-15  15:38:41 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-12-15 21:38
    ComboFix2.txt  2011-12-14 21:20
    ComboFix3.txt  2008-11-16 16:58
    .
    Pre-Run: 91,037,110,272 bytes free
    Post-Run: 91,356,209,152 bytes free
    .
    - - End Of File - - 0D9AA94C56A499CA91BA03DC30DA4722

    strangerinchi

      Re: Win32 MB Rootkit from XP Antispyware Virus
      « Reply #16 on: December 15, 2011, 03:23:55 PM »
      UPDATE:  :o Browsers are still crashing, and Automatic Update wants to run for some reason. A Dr. Watson Postmortem Debugger message came up about how it couldn't run, and MRT.exe was running in the process list for some reason; otherwise, everything else seems OK.

      SuperDave

      • Malware Removal Specialist


      Re: Win32 MB Rootkit from XP Antispyware Virus
      « Reply #17 on: December 15, 2011, 07:44:30 PM »
      Download Security Check by screen317 from one of the following links and save it to your desktop.

      Link 1
      Link 2

      * Double-click Security Check.bat
      * Follow the on-screen instructions inside of the black box.
      * A Notepad document called checkup.txt should open automatically.
      * Post the contents of that document in your next reply.

      Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
      *******************************************************
      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open Notepad and copy/paste the text in the quote box below into it:
        Quote
        KillAll::

        RenV::
        c:\program files\Common Files\Adobe\Updater5\AdobeUpdater .exe
        c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc .exe
        c:\program files\iTunes\iTunesHelper .exe
        c:\windows\system32\RunDll32 .exe

        Firefox::
        Trusted Zone: babynamescentral.com\www
        Trusted Zone: trymedia.com

      • Save this as CFScript.txt, in the same location as ComboFix.exe
      [image: CFScript.txt being dragged onto ComboFix.exe]
      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.

      strangerinchi

        Re: Win32 MB Rootkit from XP Antispyware Virus
        « Reply #18 on: December 16, 2011, 12:06:06 AM »
        Here is the checkup.txt log you requested. =]]]]

        ===================================================================

         Results of screen317's Security Check version 0.99.28 
         Windows XP Service Pack 2 x86   
         Out of date service pack!!
         Internet Explorer 7 Out of date!
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Enabled! 
         AVG 2012     
         ESET Online Scanner v3   
         McAfee Security Scan Plus   
         WMI entry may not exist for antivirus; attempting automatic update.
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         CCleaner (remove only)   
         Java(TM) 6 Update 13 
         Java(TM) 6 Update 2 
         Java version out of date!
          Adobe Flash Player (   10.0.32.18) Flash Player out of Date! 
         Adobe Reader 8 Adobe Reader out of date!
         Mozilla Firefox (8.0.1)
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

        ``````````End of Log````````````

        strangerinchi

          Re: Win32 MB Rootkit from XP Antispyware Virus
          « Reply #19 on: December 16, 2011, 12:32:21 AM »
          Here is the new ComboFix log =D

          =====================================================================

          ComboFix 11-12-15.02 - Compaq_Administrator 12/16/2011   1:13.3.1 - x86
          Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1982.1677 [GMT -6:00]
          Running from: c:\documents and settings\Compaq_Administrator\Desktop\commy.exe
          Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt.txt
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          c:\documents and settings\Compaq_Administrator\Application Data\Caotd\higy.exe
          .
          .
          (((((((((((((((((((((((((   Files Created from 2011-11-16 to 2011-12-16  )))))))))))))))))))))))))))))))
          .
          .
          2011-12-15 22:05 . 2011-12-15 22:05   --------   d-----w-   c:\windows\LastGood.Tmp
          2011-12-15 21:15 . 2010-02-24 12:31   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
          2011-12-15 16:14 . 2011-12-15 18:07   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\Avdu
          2011-12-14 21:07 . 2004-08-09 21:00   50176   ----a-w-   c:\windows\system32\proquota.exe
          2011-12-14 21:07 . 2004-08-09 21:00   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
          2011-12-14 20:16 . 2011-12-14 20:16   --------   d-----w-   C:\_OTL
          2011-12-13 01:52 . 2009-06-30 16:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
          2011-12-13 01:50 . 2011-12-13 01:50   --------   d-----w-   c:\program files\Panda Security
          2011-12-12 07:08 . 2011-12-12 07:08   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2011-12-11 20:32 . 2011-12-11 20:32   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\AVG2012
          2011-12-11 20:26 . 2011-12-11 20:26   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\AVG Secure Search
          2011-12-11 20:25 . 2011-12-11 20:25   --------   d-----w-   c:\program files\Common Files\AVG Secure Search
          2011-12-11 20:25 . 2011-12-11 20:26   --------   d-----w-   c:\program files\AVG Secure Search
          2011-12-11 20:25 . 2011-12-11 20:25   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
          2011-12-11 20:23 . 2011-12-11 20:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG2012
          2011-12-11 20:23 . 2011-12-11 20:24   --------   d-----w-   c:\windows\system32\drivers\AVG
          2011-12-11 20:22 . 2011-12-11 20:22   --------   d-----w-   c:\program files\AVG
          2011-12-11 20:01 . 2011-12-11 20:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
          2011-12-11 19:32 . 2011-12-11 19:34   --------   d-----w-   C:\a39014efedd8604e4c25e763
          2011-12-11 19:06 . 2011-12-11 20:33   --------   d-----w-   c:\program files\Common Files\PC Tools
          2011-12-11 19:03 . 2011-12-11 19:03   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\TestApp
          2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\program files\Conduit
          2011-12-11 18:19 . 2011-12-15 02:12   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\midicairUSA
          2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Conduit
          2011-12-11 18:19 . 2011-12-11 18:19   --------   d-----w-   c:\program files\midicairUSA
          2011-12-11 17:35 . 2011-12-11 17:42   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\NPE
          2011-12-11 17:35 . 2011-12-11 17:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
          2011-12-11 13:10 . 2001-08-17 20:06   154496   ----a-w-   c:\windows\system32\dllcache\icam4usb.sys
          2011-12-11 12:53 . 2001-08-18 04:36   27648   ----a-w-   c:\windows\system32\dllcache\cyzports.dll
          2011-12-11 12:46 . 2001-08-17 18:13   22044   ----a-w-   c:\windows\system32\dllcache\cem33n5.sys
          2011-12-11 11:44 . 2011-12-14 20:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
          2011-12-11 11:44 . 2011-12-11 11:44   --------   d-----w-   c:\program files\AVAST Software
          2011-12-11 09:03 . 2011-12-12 03:10   23624   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
          2011-12-11 09:03 . 2011-12-11 09:03   --------   d-----w-   c:\program files\Hitman Pro 3.5
          2011-12-11 09:02 . 2011-12-11 09:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Hitman Pro
          2011-12-11 07:31 . 2011-12-11 11:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Tools
          2011-12-10 06:10 . 2011-12-10 06:10   --------   d-----w-   c:\program files\Common Files\McAfee
          2011-12-04 16:46 . 2011-12-04 16:46   --------   d-----w-   c:\windows\system32\wbem\Repository
          2011-12-04 16:45 . 2011-12-04 16:45   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Solid State Networks
          2011-12-04 14:23 . 2011-12-04 14:23   --------   d-----w-   c:\program files\McAfee
          2011-12-03 06:11 . 2011-12-03 06:11   --------   d-----w-   c:\documents and settings\LocalService\Application Data\McAfee
          2011-12-01 06:09 . 2011-12-04 14:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee
          2011-12-01 06:09 . 2011-12-01 06:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\McAfee Security Scan
          2011-12-01 06:09 . 2011-12-04 18:03   --------   d-----w-   c:\program files\McAfee Security Scan
          2011-11-16 07:36 . 2011-12-11 20:54   --------   d-----w-   c:\documents and settings\Compaq_Administrator\Application Data\QuickScan
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2011-10-14 23:38 . 2004-08-09 21:00   456192   ----a-w-   c:\windows\system32\encdec.dll
          2011-10-07 12:23 . 2011-10-07 12:23   230608   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2011-10-04 12:21 . 2011-10-04 12:21   16720   ----a-w-   c:\windows\system32\drivers\AVGIDSShim.sys
          2011-11-27 04:06 . 2011-05-07 00:15   134104   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
          .
          .
          (((((((((((((((((((((((((((((   SnapShot@2011-12-14_21.15.27   )))))))))))))))))))))))))))))))))))))))))
          .
          + 2011-12-16 07:25 . 2011-12-16 07:25   16384              c:\windows\temp\Perflib_Perfdata_50c.dat
          + 2011-12-16 07:25 . 2011-12-16 07:25   16384              c:\windows\temp\Perflib_Perfdata_2b0.dat
          - 2006-11-10 23:58 . 2010-12-21 15:36   26488              c:\windows\system32\spupdsvc.exe
          + 2006-11-10 23:58 . 2010-12-21 17:36   26488              c:\windows\system32\spupdsvc.exe
          + 2006-11-11 00:05 . 2010-12-21 17:36   17272              c:\windows\system32\spmsg.dll
          - 2006-11-11 00:05 . 2010-12-21 15:36   17272              c:\windows\system32\spmsg.dll
          - 2011-09-21 21:06 . 2011-09-21 21:06   38240              c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
          + 2011-12-15 22:06 . 2011-12-15 22:06   38240              c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
          - 2004-08-09 21:00 . 2011-02-04 22:48   456192              c:\windows\system32\dllcache\encdec.dll
          + 2004-08-09 21:00 . 2011-10-14 23:38   456192              c:\windows\system32\dllcache\encdec.dll
          + 2011-11-01 19:34 . 2011-11-01 19:34   1552384              c:\windows\Installer\19b371.msp
          + 2011-11-01 19:34 . 2011-11-01 19:34   2531840              c:\windows\Installer\19b368.msp
          + 2011-11-11 22:16 . 2011-11-11 22:16   8458240              c:\windows\Installer\19b35f.msp
          + 2010-05-06 21:04 . 2011-12-15 22:03   52988224              c:\windows\system32\MRT.exe
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}"= "c:\program files\Dogpile Bundle Toolbar\Helper.dll" [2011-05-08 357376]
          "{f3902028-4a21-4793-8e05-793e183d51c2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
          .
          [HKEY_CLASSES_ROOT\clsid\{f78bf7a8-cf12-4de7-a6da-c463d1b539a7}]
          [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
          [HKEY_CLASSES_ROOT\TypeLib\{C766F9AD-E91E-43DE-91DC-D007680ED4AF}]
          [HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
          .
          [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
          .
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
          2011-12-11 20:25   1451336   ----a-w-   c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll
          .
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
          2011-05-08 19:54   1543168   ----a-w-   c:\program files\Dogpile Bundle Toolbar\Toolbar.dll
          .
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f3902028-4a21-4793-8e05-793e183d51c2}]
          2011-05-09 08:49   176936   ----a-w-   c:\program files\midicairUSA\prxtbmidi.dll
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-05-08 1543168]
          "{f3902028-4a21-4793-8e05-793e183d51c2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
          "{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\8.0.0.40\AVG Secure Search_toolbar.dll" [2011-12-11 1451336]
          .
          [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
          [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
          [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
          [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
          .
          [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
          .
          [HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
          [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
          [HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
          .
          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
          "{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2011-05-08 1543168]
          "{F3902028-4A21-4793-8E05-793E183D51C2}"= "c:\program files\midicairUSA\prxtbmidi.dll" [2011-05-09 176936]
          .
          [HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
          [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.1]
          [HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
          [HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]
          .
          [HKEY_CLASSES_ROOT\clsid\{f3902028-4a21-4793-8e05-793e183d51c2}]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "QuickTime Task"="c:\program files\QuickTime\qttask  .exe -atboottime" [X]
          "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
          "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
          .
          c:\documents and settings\Default User\Start Menu\Programs\Startup\
          ifaje.exe [2011-12-15 194560]
          Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-10 27136]
          PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-10 27136]
          .
          c:\documents and settings\Administrator\Start Menu\Programs\Startup\
          ujqi.exe [2011-12-15 194560]
          .
          c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\AutorunsDisabled
          Antimalware Doctor.lnk - c:\documents and settings\Compaq_Administrator\Application Data\DBF4505D2E0503B99DD8E1D3DBBBD72D\sorttp700.exe [N/A]
          .
          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgebc]
          khfgebc.dll [BU]
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
          @=""
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
          @="Service"
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
          @=""
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
          @=""
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
          @=""
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Self Support Tool.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Self Support Tool.lnk
          backup=c:\windows\pss\AT&T Self Support Tool.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
          backup=c:\windows\pss\Compaq Connections.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
          backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
          backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
          backup=c:\windows\pss\Orbit.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WhiteSmoke Translator.lnk]
          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WhiteSmoke Translator.lnk
          backup=c:\windows\pss\WhiteSmoke Translator.lnkCommon Startup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^Free Music Zilla.lnk]
          path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\Free Music Zilla.lnk
          backup=c:\windows\pss\Free Music Zilla.lnkStartup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^RCA Detective.lnk]
          path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\RCA Detective.lnk
          backup=c:\windows\pss\RCA Detective.lnkStartup
          .
          [HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Administrator^Start Menu^Programs^Startup^ZooskMessenger.lnk]
          path=c:\documents and settings\Compaq_Administrator\Start Menu\Programs\Startup\ZooskMessenger.lnk
          backup=c:\windows\pss\ZooskMessenger.lnkStartup
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
          2010-03-06 09:44   500208   ------w-   c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
          2010-02-22 10:57   406992   ----a-w-   c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
          2010-08-09 20:19   2356088   ----a-w-   c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
          2011-05-03 15:43   4321112   ----a-w-   c:\program files\AIM\aim.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
          2009-08-13 21:51   177440   -c--a-w-   c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_TRAY]
          2011-10-25 02:29   2415456   ----a-w-   c:\program files\AVG\AVG2012\avgtray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNowEZtray]
          2009-09-19 13:04   562944   ----a-w-   c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
          2007-10-31 02:57   1095256   ----a-w-   c:\program files\DISC\DISCover.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
          2011-06-08 15:45   822456   ----a-w-   c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
          2005-08-05 21:56   64512   ----a-w-   c:\windows\ehome\ehtray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
          2011-05-18 19:00   136176   ----atw-   c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
          2011-12-11 09:00   6480192   ----a-w-   c:\program files\Hitman Pro 3.5\HitmanPro35.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
          2003-12-22 13:38   241664   -c--a-w-   c:\program files\HP\hpcoretech\hpcmpmgr.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
          2007-05-08 21:24   54840   -c--a-w-   c:\program files\HP\HP Software Update\hpwuSchd2.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
          2006-02-15 23:34   249856   -c--a-w-   c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
          2004-03-04 15:46   172032   -c--a-w-   c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
          2005-08-24 12:51   442455   -c--a-w-   c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
          2004-10-13 16:24   1694208   ----a-w-   c:\program files\Messenger\msmsgs.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
          2010-04-17 04:12   3872080   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
          2006-05-09 15:50   1519616   -c--a-w-   c:\windows\system32\nwiz.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCFixSpeed]
          2011-02-11 08:10   312440   ----a-w-   c:\program files\PCFixSpeed\PCFixTray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcsafedoctor.exe]
          2011-11-01 22:22   2052608   ----a-w-   c:\program files\PCSafeDoctor\pcsafedoctor.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
          2005-07-22 23:14   237568   -c--a-w-   c:\windows\SMINST\Recguard.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
          2011-10-13 14:27   17351304   ----a-r-   c:\program files\Skype\Phone\Skype.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
          2009-03-05 22:07   2260480   ------w-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
          2009-04-26 07:35   148888   -c--a-w-   c:\program files\Java\jre6\bin\jusched.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
          2011-11-07 18:04   4617600   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
          2010-02-19 19:37   517096   -c--a-w-   c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vProt]
          2011-12-11 20:25   218464   ----a-w-   c:\program files\AVG Secure Search\vprot.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
          2006-07-21 21:19   129536   -c--a-w-   c:\progra~1\Yahoo!\browser\ybrwicon.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "RSVP"=3 (0x3)
          "fioo32"=2 (0x2)
          .
          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
          "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
          "DisableMonitoring"=dword:00000001
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
          "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
          "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
          "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
          "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
          "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
          "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
          "c:\\Program Files\\SecondLifeViewer2\\SLVoice.exe"=
          "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "65533:TCP"= 65533:TCP:Services
          "52344:TCP"= 52344:TCP:Services
          "2479:TCP"= 2479:TCP:Services
          "2155:TCP"= 2155:TCP:Services
          "1044:TCP"= 1044:TCP:Akamai NetSession Interface
          "5000:UDP"= 5000:UDP:Akamai NetSession Interface
          "10432:UDP"= 10432:UDP:UDP 10432
          "23624:TCP"= 23624:TCP:TCP 23624
          .
          R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [12/12/2011 7:52 PM 28552]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
          R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
          R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/9/2004 3:00 PM 14336]
          .
          --- Other Services/Drivers In Memory ---
          .
          *NewlyCreated* - EHRECVR
          *NewlyCreated* - EHSCHED
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          Akamai   REG_MULTI_SZ      Akamai
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2011-12-11 c:\windows\Tasks\AdobeAAMUpdater-1.0-BOPEEP-Compaq_Administrator.job
          - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-12-04 09:44]
          .
          2011-12-05 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
          .
          2011-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3122169640-262842125-2451393388-1007Core.job
          - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 19:00]
          .
          2011-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3122169640-262842125-2451393388-1007UA.job
          - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-18 19:00]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://home.sweetim.com
          uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
          uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
          mStart Page = hxxp://home.sweetim.com
          mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
          uInternet Settings,ProxyOverride = <local>;*.local
          uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
          IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
          IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
          IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
          IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
          Trusted Zone: babynamescentral.com\www
          Trusted Zone: trymedia.com
          TCP: DhcpNameServer = 192.168.1.254
          Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
          DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
          FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\uqjfirve.default\
          FF - prefs.js: browser.search.defaulturl -
          FF - prefs.js: browser.search.selectedEngine - Yahoo
          FF - prefs.js: browser.startup.homepage - hxxp://aol.com
          FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3070524&SearchSource=2&q=
          FF - user.js: network.cookie.cookieBehavior - 0
          FF - user.js: privacy.clearOnShutdown.cookies - false
          FF - user.js: security.warn_viewing_mixed - false
          FF - user.js: security.warn_viewing_mixed.show_once - false
          FF - user.js: security.warn_submit_insecure - false
          FF - user.js: security.warn_submit_insecure.show_once - false
          .
          - - - - ORPHANS REMOVED - - - -
          .
          WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
          HKCU-Run-{A830B3A0-7E01-AD7C-8227-6CA295624FB0} - c:\documents and settings\Compaq_Administrator\Application Data\Caotd\higy.exe
          HKLM-Run-NvCplDaemon - c:\windows\system32\NvCpl.dll
          MSConfigStartUp-Akamai NetSession Interface - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\Akamai\netsession_win.exe
          MSConfigStartUp-AntiVirus AntiSpyware 2011 - c:\documents and settings\Compaq_Administrator\Application Data\AntiVirus AntiSpyware 2011\AntiVirus AntiSpyware.exe
          MSConfigStartUp-avast - c:\program files\AVAST Software\Avast\avastUI.exe
          MSConfigStartUp-avast5 - c:\progra~1\ALWILS~1\Avast5\avastUI.exe
          MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
          MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
          MSConfigStartUp-ClickPotatoLiteSA - c:\program files\ClickPotatoLite\bin\10.0.659.0\ClickPotatoLiteSA.exe
          MSConfigStartUp-E-Set 2011 - c:\program files\E-Set 2011\e-set.exe
          MSConfigStartUp-frlhavwk - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\qdmnov\pklssftav.exe
          MSConfigStartUp-fxvjhtup - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\tpnwfbyar\kxyxqcgtssd.exe
          MSConfigStartUp-Gamevance - c:\program files\Gamevance Games\gamevance32.exe
          MSConfigStartUp-ICS5R7Y0OS - c:\windows\Fqugac.exe
          MSConfigStartUp-jahovosuz - c:\windows\system32\gebojele.dll
          MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
          MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
          MSConfigStartUp-NvCplDaemon - c:\windows\system32\NvCpl.dll
          MSConfigStartUp-NVIDIA driver monitor - c:\windows\nvsvc32.exe
          MSConfigStartUp-Play Pickle - c:\program files\Play Pickle\playpickle32.exe
          MSConfigStartUp-qowhgiom - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ftssqe\oqicsftav.exe
          MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
          MSConfigStartUp-R8388QA8U8 - c:\docume~1\COMPAQ~1\LOCALS~1\Temp\Fpt.exe
          MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
          MSConfigStartUp-sorttp700 - c:\documents and settings\Compaq_Administrator\Application Data\DBF4505D2E0503B99DD8E1D3DBBBD72D\sorttp700.exe
          MSConfigStartUp-sysfbtray - c:\windows\freddy67.exe
          MSConfigStartUp-system tool - c:\windows\sysguard.exe
          MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
          MSConfigStartUp-vgkjwjqs - c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\nfljrr\habvsftav.exe
          MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
          .
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2011-12-16 01:26
          Windows 5.1.2600 Service Pack 2 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Akamai]
          "ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------
          .
          - - - - - - - > 'winlogon.exe'(732)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows\system32\WININET.dll
          .
          - - - - - - - > 'explorer.exe'(2716)
          c:\windows\system32\WININET.dll
          c:\windows\system32\ieframe.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\windows\RTHDCPL.EXE
          c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
          c:\windows\arservice.exe
          c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\LightScribe\LSSrvc.exe
          c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
          c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
          c:\windows\system32\nvsvc32.exe
          c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
          c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
          c:\windows\ehome\mcrdsvc.exe
          c:\windows\system32\wscntfy.exe
          c:\windows\eHome\ehRecvr.exe
          c:\windows\eHome\ehSched.exe
          c:\windows\system32\dllhost.exe
          .
          **************************************************************************
          .
          Completion time: 2011-12-16  01:29:28 - machine was rebooted
          ComboFix-quarantined-files.txt  2011-12-16 07:29
          ComboFix2.txt  2011-12-15 21:38
          ComboFix3.txt  2011-12-14 21:20
          ComboFix4.txt  2008-11-16 16:58
          .
          Pre-Run: 90,809,044,992 bytes free
          Post-Run: 91,207,462,912 bytes free
          .
          - - End Of File - - FF0025947DC922EA22C39860B66DAA92
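Added example, not part of the thread and not ComboFix's code: a Python script that parses the two Windows Firewall exception blocks in the format of the log above and lists entries a reviewer should look at twice: open-port exceptions whose description is only "Services" or only the protocol and port, and authorized applications that live outside Program Files or Windows. The excerpt it runs on is constructed from entries in the log above plus one hypothetical Temp-folder application added to exercise the second check.

```python
"""Review the Windows Firewall exception lists captured in a ComboFix log.

Added example for this thread, not ComboFix's code. It parses the
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\...] blocks in the
format shown in the posted log and flags entries worth a second look.
"""
import re

# Constructed excerpt in the posted log's format. The open-port entries and the
# first two applications are taken from the log; the Temp-folder application is
# hypothetical and only there to show the authorized-application check firing.
SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Temp\\updater.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"2155:TCP"= 2155:TCP:Services
"1044:TCP"= 1044:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"10432:UDP"= 10432:UDP:UDP 10432
"23624:TCP"= 23624:TCP:TCP 23624
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
APP_RE = re.compile(r'^"(.+?)"=$')
# ComboFix prints paths with doubled backslashes, hence \\\\ in the pattern.
EXPECTED_APP_DIRS = re.compile(r"^[a-z]:\\\\(program files|windows)\\\\", re.I)


def parse_sections(text):
    """Map each [section] header to the value lines listed under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":
            sections[current].append(line)
    return sections


def review_open_ports(lines):
    """Return (port, proto, description, reason) for entries worth a look."""
    flagged = []
    for line in lines:
        m = PORT_RE.match(line)
        if not m:
            continue
        port, proto, desc = int(m.group(1)), m.group(2), m.group(3).strip()
        if desc.lower() == "services":
            reason = "generic description names no application"
        elif desc.upper() == f"{proto} {port}":
            reason = "description is only the protocol and port"
        else:
            continue  # named application, e.g. Akamai NetSession Interface
        flagged.append((port, proto, desc, reason))
    return flagged


def review_authorized_apps(lines):
    """Return exception paths that live outside Program Files / Windows."""
    return [m.group(1) for m in map(APP_RE.match, lines)
            if m and not EXPECTED_APP_DIRS.match(m.group(1))]


def review(text):
    """Run both checks over a ComboFix excerpt and return what was flagged."""
    result = {"ports": [], "apps": []}
    for name, lines in parse_sections(text).items():
        if name.endswith("GloballyOpenPorts\\List"):
            result["ports"] = review_open_ports(lines)
        elif name.endswith("AuthorizedApplications\\List"):
            result["apps"] = review_authorized_apps(lines)
    return result


if __name__ == "__main__":
    found = review(SAMPLE)
    for port, proto, desc, reason in found["ports"]:
        print(f"open port {port}/{proto} '{desc}': {reason}")
    for path in found["apps"]:
        print(f"authorized application outside expected dirs: {path}")
```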

          strangerinchi

            Re: Win32 MB Rootkit from XP Antispyware Virus
            « Reply #20 on: December 16, 2011, 11:36:00 AM »
            UPDATE: On regular mode, everything started freezing (including the browsers) and I cold booted. I left my pc on safe mode. =[

            SuperDave

            Re: Win32 MB Rootkit from XP Antispyware Virus
            « Reply #21 on: December 16, 2011, 06:06:55 PM »
            Save these instructions so you can have access to them while in Safe Mode.

            Please click here to download AVP Tool by Kaspersky.
            • Save it to your desktop.
            • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
            • Double-click the setup file to run it.
            • Click Next to continue.
            • Accept the License Agreement and click Next.
            • It will, by default, install to your desktop folder. Click Next.
            • It will then open a box. There will be a tab that says Automatic scan.
            • Under Automatic scan, make sure these are checked:
              • Hidden Startup Objects
              • System Memory
              • Disk Boot Sectors
              • My Computer
              • Also any other (removable) drives that you may have
            Leave the rest of the settings at their defaults.
            • Then click on Scan at the top right-hand corner.
            • It will automatically neutralize any objects found.
            • If some objects are left un-neutralized, click the button that says Neutralize all.
            • If it says it cannot be neutralized, choose the delete option when prompted.
            • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
            • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

            Note: This tool will self uninstall when you close it so please save the log before closing it.

            strangerinchi

              Re: Win32 MB Rootkit from XP Antispyware Virus
              « Reply #22 on: December 17, 2011, 09:43:50 AM »
              UPDATE: Ran the program, but wasn't able to save the log before it restarted.
              But I happened to be taking some notes, and one of the files deleted, a Win32 virus, was svcs.exe.

              Do you want me to run the program again and get a new report from it?

              strangerinchi

                Re: Win32 MB Rootkit from XP Antispyware Virus
                « Reply #23 on: December 17, 2011, 09:54:20 AM »
                Also noticed, upon startup, I got the "Sorry for the inconvenience but Windows did not start" screen and I proceeded to restart Windows from there. Windows XP then started up normally, and when it came to the startup page there was an error related to the scan or deletion of the Kaspersky program. I went back to safe mode once more, then went to regular mode and started up XP with no more problems. My apologies for overlooking the part about saving the log.

                SuperDave

                Re: Win32 MB Rootkit from XP Antispyware Virus
                « Reply #24 on: December 17, 2011, 11:06:18 AM »
                I noticed that you asked for help in this forum. Please inform me if you start doing any scans from that site.

                I'd like to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                • Click the button.
                • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double-click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                strangerinchi

                  Re: Win32 MB Rootkit from XP Antispyware Virus
                  « Reply #25 on: December 17, 2011, 12:46:54 PM »
                  Hi! Yeah I actually went to that site prior to coming to this one. ^^ Will run ESET scanner soon.

                  strangerinchi

                    Re: Win32 MB Rootkit from XP Antispyware Virus
                    « Reply #26 on: December 17, 2011, 07:54:16 PM »
                    Do you want me to check the box next to "Remove found threats" on the ESET scan?
                    Yes, please.
                    « Last Edit: December 18, 2011, 12:18:34 PM by SuperDave »

                    strangerinchi

                      Re: Win32 MB Rootkit from XP Antispyware Virus
                      « Reply #27 on: December 20, 2011, 05:04:54 AM »
                      Okay, will scan soon.

                      strangerinchi

                        Re: Win32 MB Rootkit from XP Antispyware Virus
                        « Reply #28 on: December 21, 2011, 05:21:10 PM »
                        Okay, here's the results of the ESET scan, sorry for the delay.

                        =========================================================
                        C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\10\28d68ca-112ba6d2   a variant of Win32/Kryptik.XUP trojan   cleaned by deleting - quarantined
                        C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\52\dcccaf4-7ce0ab4a   Java/Exploit.CVE-2011-3544.I trojan   deleted - quarantined
                        C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\0.20380625498182015.exe   a variant of Win32/Kryptik.XUP trojan   cleaned by deleting - quarantined
                        C:\Documents and Settings\Compaq_Administrator\Local Settings\temp\wpbt0.dll   a variant of Win32/Kryptik.XUP trojan   cleaned by deleting - quarantined
                        C:\Program Files\PCSafeDoctor\pcsafedoctor.exe   Win32/Adware.SpywareCease application   cleaned by deleting - quarantined
                        C:\Program Files\PCSafeDoctor\RkHitApi.dll   a variant of Win32/Adware.SpywareCease.AA application   cleaned by deleting - quarantined
                        C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Administrator\Application Data\Caotd\higy.exe.vir   a variant of Win32/Kryptik.XLE trojan   deleted - quarantined
                        C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.bak1.vir   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
                        C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.bak2.vir   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
                        C:\Qoobox\Quarantine\C\WINDOWS\system32\dcbeg.ini.vir   Win32/Adware.Virtumonde.NEO application   cleaned by deleting - quarantined
                        C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\mrxsmb.sys.vir   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\RKHit.sys.vir   Win32/Adware.SpywareCease application   cleaned by deleting - quarantined
                        C:\RECYCLER\S-1-5-21-3122169640-262842125-2451393388-1007\Dc2.exe   Win32/TrojanClicker.Agent.NEB trojan   cleaned by deleting - quarantined
                        C:\RECYCLER\S-1-5-21-3122169640-262842125-2451393388-1007\Dc1\setup.exe   Win32/TrojanDownloader.Unruy.BN trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000040.sys   Win32/Adware.SpywareCease application   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000123.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000130.exe   a variant of Win32/Kryptik.XIR trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0000132.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002140.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002149.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002163.exe   a variant of Win32/Kryptik.XIR trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002165.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002179.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002223.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002234.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002326.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002437.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1\A0002470.exe   a variant of Win32/Kryptik.XLE trojan   deleted - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0004710.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0004718.exe   a variant of Win32/Kryptik.XKR trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0004804.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0005804.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0005813.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0005835.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0005845.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0005856.exe   probably a variant of Win32/Spy.Agent.CXWZSIU trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0005858.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0006858.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0006860.exe   probably a variant of Win32/Spy.KeyLogger.LFJNMOG trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0006871.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0006882.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP3\A0008916.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0008939.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0008955.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0009955.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0010955.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP4\A0011052.exe   probably a variant of Win32/Spy.Agent.CXWZSIU trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0011955.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0012065.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013065.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013089.exe   Win32/Adware.SpywareCease application   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013090.dll   a variant of Win32/Adware.SpywareCease.AA application   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013091.exe   Win32/TrojanClicker.Agent.NEB trojan   cleaned by deleting - quarantined
                        C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013092.exe   Win32/TrojanDownloader.Unruy.BN trojan   cleaned by deleting - quarantined
                        C:\WINDOWS\5230238   probably a variant of Win32/Routmo.AL trojan   cleaned by deleting - quarantined
                        C:\WINDOWS\system32\6to4ex.dll   a variant of Win32/Routmo.N trojan   cleaned by deleting - quarantined
                        C:\WINDOWS\system32\drivers\mrxsmb.sys   Win32/Sirefef.DA trojan   cleaned by deleting - quarantined
                        D:\I386\APPS\APP15973\src\CompaqPresario_Spring06.exe   a variant of Win32/Toolbar.MyWebSearch application   deleted - quarantined
                        D:\I386\APPS\APP15973\src\HPPavillion_Spring06.exe   a variant of Win32/Toolbar.MyWebSearch application   deleted - quarantined
                        D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013095.exe   a variant of Win32/Toolbar.MyWebSearch application   deleted - quarantined
                        D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP5\A0013096.exe   a variant of Win32/Toolbar.MyWebSearch application   deleted - quarantined
                        Operating memory   multiple threats   
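Added example, not part of the thread and not ESET's or ComboFix's code: a Python triage script for a log in the three-column format posted above (path, detection, action). It sorts each hit by where it was found, because the buckets mean different things for whether the machine is still infected: paths under System Volume Information are inert System Restore copies, C:\Qoobox is ComboFix's own quarantine, while hits under the live Windows tree (such as the system driver mrxsmb.sys flagged as Win32/Sirefef.DA above) or in operating memory were active when the scan ran. The sample lines are constructed from entries in the posted log and handle both tab- and multi-space-separated columns.

```python
"""Triage an ESET Online Scanner log by where each detection was found.

Added example for this thread, not ESET's code. Input is the three-column
log format posted above: path, detection name, action taken.
"""
import re
from collections import Counter

# Constructed sample in the posted log's format (tab-separated here; the
# forum rendering uses runs of spaces, which parse_line also accepts).
SAMPLE_LOG = """\
C:\\Documents and Settings\\Compaq_Administrator\\Local Settings\\temp\\wpbt0.dll\ta variant of Win32/Kryptik.XUP trojan\tcleaned by deleting - quarantined
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\drivers\\mrxsmb.sys.vir\tWin32/Sirefef.DA trojan\tcleaned by deleting - quarantined
C:\\System Volume Information\\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\\RP1\\A0000123.sys\tWin32/Sirefef.DA trojan\tcleaned by deleting - quarantined
C:\\WINDOWS\\system32\\drivers\\mrxsmb.sys\tWin32/Sirefef.DA trojan\tcleaned by deleting - quarantined
C:\\WINDOWS\\system32\\6to4ex.dll\ta variant of Win32/Routmo.N trojan\tcleaned by deleting - quarantined
Operating memory\tmultiple threats\t
"""

# Checked in order; the first match wins, so quarantine and restore-point
# copies are bucketed before the generic live Windows / Program Files tree.
LOCATION_RULES = [
    ("memory", re.compile(r"^Operating memory$", re.I)),
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("combofix_quarantine", re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.I)),
    ("recycle_bin", re.compile(r"\\RECYCLER\\", re.I)),
    ("java_cache", re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("temp", re.compile(r"\\Temp\\", re.I)),
    ("live_system", re.compile(r"^[A-Z]:\\(WINDOWS|Program Files)\\", re.I)),
]

# Family = "Platform/Name" plus an optional mixed-case sub-family; the short
# upper-case variant suffix is dropped, so "Win32/Sirefef.DA" -> "Win32/Sirefef"
# while "Win32/Adware.Virtumonde.NEO" -> "Win32/Adware.Virtumonde".
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/[A-Za-z]+(?:\.[A-Z][a-z][A-Za-z]*)?")


def parse_line(line):
    """Split one log line into (path, detection, action); action may be empty."""
    fields = [f.strip() for f in re.split(r"\t|\s{2,}", line.strip())]
    fields += [""] * (3 - len(fields))
    return tuple(fields[:3])


def classify_location(path):
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "other"


def family(detection):
    m = FAMILY_RE.search(detection)
    return m.group(0) if m else "unclassified"


def triage(log_text):
    """Count hits per location and per family, and list the ones that show
    the infection was still live (Windows tree or memory) when ESET ran."""
    by_location, by_family, live = Counter(), Counter(), []
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("="):  # skip blanks and separators
            continue
        path, detection, action = parse_line(raw)
        loc = classify_location(path)
        by_location[loc] += 1
        by_family[family(detection)] += 1
        if loc in ("live_system", "memory"):
            live.append((path, detection, action))
    return {"by_location": dict(by_location), "by_family": dict(by_family), "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Detections by location:", result["by_location"])
    print("Detections by family:  ", result["by_family"])
    print("Still live at scan time:")
    for path, detection, action in result["live"]:
        print(f"  {path}  [{detection}]  {action or 'no action recorded'}")
```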

                        SuperDave

                        Re: Win32 MB Rootkit from XP Antispyware Virus
                        « Reply #29 on: December 21, 2011, 05:26:53 PM »
                        How's your computer running now?

                        Update Your Java (JRE)

                        Old versions of Java have vulnerabilities that malware can use to infect your system.


                        First, verify your Java version

                        If there are any other version(s) installed, then update now.

                        Get the new version (if needed)

                        If your version is out of date, install the newest version of the Sun Java Runtime Environment.

                        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                        Be sure to close ALL open web browsers before starting the installation.

                        Remove any old versions

                        1. Download JavaRa and unzip the file to your Desktop.
                        2. Open JavaRA.exe and choose Remove Older Versions.
                        3. Once complete, exit JavaRA.

                        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.