Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:32 AM, on 2/18/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6094 bytes
Microsoft® Windows Vista™ Home Premium ( v6.0.6001 ) Service Pack 1
X86-based PC ( Multiprocessor Free : Intel® Pentium® Dual CPU T2390 @ 1.86GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A11
USER : Conner ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:136 Go (Free:55 Go)
D:\ (Local Disk) - NTFS - Total:9 Go (Free:5 Go)
E:\ (CD or DVD)
Wed 02/18/2009| 3:31
----------------------\\ Search..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\..\{0E3C0E48-250C-42AC-83E2-74F99EB3FB95}]
DhcpNameServer REG_SZ 85.255.112.39,85.255.112.40
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\..\{0E3C0E48-250C-42AC-83E2-74F99EB3FB95}]
DhcpNameServer REG_SZ 85.255.112.39,85.255.112.40
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\..\{0E3C0E48-250C-42AC-83E2-74F99EB3FB95}]
DhcpNameServer REG_SZ 85.255.112.39,85.255.112.40
==> WAREOUT <==
1 - "C:\Rooter$\Rooter_1.txt" - Wed 02/18/2009| 3:31
----------------------\\ Scan completed at 3:31
Full Version: Google Redirect Virus
hello
It sounds like a case of Zlob/DNSchanger that change the router's DNS settings. Please download Malwarebytes' Anti-Malware from Here or Here
Next disconnect your system from the internet, and your router, then…
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE
However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
Once you have ran Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.
===============================================
Please post the Malwarebytes log and let me know how things are running now :thumbsup:
It sounds like a case of Zlob/DNSchanger that change the router's DNS settings. Please download Malwarebytes' Anti-Malware from Here or Here
Next disconnect your system from the internet, and your router, then…
Double Click mbam-setup.exe to install the application.
- Launch Malwarebytes' Anti-Malware, then click Finish.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE
However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.
Once you have ran Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration you can reconnect to the internet, and router. Then return to this site to post your logs.
===============================================
Please post the Malwarebytes log and let me know how things are running now :thumbsup:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 6.0.6001 Service Pack 1
2/18/2009 2:15:07 PM
mbam-log-2009-02-18 (14-15-07).txt
Scan type: Quick Scan
Objects scanned: 60673
Time elapsed: 2 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
Folders Infected:
C:\Users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freshplay\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-7-6-17-100006588-100031111-100002018-6328.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\gaopdxrxtvvujk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxnuyxpxvp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Rebooting now for results. Will tell you if its gone
EDIT: Thank you so much! No more stupid advertisements or redirects!
Database version: 1749
Windows 6.0.6001 Service Pack 1
2/18/2009 2:15:07 PM
mbam-log-2009-02-18 (14-15-07).txt
Scan type: Quick Scan
Objects scanned: 60673
Time elapsed: 2 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{0e3c0e48-250c-42ac-83e2-74f99eb3fb95}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
Folders Infected:
C:\Users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freshplay\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-7-6-17-100006588-100031111-100002018-6328.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\gaopdxrxtvvujk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxnuyxpxvp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Rebooting now for results. Will tell you if its gone
EDIT: Thank you so much! No more stupid advertisements or redirects!
bit left
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
ComboFix 09-02-18.01 - Conner 2009-02-19 19:36:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.797 [GMT -5:00]
Running from: c:\users\Conner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
c:\users\Conner\Logo.png
c:\windows\system32\gaopdxcounter
D:\Autorun.inf
d:\recycler\S-7-6-17-100006588-100031111-100002018-6328.com
.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.
2009-02-18 18:14 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-18 18:13 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\users\Conner\AppData\Roaming\Malwarebytes
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-18 14:06 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-18 14:06 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-18 14:05 . 2009-02-18 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 03:37 . 2009-02-18 03:44 <DIR> d-------- c:\program files\Defraggler
2009-02-18 03:12 . 2009-02-18 03:31 <DIR> d-------- C:\Rooter$
2009-02-18 02:14 . 2009-02-18 02:14 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 00:25 . 2009-02-16 00:25 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-16 00:25 . 2009-02-16 00:25 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-16 00:23 . 2009-02-16 00:23 <DIR> d-------- c:\users\Conner\AppData\Roaming\SUPERAntiSpyware.com
2009-02-16 00:23 . 2009-02-16 00:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-15 01:47 . 2009-02-18 03:11 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-15 01:45 . 2009-02-19 09:49 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-15 01:45 . 2009-02-15 01:45 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-15 01:45 . 2009-02-15 01:45 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-15 01:45 . 2009-02-15 01:45 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-15 01:44 . 2009-02-15 13:53 <DIR> d-------- c:\users\All Users\avg8
2009-02-15 01:44 . 2009-02-15 13:53 <DIR> d-------- c:\programdata\avg8
2009-02-15 01:44 . 2009-02-15 01:44 <DIR> d-------- c:\program files\AVG
2009-02-15 01:07 . 2009-02-15 01:07 194,543,182 --a------ c:\windows\MEMORY.DMP
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-12 23:42 . 2005-02-27 14:20 <DIR> d-------- c:\program files\VB6
2009-02-12 22:48 . 2009-02-12 22:48 229,888 --a------ c:\windows\System32\wmp.oca
2009-02-12 22:44 . 2009-02-12 22:44 <DIR> d-------- c:\users\Conner\AppData\Roaming\GetRightToGo
2009-02-12 21:10 . 2009-02-12 23:24 <DIR> d-------- c:\program files\VB5CCE
2009-02-12 21:10 . 1997-01-14 23:10 2,495 --a------ c:\windows\System32\ComDlg32.dep
2009-02-12 21:10 . 1997-02-28 15:24 2,495 --a------ c:\windows\System32\ComCtl32.dep
2009-02-12 21:10 . 2009-02-12 21:10 63 --a------ c:\windows\vbaddin.ini
2009-02-12 20:39 . 2009-02-15 13:52 <DIR> d-------- c:\program files\HTV
2009-01-29 16:13 . 2009-01-29 16:15 <DIR> d-------- c:\users\Conner\Old Microsoft
2009-01-24 01:45 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-21 22:59 . 2009-01-29 20:53 <DIR> d-------- c:\users\Conner\dwhelper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 00:29 --------- d-----w c:\users\Conner\AppData\Roaming\SiteAdvisor
2009-02-18 07:39 --------- d-----w c:\programdata\Viewpoint
2009-02-17 16:38 --------- d-----w c:\program files\Full Tilt Poker
2009-02-17 02:04 --------- d---a-w c:\programdata\TEMP
2009-02-16 05:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 07:04 --------- d-sh--w c:\program files\Omnecient
2009-02-15 07:04 --------- d-----r c:\program files\Omniscient
2009-01-29 21:16 --------- d-----w c:\users\Conner\AppData\Roaming\uTorrent
2009-01-24 09:37 --------- d-----w c:\users\Conner\AppData\Roaming\Ventrilo
2009-01-23 02:50 --------- d-----w c:\users\Conner\AppData\Roaming\Xfire
2009-01-21 00:22 --------- d-----w c:\programdata\Xfire
2009-01-21 00:22 --------- d-----w c:\program files\Xfire
2009-01-19 06:38 --------- d-----w c:\users\Conner\AppData\Roaming\dyyno-vlc
2009-01-19 06:36 --------- d-----w c:\program files\Dyyno
2009-01-11 17:33 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 09:45 --------- d-----w c:\program files\GameGain
2009-01-11 09:13 23,600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-01-11 08:51 --------- d-----w c:\programdata\PC Drivers Headquarters
2009-01-02 20:18 --------- d-----w c:\users\Conner\AppData\Roaming\OpenOffice.org2
2008-12-31 10:47 --------- d-----w c:\program files\Ventrilo
2008-12-19 20:24 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2005-02-27 19:22 74 ----a-w c:\program files\Serial.txt
2005-02-22 01:39 2,662 ----a-w c:\program files\1337Warez.nfo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-20 c:\windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-05-26 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-26 13:38 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Users^Conner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IOJ.lnk]
path=c:\users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IOJ.lnk
backup=c:\windows\pss\IOJ.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Conner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EFD3CED1-0968-435D-B94A-1D2B72855FBD}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CFCAC46A-54C1-4DA0-97AE-E6082B435CB5}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{53BE7528-154E-4471-9AC6-785393FCEF02}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{90412C66-A663-4478-8E31-C25398DBA63F}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D12F248C-D558-4B91-8900-866D721C4236}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B21CB403-353B-4A9D-B963-4EB8231456F6}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{69D8AD9C-411A-4C8A-BDBB-CD85A990BFAA}c:\\program files\\tortun\\gui.exe"= UDP:c:\program files\tortun\gui.exe:gui
"UDP Query User{62752B6C-9932-4897-866F-10B76B631FD0}c:\\program files\\tortun\\gui.exe"= TCP:c:\program files\tortun\gui.exe:gui
"TCP Query User{72C202DD-A9DE-4C66-A7AF-A33A86293C90}c:\\users\\conner\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= UDP:c:\users\conner\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"UDP Query User{F430365A-3106-491F-9DBB-12E5B117BA23}c:\\users\\conner\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= TCP:c:\users\conner\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"TCP Query User{98EEF6FB-7D48-4FDA-B48E-254B4C36B8F0}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{CC1B0262-8BAC-4BE5-9B41-4484484B5B4D}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"{C9566139-4DF0-4D37-B79E-01740F5FC21D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9A949749-1380-43E5-B630-2FFA6F9393E6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{8132BACF-010E-47E8-9F5D-8E87E1E49D08}c:\\users\\conner\\downloads\\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe"= UDP:c:\users\conner\downloads\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe:wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe
"UDP Query User{CFFD7011-F359-49CB-80B4-A0C4E7854ADE}c:\\users\\conner\\downloads\\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe"= TCP:c:\users\conner\downloads\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe:wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe
"{65395D30-93CF-4527-B240-3EA6611E046C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{44F2D0CD-0702-4634-89C0-FEBF76C4C534}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{585E1D0F-6191-42F8-A638-482A3C9831BD}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{3B6F8A4D-95EA-4C55-8580-1F3E4B34F59E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{BDDA7F8A-367F-4A23-A6A3-E0D83B2C29E7}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{E8CC0FD5-EF2A-4B62-ABAE-614D60A06022}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{FE12EC3E-D642-47F9-8319-8F1CB93C79BE}c:\\users\\conner\\games\\world of warcraft\\repair.exe"= UDP:c:\users\conner\games\world of warcraft\repair.exe:repair.exe
"UDP Query User{D645C93B-A7CB-4432-B99D-8FC1E96CCE0D}c:\\users\\conner\\games\\world of warcraft\\repair.exe"= TCP:c:\users\conner\games\world of warcraft\repair.exe:repair.exe
"{49D5F9EC-548C-43F9-985C-2EF6A8D88907}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{00A566DD-77AD-4B50-B73B-171FA8591D34}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{482518C6-776F-4E59-8C01-D5C4C600E5F5}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-05-26 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [2008-05-26 111616]
R3 MovRVDrv32;MovRVDrv32;c:\windows\System32\drivers\MovRVDrv32.sys [2008-08-20 3768]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SoundMovieServer;SoundMovieServer;c:\windows\System32\snmvtsvc.exe [2008-08-20 184320]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a61130-7f07-11dd-a451-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96dcae50-7cdd-11dd-af18-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3bb2dc8-7cf4-11dd-a87e-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-HTV Agent - c:\program files\Omnecient\HTV.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080526
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Conner\AppData\Roaming\Mozilla\Firefox\Profiles\7m64mnls.default\
FF - prefs.js: browser.startup.homepage - about:blank
1 file(s) moved.
1 file(s) moved.
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\users\Conner\AppData\Roaming\Mozilla\Firefox\Profiles\7m64mnls.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 19:40:01
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-19 19:42:22
ComboFix-quarantined-files.txt 2009-02-20 00:42:19
Pre-Run: 60,391,231,488 bytes free
Post-Run: 60,685,381,632 bytes free
215 --- E O F --- 2009-02-19 17:37:03
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.797 [GMT -5:00]
Running from: c:\users\Conner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
c:\users\Conner\Logo.png
c:\windows\system32\gaopdxcounter
D:\Autorun.inf
d:\recycler\S-7-6-17-100006588-100031111-100002018-6328.com
.
((((((((((((((((((((((((( Files Created from 2009-01-20 to 2009-02-20 )))))))))))))))))))))))))))))))
.
2009-02-18 18:14 . 2009-01-15 01:11 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-18 18:13 . 2009-01-14 22:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\users\Conner\AppData\Roaming\Malwarebytes
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-18 14:06 . 2009-02-18 14:06 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-18 14:06 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-18 14:06 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-18 14:05 . 2009-02-18 14:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 03:37 . 2009-02-18 03:44 <DIR> d-------- c:\program files\Defraggler
2009-02-18 03:12 . 2009-02-18 03:31 <DIR> d-------- C:\Rooter$
2009-02-18 02:14 . 2009-02-18 02:14 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 00:25 . 2009-02-16 00:25 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-16 00:25 . 2009-02-16 00:25 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-16 00:23 . 2009-02-16 00:23 <DIR> d-------- c:\users\Conner\AppData\Roaming\SUPERAntiSpyware.com
2009-02-16 00:23 . 2009-02-16 00:23 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-15 01:47 . 2009-02-18 03:11 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-15 01:45 . 2009-02-19 09:49 <DIR> d-------- c:\windows\System32\drivers\Avg
2009-02-15 01:45 . 2009-02-15 01:45 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
2009-02-15 01:45 . 2009-02-15 01:45 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
2009-02-15 01:45 . 2009-02-15 01:45 10,520 --a------ c:\windows\System32\avgrsstx.dll
2009-02-15 01:44 . 2009-02-15 13:53 <DIR> d-------- c:\users\All Users\avg8
2009-02-15 01:44 . 2009-02-15 13:53 <DIR> d-------- c:\programdata\avg8
2009-02-15 01:44 . 2009-02-15 01:44 <DIR> d-------- c:\program files\AVG
2009-02-15 01:07 . 2009-02-15 01:07 194,543,182 --a------ c:\windows\MEMORY.DMP
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-15 01:06 . 2009-02-15 01:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-12 23:42 . 2005-02-27 14:20 <DIR> d-------- c:\program files\VB6
2009-02-12 22:48 . 2009-02-12 22:48 229,888 --a------ c:\windows\System32\wmp.oca
2009-02-12 22:44 . 2009-02-12 22:44 <DIR> d-------- c:\users\Conner\AppData\Roaming\GetRightToGo
2009-02-12 21:10 . 2009-02-12 23:24 <DIR> d-------- c:\program files\VB5CCE
2009-02-12 21:10 . 1997-01-14 23:10 2,495 --a------ c:\windows\System32\ComDlg32.dep
2009-02-12 21:10 . 1997-02-28 15:24 2,495 --a------ c:\windows\System32\ComCtl32.dep
2009-02-12 21:10 . 2009-02-12 21:10 63 --a------ c:\windows\vbaddin.ini
2009-02-12 20:39 . 2009-02-15 13:52 <DIR> d-------- c:\program files\HTV
2009-01-29 16:13 . 2009-01-29 16:15 <DIR> d-------- c:\users\Conner\Old Microsoft
2009-01-24 01:45 . 2008-12-15 21:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-21 22:59 . 2009-01-29 20:53 <DIR> d-------- c:\users\Conner\dwhelper
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 00:29 --------- d-----w c:\users\Conner\AppData\Roaming\SiteAdvisor
2009-02-18 07:39 --------- d-----w c:\programdata\Viewpoint
2009-02-17 16:38 --------- d-----w c:\program files\Full Tilt Poker
2009-02-17 02:04 --------- d---a-w c:\programdata\TEMP
2009-02-16 05:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-15 07:04 --------- d-sh--w c:\program files\Omnecient
2009-02-15 07:04 --------- d-----r c:\program files\Omniscient
2009-01-29 21:16 --------- d-----w c:\users\Conner\AppData\Roaming\uTorrent
2009-01-24 09:37 --------- d-----w c:\users\Conner\AppData\Roaming\Ventrilo
2009-01-23 02:50 --------- d-----w c:\users\Conner\AppData\Roaming\Xfire
2009-01-21 00:22 --------- d-----w c:\programdata\Xfire
2009-01-21 00:22 --------- d-----w c:\program files\Xfire
2009-01-19 06:38 --------- d-----w c:\users\Conner\AppData\Roaming\dyyno-vlc
2009-01-19 06:36 --------- d-----w c:\program files\Dyyno
2009-01-11 17:33 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 09:45 --------- d-----w c:\program files\GameGain
2009-01-11 09:13 23,600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-01-11 08:51 --------- d-----w c:\programdata\PC Drivers Headquarters
2009-01-02 20:18 --------- d-----w c:\users\Conner\AppData\Roaming\OpenOffice.org2
2008-12-31 10:47 --------- d-----w c:\program files\Ventrilo
2008-12-19 20:24 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2005-02-27 19:22 74 ----a-w c:\program files\Serial.txt
2005-02-22 01:39 2,662 ----a-w c:\program files\1337Warez.nfo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-20 c:\windows\System32\oobefldr.dll]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-15 1601304]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-05-26 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-09-07 1180952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-26 13:38 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Users^Conner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^IOJ.lnk]
path=c:\users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IOJ.lnk
backup=c:\windows\pss\IOJ.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Conner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Conner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-08-06 10:21 50472 c:\program files\AIM6\aim6.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{EFD3CED1-0968-435D-B94A-1D2B72855FBD}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{CFCAC46A-54C1-4DA0-97AE-E6082B435CB5}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{53BE7528-154E-4471-9AC6-785393FCEF02}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{90412C66-A663-4478-8E31-C25398DBA63F}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{D12F248C-D558-4B91-8900-866D721C4236}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B21CB403-353B-4A9D-B963-4EB8231456F6}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{69D8AD9C-411A-4C8A-BDBB-CD85A990BFAA}c:\\program files\\tortun\\gui.exe"= UDP:c:\program files\tortun\gui.exe:gui
"UDP Query User{62752B6C-9932-4897-866F-10B76B631FD0}c:\\program files\\tortun\\gui.exe"= TCP:c:\program files\tortun\gui.exe:gui
"TCP Query User{72C202DD-A9DE-4C66-A7AF-A33A86293C90}c:\\users\\conner\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= UDP:c:\users\conner\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"UDP Query User{F430365A-3106-491F-9DBB-12E5B117BA23}c:\\users\\conner\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= TCP:c:\users\conner\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:wow-burningcrusade-trial-enus-installer-downloader.exe
"TCP Query User{98EEF6FB-7D48-4FDA-B48E-254B4C36B8F0}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{CC1B0262-8BAC-4BE5-9B41-4484484B5B4D}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"{C9566139-4DF0-4D37-B79E-01740F5FC21D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9A949749-1380-43E5-B630-2FFA6F9393E6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{8132BACF-010E-47E8-9F5D-8E87E1E49D08}c:\\users\\conner\\downloads\\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe"= UDP:c:\users\conner\downloads\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe:wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe
"UDP Query User{CFFD7011-F359-49CB-80B4-A0C4E7854ADE}c:\\users\\conner\\downloads\\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe"= TCP:c:\users\conner\downloads\wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe:wow-2.4.3.8568-to-3.0.2.8916-enus-downloader.exe
"{65395D30-93CF-4527-B240-3EA6611E046C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{44F2D0CD-0702-4634-89C0-FEBF76C4C534}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{585E1D0F-6191-42F8-A638-482A3C9831BD}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{3B6F8A4D-95EA-4C55-8580-1F3E4B34F59E}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{BDDA7F8A-367F-4A23-A6A3-E0D83B2C29E7}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{E8CC0FD5-EF2A-4B62-ABAE-614D60A06022}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"TCP Query User{FE12EC3E-D642-47F9-8319-8F1CB93C79BE}c:\\users\\conner\\games\\world of warcraft\\repair.exe"= UDP:c:\users\conner\games\world of warcraft\repair.exe:repair.exe
"UDP Query User{D645C93B-A7CB-4432-B99D-8FC1E96CCE0D}c:\\users\\conner\\games\\world of warcraft\\repair.exe"= TCP:c:\users\conner\games\world of warcraft\repair.exe:repair.exe
"{49D5F9EC-548C-43F9-985C-2EF6A8D88907}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{00A566DD-77AD-4B50-B73B-171FA8591D34}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{482518C6-776F-4E59-8C01-D5C4C600E5F5}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-15 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-15 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [2008-05-26 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-15 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-15 298264]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [2008-05-26 111616]
R3 MovRVDrv32;MovRVDrv32;c:\windows\System32\drivers\MovRVDrv32.sys [2008-08-20 3768]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SoundMovieServer;SoundMovieServer;c:\windows\System32\snmvtsvc.exe [2008-08-20 184320]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-07-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\System32\drivers\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-10 369688]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a61130-7f07-11dd-a451-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96dcae50-7cdd-11dd-af18-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3bb2dc8-7cf4-11dd-a87e-001d09625b6f}]
\shell\AutoRun\command - F:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-HTV Agent - c:\program files\Omnecient\HTV.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5080526
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Conner\AppData\Roaming\Mozilla\Firefox\Profiles\7m64mnls.default\
FF - prefs.js: browser.startup.homepage - about:blank
1 file(s) moved.
1 file(s) moved.
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\users\Conner\AppData\Roaming\Mozilla\Firefox\Profiles\7m64mnls.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-19 19:40:01
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-02-19 19:42:22
ComboFix-quarantined-files.txt 2009-02-20 00:42:19
Pre-Run: 60,391,231,488 bytes free
Post-Run: 60,685,381,632 bytes free
215 --- E O F --- 2009-02-19 17:37:03
hello
Please download OTMoveIt3 by OldTimer
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please download ATF Cleaner by Atribune.
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Go to Kaspersky website and perform an online antivirus scan.
Please download OTMoveIt3 by OldTimer
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):CODE:Processes
explorer.exe
:Services
:Reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10a61130-7f07-11dd-a451-001d09625b6f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96dcae50-7cdd-11dd-af18-001d09625b6f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a3bb2dc8-7cf4-11dd-a87e-001d09625b6f}]
:Files
c:\program files\Serial.txt
c:\program files\1337Warez.nfo
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot] - Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Please download Malwarebytes' Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
Go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases - Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.